Visit http://support.fortinet.com to register your FortiGate product. By registering you can receive product updates, technical support, and FortiGuard services.
FortiGate Administration Guide
Version 4.0 MR1
22 October 2009
01-410-89802-20091022

Copyright 2009 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents

Introduction ..... 23
    Fortinet products ..... 23
    Before you begin ..... 24
    How this guide is organized ..... 24
    Document conventions ..... 27
        IP addresses ..... 27
        Cautions, Notes and Tips ..... 27
        Typographical conventions ..... 27
        CLI command syntax ..... 28
    Registering your Fortinet product ..... 29
    Fortinet products End User License Agreement ..... 29
    Customer service and technical support ..... 29
    Training ..... 29
    Fortinet documentation ..... 30
        Tools and Documentation CD ..... 30
        Fortinet Knowledge Base ..... 30
        Comments on Fortinet technical documentation ..... 30
    Two-factor authentication ..... 36
        Force UTF-8 login ..... 36
    FortiGate wireless controller ..... 36
    Interface status detection for gateway load balancing ..... 36
    Enhanced ECMP route failover and load balancing ..... 36
    SCEP extensions ..... 37
    Dynamic routing for IPv6 traffic ..... 37
        router bgp command ..... 37
        router access-list6 ..... 37
        router ospf6 ..... 37
        router prefix-list6 ..... 37
        router ripng ..... 38
        get router info6 {bgp | ospf | protocols | rip} ..... 38
    IPv6 DNS ..... 38
    IPv6 Transparent mode ..... 38
    IPv6 administrative access ..... 38
    Network interface changes for IPv6 ..... 38
    UTM features support IPv6 traffic ..... 38
    HTTP basic authentication in firewall policies ..... 39
    VDOM dashboard ..... 39
    IPsec protocol improvements ..... 39
        Support for IKE v2 ..... 39
        Support for DH-2048 (Group 14) ..... 39
        Support for SHA256 ..... 39
    Auto-configuration of IPsec VPNs ..... 40
        IPsec Phase 1 configuration for IKE Configuration Method ..... 40
        IPsec Phase 2 configuration for IKE Configuration Method ..... 40
    Integral basic DNS server ..... 40
        Creating local DNS entries ..... 40
        Enabling DNS on an interface ..... 41
    Per-VDOM DNS configuration ..... 41
    Password policy ..... 41
    Use LDAP groups in firewall and SSL-VPN authentication ..... 41
    Traffic shaping enhancements ..... 42
        Shared traffic shaping ..... 42
        Per-IP traffic shaping ..... 42
        Accounting and quota enforcement ..... 42
    Logging enhancements ..... 42
        Support for per-VDOM FortiAnalyzer units or syslog devices ..... 42
        SQL log format for Executive Summary reports ..... 43
FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20091022 http://docs.fortinet.com/ Feedback
    Antivirus changes ..... 43
    Reliable syslog ..... 44
    Web filtering combined block/exempt list ..... 44
    Web filtering by content header ..... 44
    Safe search ..... 44
    Data Leak Prevention supports international character sets ..... 44
    SNMPv3 enhancements ..... 45
        Support for snmpEngineID ..... 45
        Authentication and privacy ..... 45
    Schedule groups ..... 45
    RAID support ..... 46

    Button bar features ..... 51
    Contacting Customer Support ..... 51
    Backing up your FortiGate configuration ..... 52
    Using FortiGate Online Help ..... 52
        Searching the online help ..... 54
    Logging out ..... 55
    Web-based manager pages ..... 55
        Using the web-based manager menu ..... 56
        Using web-based manager lists ..... 57
        Adding filters to web-based manager lists ..... 57
        Using page controls on web-based manager lists ..... 60
        Using column settings to control the columns displayed ..... 61
        Using filters with column settings ..... 63
    Changing system information ..... 86
        Configuring system time ..... 86
        Changing the FortiGate unit host name ..... 87
    Changing the FortiGate firmware ..... 87
        Upgrading to a new firmware version ..... 88
        Reverting to a previous firmware version ..... 89
    Viewing operational history ..... 90
    Manually updating FortiGuard definitions ..... 91
    Viewing Log and Archive Statistics ..... 91
        Viewing DLP Archive information on the Statistics widget ..... 91
        Viewing the Attack Log ..... 93
    Configuring the RAID array ..... 94
        RAID disk configuration ..... 94
        RAID Level ..... 96
        Rebuilding the RAID array ..... 97
    Configuring AMC modules ..... 98
        Auto-bypass and recovery for AMC bridge module ..... 99
        Enabling or disabling bypass mode for AMC bridge modules ..... 101
    Viewing application, policy, and DLP archive usage data ..... 102
        Top Application Usage ..... 102
        Top Policy Usage ..... 104
        DLP Archive Usage ..... 106
    Using the topology viewer ..... 107
        Adding a subnet object ..... 110
        Customizing the topology diagram ..... 111
    Configuring VDOM resource limits ..... 139
        Setting VDOM global resource limits ..... 140
        Configuring resource usage for individual VDOMs ..... 141
    Configuring zones ..... 170
    Configuring the modem interface ..... 170
        Configuring modem settings ..... 171
        Redundant mode configuration ..... 173
        Standalone mode configuration ..... 174
        Adding firewall policies for modem connections ..... 175
        Connecting and disconnecting the modem ..... 175
        Checking modem status ..... 176
    Configuring Networking Options ..... 176
        DNS Servers ..... 177
    Configuring FortiGate DNS services ..... 177
        About split DNS ..... 178
        Configuring FortiGate DNS services ..... 178
        Configuring the FortiGate DNS database ..... 180
    Configuring the explicit web proxy ..... 182
    Configuring WCCP ..... 183
    Routing table (Transparent Mode) ..... 184
    Wireless MAC Filter ..... 193
        Managing the MAC Filter list ..... 194
    Wireless Monitor ..... 195
    Rogue AP detection ..... 196
        Viewing wireless access points ..... 196

    SNMP ..... 213
    Replacement messages ..... 225
        VDOM and global replacement messages ..... 225
        Viewing the replacement messages list ..... 225
        Changing replacement messages ..... 226
        Mail replacement messages ..... 228
        HTTP replacement messages ..... 229
        FTP replacement messages ..... 230
        NNTP replacement messages ..... 230
        Alert Mail replacement messages ..... 231
        Spam replacement messages ..... 231
        Administration replacement message ..... 232
        User authentication replacement messages ..... 232
        FortiGuard Web Filtering replacement messages ..... 234
        IM and P2P replacement messages ..... 234
        Endpoint NAC replacement messages ..... 235
        NAC quarantine replacement messages ..... 235
        Traffic quota control replacement messages ..... 236
        SSL VPN replacement message ..... 236
        Replacement message tags ..... 236
    Operation mode and VDOM management access ..... 238
        Changing operation mode ..... 238
        Management access ..... 239
    Admin profiles ..... 254
        Viewing the admin profiles list ..... 257
        Configuring an admin profile ..... 258
    Central Management ..... 260
    Settings ..... 261
    Monitoring administrators ..... 264
    FortiGate IPv6 support ..... 264
        Configuring IPv6 on FortiGate units ..... 265
    Customizable web-based manager ..... 268
    Remote Certificates ..... 284
        Importing Remote (OCSP) certificates ..... 285
    CA Certificates ..... 286
        Importing CA certificates ..... 286
    CRL ..... 287
        Importing a certificate revocation list ..... 288

    Managing configuration revisions ..... 297
    Using script files ..... 298
        Creating script files ..... 299
        Uploading script files ..... 299
    Configuring FortiGuard Services ..... 300
        FortiGuard Distribution Network ..... 300
        FortiGuard services ..... 300
        Configuring the FortiGate unit for FDN and FortiGuard subscription services ..... 302
    Troubleshooting FDN connectivity ..... 306
    Updating antivirus and attack definitions ..... 307
    Enabling push updates ..... 308
        Enabling push updates when a FortiGate unit IP address changes ..... 309
        Enabling push updates through a NAT device ..... 309
    Adding VDOM Licenses ..... 311
    Static Route ..... 316
        Working with static routes ..... 316
        Default route and default gateway ..... 318
        Adding a static route to the routing table ..... 320
    ECMP route failover and load balancing ..... 322
        Configuring spill-over or usage-based ECMP ..... 323
        Configuring weighted static route load balancing ..... 326
    Policy Route ..... 328
        Adding a policy route ..... 329
        Moving a policy route ..... 332

    BGP ..... 346
        Viewing and editing BGP settings ..... 346
    Multicast ..... 348
        Viewing and editing multicast settings ..... 348
        Overriding the multicast settings on an interface ..... 350
        Multicast destination NAT ..... 350
    Bi-directional Forwarding Detection (BFD) ..... 351
        Configuring BFD ..... 351
    Customizable routing widgets ..... 353
        Access List ..... 353
        Distribute List ..... 354
        Key Chain ..... 355
        Offset List ..... 355
        Prefix List ..... 356
        Route Map ..... 357

    Using DoS policies to detect and prevent attacks ..... 379
        Viewing the DoS policy list ..... 380
        Configuring DoS policies ..... 381
    Using one-arm sniffer policies to detect network attacks ..... 382
        Viewing the sniffer policy list ..... 383
        Configuring sniffer policies ..... 384
    How FortiOS selects unused NAT ports ..... 385
        Global pool ..... 386
        Global per-protocol pool ..... 386
        Per NAT IP pool ..... 386
        Per NAT IP, destination IP, port, and protocol pool ..... 387
    Firewall policy examples ..... 389
        Scenario one: SOHO-sized business ..... 389
        Scenario two: enterprise-sized business ..... 392
    Viewing the address group list ..... 398
    Configuring address groups ..... 399

    Virtual IP Groups ..... 436
    Viewing the VIP group list ..... 436
    Configuring VIP groups ..... 436
    Configuring IP pools ..... 437
        IP pools and dynamic NAT ..... 438
        IP Pools for firewall policies that use fixed ports ..... 438
        Source IP address and IP pool address matching ..... 438
    Viewing the IP pool list ..... 439
    Configuring IP Pools ..... 440
        Double NAT: combining IP pool with virtual IP ..... 440
        Adding NAT firewall policies in transparent mode ..... 442
    File Quarantine ..... 516
        Viewing the AutoSubmit list ..... 517
        Configuring the AutoSubmit list ..... 517
        Configuring quarantine options ..... 518
    Selecting the virus database ..... 519
    Antivirus CLI configuration ..... 520
    DoS sensors ..... 537
        Viewing the DoS sensor list ..... 538
        Configuring DoS sensors ..... 538
        Understanding the anomalies ..... 539
    Intrusion protection CLI configuration ..... 540
    FortiGuard Web Filtering ..... 552
        Configuring FortiGuard Web Filtering ..... 552
    FortiGuard Web filtering overrides ..... 552
        Administrative overrides and user overrides ..... 552
        Configuring administrative override rules ..... 553
        Creating local categories ..... 555
        Viewing the local ratings list ..... 555
        Configuring local ratings ..... 556
    Category block CLI configuration ..... 557
    FortiGuard Web Filtering reports ..... 557

    Advanced Email Filter configuration ..... 570
        config spamfilter mheader ..... 570
        config spamfilter dnsbl ..... 571
        Using wildcards and Perl regular expressions ..... 571
        Perl regular expression formats ..... 572
        Example regular expressions ..... 573
    DLP archiving ..... 580
        Configuring DLP archiving ..... 581
        Configuring spam email message archiving ..... 585
        Viewing DLP archives ..... 586
    DLP Rules ..... 586
        Viewing the DLP rule list ..... 586
        Adding or configuring DLP rules ..... 588
    DLP Compound Rules ..... 591
        Viewing the DLP compound rule list ..... 592
        Adding and configuring DLP compound rules ..... 592

    Manual Key ..... 614
        Creating a new manual key configuration ..... 614
    Internet browsing configuration ..... 616
    Concentrator ..... 617
        Defining concentrator options ..... 617
    Monitoring VPNs ..... 618
SSL VPN web portal ................................................................................... 627
  Default web portal configurations ........................................................... 628
  Configuring web portal settings .............................................................. 628
  Configuring the virtual desktop ............................................................... 629
  Configuring security control .................................................................... 631
  Configuring web portal layout ................................................................. 632
  Session Information widget ..................................................................... 633
  Bookmarks widget .................................................................................. 634
  Connection Tool widget .......................................................................... 636
  Tunnel Mode widget ............................................................................... 637
Virtual Desktop Application Control ......................................................................... 639 Host Check list ............................................................................................................ 640 SSL VPN monitor list .................................................................................................. 641
Options......................................................................................................................... 667 Monitor ......................................................................................................................... 668 Firewall user monitor list ......................................................................................... 668 IM user monitor list ................................................................................................. 669
NAC quarantine and the Banned User list ............................................... 670
  NAC quarantine and DLP ....................................................................... 670
  NAC quarantine and DLP replacement messages ................................. 671
  Configuring NAC quarantine ................................................................... 671
  The Banned User list .............................................................................. 672
Configuring Alert Email .............................................................................. 709
Configuring Event logging ......................................................................... 711
  Data Leak Prevention log ....................................................................... 712
  Application Control log ............................................................................ 712
  Antivirus log ............................................................................................ 713
  Web filter log ........................................................................................... 713
  Email filter log ......................................................................................... 713
  Attack log (IPS) ....................................................................................... 714
  Accessing logs stored in memory ........................................................... 715
  Accessing logs stored on the hard disk .................................................. 716
  Accessing logs stored on the FortiAnalyzer unit ..................................... 716
  Accessing logs stored on the FortiGuard Analysis and Management Service ....... 717
  Customizing the display of log messages ............................................... 717
  Column settings ...................................................................................... 718
  Filtering log messages ............................................................................ 719
Viewing DLP Archives ................................................................................................ 719 Viewing the File Quarantine list................................................................................. 720 Configuring FortiAnalyzer report schedules ............................................................ 721 Viewing Executive Summary reports from SQL logs .............................................. 724 Viewing FortiAnalyzer reports ................................................................................... 724 Printing your FortiAnalyzer report ........................................................................... 725 Viewing basic traffic reports ...................................................................................... 725 Log severity levels ...................................................................................................... 727 Log types ..................................................................................................................... 728 Traffic log ................................................................................................................ 728 Example configuration: logging all FortiGate traffic ............................................... 729
Index...................................................................................................... 731
Introduction
Ranging from the FortiGate-50 series for small businesses to the FortiGate-5000 series for large enterprises, service providers and carriers, the FortiGate line combines the FortiOS security operating system with FortiASIC processors and other hardware to provide a high-performance array of security and networking functions including:
• firewall, VPN, and traffic shaping
• Intrusion Prevention system (IPS)
• antivirus/antispyware/antimalware
• web filtering
• antispam
• application control (for example, IM and P2P)
• VoIP support (H.323, SIP, and SCCP)
• Layer 2/3 routing
• multiple redundant WAN interface options
FortiGate appliances provide cost-effective, comprehensive protection against network, content, and application-level threats, including complex attacks favored by cybercriminals, without degrading network availability and uptime. FortiGate platforms include sophisticated networking features, such as high availability (active/active, active/passive) for maximum network uptime, and virtual domain capabilities to separate various networks requiring different security policies.
This chapter contains the following sections:
• Fortinet products
• Before you begin
• How this guide is organized
• Registering your Fortinet product
• Fortinet products End User License Agreement
• Customer service and technical support
• Training
• Fortinet documentation
Fortinet products
Fortinet's portfolio of security gateways and complementary products offers a powerful blend of ASIC-accelerated performance, integrated multi-threat protection, and constantly updated, in-depth threat intelligence. This unique combination delivers network, content, and application security for enterprises of all sizes, managed service providers, and telecommunications carriers, while providing a flexible, scalable path for expansion. For more information on the Fortinet product family, go to www.fortinet.com/products.
Once that basic installation is complete, you can use this document. This document explains how to use the web-based manager to:
• maintain the FortiGate unit, including backups
• reconfigure basic items that were configured during installation
• configure advanced features.
This guide also contains some information about the FortiGate command line interface (CLI), but not all the commands. For detailed information on the CLI, see the FortiGate CLI Reference. This document is intended for administrators, not end users.
System Status describes the System Status page, the dashboard of your FortiGate unit. At a glance you can view the current system status of the FortiGate unit including serial number, uptime, FortiGuard license information, system resource usage, alert messages and network statistics. You can also access the CLI from this page. This section also describes status changes that you can make, including changing the unit firmware, host name, and system time. Finally this section describes the topology viewer that is available on all FortiGate models except those with model numbers 50 and 60.
Managing firmware versions describes upgrading and managing firmware versions. You should review this section before upgrading your FortiGate firmware because it contains important information about how to properly back up your current configuration settings and what to do if the upgrade is unsuccessful.
Using virtual domains describes how to use VDOMs to operate your FortiGate unit as multiple virtual FortiGate units, which effectively provides multiple separate firewall and routing services to multiple networks.
System Network explains how to configure physical and virtual interfaces and DNS settings on the FortiGate unit.
System Wireless describes how to configure the Wireless LAN interface on a FortiWiFi-60 unit.
System DHCP explains how to configure a FortiGate interface as a DHCP server or DHCP relay agent.
System Config contains procedures for configuring HA and virtual clustering, configuring SNMP and replacement messages, and changing the operation mode.
System Admin guides you through adding and editing administrator accounts, defining admin profiles for administrators, configuring central management using the FortiGuard Management Service or FortiManager, and defining general administrative settings such as language, timeouts, and web administration ports.
System Certificates explains how to manage X.509 security certificates used by various FortiGate features such as IPSec VPN and administrator authentication.
System Maintenance details how to back up and restore the system configuration using a management computer or a USB disk, as well as how to use revision control, enable FortiGuard services and FortiGuard Distribution Network (FDN) updates, and enter a license key to increase the maximum number of virtual domains.
Router Static explains how to define static routes and create route policies. A static route causes packets to be forwarded to a destination other than the factory-configured default gateway.
Router Dynamic explains how to configure dynamic protocols to route traffic through large or complex networks.
Router Monitor explains how to interpret the Routing Monitor list. The list displays the entries in the FortiGate routing table.
Firewall Policy describes how to add firewall policies to control connections and traffic between FortiGate interfaces, zones, and VLAN subinterfaces. This chapter also describes how to add DoS policies to apply DoS sensors to network traffic and how to add sniffer policies to operate the FortiGate unit as an Intrusion Detection System (IDS) appliance by sniffing packets for attacks without actually receiving and otherwise processing the packets.
Firewall Address describes how to configure addresses and address groups for firewall policies.
Firewall Service describes available services and how to configure service groups for firewall policies.
Firewall Schedule describes how to configure one-time and recurring schedules for firewall policies.
Traffic Shaping describes how to create traffic shaping instances and add them to firewall policies.
Firewall Virtual IP describes how to configure and use virtual IP addresses and IP pools.
Firewall Load Balance describes how to use FortiGuard load balancing to intercept incoming traffic and balance it across available servers.
Firewall Protection Profile describes how to configure protection profiles for firewall policies.
SIP support includes some high-level information about VoIP and SIP and describes how FortiOS SIP support works and how to configure the key SIP features.
The AntiVirus, Intrusion Protection, Web Filter, and Email filtering chapters explain how to configure these options associated with a firewall protection profile.
Data Leak Prevention explains how to use FortiGate data leak prevention to prevent sensitive data from leaving your network.
Application Control describes how to configure the application control options associated with firewall protection profiles.
IPSec VPN provides information about the tunnel-mode and route-based (interface mode) Internet Protocol Security (IPSec) VPN options available through the web-based manager.
PPTP VPN explains how to use the web-based manager to specify a range of IP addresses for PPTP clients.
SSL VPN provides information about basic SSL VPN settings.
User describes how to control access to network resources through user authentication.
WAN optimization and web caching describes how to use FortiGate units to improve performance and security of traffic passing between locations on your wide area network (WAN) or over the Internet.
Endpoint NAC describes how to use FortiGate endpoint NAC to enforce the use of FortiClient End Point Security (Enterprise Edition) in your network.
Wireless Controller describes how to configure a FortiGate unit to act as a wireless network controller, managing the wireless Access Point (AP) functionality of FortiWiFi units.
Log&Report describes how to enable logging, view log files, and view the basic reports available through the web-based manager.
Document conventions
Fortinet technical documentation uses the conventions described below.
IP addresses
To avoid publication of public IP addresses that belong to Fortinet or any other organization, the IP addresses used in Fortinet technical documentation are fictional and follow the documentation guidelines specific to Fortinet. The addresses used are from the private IP address ranges defined in RFC 1918: Address Allocation for Private Internets, available at http://ietf.org/rfc/rfc1918.txt?number-1918.
Note: Presents useful information, usually focused on an alternative, optional method, such as a shortcut, to perform a step.
Tip: Highlights useful additional information, often tailored to your workplace activity.
Typographical conventions
Fortinet documentation uses the following typographical conventions:
Table 1: Typographical conventions in Fortinet technical documentation

Convention: Button, menu, text box, field, or check box label
    Example: From Minimum log level, select Notification.

Convention: CLI input*
    Example:
        config system dns
          set primary <address_ipv4>
        end

Convention: CLI output
    Example:
        FGT-602803030703 # get system settings
        comments : (null)
        opmode : nat

Convention: (not recovered)
    Example: HTTP connections are not secure and can be intercepted by a third party.

Convention: (not recovered)
    Example:
        <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
        <BODY><H4>You must authenticate to use this service.</H4>

Convention: (not recovered)
    Example: Visit the Fortinet Technical Support web site, https://support.fortinet.com.

Convention: (not recovered)
    Example: Type a name for the remote VPN peer or client, such as Central_Office_1.

Convention: (not recovered)
    Example: Go to VPN > IPSEC > Auto Key (IKE).

Convention: Publication
    Example: For details, see the FortiGate Administration Guide.
    Note: Links typically go to the most recent version. To access earlier releases, go to http://docs.fortinet.com/. This link appears at the bottom of each page of this document.

The chapter or section contains VDOM configuration settings; see VDOM configuration settings on page 126.
The chapter or section contains Global configuration settings; see Global configuration settings on page 129.
* For conventions used to represent command syntax, see CLI command syntax on page 28.
Table 2: Command syntax

Curly braces { }
    A word or series of words that is constrained to a set of options delimited by either vertical bars or spaces. You must enter at least one of the options, unless the set of options is surrounded by square brackets [ ].

Options delimited by vertical bars |
    Mutually exclusive options. For example:
        {enable | disable}
    indicates that you must enter either enable or disable, but must not enter both.

Options delimited by spaces
    Non-mutually exclusive options. For example:
        {http https ping snmp ssh telnet}
    indicates that you may enter all or a subset of those options, in any order, in a space-delimited list, such as:
        ping https ssh
    Note: To change the options, you must re-type the entire list. For example, to add snmp to the previous example, you would type:
        ping https snmp ssh
    If the option adds to or subtracts from the existing list of options, instead of replacing it, or if the list is comma-delimited, the exception will be noted.
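The three rules in Table 2 (exactly one option from a vertical-bar set, any non-empty subset from a space-delimited set, and "re-type the entire list" when changing a space-delimited set) are easy to get wrong when scripting configuration pushes. The following validator is an added example, not Fortinet code: it reads a syntax specification in the table's notation and checks what an administrator typed against it. The optional-set form [ { ... } ] and the function names are assumptions made for the example.

```python
"""Validate typed CLI options against the notation of Table 2 (added example,
not Fortinet code).

Mini-grammar assumed from the table:
  {a | b}        exactly one of the options (mutually exclusive)
  {a b c}        a non-empty subset of the options, in any order
  [ {a | b} ]    square brackets make the whole set optional (zero or one)
"""
import re


def parse_spec(spec):
    """Return (options, exclusive, optional) for a spec such as '{enable | disable}'."""
    spec = spec.strip()
    optional = spec.startswith("[") and spec.endswith("]")
    if optional:
        spec = spec[1:-1].strip()
    match = re.fullmatch(r"\{(.*)\}", spec)
    if not match:
        raise ValueError("spec must be enclosed in braces: %r" % spec)
    body = match.group(1).strip()
    exclusive = "|" in body
    # Split on '|' (with surrounding whitespace) for exclusive sets, on
    # whitespace for space-delimited sets; either way we get the bare words.
    options = [word for word in re.split(r"\s*\|\s*|\s+", body) if word]
    return options, exclusive, optional


def validate(spec, typed):
    """Check the words the administrator typed against the spec.

    Returns (ok, message). Mirrors Table 2: an exclusive set takes exactly one
    option; a space-delimited set takes any non-empty subset in any order; an
    optional set may be left empty.
    """
    options, exclusive, optional = parse_spec(spec)
    words = typed.split()
    unknown = [word for word in words if word not in options]
    if unknown:
        return False, "unknown option(s): " + " ".join(unknown)
    if len(set(words)) != len(words):
        return False, "an option was repeated"
    if not words:
        return (True, "ok") if optional else (False, "at least one option is required")
    if exclusive and len(words) > 1:
        return False, "options are mutually exclusive; enter only one"
    return True, "ok"


def retype_with_added(existing, option):
    """The note in Table 2: a space-delimited list is replaced, not merged, so to
    add one option you must type the whole list again. Returns that full list."""
    words = existing.split()
    if option not in words:
        words.append(option)
    return " ".join(words)


if __name__ == "__main__":
    print(validate("{enable | disable}", "enable disable"))
    print(validate("{http https ping snmp ssh telnet}", "ping https ssh"))
    print(retype_with_added("ping https ssh", "snmp"))
```

The validator deliberately rejects a repeated word and an empty list for a mandatory set, the two mistakes a generated configuration is most likely to contain.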
Training
Fortinet Training Services provides a variety of training programs to serve the needs of our customers and partners world-wide. Visit the Fortinet Training Services web site at http://campus.training.fortinet.com, or email training@fortinet.com.
FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20091022 http://docs.fortinet.com/ Feedback
Fortinet documentation
The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the most up-to-date versions of Fortinet publications, as well as additional technical documentation such as technical notes. In addition to the Fortinet Technical Documentation web site, you can find Fortinet technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet Knowledge Base.
• New SIP ALG configuration options
• Easy FortiCare and FortiGuard services registration and renewal
• Endpoint control enhancements
• Per-VDOM replacement messages
• Content archiving is now DLP archive
• Topology viewer is now a custom web-based manager page
• Usage page shows application, policy, and DLP archive usage
• Alert Message Console enhancements
• WCCP widget
• SSL VPN enhancements
• Two-factor authentication
• FortiGate wireless controller
• Interface status detection for gateway load balancing
• Enhanced ECMP route failover and load balancing
• SCEP extensions
• Dynamic routing for IPv6 traffic
• IPv6 DNS
• IPv6 Transparent mode
• IPv6 administrative access
• UTM features support IPv6 traffic
• HTTP basic authentication in firewall policies
• VDOM dashboard
• IPsec protocol improvements
• Auto-configuration of IPsec VPNs
• Integral basic DNS server
• Per-VDOM DNS configuration
• Password policy
• Use LDAP groups in firewall and SSL-VPN authentication
• Traffic shaping enhancements
• Logging enhancements
• Antivirus changes
• Reliable syslog
• Web filtering combined block/exempt list
• Web filtering by content header
• Safe search
• Data Leak Prevention supports international character sets
• SNMPv3 enhancements
• Schedule groups
• RAID support
FortiOS 4.0 provided software detection on endpoints. Using FortiOS 4.0 MR1, you can now also allow or block endpoints based on detected software. The Software Detection List is now called an Application Detection List and you can create multiple lists. FortiGuard services provide all application signatures. You create your application detection list entries by selecting applications from lists of categories, vendors, and application names. Go to Endpoint NAC > Application Detection > Detection List to create detection lists. To view application information from FortiGuard services, go to Endpoint NAC > Application Detection > Predefined. Endpoint check options are no longer configured in the firewall policy. These options and the application detection list are now selected in an Endpoint NAC profile. In the firewall policy, you simply enable Endpoint NAC and select the Endpoint NAC profile to apply. For more information, see Endpoint NAC on page 687.
By default, the Usage widget displays on the System > Status > Usage page for both global and VDOM administrators. You can also add the Usage widget to custom web-based manager pages. For more information, see Viewing application, policy, and DLP archive usage data on page 102.
WCCP widget
Using the FortiOS 4.0 customizable GUI feature, you can add a WCCP widget to the web-based manager and use this widget to add WCCP entries to the FortiGate configuration. For more information, see Configuring WCCP on page 183.
Single Sign-On
With the new single sign-on feature, a web bookmark can include login credentials to automatically log the SSL VPN user into the web site. This means that once the user logs into the SSL VPN, he or she does not have to enter any more credentials to visit preconfigured web sites. When the administrator configures bookmarks, the web site credentials must be the same as the user's SSL VPN credentials. Users configuring their own bookmarks can specify alternative credentials for the web site. For more information, see Bookmarks widget on page 634.
OS Check changes
You can now configure the client operating system checks only in the CLI, but the supported operating systems now include Windows Vista.
    config vpn ssl web portal
      edit <portal_name>
        set os-check enable
        config os-check-list {windows-2000 | windows-xp | windows-vista}
          set action {allow | check-up-to-date | deny}
          set latest-patch-level {disable | 0 - 255}
          set tolerance {tolerance_num}
        end
    end
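The CLI above declares the policy but not how the three settings combine when a client connects. The following is an added example, not FortiOS code, that evaluates one client against such a policy so the interaction of action, latest-patch-level and tolerance is explicit. Because this page does not define the semantics, the example states its assumptions: latest-patch-level is the expected patch level, tolerance is how many levels below it a client may be and still pass, and a client whose operating system has no entry is denied. The sample policy, the dictionary layout and the function names are constructed for the example.

```python
"""Decision logic for an SSL VPN client OS check of the kind configured under
config os-check-list (added example; not FortiOS code)."""

# Names copied from the CLI syntax shown on this page.
SUPPORTED_OS = ("windows-2000", "windows-xp", "windows-vista")
ACTIONS = ("allow", "check-up-to-date", "deny")

# Constructed sample policy (assumption: one entry per client OS, keyed by the
# os-check-list name). Patch levels and tolerance values are illustrative.
SAMPLE_POLICY = {
    "windows-xp":    {"action": "check-up-to-date", "latest_patch_level": 3, "tolerance": 1},
    "windows-vista": {"action": "allow"},
    "windows-2000":  {"action": "deny"},
}


def os_check(policy, client_os, client_patch_level):
    """Return ("allow" | "deny", reason) for one connecting client.

    Assumptions (the page does not define them): latest-patch-level is the
    patch level the administrator expects, tolerance is how many levels below
    it a client may be and still pass, and a client whose OS has no entry is
    denied (the conservative choice for a host check).
    """
    if client_os not in SUPPORTED_OS:
        return "deny", "operating system %r is not supported by the check" % client_os
    entry = policy.get(client_os)
    if entry is None:
        return "deny", "no os-check-list entry for %s" % client_os
    action = entry["action"]
    if action not in ACTIONS:
        raise ValueError("invalid action %r (expected one of %s)" % (action, ", ".join(ACTIONS)))
    if action == "allow":
        return "allow", "action allow: no patch-level requirement enforced"
    if action == "deny":
        return "deny", "action deny for %s" % client_os
    # action == "check-up-to-date": enforce the patch-level requirement.
    latest = entry.get("latest_patch_level", "disable")
    if latest == "disable":
        return "allow", "check-up-to-date with latest-patch-level disabled"
    if not (isinstance(latest, int) and 0 <= latest <= 255):
        raise ValueError("latest-patch-level must be 'disable' or 0-255")
    tolerance = int(entry.get("tolerance", 0))
    required = max(latest - tolerance, 0)
    if client_patch_level >= required:
        return "allow", "patch level %d meets the minimum %d" % (client_patch_level, required)
    return "deny", "patch level %d is below the minimum %d (latest %d, tolerance %d)" % (
        client_patch_level, required, latest, tolerance)


if __name__ == "__main__":
    for os_name, level in (("windows-xp", 3), ("windows-xp", 1), ("linux", 0)):
        print(os_name, level, os_check(SAMPLE_POLICY, os_name, level))
```

Note the choice to deny unknown operating systems and to raise on a malformed entry rather than silently allowing: a host check that fails open on a typo in the policy gives no assurance at all.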
Two-factor authentication
In FortiOS 4.0 MR1, PKI users can be required to authenticate by password in addition to their certificate authentication, for both administrative and SSL VPN access. This two-factor authentication provides additional security to meet ICSA 4.0 requirements. For more information, see Configuring peer users and peer groups on page 657.
You can also configure two-factor authentication in an SSL VPN, by using these settings:
    config vpn ssl settings
      set force-two-factor-auth enable
    end
If this option is enabled, only users with two-factor authentication can log in to the SSL VPN.
Enhanced ECMP route failover and load balancing
The FortiGate unit can load balance sessions among ECMP routes in two ways: based on weights added to the ECMP routes, so that more traffic is directed to routes with higher weights; or based on how busy the FortiGate interfaces added to the routes are.
For more information, see ECMP route failover and load balancing on page 322.
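To make the two distribution methods concrete, here is an added example (not FortiOS's implementation; this page does not give the unit's actual algorithm) that spreads a run of new sessions over two constructed WAN routes first by weight and then by current interface usage. The smooth weighted round-robin scheme and the single load number per interface are assumptions chosen for illustration.

```python
"""Two ways of spreading new sessions over equal-cost (ECMP) routes, as an
illustration of the behaviour described above (added example; not FortiOS's
implementation, whose exact algorithm is not given on this page)."""


def weighted_round_robin(weights, n_sessions):
    """Assign n_sessions to routes in proportion to their weights.

    Uses smooth weighted round-robin (assumption: FortiOS's own scheme is not
    documented here): every route accumulates its weight each round, the route
    with the largest accumulator takes the session and is debited the total,
    so a 3:1 weighting yields wan1, wan1, wan2, wan1, ... rather than a burst.
    Returns (sessions_per_route, ordered list of chosen routes).
    """
    if not weights or any(w <= 0 for w in weights.values()):
        raise ValueError("every route needs a positive weight")
    total = sum(weights.values())
    current = {route: 0 for route in weights}
    assigned = {route: 0 for route in weights}
    order = []
    for _ in range(n_sessions):
        for route, weight in weights.items():
            current[route] += weight
        chosen = max(current, key=current.get)  # ties go to the first route listed
        current[chosen] -= total
        assigned[chosen] += 1
        order.append(chosen)
    return assigned, order


def least_busy(interface_load):
    """Usage-based choice: the route whose interface currently carries the least
    traffic (assumption: 'busy' is modelled as one load number per interface)."""
    return min(interface_load, key=interface_load.get)


def distribute_by_usage(interface_load, session_sizes):
    """Place each new session on the currently least-busy interface, adding its
    expected traffic to that interface's load. Returns (final loads, choices)."""
    loads = dict(interface_load)
    choices = []
    for size in session_sizes:
        chosen = least_busy(loads)
        loads[chosen] += size
        choices.append(chosen)
    return loads, choices


# Constructed sample data: two WAN routes, one weighted 3x the other, and a
# constructed snapshot of current load per interface.
SAMPLE_WEIGHTS = {"wan1": 3, "wan2": 1}
SAMPLE_LOAD = {"wan1": 800, "wan2": 200}

if __name__ == "__main__":
    counts, order = weighted_round_robin(SAMPLE_WEIGHTS, 400)
    print(counts, order[:8])
    print(distribute_by_usage(SAMPLE_LOAD, [300, 300, 300]))
```

Running the weighted method for 400 sessions gives a 300:100 split; the usage method sends new sessions to wan2 until its load catches up with wan1, which is the failover-friendly behaviour the feature list above calls "enhanced".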
SCEP extensions
FortiOS 4.0 MR1 supports automatic update of system certificates. When a certificate is about to expire, the FortiGate unit uses SCEP to request and download a new certificate. This applies to both Local and CA certificates. You can also configure periodic updating of a Certificate Revocation List (CRL). Certificate auto-update is configured in the CLI.
The following dynamic routing commands were added or modified to support IPv6 traffic:
router access-list6
Use the new router access-list6 command to add, edit, or delete access lists for IPv6 traffic. Access lists are filters used by FortiGate unit routing processes. For an access list to take effect, it must be called by a FortiGate unit routing process (for example, a process that supports RIPng or OSPF).
router ospf6
Use the new router ospf6 command to configure OSPF routing for IPv6 traffic.
router prefix-list6
Use the new router prefix-list6 command to add, edit, or delete prefix lists for IPv6 traffic. A prefix list is an enhanced version of an access list that allows you to control the length of the prefix netmask.
router ripng
Use this command to configure FortiGate support for RIPng. RIPng is the next generation (ng) version of RIP that supports IPv6. See RFC 2080 for details about RIPng for IPv6.
IPv6 DNS
In FortiOS 4.0 MR1, you can configure DNS server addresses for IPv6 traffic. For more information about IPv6 DNS, see Configuring Networking Options on page 176.
VDOM dashboard
In previous FortiOS versions, only administrators with the super_admin profile could view the dashboard. In FortiOS 4.0 MR1, VDOM administrators see their own VDOM-specific dashboard when they log in or go to System > Status. The super_admin can view only the global dashboard. For more information, see VDOM and global dashboards on page 68.
Password policy
Optionally, you can set a password policy to require more secure passwords than the FortiGate defaults. The password policy can apply to administrators or IPsec VPN preshared keys. You can:
• require the use of special characters in the password
• require periodic password changes
• set a minimum amount of change in the new password (available in CLI only).
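The three controls above map directly onto checks that can be run before a password is accepted. The following is an added example, not FortiOS code, implementing each of them; the thresholds (minimum length, number of special characters, edits required between old and new, maximum age in days) are illustrative assumptions, as is the use of edit distance to measure "amount of change", since this page does not state how FortiOS measures it or what its defaults are.

```python
"""Checks for the three password-policy controls listed above: special
characters, periodic change, and a minimum amount of change between the old
and new password (added example; not FortiOS code). Thresholds are
illustrative assumptions."""
import string
from datetime import date

SPECIAL_CHARS = set(string.punctuation)


def special_char_count(password):
    """Number of punctuation characters in the password."""
    return sum(1 for ch in password if ch in SPECIAL_CHARS)


def levenshtein(a, b):
    """Edit distance, used here as the 'amount of change' between two passwords
    (assumption: the page does not say how FortiOS measures the change)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_password(new, old=None, min_length=8, min_special=1, min_change=4):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(new) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if special_char_count(new) < min_special:
        problems.append("at least %d special character(s) required" % min_special)
    if old is not None and levenshtein(old, new) < min_change:
        problems.append("differs from the previous password in fewer than %d edits" % min_change)
    return problems


def password_expired(last_changed_iso, today_iso, max_age_days=90):
    """Periodic change: True once the password is max_age_days old or older.
    Dates are ISO strings (YYYY-MM-DD)."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age.days >= max_age_days


if __name__ == "__main__":
    print(check_password("Str0ng!Pass", old="Str0ng!Pasx"))
    print(password_expired("2009-07-01", "2009-10-22"))
```

The minimum-change check is the one most often skipped in home-grown policies, yet it is what stops an administrator from rotating "Summer!2009" to "Summer!2010" on every expiry.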
Logging enhancements
Due to the new per-VDOM FortiAnalyzer unit feature, there are some general changes to logging configuration.
CLI changes
In the CLI, the global FortiAnalyzer configuration has moved from system fortianalyzer to log fortianalyzer setting. The keywords within the command are unchanged.
Antivirus changes
For FortiOS 4.0 MR1, if you enable VDOMs, all UTM > Antivirus options are now configured separately for each VDOM. In FortiOS 4.0 GA, only administrators with global access could configure and manage the file quarantine, view the virus list, and configure the grayware list.
In addition, the following antivirus functionality has been renamed or moved:
• Go to Log & Report > Quarantined Files to view the quarantined files list. The functionality of the quarantined files list is unchanged except that with VDOMs enabled, the Quarantined Files list is now available for each VDOM and only shows files quarantined from that VDOM.
• UTM > Antivirus > Quarantine was UTM > Antivirus > Config. Functionality is unchanged.
• Go to UTM > Virus Database to view information about the current virus database on the FortiGate unit. For FortiGate units that support the extended virus database, you can go to UTM > Virus Database and select the virus database to use for virus scanning. With VDOMs enabled, you select the virus database to use for virus scanning for the VDOM.
• For FortiGate units that support the extended virus database, you can select the virus database to use for individual protection profiles from the CLI. The Protection Profile Antivirus > Extended AV Database option has been removed from the web-based manager. New CLI options for selecting the antivirus database for a protection profile are available for each protocol. For example, to select the antivirus database in the scan protection profile for HTTP and for FTP, enter:
    config firewall profile
      edit scan
        set http-avdb {default | extended | normal}
        set ftp-avdb {default | extended | normal}
    end
• Go to UTM > Virus Database to enable grayware detection. The previous UTM > Grayware page has been removed and you can no longer enable or disable individual grayware categories.
For more information, see Selecting the virus database on page 519.
Reliable syslog
Reliable syslog protects log information through authentication and data encryption and ensures that the log messages are reliably delivered in order. FortiOS 4.0 MR1 implements the RAW profile of RFC 3195. You can configure this feature only in the CLI. For more information, see Remote logging to a syslog server on page 707.
Safe search
FortiOS 4.0 MR1 can prevent users from disabling the safe search feature of the Google, Yahoo!, or Bing search engines. This is important in environments such as education where web filtering is used to block sites with inappropriate content. If users can bypass the search engine safe search feature, the returned search results can contain inappropriate material in either summary text or thumbnail images. Safe search is enabled in the Web Filtering part of a protection profile. For more information, see Web Filtering options on page 480.
To view the list of available character sets, enter set http-post-lang ? from within the edit shell for the profile. For more information, see Character sets and Web content filtering, Email filtering banned word, and DLP scanning on page 483.
SNMPv3 enhancements
FortiOS 4.0 introduced basic support for SNMPv3, the latest version of the Simple Network Management Protocol. FortiOS Version 4.0 MR1 adds support for snmpEngineID user authentication and encryption capabilities.
The snmpEngineID is optional, so you are not required to define an engine-id value. To specify the engine-id:
    config system snmp sysinfo
      set engine-id <string>
    end
Schedule groups
You can now create schedule groups, similar to address groups or service groups. In a firewall policy you can select either an individual schedule or a schedule group. For more information, see Configuring schedule groups on page 413.
RAID support
Some FortiGate units that contain multiple hard disks also support redundant array of independent disks (RAID). For more information, see Configuring the RAID array on page 94.
Web-based manager
This section describes the features of the user-friendly web-based manager administrative interface (sometimes referred to as a graphical user interface, or GUI) of your FortiGate unit.
Using HTTP or a secure HTTPS connection from any management computer running a web browser, you can connect to the FortiGate web-based manager to configure and manage the FortiGate unit. The recommended minimum screen resolution for the management computer is 1280 by 1024. Some of the information displayed by the web-based manager uses features only supported by the most recent versions of the most popular web browsers. Older versions of these web browsers may not always work correctly with the web-based manager.
You can configure the FortiGate unit for HTTP and HTTPS web-based administration from any FortiGate interface. To connect to the web-based manager you require a FortiGate administrator account and password. The web-based manager supports multiple languages, but by default appears in English on first use.
You can go to System > Status to view detailed information about the status of your FortiGate unit on the system dashboard. The dashboard displays information such as the current FortiOS firmware version, antivirus and IPS definition versions, operation mode, connected interfaces, and system resources. It also shows whether the FortiGate unit is connected to a FortiAnalyzer unit and a FortiManager unit or other central management services.
You can use the web-based manager menus, lists, and configuration pages to configure most FortiGate settings. Configuration changes made using the web-based manager take effect immediately without resetting the FortiGate unit or interrupting service. You can back up your configuration at any time using the Backup Configuration button on the button bar. The button bar is located in the upper right corner of the web-based manager. The saved configuration can be restored at any time.
The web-based manager also includes detailed context-sensitive online help. Selecting Online Help on the button bar displays help for the current web-based manager page.
You can use the FortiGate command line interface (CLI) to configure the same FortiGate settings that you can configure from the web-based manager, as well as additional CLI-only settings. The system dashboard provides an easy entry point to the CLI console that you can use without exiting the web-based manager.
This section describes:
• Common web-based manager tasks
• Changing your FortiGate administrator password
• Changing the web-based manager language
• Changing administrative access to your FortiGate unit
• Changing the web-based manager idle timeout
• Connecting to the FortiGate CLI from the web-based manager
• Button bar features
• Contacting Customer Support
• Backing up your FortiGate configuration
Web-based manager
Using FortiGate Online Help
Logging out
Web-based manager pages
Web-based manager icons
To connect to the web-based manager
1 Start your web browser and browse to https:// followed by the IP address of the FortiGate unit interface that you can connect to. For example, if the IP address is 192.168.1.99, browse to https://192.168.1.99 (remember to include the s in https://).
To support a secure HTTPS authentication method, the FortiGate unit ships with a self-signed security certificate, which is offered to remote clients whenever they initiate an HTTPS connection to the FortiGate unit. When you connect, the FortiGate unit displays two security warnings in a browser.
The first warning prompts you to accept and optionally install the FortiGate unit's self-signed security certificate. If you do not accept the certificate, the FortiGate unit refuses the connection. If you accept the certificate, the FortiGate login page appears. The credentials entered are encrypted before they are sent to the FortiGate unit. If you choose to accept the certificate permanently, the warning is not displayed again.
Just before the FortiGate login page is displayed, a second warning informs you that the FortiGate certificate distinguished name differs from the original request. This warning occurs because the FortiGate unit redirects the connection. This is an informational message. Select OK to continue logging in.
2 Type admin or the name of a configured administrator in the Name field.
3 Type the password for the administrator account in the Password field.
4 Select Login.
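The browser cannot validate the self-signed certificate in step 1, so an administrator may want to compare its SHA-256 fingerprint with one recorded out of band (for example, from the console) before entering the admin password. The Python script below is an added example, not code from this guide or from Fortinet; it assumes the guide's example address 192.168.1.99 and uses a placeholder for the recorded fingerprint.

```python
"""Check a FortiGate web-based manager's self-signed certificate by fingerprint.

Added example (not from the FortiGate Administration Guide). The unit ships
with a self-signed certificate, so chain validation cannot succeed; instead,
record the certificate's SHA-256 fingerprint once over a trusted path and
compare it on every later HTTPS connection before logging in.
"""
import hashlib
import socket
import ssl

# Assumptions: the guide's example management address, and a placeholder
# fingerprint that you must replace with the value recorded out of band.
FORTIGATE_HOST = "192.168.1.99"
EXPECTED_FINGERPRINT = "REPLACE-WITH-RECORDED-SHA256-FINGERPRINT"


def fingerprint_sha256(der_cert: bytes) -> str:
    """Return the SHA-256 fingerprint of a DER-encoded certificate as
    upper-case hex pairs separated by colons, the way browsers show it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fingerprint: str) -> str:
    """Canonical form for comparison: strip colons and spaces, upper-case."""
    return "".join(ch for ch in fingerprint if ch not in ": ").upper()


def certificate_matches(der_cert: bytes, expected_fingerprint: str) -> bool:
    """True only if the presented certificate has the recorded fingerprint."""
    return (normalize_fingerprint(fingerprint_sha256(der_cert))
            == normalize_fingerprint(expected_fingerprint))


def fetch_peer_certificate(host: str, port: int = 443,
                           timeout: float = 5.0) -> bytes:
    """Open a TLS connection and return the DER certificate the peer presents.

    Chain verification is disabled because the certificate is self-signed;
    no credentials are sent, and the caller decides based on the fingerprint.
    """
    context = ssl.create_default_context()
    context.check_hostname = False          # must be cleared before CERT_NONE
    context.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw_sock:
        with context.wrap_socket(raw_sock, server_hostname=host) as tls_sock:
            # binary_form=True yields the DER bytes even with verification off
            return tls_sock.getpeercert(binary_form=True)


def check_fortigate(host: str, expected_fingerprint: str,
                    port: int = 443) -> bool:
    """Connect to the unit and report whether its certificate is the pinned one."""
    return certificate_matches(fetch_peer_certificate(host, port),
                               expected_fingerprint)


if __name__ == "__main__":
    der = fetch_peer_certificate(FORTIGATE_HOST)
    print("Presented fingerprint:", fingerprint_sha256(der))
    if certificate_matches(der, EXPECTED_FINGERPRINT):
        print("Fingerprint matches the recorded value; proceed to the login page.")
    else:
        print("Fingerprint does NOT match; do not enter credentials until "
              "the mismatch is explained.")
```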
FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20091022 http://docs.fortinet.com/ Feedback
To change an administrator account password
1 Go to System > Admin > Administrators. This web-based manager page lists the administrator accounts that can log into the FortiGate unit. The default configuration includes the admin administrator account.
2 Select the Change Password icon and enter a new password.
3 Select OK.
Note: You can also add new administrator accounts by selecting Create New. For more information about adding administrators, changing administrator account passwords and related configuration settings, see System Admin on page 241.
To change administrative access to your FortiGate unit
1 Go to System > Network > Interface.
2 Choose an interface for which to change administrative access and select Edit.
3 Select one or more Administrative Access types for the interface.
4 Select OK.
For more information about changing administrative access, see Configuring administrative access to an interface on page 165.
To change the web-based manager idle timeout
1 Go to System > Admin > Settings.
2 Change the Idle Timeout minutes as required.
3 Select Apply.
You must register your Fortinet product to receive product updates, technical support, and FortiGuard services. To register a Fortinet product, go to Product Registration and follow the instructions.
Online help button bar
Show Navigation: Open the online help navigation pane. From the navigation pane you can use the online help table of contents, index, and search to access all of the information in the online help. The online help is organized in the same way as the FortiGate web-based manager and the FortiGate Administration Guide.
Previous: Display the previous page in the online help.
Next: Display the next page in the online help.
Email: Send an email to Fortinet Technical Documentation at techdoc@fortinet.com if you have comments on or corrections for the online help or any other Fortinet technical documentation product.
Print: Print the current online help page.
Bookmark: Add an entry for this online help page to your browser bookmarks or favorites list to make it easier to find useful online help pages. Not supported by all browsers.
VDOM icon: When you select help for a VDOM configuration settings web-based manager page, the help display includes the VDOM icon. For information about VDOM configuration settings, see VDOM configuration settings on page 126.
Global icon: When you select help for a Global configuration settings web-based manager page, the help display includes the Global icon. For information about Global configuration settings, see Global configuration settings on page 129.
To view the online help table of contents or index, and to use the search feature, select Online Help in the button bar in the upper right corner of the web-based manager. From the online help, select Show Navigation.
Figure 5: Online help page with navigation pane and content pane
Online help navigation pane
Contents: Display the online help table of contents. You can navigate through the table of contents to find information in the online help. The online help is organized in the same way as the FortiGate web-based manager and the FortiGate Administration Guide.
Index: Display the online help index. You can use the index to find information in the online help.
Search: Display the online help search. For more information, see Searching the online help on page 54.
Show in Contents: If you have used the index, search, or hyperlinks to find information in the online help, the table of contents may not be visible or may be out of sync with the current help page. You can select Show in Contents to display the location of the current help page within the table of contents.
To search in the online help system
1 From any web-based manager page, select the online help button.
2 Select Show Navigation.
3 Select Search.
4 In the search field, enter one or more words to search for and then press the Enter key on your keyboard or select Go.
The search results pane lists the names of all the online help pages that contain all the words that you entered. Select a name from the list to display that help page.
Figure: Online help search pane (Search Field, Go, Search Results)
Logging out
The Logout button immediately logs you out of the web-based manager. Log out before you close the browser window. If you simply close the browser or leave the web-based manager, you remain logged in until the idle timeout (default 5 minutes) expires. To change the timeout, see Changing the web-based manager idle timeout on page 50.
Figure: Web-based manager page layout (Menu, Tabs, Page, Button bar, Log&Report)
Figure: A web-based manager list with Delete and Edit icons
If you log in as an administrator with an admin profile that allows Read Only access to a list, you will only be able to view the items on the list (see Figure 9).
Figure 9: A web-based manager list (read only access)
Endpoint NAC list of known endpoints (see Monitoring endpoints on page 693)
Log and report log access list (see Accessing and viewing log messages on page 714).
Filters are useful for reducing the number of entries that are displayed on a list so that you can focus on the information that is important to you. For example, you can go to System > Status, and, in the Statistics section, select Details on the Sessions line to view the communications sessions that the FortiGate unit is currently processing. A busy FortiGate unit may be processing hundreds or thousands of communications sessions. You can add filters to make it easier to find specific sessions. For example, you might be looking for all communications sessions being accepted by a specific firewall policy. You can add a Policy ID filter to display only the sessions for a particular Policy ID or range of Policy IDs. You add filters to a web-based manager list by selecting any filter icon to display the Edit Filters window. From the Edit Filters window you can select any column name to filter, and configure the filter for that column. You can also add filters for one or more columns at a time. The filter icon remains gray for unfiltered columns and changes to green for filtered columns.
Figure 10: An intrusion protection predefined signatures list filtered to display all signatures containing apache with logging enabled, action set to drop, and severity set to high
The filter configuration is retained after leaving the web-based manager page and even after logging out of the web-based manager or rebooting the FortiGate unit. Different filter styles are available depending on the type of information displayed in individual columns. In all cases, you configure filters by specifying what to filter on and whether to display information that matches the filter, or by selecting NOT to display information that does not match the filter.
Note: Filter settings are stored in the FortiGate configuration and will be maintained the next time that you access any list for which you have added filters.
On firewall policy, IPv6 policy, predefined signature and log and report log access lists, you can combine filters with column settings to provide even more control of the information displayed by the list. See Using filters with column settings on page 63 for more information.
Figure 11 shows a numeric filter configured to control the source addresses that are displayed on the session list. In this example, a filter is enabled for the Source Address column. The filter is configured to display only source addresses in the range 1.1.1.1-1.1.1.2. To view the session list, go to System > Status. In the Statistics section, beside Sessions, select Details.
Figure 11: A session list with a numeric filter set to display sessions with source IP address in the range of 1.1.1.1-1.1.1.2
Custom filters
Other custom filters are also available. You can filter log messages according to date range and time range. You can also set the level filter to display log messages with multiple severity levels.
Figure 14: A log access filter set to display all log messages with level of alert, critical, error, or warning
intrusion protection predefined signatures list (see Viewing the predefined signature list on page 525)
web filtering lists (see Web Filter on page 541)
antispam lists (see Email filtering on page 559)
Firewall user monitor list (see Firewall user monitor list on page 668)
IPSec VPN Monitor (see Monitoring VPNs on page 618)
Banned user list (see NAC quarantine and the Banned User list on page 670)
log and report log access lists (see Accessing and viewing log messages on page 714)
Endpoint NAC list of known endpoints (see Monitoring endpoints on page 693)
Page navigation controls
First Page: Display the first page of items in the list.
Previous Page: Display the previous page of items in the list.
Current Page: The current page number of list items that are displayed. You can enter a page number and press Enter to display the items on that page. For example, if there are 5 pages of items and you enter 3, page 3 of the sessions will be displayed.
Total pages: The number of pages of list items that you can view.
Next Page: Display the next page of items in the list.
Last Page: Display the last page of items in the list.
IPSec VPN Monitor (see Monitoring VPNs on page 618)
Endpoint NAC list of known endpoints (see Monitoring endpoints on page 693)
Log and report log access lists (see Accessing and viewing log messages on page 714).
Note: Any changes that you make to the column settings of a list are stored in the FortiGate configuration and will display the next time that you access the list.
To change column settings on a list that supports it, select Column Settings. From Available fields, select the column headings to be displayed and then select the Right Arrow to move them to the Show these fields in this order list. Similarly, to hide column headings, use the Left Arrow to move them back to the Available fields list. Use Move Up and Move Down to change the order in which to display the columns. For example, you can change interface list column headings to display only the IP/Netmask, MAC address, MTU, and interface Type for each interface.
Figure 16: Example of interface list column settings
For more information, see Adding filters to web-based manager lists on page 57.
Table 4: web-based manager icons
Administrative status down: The administrative status of a FortiGate interface is down and the interface will not accept traffic.
Administrative status up: The administrative status of a FortiGate interface is up and the interface accepts traffic.
Change Password: Change the administrator password. This icon appears in the Administrators list if your admin profile enables you to give write permission to administrators.
Clear: Clear all or remove all entries from the current list. For example, on a URL filter list you can use this icon to remove all URLs from the current URL filter list.
Clone: Make a new item based on this item.
Comment: Hover the mouse pointer over this icon to view the text from the Comment field.
Delete: Delete an item. This icon appears in lists where the item can be deleted and you have edit permission for the item.
Description: The tooltip for this icon displays the Description or Comments field for this table entry.
Diff: Determine the differences between two revisions of the FortiGate unit configuration.
Disconnect from cluster: Disconnect a FortiGate unit from a functioning HA cluster.
Download: Download information from a FortiGate unit. For example, you can download certificates and debug logs.
Edit: Edit a configuration. This icon appears in lists where you have write permission for the item.
Edit User/Group: Edit user or group (Directory Service).
Enter a VDOM: Enter a virtual domain and use the web-based manager to configure settings for the virtual domain.
Expand Arrow (closed): Expand this section to reveal more fields. This icon is used in some dialog boxes and lists.
Expand Arrow (open): Close this section to hide some fields. This icon is used in some dialog boxes and lists.
Filter: Set a filter on one or more columns in this table. See Adding filters to web-based manager lists on page 57.
First page: View the first page of a list.
Forget the Rogue or Accepted Status of a detected wireless access point and return the AP to Unknown status.
Add a new item to a list so that it precedes the current item. Used in lists when the order of items in the list is significant, for example firewall policies, IPS Sensors, and DoS Sensors.
Last page: View the last page of a list.
Mark as Accepted: Move the detected wireless access point to the Accepted Access Points list.
Exempt Temporarily: Exempt the selected endpoint from endpoint NAC.
Mark as Rogue: Move the detected wireless access point to the Rogue Access Points list.
Restore to Blocked State: Resume blocking access for a temporarily exempted endpoint (Endpoint NAC).
Move to: Change the position of an item in a list. Used in lists when the order of items in the list is significant, for example firewall policies, IPS Sensors, and DoS Sensors.
Table 4: web-based manager icons (Continued)
Next page: View the next page of a list.
Previous page: View the previous page of a list.
Refresh: Update the information on this page.
Reset: Revert to the global version of this replacement message.
Reset: Reset to default value (Global resource limits).
Revert: Revert to this revision of the unit configuration.
View: View a configuration. This icon appears in lists instead of the Edit icon when you have read-only access to a web-based manager list.
View details: View detailed information about an item. For example, you can use this icon to view details about certificates.
System Status
This section describes the System Status page, the dashboard of your FortiGate unit. At a glance you can view the current system status of the FortiGate unit including serial number, uptime, FortiGuard license information, system resource usage, alert messages and network statistics.
Note: Your browser must support Javascript to view the System Status page.
If you enable virtual domains (VDOMs) on the FortiGate unit, the status page is available globally and system status settings are configured globally for the entire FortiGate unit. The Topology viewer is not available when VDOMs are enabled. For details, see Using virtual domains on page 125.

This section describes:
Viewing the system dashboard
Changing system information
Changing the FortiGate firmware
Viewing operational history
Manually updating FortiGuard definitions
Viewing Log and Archive Statistics
Configuring the RAID array
Configuring AMC modules
Viewing application, policy, and DLP archive usage data
Using the topology viewer
Global administrators with the super_admin admin profile can view only the global dashboard.
Dashboard widget controls
Shows the name of the display.
Select to open or close the display.
Select to show an expanded set of data. Not available for all widgets.
Select to change settings for the display.
Select to update the displayed information.
Select to close the display. You will be prompted to confirm the action.
The available dashboard widgets are:
System Information
License Information
Unit Operation
System Resources
Alert Message Console
Log and Archive Statistics
CLI Console
Top Sessions
Top Viruses
Top Attacks
RAID monitor
System Information
Go to System > Status > Dashboard to find System Information. To add the System Information widget to the dashboard go to System > Status > Dashboard, select Add Content and select System Information from the list.
Figure 20: System Information
Serial Number: The serial number of the FortiGate unit. The serial number is specific to the FortiGate unit and does not change with firmware upgrades.
Uptime: The time in days, hours, and minutes since the FortiGate unit was started.
System Time: The current date and time according to the FortiGate unit's internal clock. Select Change to change the time or configure the FortiGate unit to get the time from an NTP server. For more information, see Configuring system time on page 86.
HA Status: The status of high availability for this unit. Standalone indicates the unit is not operating in HA mode. Active-Passive or Active-Active indicate the unit is operating in HA mode. Select Configure to configure the HA status for this unit. For more information, see HA on page 205.
Host Name: The host name of the current FortiGate unit. Select Change to change the host name. For more information, see Changing the FortiGate unit host name on page 87. If the FortiGate unit is in HA mode, this field is not displayed.
Cluster Name: The name of the HA cluster for this FortiGate unit. For more information, see HA on page 205. The FortiGate unit must be operating in HA mode to display this field.
Cluster Members: The FortiGate units in the HA cluster. Information displayed about each member includes host name, serial number, and whether the unit is a primary (master) or subordinate (slave) unit in the cluster. For more information, see HA on page 205. The FortiGate unit must be operating in HA mode with virtual domains disabled to display this field.
Virtual Cluster 1 and Virtual Cluster 2: The role of each FortiGate unit in virtual cluster 1 and virtual cluster 2. For more information, see HA on page 205. The FortiGate unit must be operating in HA mode with virtual domains enabled to display these fields.
Firmware Version: The version of the current firmware installed on the FortiGate unit. The format for the firmware version is Select Update to change the firmware. For more information, see Upgrading to a new firmware version on page 88.
FortiClient Version: The current version of FortiClient uploaded to your FortiGate unit, used for endpoint control. This field appears if you can upload a FortiClient image onto your FortiGate unit. For more information, see Configuring FortiClient installer download and version enforcement on page 688.
Operation Mode: The operating mode of the current FortiGate unit. A FortiGate unit can operate in NAT mode or Transparent mode. Select Change to switch between NAT and Transparent mode. For more information, see Changing operation mode on page 238. If virtual domains are enabled, this field shows the operating mode of the current virtual domain. Each virtual domain can be operating in either NAT mode or Transparent mode. If virtual domains are enabled, the Global System Status dashboard does not include this field.
Virtual Domain: Status of virtual domains on your FortiGate unit. Select Enable or Disable to change the status of the virtual domains feature. If you enable or disable virtual domains, your session will be terminated and you will need to log in again. For more information, see Using virtual domains on page 125.
Current Administrators: The number of administrators currently logged into the FortiGate unit. Select Details to view more information about each administrator that is currently logged in. The additional information includes user name, type of connection, IP address from which they are connecting, and when they logged in.
Current User: The name of the admin account that you have used to log into the FortiGate unit. If you are authenticated locally by password, not by PKI or remote authentication, you can select Change Password to change the password for this account. When you change the password you are logged out and must log back in with the new password. For more information, see Changing an administrator account password on page 246.
License Information
License Information displays the status of your technical support contract and FortiGuard subscriptions. The FortiGate unit updates the license information status indicators automatically when attempting to connect to the FortiGuard Distribution Network (FDN). FortiGuard Subscriptions status indicators are green if the FDN was reachable and the license was valid during the last connection attempt, grey if the FortiGate unit cannot connect to the FDN, and orange if the FDN is reachable but the license has expired.
When a new FortiGate unit is powered on, it automatically searches for FortiGuard services. If the unit is configured for central management, it will look for FortiGuard services on the configured FortiManager system. The FortiGate unit sends its serial number to the FortiGuard service provider, which then determines whether the FortiGate unit is registered and has valid contracts for FortiGuard subscriptions and FortiCare support services. If the FortiGate unit is registered and has a valid contract, the License Information is updated.

If the FortiGate unit is not registered, any administrator with the super_admin profile sees a reminder message that provides access to a registration form. When a contract is due to expire within 30 days, any administrator with the super_admin profile sees a notification message that provides access to an Add Contract form. Simply enter the new contract number and select Add. Fortinet Support also sends contract expiry reminders.

Optionally, you can disable notification for registration or contract inquiry.

To disable registration notification:
    config system global
        set registration-notification disable
    end

To disable contract expiry notification:
    config system global
        set service-expire-notification disable
    end

Selecting any of the Configure options will take you to the Maintenance page. For more information, see System Maintenance on page 289.
Figure 21: License Information (example)
Support Contract: Displays details about your current Fortinet Support contract including expiry dates and registration status. If Not Registered appears, select Register to register the unit. If Expired appears, select Renew for information on renewing your technical support contract. Contact your local reseller. If Registered appears, the name of the support account that registered this FortiGate unit is also displayed. You can select Login Now to log into the Fortinet Support account that registered this FortiGate unit.
AntiVirus: The FortiGuard Antivirus version, license issue date and service status. If your license has expired, you can select Renew to renew the license.
Definitions: The currently installed version of the FortiGuard Antivirus definitions. To update the definitions manually, select Update. For more information, see Manually updating FortiGuard definitions on page 91.
Extended set: The currently installed version of the extended FortiGuard Antivirus definitions. For more information about the extended antivirus database, see Selecting the virus database on page 519. To update the definitions manually, select Update. For more information, see Manually updating FortiGuard definitions on page 91. The extended antivirus database is not available on all models.
Intrusion Prevention: The FortiGuard Intrusion Prevention System (IPS) license version, license issue date and service status. If your license has expired, you can select Renew to renew the license.
Definitions: The currently installed version of the IPS attack definitions. To update the definitions manually, select Update. For more information, see Manually updating FortiGuard definitions on page 91.
Web Filtering: The FortiGuard Web Filtering license status, expiry date and service status. If your license has expired, you can select Renew to renew the license.
Email Filtering: The FortiGuard Email Filtering or Antispam license status, license expiry date and service status. If your license has expired, you can select Renew to renew the license.
Rule set: The currently installed version of the FortiGuard Email Filtering rule set. To update the rule set manually, select Update. For more information, see Manually updating FortiGuard definitions on page 91.
Analysis & Management Service: The FortiGuard Analysis Service and Management Service license, license expiry date, and reachability status. For more information, see Configuring FortiGuard Analysis & Management Service Options on page 306.
Services Account: Select Change to enter a different Service Account ID. This ID is used to validate your license for subscription services such as FortiGuard ID Management Service and FortiGuard Analysis Service. For more information, see Configuring FortiGuard Analysis & Management Service Options on page 306.
Virtual Domain, VDOMs Allowed: The maximum number of virtual domains the unit supports with the current license. For high-end FortiGate models, you can select the Purchase More link to purchase a license key through Fortinet technical support to increase the maximum number of VDOMs. For more information, see Adding VDOM Licenses on page 311.
Endpoint Security
FortiClient Software Windows Installer: View information about the latest version of the FortiClient application available from FortiGuard for EndPoint NAC. Select Download to download the FortiClient application installer to your PC. For more information, see Configuring FortiClient installer download and version enforcement on page 688.
Application Signature package: The version number of the current endpoint NAC application detection predefined signature package. For more information, see Configuring application detection lists on page 689.
Unit Operation
In the Unit Operation widget, an illustration of the FortiGate unit's front panel shows the status of the unit's Ethernet network interfaces. If a network interface is green, that interface is connected. Pause the mouse pointer over the interface to view the name, IP address, netmask and current status of the interface. If you select Reboot or ShutDown, a pop-up window opens allowing you to enter the reason for the system event. You can only have one management and one logging/analyzing method displayed for your FortiGate unit. The graphic for each will change based on which method you choose. If none are selected, no graphic is shown.
Caution: Abruptly powering off your FortiGate unit may corrupt its configuration. Using the reboot and shutdown options here or in the CLI ensures proper shutdown procedures are followed to prevent any loss of configuration.
Note: Your reason will be added to the Disk Event Log if disk logging, event logging, and admin events are enabled. For more information on Event Logging, see Configuring Event logging on page 711.
Figure 22: Unit Operation examples
INT / EXT / DMZ / HA / WAN1 / WAN2 / 1 / 2 / 3 / 4: The network interfaces on the FortiGate unit. The names and number of these interfaces vary by model. The icon below the interface name indicates its up/down status by color. Green indicates the interface is connected. Grey indicates there is no connection. For more information about the configuration and status of an interface, pause the mouse over the icon for that interface. A tooltip displays the full name of the interface, its alias if one is configured, the IP address and netmask, the status of the link, the speed of the interface, and the number of sent and received packets.
AMC-SW1/1, ... AMC-DW1/1, ...: If your FortiGate unit supports Advanced Mezzanine Card (AMC) modules and if you have installed an AMC module containing network interfaces (for example, the ASM-FB4 contains 4 interfaces), these interfaces are added to the interface status display. The interfaces are named for the module and the interface. For example, AMC-SW1/3 is the third network interface on the SW1 module, and AMC-DW2/1 is the first network interface on the DW2 module. AMC modules support hard disks as well, such as the ASM-S08 module. When a hard disk is installed, ASM-S08 is visible as well as a horizontal bar and percentage indicating how full the hard disk is. You can also add the ASM-CX4 and ASM-FX2 modules to bridge FortiGate interfaces when the FortiGate unit is operating in transparent mode. For more information about AMC modules, see Configuring AMC modules on page 98.
FortiAnalyzer: The icon on the link between the FortiGate unit graphic and the FortiAnalyzer graphic indicates the status of their OFTP connection. An X on a red icon indicates there is no connection. A check mark on a green icon indicates there is OFTP communication. Select the FortiAnalyzer graphic to configure remote logging to the FortiAnalyzer unit on your FortiGate unit. For more information, see Remote logging to a FortiAnalyzer unit on page 704.
FortiGuard Analysis Service: The icon on the link between the FortiGate unit graphic and the FortiGuard Analysis Service graphic indicates the status of their OFTP connection. An X on a red icon indicates there is no connection. A check mark on a green icon indicates there is OFTP communication. Select the FortiGuard Analysis Service graphic to configure remote logging to the FortiGuard Analysis Service. For more information, see the FortiGuard Analysis and Management Service Administration Guide.
FortiManager: The icon on the link between the FortiGate unit graphic and the FortiManager graphic indicates the status of the connection. An X on a red icon indicates there is no connection. A check mark on a green icon indicates there is communication between the two units. Select the FortiManager graphic to configure central management on your FortiGate unit. For more information, see Central Management on page 260.
FortiGuard Management Service: The icon on the link between the FortiGate unit graphic and the FortiGuard Management Service graphic indicates the status of the connection. An X on a red icon indicates there is no connection. A check mark on a green icon indicates there is communication. Select the FortiGuard Management Service graphic to configure central management on your FortiGate unit. For more information, see Central Management on page 260.
Reboot: Select to shut down and restart the FortiGate unit. You will be prompted to enter a reason for the reboot that will be entered into the logs.
Shutdown: Select to shut down the FortiGate unit. You will be prompted for confirmation, and also prompted to enter a reason for the shutdown that will be entered into the logs.
System Resources
The System Resources widget displays basic FortiGate unit resource usage, such as CPU and memory (RAM) usage. Any System Resources that are not displayed on the status page can be viewed as a graph by selecting the History icon. To see the most recent CPU and memory usage, select the Refresh icon.
Figure 23: System Resources
History: A graphical representation of the last minute of CPU, memory, sessions, and network usage. This page also shows the virus and intrusion detections over the last 20 hours. For more information, see Viewing operational history on page 90.
CPU Usage: The current CPU status displayed as a dial gauge and as a percentage. The web-based manager displays CPU usage for core processes only. CPU usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded. The displayed CPU usage is equivalent to using the CLI command get system performance status and adding the user, system, and nice percentages. Both the web-based CPU Usage and the CLI command access the same CPU information.
Memory Usage: The current memory (RAM) status displayed as a dial gauge and as a percentage. The web-based manager displays memory usage for core processes only. Memory usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
FortiAnalyzer Usage: The current status of the FortiAnalyzer disk space used by this FortiGate unit's quota, displayed as a pie chart and a percentage. You can use the System Resources edit menu to select not to display this information. This is available only if you have configured logging to a FortiAnalyzer unit.
Disk Usage: The current status of the FortiGate unit disk space used, displayed as a pie chart and a percentage. This is available only if you have a hard disk on your FortiGate unit.
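The CPU Usage description above states that the dashboard gauge equals the user, system and nice percentages of get system performance status added together. The following Python script is an added example, not code from this guide or from Fortinet: it parses a constructed sample of that CLI output (the line layout is assumed from typical FortiOS output and is not quoted from the guide), computes the dashboard-equivalent figure, checks that the four percentages account for the whole CPU, and applies an illustrative polling threshold of the kind an operator might script against the CLI. The threshold values and the function names are this example's own choices.

```python
import re

# Constructed sample of the first lines of "get system performance status" output.
# The line layout is assumed from typical FortiOS CLI output; it is not taken from this guide.
SAMPLE_OUTPUT = """\
CPU states: 12% user 7% system 1% nice 80% idle
Memory states: 38% used
Average network usage: 153 kbps in 1 minute, 97 kbps in 10 minutes, 88 kbps in 30 minutes
Average sessions: 41 sessions in 1 minute, 37 sessions in 10 minutes, 35 sessions in 30 minutes
Uptime: 3 days,  4 hours,  12 minutes
"""

CPU_RE = re.compile(
    r"CPU states:\s*(\d+)% user\s+(\d+)% system\s+(\d+)% nice\s+(\d+)% idle"
)
MEM_RE = re.compile(r"Memory states:\s*(\d+)% used")


def parse_cpu_states(output):
    """Return the user/system/nice/idle percentages from the 'CPU states' line."""
    match = CPU_RE.search(output)
    if match is None:
        raise ValueError("no 'CPU states' line found in CLI output")
    user, system, nice, idle = (int(v) for v in match.groups())
    return {"user": user, "system": system, "nice": nice, "idle": idle}


def dashboard_cpu_usage(output):
    """The value the dashboard CPU gauge shows: user + system + nice (the guide's rule)."""
    states = parse_cpu_states(output)
    return states["user"] + states["system"] + states["nice"]


def memory_usage(output):
    """Memory usage percentage from the 'Memory states' line."""
    match = MEM_RE.search(output)
    if match is None:
        raise ValueError("no 'Memory states' line found in CLI output")
    return int(match.group(1))


def cpu_states_consistent(output):
    """Sanity check on the parsed line: busy + idle should account for the whole CPU.
    A 1% slack is allowed because each figure is rounded separately."""
    return abs(sum(parse_cpu_states(output).values()) - 100) <= 1


def resources_over_threshold(output, cpu_limit=80, mem_limit=80):
    """Names of resources above the given limits, for a simple polling check.
    The limits are illustrative; the guide does not define alert thresholds."""
    over = []
    if dashboard_cpu_usage(output) > cpu_limit:
        over.append("cpu")
    if memory_usage(output) > mem_limit:
        over.append("memory")
    return over


if __name__ == "__main__":
    print("CPU usage as shown on the dashboard:", dashboard_cpu_usage(SAMPLE_OUTPUT))
    print("Memory usage:", memory_usage(SAMPLE_OUTPUT))
    print("Over threshold:", resources_over_threshold(SAMPLE_OUTPUT, cpu_limit=15))
```

For the sample above the dashboard-equivalent CPU figure is 20%, while the gauge would never show the idle 80%. A memory check of this kind is worth scripting because the Alert Message Console entry for the connection limit (below) describes the antivirus engine entering conserve mode when memory runs low.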
View all alert messages. Configure Alert Message Console settings. Update displayed information. Close the module. Select to remove this message. The Acknowledge icon is also available for each alert message in the History window.
The following types of messages can appear in the Alert Message Console:
System restart: The system restarted. The restart could be due to operator action or power off/on cycling.
System shutdown: An administrator shut down the FortiGate unit from the web-based manager or CLI.
Firmware upgraded by <admin_name>: The named administrator upgraded the firmware to a more recent version on either the active or non-active partition.
Firmware downgraded by <admin_name>: The named administrator downgraded the firmware to an older version on either the active or non-active partition.
FortiGate has reached connection limit for <n> seconds: The antivirus engine was low on memory for the duration of time shown and entered conserve mode. Depending on model and configuration, content can be blocked or can pass unscanned under these conditions.
Found a new FortiAnalyzer / Lost the connection to FortiAnalyzer: Shows that the FortiGate unit has either found or lost the connection to a FortiAnalyzer unit. For more information, see Remote logging to a FortiAnalyzer unit on page 704.
New firmware is available from FortiGuard: An updated firmware image is available to be downloaded to this FortiGate unit.
To configure the Alert Message Console
You can configure the alert message console settings to control what types of messages are displayed on the console.
1 Go to System > Status > Dashboard.
2 Select the Edit icon in the Alert Message Console title bar.
3 Select the types of alerts that the Alert Message Console should display. By default, all alert types are enabled.
4 Select OK.
FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20091022 http://docs.fortinet.com/ Feedback
The date and time when the counts were last reset. Counts are reset when the FortiGate unit reboots, or when you select Reset.
Reset the Log and Archive Statistic counts to zero.
A summary of the HTTP, HTTPS, email, FTP, IM, and VoIP (also called session control) traffic that has passed through the FortiGate unit and has been archived by DLP. The Details pages list the last 64 items of the selected type and provide links to the FortiAnalyzer unit where the archived traffic is stored. If logging to a FortiAnalyzer unit is not configured, the Details pages provide a link to Log & Report > Log Config > Log Settings.
You configure the FortiGate unit to collect DLP archive data for the widget by configuring protection profiles to display content meta-information on the system dashboard. To configure a protection profile, see To configure a protection profile (DLP archive) on page 79. You must also add the protection profile to a firewall policy. When the firewall policy receives sessions for the selected protocols, meta-data is added to the statistics widget.
The Email statistics are based on email protocols. POP3 and IMAP traffic is registered as email received, and SMTP as email sent. If your FortiGate unit supports SSL content scanning and inspection, incoming email also includes POP3S and IMAPS, and outgoing email also includes SMTPS. If incoming or outgoing email does not use these protocols, these statistics will not be accurate.
The IM statistics are based on the AIM, ICQ, MSN, and Yahoo! protocols and are configured by selecting Archive in DLP Sensors for IM DLP rules. The VoIP statistics are based on the SIP, SIMPLE and SCCP session control protocols and are configured by selecting Archive in DLP Sensors for Session Control DLP rules.
Log: A summary of traffic, viruses, attacks, spam email messages, and blocked URLs that the FortiGate unit has logged. Also displays the number of sessions matched by DLP and event log messages. The Details pages list the 20 most recent items, providing the time, source, destination and other information.
DLP data loss detected actually displays the number of sessions that have matched DLP sensors added to protection profiles. DLP collects meta-data about all sessions matched by DLP sensors and records this meta-data in the DLP log. Every time a DLP log message is recorded, the DLP data loss detected number increases. If you are using DLP for summary or full archiving, the DLP data loss detected number can get very large. This number may not indicate that data has been lost or leaked.
To configure a protection profile (DLP archive)
1 Go to Firewall > Protection Profile.
2 Create or edit a protection profile.
3 Configure Data Leak Prevention Sensor > Display content meta-information on the system dashboard.
4 Select the protocols to collect statistics for. By default, meta-data is collected and displayed on the statistics widget for all protocols. For more information, see Data Leak Prevention Sensor options on page 488.
CLI Console
The System Status page can include a CLI console. To use the console, select it to automatically log in to the admin account you are currently using in the web-based manager. You can copy (CTRL-C) and paste (CTRL-V) text from or to the CLI Console.
Figure 28: CLI Console
The two controls located on the CLI Console widget title bar are Customize, and Detach. Detach moves the CLI Console widget into a pop-up window that you can resize and reposition. The two controls on the detached CLI Console are Customize and Attach. Attach moves the CLI console widget back onto the System Status page. Customize allows you to change the appearance of the console by defining fonts and colors for the text and background.
Figure 29: Customize CLI Console window
Preview: A preview of your changes to the CLI Console's appearance.
Text: Select the current color swatch next to this label, then select a color from the color palette to the right to change the color of the text in the CLI Console.
Background: Select the current color swatch next to this label, then select a color from the color palette to the right to change the color of the background in the CLI Console.
Select to display a command input field below the normal console emulation area. When this option is enabled, you can enter commands by typing them into either the console emulation area or the external command input field.
Console buffer length: Enter the number of lines the console buffer keeps in memory. Valid numbers range from 20 to 9999.
Font: Select a font from the list to change the display font of the CLI Console.
Size: Select the size of the font. The default size is 10 points.
Top Sessions
Top Sessions displays either a bar graph or a table showing the IP addresses that have the most sessions currently open on the FortiGate unit. The sessions are sorted by their source or destination IP address, or by port address. The sort criterion being used is displayed in the top right corner. The Top Sessions widget polls the FortiGate unit for session information, and this slightly impacts the FortiGate unit's performance. For this reason, when this display is not shown on the dashboard, it is not collecting data and does not impact system performance. When the display is shown, information is only stored in memory.
Note: Rebooting the FortiGate unit will reset the Top Session statistics to zero.
Top Sessions widget controls: Customize the Top Sessions Display, Detach, Refresh, Close, Last updated, Number of active sessions, Report By.
Select Details to view the current sessions list, a list of all sessions currently processed by the FortiGate unit. For more information, see Viewing the current sessions list on page 82. To view detailed information about the sessions represented by a bar in the chart, click on the bar.
To change the information displayed on the Top Sessions widget
1 Select the Edit icon to change the information displayed by the Top Sessions widget.
2 Change the Top Sessions settings as required:
Figure 31: Edit menu for Top Sessions
Sort Criteria: Select the method used to sort the Top Sessions on the System Status display. Choose one of: Source Address, Destination Address, Port Address.
Display UserName: Select to include the username associated with this source IP address, if available. In the table display format this will be a separate column. Display UserName is available only when the sort criteria is Source Address.
Resolve Host Name: Select to resolve the IP address to the host name. Resolve Host Name is not available when the sort criteria is Destination Port.
Resolve Service: Select to resolve port addresses into their commonly associated service names. Any port address without a service will continue to be displayed as the port address. For example, port 443 would resolve to HTTPS. Resolve Service is only available when the sort criteria is Destination Port.
Display Format: Select how the Top Session information is displayed. Choose one of: Chart, Table.
Select the number of sessions to display. Choose to display 5, 10, 15, or 20 sessions.
Select how often the display is updated. The refresh interval range is from 10 to 240 seconds. Selecting 0 will disable the automatic refresh of the display. You will still be able to select the manual refresh option on the Top Sessions title bar. Shorter refresh intervals may impact the performance of your FortiGate unit. If this occurs, try increasing the refresh interval or disabling the automatic refresh.
To view the current sessions list
1 Go to System > Status > Dashboard.
2 In the Top Sessions widget, select Details at the bottom of the widget.
3 The current sessions list appears. Optionally select Detach to detach and expand the browser window to see the entire list.
4 Select Return to return to the Top Sessions bar chart display.
Figure 32: Current sessions list
Edit Filters
Virtual Domain: Select a virtual domain to list the sessions being processed by that virtual domain. Select All to view sessions being processed by all virtual domains. This is only available if virtual domains are enabled. For more information, see Using virtual domains on page 125.
Update the session list.
Select to go to the first displayed page of current sessions.
Select to go to the page of sessions immediately before the current page.
Enter the page number of the session to start the displayed session list. For example, if there are 5 pages of sessions and you enter 3, page 3 of the sessions will be displayed. The number following the / is the number of pages of sessions.
Next Page: Select to go to the next page of sessions.
Last Page: Select to go to the last displayed page of current sessions.
Total: The total number of sessions.
Clear All Filters: Select to reset any display filters that may have been set.
Return: Return to the Top Sessions display.
Filter Icon: The icon at the top of all columns except # and Expiry. When selected, it brings up the Edit Filter dialog, allowing you to set the display filters by column. See Adding filters to web-based manager lists on page 57.
Protocol: The service protocol of the connection, for example, udp, tcp, or icmp.
Source Address: The source IP address of the connection.
Source Port: The source port of the connection.
Destination Address: The destination IP address of the connection.
Destination Port: The destination port of the connection.
Policy ID: The number of the firewall policy allowing this session, or blank if the session involves only one FortiGate interface (an admin session, for example).
Expiry (sec): The time, in seconds, before the connection expires.
Duration: The age of each session in seconds. The age is the amount of time the session has been active.
Delete icon: Stop an active communication session. Your admin profile must include read and write access to System Configuration.
Top Viruses
Top Viruses displays a bar graph representing the virus threats that have been detected most frequently by the FortiGate unit. The Top Viruses display is not part of the default dashboard display. It can be displayed by selecting Add Content > Top Viruses from the drop down menu. Selecting the history icon opens a window that displays up to the 20 most recent viruses that have been detected, with information including the virus name, when it was last detected, and how many times it was detected. The system stores up to 1024 entries, but only displays up to 20 in the web-based manager. Selecting the edit icon for Top Viruses allows changes to the refresh interval and the number of top viruses to show.
Top Attacks
Top Attacks displays a bar graph representing the most numerous attacks detected by the FortiGate unit. The Top Attacks display is not part of the default dashboard display. It can be displayed by selecting Add Content > Top Attacks from the drop down menu.
Selecting the history icon opens a window that displays up to the 20 most recent attacks that have been detected, with information including the attack name, when it was last detected, and how many times it was detected. The FortiGate unit stores up to 1024 entries, but only displays up to 20 in the web-based manager. Selecting the Edit icon for Top Attacks allows changes to the refresh interval and the number of top attacks to show.
Traffic History
The traffic history display shows the traffic on one selected interface over the last hour, day, and month. This feature can help you locate peaks in traffic that you need to address as well as their frequency, duration, and other information. Only one interface at a time can be monitored. You can change the interface being monitored by selecting Edit, choosing the interface from the drop down menu, and selecting Apply. Doing this will clear all the traffic history data.
Figure 33: Traffic History
Interface: The interface that is being monitored.
kbit/s: The units of the traffic graph. The scale varies based on traffic levels to allow it to show traffic levels no matter how little or how much traffic there is.
Last 60 Minutes, Last 24 Hours, Last 30 Days: Three graphs showing the traffic monitored on this interface of the FortiGate unit over different periods of time. Certain trends may be easier to spot in one graph over the others.
Traffic In: The traffic entering the FortiGate unit on this interface is indicated with a thin red line.
Traffic Out: The traffic leaving the FortiGate unit on this interface is indicated with a dark green line, filled in with light green.
RAID monitor
The RAID monitor display shows the current state of the RAID array and each RAID disk. For information on configuring the RAID array, see Configuring the RAID array on page 94. The RAID monitor display is not part of the default dashboard display. It can be displayed by selecting Add Content > RAID Monitor from the drop down menu. The RAID monitor will not be displayed unless your FortiGate unit has more than one disk installed.
Figure 34: RAID monitor
Select to configure the RAID array, or rebuild a degraded array. For more information, see Configuring the RAID array on page 94.
Array status icon: Shows the status of the RAID array. Green with a check mark shows a healthy RAID array. A yellow triangle shows the array is in a degraded state but it is still functioning. A degraded array is slower than a healthy array. Rebuild the array to fix the degraded state. A wrench shows the array is being rebuilt. Positioning the mouse over the array status icon displays a text message of the status of the array.
Disk status icon: There is one icon for each disk in the array. Green with a check mark shows a healthy disk. Red with an X shows the disk has failed and needs attention. Positioning the mouse over the disk status icon displays the status of the disk, and the storage capacity of the disk.
RAID Level: The RAID level of this RAID array. The RAID level is set as part of configuring the RAID array. For more information, see RAID Level on page 96.
The bar shows the percentage of the RAID array that is currently in use.
These three numbers show the amount of RAID array storage that is being used, the amount of storage that is free, and the total storage in the RAID array. The values are in GB. Used added to Free should equal Total.
Synchronizing status: Displays the percent complete of the RAID array synchronization. Synchronizing may take several hours. While synchronizing, the status of the RAID array will indicate that synchronizing is happening in the background. The synchronizing progress bar is visible only when the RAID array is synchronizing. You may need to select the refresh icon in the widget title bar to update this progress bar.
Rebuild status: Displays the percent complete of the RAID array rebuild. Rebuilding the array may take several hours. While the array is rebuilding, it is in a degraded and vulnerable state; any disk failure during a rebuild will result in data loss. A warning is displayed indicating the RAID array is running in reduced reliability mode until the rebuild is completed. You may need to select the refresh icon in the widget title bar to update this progress bar.
The current FortiGate system date and time. Update the display of the current FortiGate system date and time. Select the current FortiGate system time zone.
Automatically adjust clock for daylight saving changes: Select to automatically adjust the FortiGate system clock when your time zone changes between daylight saving time and standard time.
Set Time: Select to set the FortiGate system date and time to the values you set in the Hour, Minute, Second, Year, Month and Day fields.
Select to use a Network Time Protocol (NTP) server to automatically set the system date and time. You must specify the server and synchronization interval. FortiGate units use NTP Version 4. No RFC is currently available for NTP version 4. The RFC for NTP Version 3 is RFC 1305. For more information about NTP, see http://www.ntp.org.
Enter the IP address or domain name of an NTP server. To find an NTP server that you can use, see http://www.ntp.org.
Specify how often the FortiGate unit should synchronize its time with the NTP server. For example, a setting of 1440 minutes causes the FortiGate unit to synchronize its time once a day.
To change the FortiGate unit host name
If the host name is longer than 16 characters, it will be displayed as truncated and end with a ~. The full host name will be displayed under System > Status > Dashboard, but the truncated host name will be displayed on the CLI and in other places where it is used.
1 Go to System > Status > Dashboard.
2 In the Host Name field of the System Information section, select Change.
3 In the New Name field, type a new host name.
4 Select OK.
The new host name is displayed in the Host Name field and the CLI prompt. It is also added to the SNMP System Name.
Caution: By installing an older firmware image, some system settings may be lost. You should always backup your configuration before changing the firmware image.
For more information about using the USB disk, and the FortiGuard Network see System Maintenance on page 289.
Figure 36: Firmware Upgrade/Downgrade
Upgrade From: Select the firmware source from the drop down list of available sources. Possible sources include Local Hard Disk, USB, and FortiGuard Network. This field does not appear on all models.
Browse to the location of the firmware image on your local hard disk. This field is available for local hard disk and USB only.
Select to confirm the installation of an older firmware image (downgrade). This field is displayed only when attempting to downgrade firmware.
Go to the FortiGuard Center to learn more about firmware updates through the FortiGuard network.
Firmware changes either upgrade to a newer version or revert to an earlier version. Follow the appropriate procedure to change your firmware. For more information about managing firmware, see Managing firmware versions on page 113.
To upgrade the firmware using the web-based manager
1 Copy the new firmware image file to your management computer. The firmware images for FortiGate units are available at the Fortinet Support web site.
2 Log into the web-based manager as the super admin, or an administrator account that has system configuration read and write privileges.
3 Go to System > Status > Dashboard.
4 In the System Information section, select Update on the Firmware Version line.
5 Type the path and filename of the firmware image file, or select Browse and locate the file.
6 Select OK. The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, closes all sessions, restarts, and displays the FortiGate login. This process takes a few minutes.
7 Log into the web-based manager.
8 Go to System > Status > Dashboard and check the Firmware Version to confirm that the expected firmware upgrade was successfully installed.
9 Update antivirus and attack definitions. For information about updating antivirus and attack definitions, see Configuring FortiGuard Services on page 300.
To revert to a previous firmware version using the web-based manager
1 Copy the firmware image file to your management computer. The firmware images for FortiGate units are available at the Fortinet Support web site.
2 Log into the web-based manager as the super admin, or an administrator account that has system configuration read and write privileges.
3 Go to System > Status > Dashboard.
4 In the System Information section, select Update on the Firmware Version line.
5 Type the path and filename of the firmware image file, or select Browse and locate the file.
6 Select OK. The FortiGate unit uploads the firmware image file, reverts to the old firmware version, resets the configuration, restarts, and displays the FortiGate login. This process takes a few minutes.
7 Log into the web-based manager.
8 Go to System > Status > Dashboard and check the Firmware Version to confirm that the firmware is successfully installed.
9 Restore your configuration. For information about restoring your configuration, see About the Maintenance menu on page 289.
10 Update antivirus and attack definitions. For information about antivirus and attack definitions, see To update antivirus and attack definitions on page 307.
Time Interval: Select the time interval to display along the bottom axis of the graphs.
CPU Usage History: Percentage CPU usage for the preceding interval.
Memory Usage History: Percentage memory usage for the preceding interval.
Session History: Number of sessions over the preceding interval.
Network Utilization History: Network utilization for the preceding interval.
Virus History: Number of viruses detected over the preceding interval.
Intrusion History: Number of intrusion attempts detected over the preceding interval.
To update FortiGuard antivirus definitions, IPS definitions, or antispam rule set manually
1 Download the latest update file from the Fortinet support site and copy it to the computer that you use to connect to the web-based manager.
2 Start the web-based manager and go to System > Status > Dashboard.
3 In the License Information section, in the AV Definitions, IPS Definitions, or AS Rule Set field of the FortiGuard Subscriptions, select Update.
4 Select Browse and locate the update file, or type the path and filename.
5 Select OK to copy the update file to the FortiGate unit. The FortiGate unit updates the AV definitions. This takes about 1 minute.
6 Go to System > Status > Dashboard to confirm that the version information for the selected definition or rule set has updated.
The time when the URL was accessed. The IP address from which the URL was accessed. The URL that was accessed.
Viewing Email content information
1 Go to System > Status > Dashboard.
2 In the DLP archive section, select Details for Email.
The time that the email passed through the FortiGate unit. The sender's email address. The recipient's email address. The subject line of the email.
Viewing archived FTP content information
1 Go to System > Status > Dashboard.
2 In the DLP archive section, select Details for FTP.
The time of access. The IP address of the FTP server that was accessed. The User ID that logged into the FTP server. The names of files that were downloaded. The names of files that were uploaded.
Viewing IM content information
1 Go to System > Status > Dashboard.
2 In the DLP archive section, select Details for IM.
The time of access. The protocol used in this IM session. The kind of IM traffic this transaction is. The local address for this transaction. The remote address for this transaction. Whether a file was sent or received.
Viewing attacks blocked
1 Go to System > Status > Dashboard.
2 In the Attack Log section, select Details for IPS.
Date and Time: The time that the attack was detected.
From: The source of the attack.
To: The target host of the attack.
Service: The service type.
Attack: The type of attack that was detected and prevented.
Viewing spam email detected
1 Go to System > Status > Dashboard.
2 In the Attack Log section, select Details for Spam.
Date and Time: The time that the spam was detected.
From->To IP: The sender and intended recipient IP addresses.
From->To Email Accounts: The sender and intended recipient email addresses.
Service: The service type, such as SMTP, POP or IMAP.
SPAM Type: The type of spam that was detected.
Viewing URLs blocked
1 Go to System > Status > Dashboard.
2 In the Attack Log section, select Details for Web.
Date and Time: The time that the attempt to access the URL was detected.
From: The host that attempted to view the URL.
URL Blocked: The URL that was blocked.
Viewing the sessions matched by DLP
1 Go to System > Status > Dashboard.
2 In the Attack Log section, select Details for DLP.
Date and Time: The time that the attempt to access the URL was detected.
Service: The service type, such as HTTP, SMTP, POP or IMAP.
Source: The source address of the session.
From: The host that attempted to view the URL.
URL Blocked: The URL that was blocked.
From: The sender's email address or IP address.
To: The intended recipient's email address or IP address.
Caution: A RAID array provides no redundancy in a degraded state. Any disk failure while the RAID array is in a degraded state will cause data loss.
This section includes:
RAID disk configuration
RAID Level
Rebuilding the RAID array
RAID level
RAID level: Select the level of RAID. Options include:
RAID-0 (striping): better performance, no redundancy
RAID-1 (mirroring): half the storage capacity, but totally redundant
RAID-5: striping with parity checking, and redundancy
Available RAID level options depend on the available number of hard disks. Two or more disks are required for RAID 0 or RAID 1. Three or more disks are required for RAID 5. Changing the RAID level will take effect when Apply is selected. Changing the RAID level will erase any stored log information on the array, and reboot the FortiGate unit. The unit will remain offline while it reconfigures the RAID array. When it reboots, the array will need to synchronize before being fully operational. For more information on RAID levels, see RAID Level on page 96.
Status: The status, or health, of the RAID array. This status can be one of:
OK: standard status, everything is normal
OK (Background-Synchronizing) (%): synchronizing the disks after changing RAID level; the Synchronizing progress bar shows percent complete
Degraded: One or more of the disks in the array has failed, been removed, or is not working properly. A warning is displayed about the lack of redundancy in this state. Also, a degraded array is slower than a healthy array. Select Rebuild RAID to fix the array.
Degraded (Background-Rebuilding) (%): The same as degraded, but the RAID array is being rebuilt in the background. The array continues to be in a fragile state until the rebuilding is completed.
The size of the RAID array in gigabytes (GB). The size of the array depends on the RAID level selected, and the number of disks in the array.
Rebuild RAID: Select to rebuild the array after a new disk has been added to the array, or after a disk has been swapped in for a failed disk. If you try to rebuild a RAID array with too few disks you will get a rebuild error. After inserting a functioning disk, the rebuild will start. This button is only available when the RAID array is in a degraded state and has enough disks to be rebuilt. You cannot restart a rebuild once a rebuild is already in progress.
Note: If a disk has failed, the number of working disks may not be enough for the RAID level to function. In this case, replace the failed disk with a working disk to rebuild the RAID array.
Disk#: The disk's position in the array. This corresponds to the physical slot of the disk. If a disk is removed from the FortiGate unit, the disk is marked as not a member of the array and its position is retained until a new disk is inserted in that drive bay.
Status: The status of this disk. Options include OK and unavailable. A disk is unavailable if it is removed or has failed.
Member: Displays whether the selected disk is part of the RAID array. A green icon with a check mark indicates the disk is part of the array. A grey icon with an X indicates the disk is not part of the RAID array. A disk may be displayed as healthy on the dashboard display even when it is not a member of the RAID array. A disk may be available but not used in the RAID array. For example, with three disks in a RAID 1 array, only two are used.
Capacity: The storage capacity that this drive contributes to the RAID array. The full storage capacity of the disk is used for the RAID array automatically. The total storage capacity of the RAID array depends on the capacity and number of the disks, and the RAID level of the array.
RAID Level
When changing the RAID level, the available levels depend on the number of working disks that are actually present in the unit. For example, RAID 5 is not available on units with fewer than three disks. When a disk fails, becomes corrupt, or is removed you must rebuild the RAID array. For more information, see Rebuilding the RAID array on page 97. If the FortiGate unit only has one disk installed, the RAID monitor widget will not be displayed as it is not possible to configure a RAID array with only one disk. Available RAID levels include:
RAID 0
RAID 1
RAID 5
RAID 0
A RAID 0 array is also referred to as striping. The FortiGate unit writes information evenly across all hard disks. The total space available is that of all the disks in the RAID array. There is no redundancy available. If any single drive fails, the data on that drive cannot be recovered. This RAID level is beneficial because it provides better performance, since the FortiGate unit can distribute disk writing across multiple disks. For example, if your FortiGate unit has three disks each with a one terabyte (TB) capacity, your RAID 0 array will have a three TB capacity.
RAID 1
A RAID 1 array is also referred to as mirroring. The FortiGate unit writes information to one hard disk, and writes a copy (a mirror image) of all information to all other hard disks. The total disk space available is that of only one hard disk, as the others are solely used for mirroring. This provides redundant data storage with no single point of failure. Should any of the hard disks fail, there are several backup hard disks available. For example, if one disk fails, the unit can still access three other hard disks and continue functioning. In a RAID 1 array, if you have four disks of one TB capacity, the array will have a two TB capacity. Since RAID 1 pairs disks for mirroring, if you have an odd number of disks then one disk will not be used. If you have three disks, only two will be used in the RAID 1 array.
RAID 5
A RAID 5 array employs striping with a parity check. Similar to RAID 0, the FortiGate unit writes information evenly across all drives but additional parity blocks are written on the same stripes. The parity block is staggered for each stripe. The total disk space is the total number of disks in the array, minus one disk for parity storage. For example, with four hard disks, the total capacity available is actually the total for three hard disks. RAID 5 performance is typically better with reading than with writing, although performance is degraded when one disk has failed or is missing. With RAID 5, one disk can fail without the loss of data. If a drive fails, it can be replaced and the FortiGate unit will restore the data on the new disk by using reference information from the parity volume.
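As an added illustration that is not part of the FortiGate guide, the following Python code applies the capacity and availability rules stated above for RAID 0, RAID 1 and RAID 5 to a set of disks, so an administrator can check that the capacity the RAID Monitor widget reports after a rebuild is what the rules predict. The handling of mixed disk sizes (smallest disk counts) is an assumption, since the guide describes equal-sized disks only.

```python
"""Added example (not from the FortiGate guide): applies the RAID level rules
the guide states to a list of disk sizes and reports which levels the unit
can offer and the usable capacity of the array."""
from typing import List, Tuple

TB = 1000 ** 4  # the guide quotes capacities in terabytes (TB)

# Minimum number of working disks each level needs, as stated in the guide:
# RAID 5 is not available with fewer than three disks; RAID 1 mirrors pairs.
MIN_DISKS = {"RAID 0": 1, "RAID 1": 2, "RAID 5": 3}


def available_levels(working_disks: int) -> List[str]:
    """Levels the unit can offer for the number of working disks present.

    The guide also notes that the RAID Monitor widget is not shown at all on a
    unit with a single disk, so with one disk the answer is only RAID 0."""
    return [lvl for lvl, need in MIN_DISKS.items() if working_disks >= need]


def usable_capacity(level: str, disk_sizes: List[int]) -> Tuple[int, int]:
    """Return (usable_bytes, disks_used) for the array the guide describes.

    RAID 0: striping; the sum of all disks, no redundancy.
    RAID 1: disks are paired for mirroring and an odd disk is left unused, so
            four 1 TB disks give 2 TB and three 1 TB disks give 1 TB.
    RAID 5: striping with parity; the total minus one disk's worth of parity.
    Mixed sizes: the smallest disk is taken as the per-disk contribution for
    RAID 1 and RAID 5 (an assumption; the guide assumes equal disks).
    """
    n = len(disk_sizes)
    if level not in MIN_DISKS:
        raise ValueError(f"unknown RAID level: {level}")
    if n < MIN_DISKS[level]:
        raise ValueError(f"{level} needs at least {MIN_DISKS[level]} disks, got {n}")
    if level == "RAID 0":
        return sum(disk_sizes), n
    per_disk = min(disk_sizes)
    if level == "RAID 1":
        used = n - (n % 2)  # the odd disk is not a member of the array
        return per_disk * (used // 2), used
    # RAID 5: one disk's worth of capacity holds the staggered parity blocks
    return per_disk * (n - 1), n


def describe(level: str, disk_sizes: List[int]) -> str:
    """Human-readable summary, e.g. for a post-rebuild sanity check."""
    usable, used = usable_capacity(level, disk_sizes)
    return f"{level}: {used} of {len(disk_sizes)} disks used, {usable / TB:g} TB usable"


if __name__ == "__main__":
    # Constructed inputs: three 1 TB disks, as in the guide's RAID 0 example,
    # and four 1 TB disks, as in its RAID 1 and RAID 5 examples.
    print(available_levels(2))
    for lvl in available_levels(3):
        print(describe(lvl, [TB] * 3))
    for lvl in available_levels(4):
        print(describe(lvl, [TB] * 4))
```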
Before you rebuild the RAID array, you should have a replacement disk for the one that failed, if that is the cause of the degraded array. You cannot rebuild an array that is missing a disk. A replacement disk should have the same storage capacity as the disk it is replacing. Also, before rebuilding the array, you should back up the data if possible. As soon as the RAID array becomes degraded, you should back up the array if possible to prevent data loss.
To rebuild the RAID array
1 Go to Status > Dashboard > RAID Monitor > Configure.
2 Verify that the status of the RAID array is degraded, and that the Rebuild button is not greyed out.
3 Remove the failed disk from the FortiGate unit. Ensure you have the correct disk. Press the green button to unlock the disk. Gently push the lever to the left as far as it will go to disconnect the disk. Remove the disk from the FortiGate unit by pulling on the lever.
4 Insert the new disk that is replacing the failed disk into the FortiGate unit. Insert the disk carefully. Push the front panel of the disk to make the connection; the lever will start to move to the right. Ensure that both sides of the disk are in line with the other disks. When in place, push the bar fully to the right, until the green button clicks.
5 Refresh your display to ensure the new disk is installed properly. If it is not recognized, repeat steps 3 and 4 with the new disk to ensure it is properly installed.
6 On the Configure screen, select Rebuild RAID. Rebuilding the RAID array will normally take several hours. You can follow its progress on the RAID Monitor display on the dashboard.
7 When the rebuild is complete, the status of the RAID array changes to OK.
If you have added the name of a module to a slot and you are planning on removing the module and replacing it with a different type of module (for example, if you are removing a FortiGate-ASM-S08 and replacing it with a FortiGate-ASM-FX2), you should reset the slot to the default before removing the module. Then, after adding the new module, you should add its name to the slot. You configure AMC slot settings from the FortiGate CLI using the config system amc command. For information about this command, see the FortiGate CLI Reference.
To change the default setting for an AMC slot
The following procedure shows how to add a FortiGate-ADM-FB8 to the first double-width AMC slot (dw1) and how to add the name of the module to the slot configuration.
1 Enter the following CLI command to verify that the slot that you will insert the FortiGate-ADM-FB8 module into is set to the default configuration. This command lists the AMC slots and the settings for each one. Example command output for a FortiGate-5001A with an empty double-width AMC slot:
get system amc
dw1 : auto
2 Power down the FortiGate unit.
3 Insert the FortiGate-ADM-FB8 module into the double-width AMC slot.
4 Power up the FortiGate unit. As long as the slot that you have inserted the FortiGate-ADM-FB8 module into is set to auto, the FortiGate unit should automatically find the module when it powers up.
5 Add the name of the FortiGate-ADM-FB8 module to the FortiGate configuration.
config system amc
set dw1 adm-fb8
end
In bypass mode, all traffic flows between interfaces on the FortiGate-ASM-CX4 and FortiGate-ASM-FX2 modules and not through the FortiGate unit. You can configure a recovery watchdog to verify that the bridged FortiGate interfaces cannot process traffic. If you fix the problem or the problem fixes itself, the recovery watchdog automatically detects that traffic can resume and switches the module back to normal operation by turning off bypass mode.
To configure a FortiGate unit to operate with a FortiGate-ASM-CX4 or FortiGate-ASM-FX2 module
1 Switch the FortiGate unit to operate in Transparent mode.
config system settings
set opmode transparent
set manageip <management_IPv4> <netmask_ipv4>
set gateway <gateway_ipv4>
end
After a short pause the FortiGate unit is operating in Transparent mode.
2 Enter the following command to verify that the slot that you will insert the FortiGate-ASM-CX4 or FortiGate-ASM-FX2 module into is set to auto. This command lists the AMC slots and the settings for each one. Example command output for a FortiGate-620B with an empty AMC slot:
get system amc
sw1 : auto
3 Power down the FortiGate unit.
4 Insert the FortiGate-ASM-CX4 or FortiGate-ASM-FX2 module into a single-width AMC slot.
5 Power up the FortiGate unit. As long as the slot that you have inserted the module into is set to auto, the FortiGate unit should automatically find the module when it powers up.
6 Add the name of the module to the FortiGate configuration and configure the bypass and recovery settings. The following command configures AMC single-width slot 1 (sw1) for a FortiGate-ASM-CX4. This command also enables the bypass watchdog and increases the bypass timeout from the default value of 10 seconds to 60 seconds. This means that if a failure occurs, the bridge module will change to bypass mode 60 seconds after the bypass watchdog detects the failure. This command also enables watchdog recovery and sets the watchdog recovery period to 30 seconds. This means that if a failure occurs while the FortiGate-ASM-CX4 module is bridging the connection, the AMC bypass watchdog monitors FortiGate processes and will revert to normal operating mode (that is, stop bridging the interfaces with the FortiGate-ASM-CX4 module) if the FortiGate unit recovers from the failure.
config system amc
set sw1 asm-cx4
set bypass-watchdog enable
set bypass-timeout 60
set watchdog-recovery enable
set watchdog-recovery-period 30
end
To manually disable bypass mode
1 Use the following command to manually disable bypass mode:
execute amc bypass disable
2 Use the following diagnose command to view the status of the AMC modules installed in a FortiGate unit, including whether they are operating in bypass mode. For example, if you have installed a FortiGate-ASM-CX4 module in AMC slot 2 of a FortiGate-3810A and bypass mode is disabled:
diagnose sys amc bypass status
ASM-CX4 in slot 2:
amc-sw2/1 <--> amc-sw2/2: mode=normal
amc-sw2/3 <--> amc-sw2/4: mode=normal
Daemon heartbeat status: normal
Last heartbeat received: 1 second(s) ago
3 Log into the web-based manager and go to System > Status > Dashboard and view the Unit Operation widget to see the status of the AMC bridge module. Figure 40 shows bypass mode disabled.
FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20091022 http://docs.fortinet.com/
Figure 40: FortiGate-3810A with FortiGate-ASM-CX4 module installed in AMC slot 2
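As an added example that is not part of the guide, the following Python script parses the output of diagnose sys amc bypass status in the format shown above and flags any bridge pair that is not in normal mode or a daemon heartbeat that is not normal or is stale, which is the check a monitoring script would run against a saved CLI capture. The second module in the sample, with mode=bypass and a failed heartbeat, is constructed: the guide shows only the normal case, so those token values are assumptions.

```python
"""Added example (not from the FortiGate guide): parse the output of
'diagnose sys amc bypass status' and report modules that are bypassing the
FortiGate unit (traffic no longer passes through it) or whose bypass daemon
heartbeat is unhealthy."""
import re
from typing import Dict, List

# Constructed sample. The first module is copied from the guide's output; the
# second module, its 'bypass' mode token, its 'failed' heartbeat status and
# the stale heartbeat age are assumptions used to exercise the alerting path.
SAMPLE_OUTPUT = """\
ASM-CX4 in slot 2:
amc-sw2/1 <--> amc-sw2/2: mode=normal
amc-sw2/3 <--> amc-sw2/4: mode=normal
Daemon heartbeat status: normal
Last heartbeat received: 1 second(s) ago
ASM-FX2 in slot 1:
amc-sw1/1 <--> amc-sw1/2: mode=bypass
Daemon heartbeat status: failed
Last heartbeat received: 95 second(s) ago
"""

MODULE_RE = re.compile(r"^(?P<module>\S+) in slot (?P<slot>\d+):$")
PAIR_RE = re.compile(r"^(?P<a>\S+) <--> (?P<b>\S+): mode=(?P<mode>\w+)$")
HB_RE = re.compile(r"^Daemon heartbeat status: (?P<status>\w+)$")
LAST_RE = re.compile(r"^Last heartbeat received: (?P<secs>\d+) second\(s\) ago$")


def parse_bypass_status(text: str) -> List[Dict]:
    """Return one dict per module: name, slot, bridged pairs, heartbeat fields."""
    modules: List[Dict] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MODULE_RE.match(line):
            cur = {"module": m["module"], "slot": int(m["slot"]), "pairs": [],
                   "heartbeat": None, "last_heartbeat_s": None}
            modules.append(cur)
        elif cur is None:
            continue  # ignore anything before the first module header
        elif m := PAIR_RE.match(line):
            cur["pairs"].append((m["a"], m["b"], m["mode"]))
        elif m := HB_RE.match(line):
            cur["heartbeat"] = m["status"]
        elif m := LAST_RE.match(line):
            cur["last_heartbeat_s"] = int(m["secs"])
    return modules


def find_problems(modules: List[Dict], max_heartbeat_age_s: int = 60) -> List[str]:
    """List findings for modules that are not in normal operation.

    A pair whose mode is not 'normal' means the module is bridging traffic
    around the FortiGate unit. A heartbeat status other than 'normal', a
    missing heartbeat line, or a heartbeat older than the threshold (default
    60 s, matching the bypass-timeout used in the configuration above; the
    link between the two is an assumption) is also reported."""
    findings: List[str] = []
    for mod in modules:
        where = f"{mod['module']} slot {mod['slot']}"
        for a, b, mode in mod["pairs"]:
            if mode != "normal":
                findings.append(f"{where}: {a} <--> {b} mode={mode}")
        if mod["heartbeat"] != "normal":
            findings.append(f"{where}: heartbeat status {mod['heartbeat']}")
        age = mod["last_heartbeat_s"]
        if age is None or age > max_heartbeat_age_s:
            findings.append(f"{where}: last heartbeat {age} s ago")
    return findings


if __name__ == "__main__":
    for finding in find_problems(parse_bypass_status(SAMPLE_OUTPUT)):
        print("ALERT", finding)
```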
Top Application Usage data collection is started by adding application control black/white lists to protection profiles. Only information about applications matched by application control is added to the chart or table. Sessions accepted by firewall policies that do not include protection profiles with application control configured do not contribute to the data displayed.
Reset: Reset all counts to zero.
Edit: Configure module settings.
Refresh: Update displayed information.
Close: Close the module.
Application names in order of use.
Bytes or Messages: Traffic volume in bytes or number of messages, depending on the Sort Criteria setting.
To configure the Top Application Usage module - web-based manager
1 Go to System > Status > Usage.
2 Select the Edit icon in the Top Application Usage module title bar.
Sort Criteria: Select whether to sort the applications by number of Bytes or number of Messages.
Report By: Select Source Address or Destination Address.
Display User Name: Select the check box to show the user name (when known) instead of the IP address.
Resolve Host Name: Select to use a reverse-DNS lookup to determine the host name instead of displaying the IP address.
VDOM: Select the VDOM to monitor or select Global. This is available for global administrators only. VDOM administrators see only their own VDOM.
Select Chart or Table display.
Select whether to display the top 5, 10, 15, or 20 applications.
Select the display update interval in seconds. Range 10 to 240 seconds. Select 0 to disable updating. You can also update using the Refresh icon in the module header.
Top Policy Usage data is collected by all firewall policies. You can configure Top Policy Usage to show data for up to 20 firewall policies. Only firewall policies that have accepted sessions appear on the chart or table.
Reset: Reset all counts to zero.
Edit: Configure module settings.
Refresh: Update displayed information.
Close: Close the module.
The firewall policy identifier.
Bytes or Packets: The cumulative traffic volume for the firewall policy in bytes or packets, depending on the Sort Criteria setting.
To configure the Top Policy Usage module
1 Go to System > Status > Usage.
2 Select the Edit icon in the Top Policy Usage module title bar.
3 Enter the following information and select OK.
Sort Criteria: Select whether to sort the policies by number of Bytes or number of Packets.
VDOM: Select the VDOM to monitor or select Global. This is available for global administrators only. VDOM administrators see only their own VDOM.
Select Chart or Table display.
Select whether to display the top 5, 10, 15, or 20 applications.
Select the display update interval in seconds. Range 10 to 240 seconds. Select 0 to disable updating. You can also update using the Refresh icon in the module header.
DLP Archive Usage data is collected by adding DLP sensors to protection profiles. Only information about sessions matched by DLP sensors is added to the chart or table. Sessions accepted by firewall policies that do not include protection profiles with DLP sensors configured do not contribute to the data displayed.
Figure 47: DLP Archive Usage module
Reset: Reset all counts to zero.
Edit: Configure module settings.
Refresh: Update displayed information.
Close: Close the module.
DLP Rule or Policy or Profile or Protocol: The DLP rule, firewall policy, protection profile or protocol, depending on the Report By setting.
Bytes or Messages: The volume of archived data in bytes or messages, depending on the Sort Criteria setting.
To configure the DLP Archive Usage module
1 Go to System > Status > Usage.
2 Select the Edit icon in the DLP Archive Usage module title bar.
3 Enter the following information and select OK.
Figure 48: Configuring the DLP Archive module
Report By: Select one of: DLP Rule, Profile, Policy, or Protocol.
Sort Criteria: Select whether to sort the results by number of Bytes or number of Messages.
Select the protocols to include.
VDOM: Select the VDOM to monitor or select Global. This is available for global administrators only. VDOM administrators see only their own VDOM. This field is not available if Report By is Protocol.
Select whether to display the top 5, 10, 15, or 20 items.
Select the display update interval in seconds. Range 10 to 240 seconds. Select 0 to disable updating. You can also update using the Refresh icon in the module header.
The Topology page consists of a large canvas upon which you can draw a network topology diagram of your FortiGate installation.
Figure 49: Topology page (callouts: Zoom/Edit controls, Text object, Subnet object, Viewport, Viewport control)
Zoom in. Select to display a smaller portion of the drawing area in the viewport, making objects appear larger.
Zoom out. Select to display a larger portion of the drawing area in the viewport, making objects appear smaller.
Select to begin editing the diagram. This button expands the toolbar to show the editing controls described below:
Save. Save changes made to the diagram. Note: If you switch to any other page in the web-based manager without saving your changes, your changes are lost.
Add subnet. Add a subnet object to the diagram. The subnet object is based on the firewall address that you select, and is connected by a line to the interface associated with that address. See Adding a subnet object on page 110.
Insert Text. Select this control and then click on the diagram where you want to place the text object. Type the text and then click outside the text box.
Delete. Select the object(s) to delete and then select this control or press the Delete key.
Customize. Select to change the colors and the thickness of lines used in the drawing. See Customizing the topology diagram on page 111.
Drag. Select this control and then drag objects in the diagram to arrange them.
Scroll. Select this control and then drag the drawing area background to move the viewport within the drawing area. This has the same effect as moving the viewport rectangle within the viewport control.
Select. Select this control and then drag to create a selection rectangle. Objects within the rectangle are selected when you release the mouse button.
Exit. Select to finish editing the diagram. Save changes first. The toolbar contracts to show only the Refresh and Zoom controls.
Existing address: Create a subnet object based on an existing firewall address. The object has the name of the firewall address and is connected by a line to the interface associated with that address. For more information about firewall addresses, see Firewall Address on page 395.
Address Name: Enter a name to identify the firewall address. Addresses, address groups, and virtual IPs must have unique names to avoid confusion in firewall policies.
Connect to interface: Select the interface or zone to associate with this address. If the field already displays a name, changing the setting changes the interface or zone associated with this existing address. If the address is currently used in a firewall policy, you can choose only the interface selected in the policy.
New addresses: Create a new firewall address and add a subnet object based on that address to the topology diagram. The address is associated with the interface you choose.
Address Name: Enter a name to identify the firewall address. Addresses, address groups, and virtual IPs must have unique names to avoid confusion in firewall policies.
Type: Select the type of address: Subnet/IP Range or FQDN.
Subnet / IP Range: If Type is Subnet / IP Range, enter the firewall IP address, followed by a forward slash and then the subnet mask. Alternatively, enter the IP range start address, followed by a hyphen (-) and the IP range end address.
FQDN: If Type is FQDN, enter the fully qualified domain name.
Connect to interface: Select the interface or zone to associate with this address.
Preview: A simulated topology diagram showing the effect of the selected appearance options.
Canvas Size: The size of the drawing in pixels.
Resize to Image: If you selected an image as Background, resize the diagram to fit within the image.
Background: One of: Solid (a solid color selected in Background Color), U.S. Map (a map of the United States), World Map (a map of the world), or Upload My Image (upload the image from Image Path).
Background Color: Select the color of the diagram background.
Image path: If you selected Upload My Image for Background, enter the path to your image, or use the Browse button to find it.
Exterior Color: Select the color of the border region outside your diagram.
Line Color: Select the color of connecting lines between subnet objects and interfaces.
Line Width: Select the thickness of connecting lines.
Reset to Default: Reset all topology diagram settings to default.
Installing a patch release without reviewing release notes or testing the firmware may result in changes to settings or unexpected issues. With FortiOS 4.0, you can also configure your FortiGate unit to use NAT while in transparent mode. For more information, see the Fortinet Knowledge Center article, Configuring NAT in Transparent mode. If you enable virtual domains (VDOMs) on the FortiGate unit, system firmware versions are configured globally. For more information, see Using virtual domains on page 125. This section describes:
Backing up your configuration
Testing firmware before upgrading
Upgrading your FortiGate unit
Reverting to a previous firmware image
Restoring your configuration
Note: For more information about the settings that are available on the Backup and Restore page, (such as remotely backing up to a FortiManager unit), see System Maintenance on page 289.
You can back up configuration settings to a local PC, a FortiManager unit, FortiGuard Management server, or to a USB key. You can also back up to a FortiGuard Management server if you have FortiGuard Analysis and Management Service enabled. Fortinet recommends backing up all configuration settings from your FortiGate unit before upgrading to FortiOS 4.0. This ensures all configuration settings are still available if you require downgrading to FortiOS 3.0 MR7 and want to restore those configuration settings.
2 Enter the following to back up the configuration file to a TFTP or FTP server:
execute backup config {tftp | ftp} <backup_filename> <tftp_server_ipaddress | ftp_server[:ftp_port]> <ftp_username> <ftp_passwd> <encrypt_passwd>
3 Enter the following to back up the configuration to a FortiGuard Management server:
execute backup config management-station <comment>
To back up the entire configuration file through the CLI
Enter the following to back up the entire configuration file:
execute backup full-config {tftp | ftp | usb} <backup_filename> <tftp_server_ipaddress | ftp_server[:ftp_port]> <ftp_username> <ftp_passwd> <encrypt_passwd>
9 Type the internal IP address of the FortiGate unit. This IP address connects the FortiGate unit to the TFTP server. This IP address must be on the same network as the TFTP server, but make sure you do not use the IP address of another device on the network. The following message appears:
Enter File Name [image.out]:
10 Enter the firmware image file name and press Enter. The TFTP server uploads the firmware image file to the FortiGate unit and the following appears:
Save as Default firmware/Backup firmware/Run image without saving: [D/B/R]
11 Type R. The FortiGate firmware image installs and saves to system memory. The FortiGate unit starts running the new firmware image with the current configuration. When you have completed testing the firmware, you can reboot the FortiGate unit and resume using the original firmware.
The following procedure describes how to upgrade to FortiOS 4.0 in the web-based manager. Fortinet recommends using the CLI to upgrade to FortiOS 4.0. The CLI upgrade procedure reverts all current firewall configurations to factory default settings.
To upgrade to FortiOS 4.0 through the web-based manager
1 Download the firmware image file to your management computer.
2 Log in to the web-based manager.
3 Go to System > Status and locate the System Information widget.
4 Beside Firmware Version, select Update.
5 Enter the path and filename of the firmware image file, or select Browse and locate the file.
6 Select OK. The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, restarts, and displays the FortiGate login. This process may take a few minutes. When the upgrade is successfully installed:
ping your FortiGate unit to verify there is still a connection.
clear the browser's cache and log in to the web-based manager.
After logging back in to the web-based manager, you should save the configuration settings that carried forward. Some settings may have carried forward from FortiOS 3.0 MR7, while others may not have, such as certain IPS group settings. Go to System > Maintenance > Backup and Restore to save the configuration settings that carried forward.
Note: After upgrading to FortiOS 4.0, perform an Update Now to retrieve the latest FortiGuard signatures from the FortiGuard Distribution Network (FDN) as these signatures included in the firmware may be older than those currently available on the FDN.
The following procedure uses a TFTP server to upgrade the firmware. The CLI upgrade procedure reverts all current firewall configurations to factory default settings. See the Fortinet Knowledge Center article, Loading FortiGate firmware using TFTP for CLI procedure, for additional information about upgrading firmware in the CLI. The following procedure assumes that you have already downloaded the firmware image to your management computer.
To upgrade to FortiOS 4.0 through the CLI
1 Copy the new firmware image file to the root directory of the TFTP server.
2 Start the TFTP server.
3 Log in to the CLI.
4 Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiGate unit and TFTP server are successfully connected.
5 Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:
execute restore image <name_str> <tftp_ipv4>
Where <name_str> is the name of the firmware image file and <tftp_ipv4> is the IP address of the TFTP server. For example, if the firmware image file name is image.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image image.out 192.168.1.168
The FortiGate unit responds with a message similar to the following:
This operation will replace the current firmware version! Do you want to continue? (y/n)
6 Type y. The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, and restarts. This process takes a few minutes.
7 Reconnect to the CLI.
8 Enter the following command to confirm the firmware image installed successfully:
get system status
9 To update antivirus and attack definitions from the CLI, enter the following:
execute update-now
If you want to update antivirus and attack definitions from the web-based manager instead, log in to the web-based manager and go to System > Maintenance > FortiGuard.
When downgrading to a previous firmware, only the following settings are retained:
operation mode
Interface IP/Management IP
route static table
DNS settings
VDOM parameters/settings
admin user account
session helpers
system accprofiles.
If you created additional settings in FortiOS 4.0, make sure to back up the current configuration before downgrading. For more information, see Backing up your configuration on page 114.
To downgrade through the web-based manager
1 Go to System > Status and locate the System Information widget.
2 Beside Firmware Version, select Update.
3 Enter the path and filename of the firmware image file, or select Browse and locate the file.
4 Select OK. The following message appears:
This version will downgrade the current firmware version. Are you sure you want to continue?
5 Select OK. The FortiGate unit uploads the firmware image file, reverts to the old firmware version, resets the configuration, restarts, and displays the FortiGate login. This process takes a few minutes.
6 Log in to the web-based manager. Go to System > Status to verify that the firmware version under System Information has changed to the correct firmware.
When downgrading to a previous firmware, only the following settings are retained:
operation mode
Interface IP/Management IP
route static table
DNS settings
VDOM parameters/settings
admin user account
session helpers
system accprofiles.
If you have created additional settings in FortiOS 4.0, make sure you back up your configuration before downgrading. For more information, see Backing up your configuration on page 114. The following procedure assumes that you have already downloaded the firmware image to your management computer.
To downgrade through the CLI
1 Copy the new firmware image file to the root directory of the TFTP server.
2 Start the TFTP server.
3 Log in to the CLI.
4 Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiGate unit and TFTP server are successfully connected.
5 Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:
execute restore image tftp <name_str> <tftp_ipv4>
Where <name_str> is the name of the firmware image file and <tftp_ipv4> is the IP address of the TFTP server. For example, if the firmware image file name is image.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image tftp image.out 192.168.1.168
The FortiGate unit responds with the message:
This operation will replace the current firmware version! Do you want to continue? (y/n)
6 Type y. The FortiGate unit uploads the firmware image file. After the file uploads, a message similar to the following is displayed:
Get image from tftp server OK.
Check image OK.
This operation will downgrade the current firmware version! Do you want to continue? (y/n)
7 Type y. The FortiGate unit reverts to the old firmware version, resets the configuration to factory defaults, and restarts. This process takes a few minutes. After the FortiGate unit uploads the firmware, you need to reconfigure your IP address, since the FortiGate unit reverts to default settings, including its default IP address. See your install guide for configuring IP addresses.
8 Reconnect to the CLI.
9 Enter the following command to confirm the firmware image installed successfully:
get system status
See Restoring your configuration on page 123 to restore your previous configuration settings.
5 Enter the following command to copy the backed-up configuration file to the FortiGate unit and restore it:
execute restore allconfig <name_str> <tftp_ipv4> <passwrd>
Where <name_str> is the name of the backed-up configuration file, <tftp_ipv4> is the IP address of the TFTP server, and <passwrd> is the password you entered when you backed up your configuration settings. For example, if the backed-up configuration file is confall, the IP address of the TFTP server is 192.168.1.168, and the password is ghrffdt123:
execute restore allconfig confall 192.168.1.168 ghrffdt123
The FortiGate unit responds with the message:
This operation will overwrite the current settings and the system will reboot! Do you want to continue? (y/n)
6 Type y. The FortiGate unit uploads the backed-up configuration file. After the file uploads, a message similar to the following is displayed:
Getting file confall from tftp server 192.168.1.168
##
Restoring files...
All done. Rebooting...
This may take a few minutes. Use the CLI show shell command to verify your settings are restored, or log in to the web-based manager.
Virtual domains
Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual units that function as multiple independent units. A single FortiGate unit is then flexible enough to serve multiple departments of an organization, separate organizations, or to act as the basis for a service provider's managed security service.
Benefits of VDOMs
Some benefits of VDOMs are:
Easier administration
Continued security maintenance
Savings in physical space and power
Easier administration
VDOMs provide separate security domains that allow separate zones, user authentication, firewall policies, routing, and VPN configurations. Using VDOMs can also simplify administration of complex configurations because you do not have to manage as many routes or firewall policies at one time. For more information, see VDOM configuration settings on page 126. By default, each FortiGate unit has a VDOM named root. This VDOM includes all of the FortiGate physical interfaces, modem, VLAN subinterfaces, zones, firewall policies, routing settings, and VPN settings. You can also assign an administrator account restricted to that VDOM. If the VDOM is created to serve an organization, this feature enables the organization to manage its own configuration. Management systems such as SNMP, logging, alert email, FDN-based updates and NTP-based time setting use addresses and routing in the management VDOM to communicate with the network. They can connect only to network resources that communicate with the management virtual domain. The management VDOM is set to root by default, but you can change it. For more information, see Changing the management VDOM on page 139.
If virtual domain configuration is enabled and you log in as the default super_admin, you can go to System > Status and look at Virtual Domain in the License Information section to see the maximum number of virtual domains supported on your FortiGate unit. For more information on VDOMs, see the FortiGate VLANs and VDOMs Guide.
The following configuration settings are exclusively part of a virtual domain and are not shared between virtual domains. A regular VDOM administrator sees only these settings. The default super_admin can also access these settings, but must first select which VDOM to configure.
Table 6: VDOM configuration settings
Configuration Object: For more information, see
System > Network > Zone: Configuring zones on page 170
System > Network > DNS Database: Configuring FortiGate DNS services on page 177
System > Network > Web Proxy: Configuring the explicit web proxy on page 182
System > Network > Routing Table (Transparent mode): Routing table (Transparent Mode) on page 184
System > Network > Modem: Configuring the modem interface on page 170
System > Wireless > Settings: Wireless settings on page 190
System > Wireless > MAC Filter: Wireless MAC Filter on page 193
System > Wireless > Monitor: Wireless Monitor on page 195
System > Wireless > Rogue AP: Rogue AP detection on page 196
System > DHCP service: Configuring DHCP services on page 200
System > Config > Replacement Message: Replacement messages on page 225
System > Config > Operation mode (NAT/Route or Transparent): Changing operation mode on page 238
System > Config > Management IP (Transparent mode): Changing operation mode on page 238
Router > Static: Router Static on page 313
Router > Dynamic: Router Dynamic on page 333
Router > Monitor: Router Monitor on page 359
Firewall > Policy: Firewall Policy on page 363
Firewall > Address: Firewall Address on page 395
Firewall > Service: Firewall Service on page 401
Firewall > Schedule: Firewall Schedule on page 411
Firewall > Virtual IP: Firewall Virtual IP on page 421
Firewall > Virtual IP > Virtual IP Group: Virtual IP Groups on page 436
Firewall > Virtual IP > IP pool: Configuring IP pools on page 437
Firewall > Load Balance: Firewall Load Balance on page 445
Firewall > Protection Profile: Firewall Protection Profile on page 467
UTM > AntiVirus > File Filter: File Filter on page 513
UTM > Intrusion Protection: Intrusion Protection on page 523
UTM > Web Filter: Web Filter on page 541
Table 6: VDOM configuration settings (continued)

UTM > Email Filter: Email filtering on page 559
UTM > Data Leak Prevention: Data Leak Prevention on page 575
UTM > Application Control: Application Control on page 595
VPN > IPSec: IPSec VPN on page 603
VPN > SSL: SSL VPN on page 625
User > Local: Local user accounts on page 644
User > Remote: Remote on page 647
User > Directory Service: Directory Service on page 654
User > PKI: PKI on page 656
User > User Group: User Group on page 658
User > Options: Settings on page 261
User > Monitor: Monitoring administrators on page 264
WAN optimization and web caching: WAN optimization and web caching on page 675
Endpoint NAC: Endpoint NAC on page 687
Wireless Controller: Wireless Controller on page 697
Log&Report > Logging configuration: Configuring how a FortiGate unit stores logs on page 704
Log&Report > Alert E-mail: Configuring Alert Email on page 709
Log&Report > Event Log: Configuring Event logging on page 711
Log&Report > Log access: Accessing and viewing log messages on page 714
Log&Report > DLP Archive: Viewing DLP Archives on page 719
Log&Report > Report Access: Configuring FortiAnalyzer report schedules on page 721
Table 7: Global configuration settings (configuration object: for more information, see)

System > Network > Interfaces and VLAN subinterfaces: Configuring interfaces on page 145. (You configure interfaces as part of the global configuration, but each interface and VLAN subinterface belongs to a VDOM. You add interfaces to VDOMs as part of the global configuration.)
System > Network > Options > DNS: DNS Servers on page 177
System > Network > Options > Detect Interface Status for Gateway Load Balancing: Configuring interface status detection for gateway load balancing on page 165
System > Admin > Administrators: Administrators on page 241. (You can add global administrators. You can also add administrators to VDOMs. VDOM administrators cannot add or configure administrator accounts.)

Table 7: Global configuration settings (continued)

System > Admin > Admin profiles: Admin profiles on page 254
System > Admin > Central Management configuration: Central Management on page 260
System > Admin > Settings > Idle and authentication time-out: Settings on page 261 and Getting started - User authentication on page 643
System > Admin > Settings > Web-based manager language; LCD panel PIN, where applicable: Settings on page 261
System > Wireless > Settings: Wireless settings on page 190
System > Wireless > MAC Filter: Wireless MAC Filter on page 193
System > Wireless > Monitor: Wireless Monitor on page 195
System > Wireless > Rogue AP: Rogue AP detection on page 196
System > Config > HA: HA on page 205
System > Config > SNMP: SNMP on page 213
System > Config > Replacement Message: Replacement messages on page 225
System > Certificates: System Certificates on page 279
System > Maintenance > Configuration backup and restore: Backing up and restoring on page 290
System > Maintenance > Revision Control: Managing configuration revisions on page 297
System > Maintenance > Scripts: Using script files on page 298
System > Maintenance > FDN update configuration: FortiGuard Distribution Network on page 300
Log&Report > Log Configuration: Configuring how a FortiGate unit stores logs on page 704
Log&Report > Alert E-mail: Configuring Alert Email on page 709
When virtual domains are enabled, the web-based manager and the CLI are changed as follows:
Global and per-VDOM configurations are separated. For more information, see VDOM configuration settings on page 126 and Global configuration settings on page 129.
A new VDOM entry appears under the System option.
Within a VDOM, reduced dashboard menu options are available, and a new Global option appears. Selecting Global exits the current VDOM.
There is no operation mode option at the Global level.
Only super_admin profile accounts can view or configure Global level options. Super_admin profile accounts can configure all VDOMs.
One or more administrators can be configured for each VDOM; however, these admin accounts cannot edit settings for any VDOM to which they are not assigned.
When virtual domains are enabled, the current virtual domain is displayed at the bottom left of the screen, in the format Current VDOM: <name of the virtual domain>.
This section includes:
VDOM licenses
Creating a new VDOM
Disabling a VDOM
Working with VDOMs and global settings
Adding interfaces to a VDOM
Inter-VDOM links
Assigning an interface to a VDOM
Assigning an administrator to a VDOM
Changing the management VDOM
VDOM licenses
All FortiGate units, except the 30B, support 10 VDOMs by default. High-end FortiGate models support the purchase of a VDOM license key from customer service to increase their maximum allowed VDOMs to 25, 50, 100, 250, or 500. Configuring 250 or more VDOMs will result in reduced system performance.
Table 9: VDOM support by FortiGate model

FortiGate model            Supports VDOMs   Default VDOM maximum   Maximum VDOM license
30B                        no               0                      0
Low and mid-range models   yes              10                     10
High-end models            yes              10                     500
Note: Your FortiGate unit has limited resources that are divided amongst all configured VDOMs. These resources include system memory and CPU. When running 250 or more VDOMs, you cannot run Unified Threat Management (UTM) features such as proxies, web filtering, or antivirus; your FortiGate unit can only provide basic firewall functionality.
Tip: If you do not have a System > Maintenance > License tab, your FortiGate model does not support more than 10 VDOMs.
To obtain a VDOM license key
1 Log in to your FortiGate unit using the admin account. Other accounts, such as other super_admin profile accounts, may also have sufficient privileges to install VDOM licenses.
2 Go to System > Status.
3 Record your FortiGate unit serial number as shown in System Information on page 69.
4 Under License Information > Virtual Domains, select Purchase More.
5 You will be taken to the Fortinet customer support web site where you can log in and purchase a license key for 25, 50, 100, 250, or 500 VDOMs.
6 When you receive your license key, go to System > Maintenance > License.
7 In the License Key field, enter the 32-character license key you received from Fortinet customer support.
8 Select Apply.
To verify the new VDOM license, go to System > Status under Global Configuration. In the License Information area under Virtual Domains, VDOMs Allowed shows the maximum number of VDOMs allowed.
Note: VDOMs created on a registered FortiGate unit are recognized as real devices by connected FortiAnalyzer units. FortiAnalyzer units include VDOMs in their total number of registered devices. For example, if three FortiGate units are registered on a FortiAnalyzer unit and they contain a total of four VDOMs, the total number of registered FortiGate units on the FortiAnalyzer unit is seven units. For more information, see the FortiAnalyzer Administration Guide.
Figure 53: New Virtual Domain
To create a new VDOM
1 Log in as a super_admin profile admin.
2 Ensure VDOMs are enabled. For more information, see Enabling virtual domains on page 130.
3 Go to System > VDOM.
4 Select Create New.
5 Enter a name for the new VDOM, up to a maximum of 11 characters. This name cannot be changed.
6 Optionally enter a comment for the VDOM, up to a maximum of 63 characters.
7 Select OK.
Disabling a VDOM
When you have multiple VDOMs configured, it can be useful to disable one VDOM temporarily instead of deleting and re-creating it later. Disabling can be used during initial configuration, equipment changes, or even a DoS attack. A disabled VDOM has an empty Enable checkbox. A VDOM with a greyed-out checkbox is the management VDOM and cannot be disabled. Re-enabling is simply a matter of checking the Enable box and answering the prompt.
To disable a VDOM
1 Log in as a super_admin profile admin.
2 Go to System > VDOM.
3 For the VDOM to be disabled, clear the Enable checkbox.
4 Confirm your choice when prompted.
Create New: Select to add a new VDOM. Enter the new VDOM name and select OK. The VDOM must not have the same name as an existing VDOM, VLAN or zone. The VDOM name can have a maximum of 11 characters and must not contain spaces.
Management VDOM: Change the management VDOM to the selected VDOM in the list. The management VDOM is then grayed out in the Enable column. The default management VDOM is root. For more information, see Changing the management VDOM on page 139.
Apply: Select to save your changes to the Management VDOM.
Enable: There are three states this column can be in. A green check mark indicates this VDOM is enabled, and that you can select the Enter icon to change to that VDOM. An empty check box indicates this VDOM is disabled. When disabled, the configuration of that VDOM is preserved. The Enter icon is not available. A grayed-out check box indicates this VDOM is the management VDOM. It cannot be deleted or disabled; it is always active.
Name: The name of the VDOM.
Operation Mode: The VDOM operation mode, either NAT or Transparent. When a VDOM is in Transparent mode, SNMP can display the management address, address type and subnet mask for that VDOM. For more information, see SNMP on page 213.
Interfaces: The interfaces associated with this VDOM, including virtual interfaces. Every VDOM includes an SSL VPN virtual interface named for that VDOM. For the root VDOM this interface is ssl.root.
Comments: Comments added by an admin when this VDOM was created.
Delete icon: Delete the VDOM. The Delete icon appears only when there are no configuration objects associated with that VDOM. For example, you must remove all referring interfaces, profiles, and so on before you can delete the VDOM. If the icon does not appear and you do not want to delete all the referring configuration, you can disable the VDOM instead. The disabled VDOM configuration remains in memory, but the VDOM is not usable until it is enabled.
Edit icon: Change the description of the VDOM. The name of the VDOM cannot be changed.
Enter icon: Enter the selected VDOM. After entering a VDOM you will only be able to view and change settings specific to that VDOM. This icon is not displayed for disabled VDOMs.
Inter-VDOM links
An inter-VDOM link is a pair of interfaces that enables you to communicate between two VDOMs internally without using a physical interface. Inter-VDOM links have the same security as physical interfaces, but allow more flexible configurations that are not limited by the number of physical interfaces on your FortiGate unit. As with all virtual interfaces, the speed of the link depends on the CPU load, but generally it is faster than physical interfaces. There are no MTU settings for inter-VDOM links.
A packet can pass through an inter-VDOM link a maximum of three times. This is to prevent a loop. When traffic is encrypted or decrypted, the content of the packets changes and this resets the inter-VDOM counter. However, using IPIP or GRE tunnels does not reset the counter.
In HA mode, inter-VDOM links must have both ends of the link within the same virtual cluster. DHCP over IPSec is supported for inter-VDOM links; however, regular DHCP services are not available on them.
To view inter-VDOM links, go to System > Network > Interface. When an inter-VDOM link is created, it automatically creates a pair of virtual interfaces that correspond to the two internal VDOMs. Each of the virtual interfaces is named using the inter-VDOM link name with an added 0 or 1. So if the inter-VDOM link is called vlink, the interfaces are vlink0 and vlink1. Select the Expand Arrow beside the VDOM link to display the virtual interfaces.
Note: Inter-VDOM links cannot refer to a domain that is in transparent mode.
To create an inter-VDOM link
1 Log in as admin.
2 Go to System > Network > Interface.
3 Select the arrow on the Create New button.
4 Select VDOM link. You will see the New VDOM Link screen.
5 Enter the name for the new VDOM link, up to a maximum of 11 characters. The name must not contain any spaces or special characters. Hyphens (-) and underscores (_) are allowed. Remember that the name will have a 0 or 1 appended to form the names of the actual interfaces.
6 Configure VDOM link 0.
7 Select the VDOM from the menu that this interface will connect to.
8 Enter the IP address and netmask for this interface.
9 Select the administrative access method or methods. Keep in mind that PING, TELNET, and HTTP are less secure methods; TELNET and HTTP carry administrator credentials in cleartext.
10 Optionally enter a description for this interface.
11 Repeat steps 7 through 10 for VDOM link 1.
12 Select OK to save your configuration and return to the System > Interface screen.
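The following Python script is an added example, not part of this guide or of FortiOS. It applies the naming and placement rules stated in the two procedures above (the VDOM name rules from Creating a new VDOM, and the inter-VDOM link rules from this procedure, including the derived vlink0/vlink1 interface names, the transparent-mode restriction and the HA virtual cluster restriction) to a proposed configuration before it is typed into the web-based manager. The VDOM mode table, the virtual cluster map and the existing interface list it takes are assumed inputs. Two of its checks are assumptions not spelled out in the guide: that the two ends of a link must be in different VDOMs, and that the derived interface names must not already exist.

```python
import re

# Limits the guide states for VDOM names, VDOM comments and inter-VDOM link names.
NAME_MAX_LEN = 11
COMMENT_MAX_LEN = 63
# Link names: letters, digits, hyphen and underscore only (no spaces or other special characters).
LINK_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def validate_vdom_name(name, existing_vdoms=(), existing_vlans=(), existing_zones=()):
    """Return a list of problems with a proposed VDOM name; an empty list means it is acceptable.

    Rules from the guide: at most 11 characters, no spaces, and not the name of an
    existing VDOM, VLAN interface or zone.
    """
    problems = []
    if not name:
        problems.append("name is empty")
    if len(name) > NAME_MAX_LEN:
        problems.append(f"name is longer than {NAME_MAX_LEN} characters")
    if " " in name:
        problems.append("name contains a space")
    if name in set(existing_vdoms) | set(existing_vlans) | set(existing_zones):
        problems.append("name is already used by a VDOM, VLAN or zone")
    return problems


def validate_comment(comment):
    """The optional VDOM comment is limited to 63 characters."""
    return len(comment) <= COMMENT_MAX_LEN


def link_interface_names(link_name):
    """The two virtual interfaces a VDOM link creates: <name>0 and <name>1 (e.g. vlink0, vlink1)."""
    return (link_name + "0", link_name + "1")


def validate_vdom_link(link_name, vdom0, vdom1, vdom_modes, ha_cluster=None, existing_interfaces=()):
    """Return a list of problems with a proposed inter-VDOM link.

    vdom_modes maps VDOM name -> "nat" or "transparent" (a link cannot terminate in a
    transparent-mode VDOM). ha_cluster, if given, maps VDOM name -> virtual cluster id;
    in HA both ends must be in the same cluster. existing_interfaces holds interface
    names already configured. The "two different VDOMs" and "derived interface names
    must be unused" checks are assumptions, not rules the guide spells out.
    """
    problems = []
    if not link_name or len(link_name) > NAME_MAX_LEN:
        problems.append(f"link name must be 1 to {NAME_MAX_LEN} characters")
    elif not LINK_NAME_RE.match(link_name):
        problems.append("link name may only contain letters, digits, '-' and '_'")
    if vdom0 == vdom1:
        problems.append("both ends of the link are in the same VDOM")
    for vdom in dict.fromkeys((vdom0, vdom1)):  # each end once, in order
        mode = vdom_modes.get(vdom)
        if mode is None:
            problems.append(f"VDOM {vdom!r} does not exist")
        elif mode == "transparent":
            problems.append(f"VDOM {vdom!r} is in transparent mode and cannot terminate a VDOM link")
    if ha_cluster is not None and ha_cluster.get(vdom0) != ha_cluster.get(vdom1):
        problems.append("in HA, both ends of a VDOM link must be in the same virtual cluster")
    for ifname in link_interface_names(link_name):
        if ifname in existing_interfaces:
            problems.append(f"interface name {ifname!r} already exists")
    return problems
```

Run the checks against the VDOM list, VLAN and zone names and interface list exported from the unit before creating objects; a name rejected here would also be rejected by the web-based manager, but catching it in a change script avoids a half-applied change.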
Before removing these configurations, it is recommended that you back up your configuration, so you can restore it if you want to create this VDOM again at a later date. Delete the items in this list, or modify them so that they no longer refer to the interface, before proceeding. The VDOM field on the Edit screen for that interface is no longer greyed out and locked once no objects refer to that interface.
FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20091022 http://docs.fortinet.com/
Note: You can reassign or remove an interface or subinterface once the Delete icon is displayed. Absence of the icon means that the interface is being used in a configuration somewhere. Tip: You can disable a VDOM instead of deleting it. Your configuration will be preserved, saving time you would otherwise need to remove and reconfigure it. For more information, see Working with VDOMs and global settings on page 134.
To assign an interface to a VDOM
1 Log in as admin.
2 Go to System > Network > Interface.
3 Select Edit for the interface that you want to reassign.
4 Select the new virtual domain for the interface.
5 Configure other settings as required and select OK. For more information, see Configuring interface settings on page 151.
The interface is assigned to the VDOM. Existing firewall virtual IP addresses for this interface are deleted. You should manually delete any routes that refer to this interface, and create new routes for this interface in the new VDOM. Otherwise your network traffic will not be properly routed. For more information on creating static routes, see Router Static on page 313.
To assign an administrator to a VDOM
1 Log in as the super_admin.
2 Ensure that virtual domains are enabled. For more information, see Enabling virtual domains on page 130.
3 Go to System > Admin > Administrators.
4 Create a new administrator account or select the Edit icon of an existing administrator account.
5 Go to the Virtual Domain list.
6 Select the VDOM that this administrator manages. Administrators are assigned to a specific VDOM when the account is created unless they are super_admin administrators. For more information, see Configuring an administrator account on page 244.
7 Configure other settings as required. For detailed information, see Configuring an administrator account on page 244.
8 Select OK.
Changing the management VDOM

Before you change the management VDOM, ensure that virtual domains are enabled on the system dashboard screen. For more information, see Enabling virtual domains on page 130. Only one VDOM can be the management VDOM at any given time. Global events are logged with the VDOM set to the management VDOM.
Note: You cannot change the management VDOM if any administrators are using RADIUS authentication.
To change the management VDOM
1 Go to System > VDOM.
2 From the list of VDOMs, select the VDOM to be the new management VDOM. This list is located to the immediate left of the Apply button.
3 Select Apply to make the change. At the prompt, confirm the change.
Management traffic will now originate from the new management VDOM.
SSL VPN: The number of SSL VPN user sessions that can be started in a VDOM. When this limit is reached the VDOM displays a system busy message instead of the login page when a user attempts to log in to start an SSL VPN session.

Static resources are controlled by limits in the FortiGate configuration. These limits vary by model and are listed in the FortiGate Maximum Values Matrix. Limiting static resources does not limit the amount of traffic that the VDOM processes. Instead, limiting static resources controls the number of configuration elements that can be added to a VDOM. You can set the following static resource limits:
The number of VPN IPSec Phase 1 and Phase 2 tunnels that can be added to a VDOM configuration. The number of tunnels is limited by the maximum values for the FortiGate model.
The number of Firewall policies, Protection Profiles, Firewall Addresses, Firewall Address Groups, Firewall Custom Services, Firewall Service Groups, Firewall One-Time Schedules, and Firewall Recurring Schedules that can be added to a VDOM configuration.
The number of Local Users and User Groups that can be added to a VDOM configuration.
Figure 57: Configuring global resource limits that apply to all VDOMs
Resource: Name of the resource. Includes dynamic and static resources.
Configured Maximum: The maximum amount of the resource allowed for each VDOM. This amount matches the default maximum until you change it.
Default Maximum: The default maximum value for each VDOM for this resource. This value depends on the FortiGate model. Dynamic resources (Sessions, Dial-up Tunnels, and SSL VPN) do not have default maximums, so the default maximum for dynamic resources is always 0 (meaning unlimited). Static resources may have a limit set or may be set to 0, meaning they are limited by the resource limit configuration.
Note: If you set the maximum resource usage for a VDOM you cannot reduce the default maximum global limit for all VDOMs below this maximum.
Current Usage: The amount of the resource currently in use. For dynamic resources, current usage is the number of sessions or tunnels currently in use. For static resources, current usage is the number of configuration items added to the FortiGate unit.
Edit icon: Change the configured maximum for this resource. The Edit Global Resource Limits dialog box lists the valid range of values for the configured maximum. You can set the maximum to zero to set no limit, which means the resource is limited by other factors such as system capacity or max values.
Reset icon: Reset the Configured Maximum to the Default Maximum value.
The Maximum value limits the amount of the resource that can be used by the VDOM. When you add a VDOM, all maximum resource usage settings are 0 indicating that resource limits for this VDOM are controlled by the global resource limits. You do not have to override the maximum settings unless you need to override global limits to further limit the resources available for the VDOM. You cannot set maximum resource usage higher in a VDOM than the corresponding global resource limit.
Note: To set global resource limits go to System > VDOM > Global Resources. See Setting VDOM global resource limits on page 140
The Guaranteed value represents the minimum amount of the resource available for that VDOM. Setting the guaranteed value makes sure that other VDOMs do not use all of a resource. A guaranteed value of 0 means that an amount of this resource is not guaranteed for this VDOM. You only have to change guaranteed settings if your FortiGate may become low on resources and you want to guarantee that a minimum level is available for this VDOM.
Resource: Name of the resource. Includes dynamic and static resources.
Maximum: Override the global limit to reduce the amount of each resource available for this VDOM. The maximum must be the same as or lower than the global limit. The default value is 0, which means the maximum is the same as the global limit.
Note: If you set the maximum resource usage for a VDOM you cannot reduce the default maximum global limit for all VDOMs below this maximum.
Guaranteed: Enter the minimum amount of the resource available to this VDOM regardless of usage by other VDOMs. The default value is 0, which means that an amount of this resource is not guaranteed for this VDOM.
Current: The amount of the resource that this VDOM currently uses.
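The following Python functions are an added example, not part of this guide or of FortiOS. They model the global and per-VDOM resource limit rules described in the preceding sections (0 means "no limit at this level", a VDOM maximum cannot exceed the global limit, the global limit cannot be reduced below a VDOM maximum, and a guarantee is a minimum that other VDOMs cannot consume) so that a planned set of limits can be sanity-checked before it is entered. The rule that a guarantee cannot exceed the VDOM's effective maximum, the over-commit check on the sum of guarantees, and the session admission model in may_allocate are simplifications assumed here, not behaviour the guide documents.

```python
# 0 means "no limit at this level", exactly as in the web-based manager.
UNLIMITED = 0


def effective_maximum(global_max, vdom_max):
    """The most a VDOM may use of a resource: its own override if set, otherwise the global limit.
    A result of 0 means unlimited at both levels (bounded only by system capacity or max values)."""
    return vdom_max if vdom_max != UNLIMITED else global_max


def check_vdom_limits(global_max, vdom_max, guaranteed):
    """Problems with one VDOM's (maximum, guaranteed) settings for a resource.

    From the guide: a VDOM maximum cannot exceed the global limit. That a guarantee cannot
    exceed the VDOM's effective maximum is an assumption added here.
    """
    problems = []
    if vdom_max < 0 or guaranteed < 0:
        problems.append("limits cannot be negative")
    if global_max != UNLIMITED and vdom_max > global_max:
        problems.append(f"VDOM maximum {vdom_max} exceeds global limit {global_max}")
    effective = effective_maximum(global_max, vdom_max)
    if effective != UNLIMITED and guaranteed > effective:
        problems.append(f"guaranteed {guaranteed} exceeds effective maximum {effective}")
    return problems


def can_reduce_global_limit(new_global_max, vdom_maxima):
    """From the guide: the global maximum cannot be reduced below any VDOM's configured maximum."""
    if new_global_max == UNLIMITED:
        return True
    return all(m <= new_global_max for m in vdom_maxima)


def unreserved_capacity(global_max, per_vdom):
    """Capacity left once every VDOM's guarantee is set aside; None if the global limit is
    unlimited, negative if the guarantees over-commit the resource (assumed sanity check).
    per_vdom maps VDOM name -> (maximum, guaranteed)."""
    if global_max == UNLIMITED:
        return None
    return global_max - sum(guaranteed for _, guaranteed in per_vdom.values())


def may_allocate(global_max, per_vdom, usage, vdom):
    """Whether `vdom` may take one more unit of a dynamic resource such as a session.

    Simplified model of the guide's semantics: a VDOM never exceeds its effective maximum,
    and capacity that other VDOMs are still owed under their guarantees is not handed out
    to a VDOM that has already used up its own guarantee. usage maps VDOM name -> units in use.
    """
    vdom_max, vdom_guaranteed = per_vdom[vdom]
    effective = effective_maximum(global_max, vdom_max)
    if effective != UNLIMITED and usage[vdom] >= effective:
        return False
    if global_max == UNLIMITED:
        return True
    in_use = sum(usage.values())
    if in_use >= global_max:
        return False
    owed_to_others = sum(max(guaranteed - usage[other], 0)
                         for other, (_, guaranteed) in per_vdom.items() if other != vdom)
    if in_use + owed_to_others >= global_max:
        return usage[vdom] < vdom_guaranteed
    return True
```

The point of unreserved_capacity is the one the web-based manager does not show directly: if the guarantees across all VDOMs add up to more than the global limit, at least one guarantee cannot be honoured under load, so check that sum before relying on a guarantee for a tenant VDOM.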
System Network

This section describes how to configure your FortiGate unit to operate in your network. Basic network settings include configuring FortiGate interfaces and DNS options. More advanced configuration includes adding zones and VLAN subinterfaces to the FortiGate network configuration. Optional configurations also include configuring the FortiGate unit as a DNS server and an explicit web proxy server.
If you enable virtual domains (VDOMs) on the FortiGate unit, you configure interface and networking options globally for the entire FortiGate unit. All interface settings, including adding interfaces to VDOMs, are part of the global configuration. You configure zones, the modem interface, the DNS database, the explicit web proxy, and the Transparent mode routing table separately for each VDOM. For more information, see Using virtual domains on page 125.
Note: Unless stated otherwise, the term interface can refer to either a physical FortiGate interface or to a virtual FortiGate VLAN subinterface.
Note: If you can enter both an IP address and a netmask in the same field, you can use the short form of the netmask. For example, 192.168.1.100/255.255.255.0 can also be entered as 192.168.1.100/24.
This section describes:
Configuring interfaces
Configuring zones
Configuring the modem interface
Configuring Networking Options
Configuring FortiGate DNS services
Configuring the explicit web proxy
Configuring WCCP
Routing table (Transparent Mode)
Configuring interfaces
Go to System > Network > Interface to configure FortiGate interfaces. Many interface options are available. Different options are available in NAT/Route mode and in Transparent mode. Some of the options available include:
modify the configuration of a physical interface
add VLAN subinterfaces
aggregate several physical interfaces into an IEEE 802.3ad aggregate interface (some models)
combine several physical interfaces into a redundant interface (some models)
add loopback interfaces
add wireless interfaces (FortiWiFi models) and service set identifiers (SSIDs)
add VDOM links on FortiGate units with multiple VDOMs enabled
configure the modem interface (on some models)
detect interface status for gateway load balancing
change the information displayed about the interfaces
configure a virtual wireless access point (VAP) interface
Figure 61: Example switch mode interface list (on supported models)
Create New: Select Create New to add a new interface. Depending on the model you can add a VLAN interface, a loopback interface, an IEEE 802.3ad aggregated interface, or a redundant interface. See Adding VLAN interfaces on page 158, Adding loopback interfaces on page 158, Adding 802.3ad aggregate interfaces on page 159, and Adding redundant interfaces on page 160. When VDOMs are enabled, you can also select Create New to add inter-VDOM links. For more information see Inter-VDOM links on page 136.
Switch Mode: On supported models, select Switch Mode to change between switch mode and interface mode. Switch mode combines some FortiGate interfaces into one switch with one IP address. Interface mode allows you to configure them as separate interfaces. On some FortiGate models you can also select Hub Mode. Hub mode is similar to switch mode except that in hub mode the interfaces do not learn the MAC addresses of the devices on the network they are connected to and may also respond quicker to network changes. Normally, you would only select Hub Mode if you are having network performance issues when operating with switch mode. The configuration of the FortiGate unit is the same whether in switch mode or hub mode. Before switching modes, all configuration settings for the interfaces affected by the change must be set to defaults. When you select Switch Mode the web-based manager displays the list of affected interfaces. See Switch Mode on page 150.
Show Backplane Interfaces: Select to make FortiGate-5000 series backplane interfaces visible. Once visible, these interfaces can be configured as regular physical interfaces.
Column Settings: Select to change the columns of information that are displayed on the interface list. For more information, see Using column settings to control the columns displayed on page 61.
Description icon: Display a description for the interface if one has been added. For more information, see Configuring interface settings on page 151.
Name: The names of the physical interfaces on your FortiGate unit. This includes any alias names that have been configured. The names of the physical interfaces depend on the model. Some names indicate the default function of the interface such as internal, external, wan1 (wide area network), wlan (wireless LAN) and dmz. Other names are more generic such as port1, port20, and so on. Some FortiGate models also include a modem interface named modem. See Configuring the modem interface on page 170. When you combine several interfaces into an aggregate or redundant interface, only the aggregate or redundant interface is listed, not the component interfaces. See Adding 802.3ad aggregate interfaces on page 159 or Adding redundant interfaces on page 160. On FortiGate models that support switch mode, the individual interfaces in the switch are not displayed when in switch mode. For more information, see Switch Mode on page 150. If you have added VLAN interfaces, they also appear in the name list, below the physical or aggregated interface to which they have been added. See the FortiGate VLANs and VDOMs Guide. If you have added loopback interfaces, they also appear in the interface list, below the physical interface to which they have been added. If you have software switch interfaces configured, you will be able to view them. For more information, see Adding software switch interfaces on page 169. If you have interface mode enabled on a FortiGate model with a switch interface, you will see multiple internal interfaces. If switch mode is enabled, there will only be one internal interface. For more information see Switch Mode on page 150. If your FortiGate unit supports AMC modules and you have installed an AMC module containing interfaces (for example, the ASM-FB4 contains 4 interfaces), these interfaces are added to the interface status display. The interfaces are named amc-sw1/1, amc-dw1/2, and so on. sw1 or dw1 indicates a single-width or double-width card respectively in slot 1. The last number, /1, indicates the interface number on that card; for the ASM-FB4 card there would be /1 through /4.
IP/Netmask: The current IP address/netmask of the interface. In VDOM mode, when VDOMs are not all in NAT or Transparent mode, some values may not be available for display and will be displayed as - instead. When IPv6 Support is enabled on the web-based manager, IPv6 addresses may be displayed in this column.
Access: The administrative access configuration for the interface. For more information, see Configuring administrative access to an interface on page 165.
Administrative Status: The administrative status for the interface. If the administrative status is a green arrow, the interface is up and can accept network traffic. If the administrative status is a red arrow, the interface is administratively down and cannot accept traffic. To change the administrative status of an interface, select the Edit icon to edit the interface and change the Administrative Status setting for the interface.
Link Status: The status of the interface physical connection. Link status can be either up or down. If link status is up there is an active physical connection between the physical interface and a network switch. If link status is down the interface is not connected to the network or there is a problem with the connection. You cannot change link status from the web-based manager. Link status is only displayed for physical interfaces.
MAC: The MAC address of the interface.
Mode: Shows the addressing mode of the interface. The addressing mode can be manual, DHCP, or PPPoE.
MTU: The maximum number of bytes per transmission unit (MTU) for the interface. See Changing interface MTU packet size on page 167.
Secondary IP: Displays the secondary IP addresses added to the interface. See Adding secondary IP addresses to an interface on page 167.
Type: The type of the interface. Valid types include:
Physical - a physical network interface, including the modem interface
VLAN - a VLAN interface
Aggregate - a group of 802.3ad aggregated interfaces
Redundant - a group of redundant interfaces
VDOM Link - a pair of virtual interfaces that link two VDOMs
Pair - two interfaces that are joined together, such as the two ends of a VDOM link
Switch - two or more interfaces joined together to create a software switch interface
Tunnel - a virtual IPSec VPN interface
VAP - a wireless controller virtual access point (VAP or virtual AP) interface
Virtual Domain: The virtual domain to which the interface belongs. This column is visible when VDOM configuration is enabled.
VLAN ID: The configured VLAN ID for VLAN subinterfaces.
Delete icon: Delete the interface. Available for interfaces added by selecting Create New. For example, you can delete VLAN, loopback, aggregate, and redundant interfaces. You can only delete an interface if it is not used in another configuration.
Edit icon: Change the interface configuration.
View icon: View the interface configuration.
Switch Mode
Select switch mode to switch a group of related FortiGate interfaces to operate as a multiport switch with one IP address. Switch mode is available on FortiGate models with switch hardware.
Note: From the FortiGate CLI you can also add software switch interfaces. See Adding software switch interfaces on page 169.
The switch mode feature has two states - switch mode and interface mode. Switch mode is the default mode with only one interface and one address for the entire internal switch. Interface mode allows you to configure each of the internal switch physical interface connections separately. This allows you to assign different subnets and netmasks to each of the internal physical interface connections. Selecting Switch Mode on the System > Network > Interface screen displays the Switch Mode Management screen.
Caution: Before you are able to change between switch mode and interface mode, all configuration settings for the affected interfaces must be set to defaults. This includes firewall policies, routing, DNS forwarding, DHCP services, and VDOM interface assignments. If they are not removed, you will not be able to switch modes, and you will see an error message. The web-based manager displays the list of affected interfaces.
Figure 63: Switch Mode Management
Switch Mode: Select Switch Mode. Only one internal interface is displayed. This is the default mode.
Interface Mode: Select Interface Mode. All internal interfaces on the switch are displayed as individually configurable interfaces.
Hub Mode: On some FortiGate models you can select Hub Mode. Hub mode is similar to switch mode except that in hub mode the interfaces do not learn the MAC addresses of the devices on the network they are connected to and may also respond quicker to network changes in some circumstances. You should only select Hub Mode if you are having network performance issues when operating with switch mode. The configuration of the FortiGate unit is the same whether in switch mode or hub mode.
Name: The name of the interface. You can specify and change the names of VLAN,
You cannot change the name of an existing interface. The interface display also includes the MAC address of the physical interface.
Alias: Enter another name for the interface that will easily distinguish this interface from another. This is available only for physical interfaces, where you cannot configure the name. The alias can be a maximum of 15 characters. The alias is not part of the interface name, but it will appear in brackets beside the interface name. It will not appear in logs.
Link Status: Indicates whether the interface is connected to a network (link status is Up) or not (link status is Down).
Type: When adding a new interface, set Type to the type of interface that you want to add:
Set Type to VLAN to add a VLAN interface. See Adding VLAN interfaces on page 158.
Set Type to Loopback Interface to add a loopback interface. See Adding loopback interfaces on page 158.
On some models you can set Type to 802.3ad Aggregate to add an aggregate interface. See Adding 802.3ad aggregate interfaces on page 159.
On some models you can set Type to Redundant Interface to add a redundant interface. See Adding redundant interfaces on page 160.
VLAN ID
Virtual Domain: Select the virtual domain to add the interface to. Admin accounts with the super-admin profile can change the Virtual Domain.
Physical Interface Members: This section has two different forms depending on the interface type:
Software switch interface: this section is a display-only field showing the interfaces that belong to the software switch virtual interface. See Adding software switch interfaces on page 169.
802.3ad aggregate or Redundant interface: this section includes Available Interfaces and Selected Interfaces lists to enable adding or removing interfaces from the interface. See Adding 802.3ad aggregate interfaces on page 159 and Adding redundant interfaces on page 160.
Available Interfaces: Select interfaces from this list to include in the grouped interface, either a redundant or an aggregate interface. Select the right arrow to add an interface to the grouped interface.
Selected Interfaces: These interfaces are included in the aggregate or redundant interface. Select the left arrow to remove an interface from the grouped interface. For redundant interfaces, the interfaces will be activated during failover from the top of the list to the bottom.
Addressing mode: Select the addressing mode for the interface.
Select Manual and add an IP/Netmask for the interface. If IPv6 configuration is enabled you can add both an IPv4 and an IPv6 address.
Select DHCP to get the interface IP address and other network settings from a DHCP server. See Configuring DHCP on an interface on page 161.
Select PPPoE to get the interface IP address and other network settings from a PPPoE server. See Configuring PPPoE on an interface on page 162.
IP/Netmask: If Addressing Mode is set to Manual, enter an IPv4 address/subnet mask for the interface. Two FortiGate interfaces cannot have IP addresses on the same subnet.
IPv6 Address: If Addressing Mode is set to Manual and IPv6 support is enabled on the web-based manager, enter an IPv6 address/subnet mask for the interface. A single interface can have both an IPv4 and an IPv6 address, or just one or the other.
Enable one-arm sniffer: Select to configure this interface to operate as a one-armed sniffer, as part of configuring a FortiGate unit to operate as an IDS appliance by sniffing packets for attacks without actually receiving and otherwise processing the packets. Once the interface is enabled for sniffing you cannot use the interface for other traffic. You must add sniffer policies for the interface to actually sniff packets. For more information on one-armed IPS, see Firewall Policy, Using one-arm sniffer policies to detect network attacks on page 382.
Enable explicit Web Proxy: Select to enable explicit web proxying on this interface. When enabled, this interface will be displayed on System > Network > Web Proxy under Listen on Interfaces and web traffic on this interface will be proxied according to the Web Proxy settings. For more information, see Configuring the explicit web proxy on page 182.
Enable DDNS: Select Enable DDNS to configure a Dynamic DNS service for this interface. For more information, see Configuring Dynamic DNS on an interface on page 163.
Override Default MTU Value: To change the MTU, select Override default MTU value (1 500) and enter the MTU size based on the addressing mode of the interface:
68 to 1 500 bytes for static mode
576 to 1 500 bytes for DHCP mode
576 to 1 492 bytes for PPPoE mode
larger frame sizes if supported by the FortiGate model
Only available on physical interfaces. Virtual interfaces associated with a physical interface inherit the physical interface MTU size. For more information on MTU size, see Changing interface MTU packet size on page 167.
Note: In Transparent mode, if you change the MTU of an interface, you must change the MTU of all interfaces to match the new MTU.
Enable DNS Query: Select to configure the interface to accept DNS queries. Select recursive or nonrecursive. For more information, see Configuring FortiGate DNS services on page 177.
recursive: Look up domain names in the FortiGate DNS database. If the entry is not found, relay the request to the DNS servers configured under System > Network > Options.
nonrecursive: Look up domain names in the FortiGate DNS database. Do not relay the request to the DNS servers configured under System > Network > Options.
Administrative Access: Select the types of administrative access permitted for IPv4 connections to this interface.
IPv6 Administrative Access: Select the types of administrative access permitted for IPv6 connections to this interface.
HTTPS: Allow secure HTTPS connections to the web-based manager through this interface.
PING: Interface responds to pings. Use this setting to verify your installation and for testing.
HTTP: Allow HTTP connections to the web-based manager through this interface. HTTP connections are not secure and can be intercepted by a third party.
SSH: Allow SSH connections to the CLI through this interface.
SNMP: Allow a remote SNMP manager to request SNMP information by connecting to this interface. See Configuring SNMP on page 214.
TELNET: Allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party.
Detect Interface Status for Gateway Load Balancing: Configure interface status detection for the main interface IP address. See Configuring interface status detection for gateway load balancing on page 165.
Secondary IP Address: Add additional IPv4 addresses to this interface. Select the blue arrow to expand or hide the section. See Adding secondary IP addresses to an interface on page 167.
Description: Enter a description up to 63 characters to describe the interface.
Administrative Status: Select either Up (green arrow) or Down (red arrow) as the status of this interface. Up indicates the interface is active and can accept network traffic. Down indicates the interface is not active and cannot accept traffic.
4 Select OK.
To add a loopback interface - CLI
The CLI command to configure a loopback interface called loop1 with an IP address of 10.0.0.10 is:
config system interface
    edit loop1
        set type loopback
        set ip 10.0.0.10 255.255.255.0
end
For more information, see config system interface in the FortiGate CLI Reference.
Interfaces included in an aggregate interface are not listed on the System > Network > Interface list. You cannot configure the interface individually and it is not available for inclusion in firewall policies, firewall virtual IPs, or routing.
Figure 67: Settings for an 802.3ad aggregate interface
159
Configuring interfaces
System Network
To create an 802.3ad Aggregate interface
1 Go to System > Network > Interface.
2 Select Create New.
3 In the Name field, enter a name for the aggregated interface. The interface name must be different from any other interface, zone or VDOM.
4 From the Type list, select 802.3ad Aggregate.
5 In the Available Interfaces list, move two or more interfaces to include in the aggregate interface to the Selected Interfaces list.
6 Configure other interface options as required. See Configuring interface settings on page 151.
7 Select OK.
When an interface is included in a redundant interface, it is not listed on the System > Network > Interface page. You cannot configure the interface individually and it is not available for inclusion in firewall policies, VIPs, or routing.
Figure 68: Settings for a redundant interface
160
System Network
Configuring interfaces
To create a redundant interface
1 Go to System > Network > Interface.
2 Select Create New.
3 In the Name field, enter a name for the redundant interface. The interface name must be different from any other interface, zone or VDOM.
4 From the Type list, select Redundant Interface.
5 In the Available Interfaces list, select each interface that you want to include in the redundant interface and move it to the Selected Interfaces list. In a failover situation, the interface activated will be the next interface down the Selected Interfaces list.
6 Configure other interface options as required. See Configuring interface settings on page 151.
7 Select OK.
Status: Displays DHCP status messages as the interface connects to the DHCP server and gets addressing information. Select Status to refresh the addressing mode status message. Status can be one of:
initializing: No activity.
connecting: The interface is attempting to connect to the DHCP server.
connected: The interface retrieves an IP address, netmask, and other settings from the DHCP server.
failed: The interface was unable to retrieve an IP address and other settings from the DHCP server.
Obtained IP/Netmask: The IP address and netmask leased from the DHCP server. Only displayed if Status is connected.
Renew: Select to renew the DHCP lease for this interface. Only displayed if Status is connected.
Expiry Date: The time and date when the leased IP address and netmask are no longer valid. Only displayed if Status is connected.
Default Gateway: The IP address of the gateway defined by the DHCP server. Only displayed if Status is connected and if Receive default gateway from server is selected.
Distance: Enter the administrative distance for the default gateway retrieved from the DHCP server. The administrative distance, an integer from 1-255, specifies the relative priority of a route when there are multiple routes to the same destination. A lower administrative distance indicates a more preferred route. The default distance for the default gateway is 5.
Receive default gateway from server: Enable to retrieve a default gateway IP address from the DHCP server. The default gateway is added to the static routing table. Enabled by default on low-end models.
Override internal DNS: Enable to use the DNS addresses retrieved from the DHCP server instead of the DNS server IP addresses on the DNS page. On low-end models, this is enabled by default. When VDOMs are enabled, you can override the internal DNS only on the management VDOM.
Status: Displays PPPoE status messages as the FortiGate unit connects to the PPPoE server and gets addressing information. Select Status to refresh the addressing mode status message. Only displayed if you selected Edit. Status can be one of the following four messages:
initializing: No activity.
connecting: The interface is attempting to connect to the PPPoE server.
connected: The interface retrieves an IP address, netmask, and other settings from the PPPoE server. When the status is connected, PPPoE connection information is displayed.
failed: The interface was unable to retrieve an IP address and other information from the PPPoE server.
Reconnect: Select to reconnect to the PPPoE server. Only displayed if Status is connected.
User Name: The PPPoE account user name.
Password: The PPPoE account password.
Unnumbered IP: Specify the IP address for the interface. If your ISP has assigned you a block of IP addresses, use one of them. Otherwise, this IP address can be the same as the IP address of another interface or can be any IP address.
Initial Disc Timeout: Enter the initial discovery timeout. Enter the time to wait before starting to retry a PPPoE discovery.
Initial PADT timeout: Enter the initial PPPoE Active Discovery Terminate (PADT) timeout in seconds. Use this timeout to shut down the PPPoE session if it is idle for this number of seconds. PADT must be supported by your ISP. Set the initial PADT timeout to 0 to disable it.
Distance: Enter the administrative distance for the default gateway retrieved from the PPPoE server. The administrative distance, an integer from 1-255, specifies the relative priority of a route when there are multiple routes to the same destination. A lower administrative distance indicates a more preferred route. The default distance for the default gateway is 1.
Retrieve default gateway from server: Enable to retrieve a default gateway IP address from a PPPoE server. The default gateway is added to the static routing table.
Override internal DNS: Enable to replace the DNS server IP addresses on the System DNS page with the DNS addresses retrieved from the PPPoE server. When VDOMs are enabled, you can override the internal DNS only on the management VDOM.
Server: Select a DDNS server to use. The client software for these services is built into the FortiGate firmware. The FortiGate unit can connect only to one of these services.
Domain: Enter the fully qualified domain name of the DDNS service.
Username: Enter the user name to use when connecting to the DDNS server.
Password: Enter the password to use when connecting to the DDNS server.
Name: The name of the IPSec interface.
Virtual Domain: Select the VDOM of the IPSec interface.
IP / Remote IP: If you want to use dynamic routing with the tunnel or be able to ping the tunnel interface, enter IP addresses for the local and remote ends of the tunnel. These two addresses must not be used anywhere else in the network.
Administrative Access: Select the types of administrative access permitted on this interface.
HTTPS: Allow secure HTTPS connections to the web-based manager through this interface.
PING: Allow the interface to respond to pings. Use this setting to verify your installation and for testing.
HTTP: Allow HTTP connections to the web-based manager through this interface. HTTP connections are not secure and can be intercepted by a third party.
SSH: Allow SSH connections to the CLI through this interface.
SNMP: Allow a remote SNMP manager to request SNMP information by connecting to this interface. See Configuring SNMP on page 214.
TELNET: Allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party.
Description: Enter a description of the interface. It can be up to 63 characters.
For more information on configuring administrative access in Transparent mode, see Operation mode and VDOM management access on page 238.
To control administrative access to an interface
1 Go to System > Network > Interface.
2 Choose an interface and select Edit.
3 Select the Administrative Access methods for the interface.
4 Select OK.
Interface status detection is used for ECMP route failover and load balancing. See ECMP route failover and load balancing on page 322. Since it is possible that a response may not be received even if the server and the network are operating normally, the dead gateway detection configuration controls the time interval between tests of the connection to the server and the number of times the test can fail before the FortiGate unit assumes that the interface cannot connect to the server. See Configuring Networking Options on page 176 for information about configuring dead gateway detection. To configure gateway failover detection for an interface, from the web-based manager go to System > Network > Interface and edit an interface. Select Detect Interface Status for Gateway Load Balancing, enter the IP address of the server to test connecting to, and select one or more protocols to use to test the connection to the server. If you have added secondary IP addresses to an interface you can also configure interface status detection separately for each secondary IP address.
Note: As long as the FortiGate unit receives responses for at least one of the protocols that you select, the FortiGate unit assumes the server is operating and can forward packets. Responses received to more than one protocol do not enhance the status of the server or interface, and receiving responses from fewer protocols does not reduce the status of the server or interface.
Figure 73: Interface status detection settings
Detect Server: The IP address of the server to test connecting to.
Ping: Use standard ICMP ping to confirm that the server is responding. Ping confirms that the server can respond to an ICMP ping request.
TCP Echo: Use TCP echo to confirm that the server is responding. Select this option if the server is configured to provide TCP echo services. In some cases a server may be configured to reply to TCP echo requests but not to reply to ICMP pings. TCP echo uses TCP packets on port number 7 to send a text string to the server and expects an echo reply back from the server. The echo reply just echoes back the same text to confirm that the server can respond to TCP requests. FortiGate units do not recognize RST (reset) packets from TCP echo servers as normal TCP echo replies. If the FortiGate unit receives an RST response to a TCP echo request, the FortiGate unit assumes the server is unreachable.
UDP Echo: Use UDP echo to detect the server. Select this option if the server is configured to provide UDP echo services. In some cases a server may be configured to reply to UDP echo requests but not to reply to ICMP pings. UDP echo uses UDP packets on port number 7 to send a text string to the server and expects an echo reply from the server. The echo reply just echoes back the same text to confirm that the server can respond to UDP requests.
Spillover Threshold: Set the spillover threshold to limit the amount of bandwidth processed by the interface. The Spillover Threshold range is 0-2097000 KBps. The FortiGate unit sends all ECMP-routed sessions to the lowest numbered interface until the bandwidth being processed by this interface reaches its spillover threshold. The FortiGate unit then spills additional sessions over to the next lowest numbered interface. For more information, including the order in which interfaces are selected, see ECMP route failover and load balancing on page 322.
Note: For more information about TCP echo and UDP echo, see RFC 862.
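The detect server probes and the evaluation rules described above, as an added example (not Fortinet code): TCP echo and UDP echo on port 7 against loopback echo servers started by the block itself, an RST answer treated as a failure, "any protocol answering means up", and a consecutive-failure counter standing in for the dead gateway detection settings. The payload, the 127.0.0.1 servers, the `fail_count` default and the class name are this example's assumptions.

```python
"""FortiGate-style detect server probes (added example, not Fortinet code).
TCP echo and UDP echo probes (RFC 862, port 7) plus the rules described above:
a reply on ANY selected protocol means the server is up, a TCP RST answering a
TCP echo request is a failure, and the interface is declared down only after
`fail_count` consecutive failed rounds (the dead gateway detection failure
setting). ICMP ping needs raw sockets, so it is left as a pluggable callable.
The loopback echo servers at the bottom exist only to run this offline."""
import socket
import struct
import threading

PROBE_TEXT = b"fortigate-detect"  # constructed payload; echo returns what it gets

def tcp_echo_probe(host, port=7, timeout=2.0):
    """True only if the exact payload is echoed back over TCP. Connection
    refused, timeout and RST (ConnectionResetError) all count as failures."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(PROBE_TEXT)
            reply = b""
            while len(reply) < len(PROBE_TEXT):
                chunk = s.recv(len(PROBE_TEXT) - len(reply))
                if not chunk:              # FIN without an echo is not a reply
                    return False
                reply += chunk
            return reply == PROBE_TEXT
    except OSError:                        # socket.timeout is an OSError too
        return False

def udp_echo_probe(host, port=7, timeout=2.0):
    """True if a datagram carrying the same payload comes back over UDP."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(PROBE_TEXT, (host, port))
            reply, _ = s.recvfrom(1024)
            return reply == PROBE_TEXT
    except OSError:                        # timeout or ICMP port unreachable
        return False

def server_reachable(probes):
    """probes: one zero-argument callable per selected protocol. One success
    suffices, so evaluation stops at the first positive reply."""
    return any(probe() for probe in probes)

class DeadGatewayDetector:
    """Counts consecutive failed rounds for one interface or secondary IP;
    the caller runs run_round() once per detection interval."""

    def __init__(self, probes, fail_count=5):   # 5 is this example's default
        self.probes = probes
        self.fail_count = fail_count
        self.failures = 0

    def run_round(self):
        """Run one test round; True while the interface is still considered up."""
        if server_reachable(self.probes):
            self.failures = 0                   # any success resets the count
        else:
            self.failures += 1
        return self.failures < self.fail_count

def start_tcp_echo_server(reset=False):
    """Loopback TCP echo server for offline use; returns its port. With
    reset=True each connection is closed with SO_LINGER=0, which emits RST
    instead of FIN: the reply the guide says is not accepted as a valid echo."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                if reset:
                    conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                                    struct.pack("ii", 1, 0))
                else:
                    conn.sendall(conn.recv(1024))

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def start_udp_echo_server():
    """Loopback UDP echo server for offline use; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))

    def serve():
        while True:
            try:
                data, addr = srv.recvfrom(1024)
            except OSError:
                return
            srv.sendto(data, addr)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```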
Note: In Transparent mode, if you change the MTU of an interface, you must change the MTU of all interfaces on the FortiGate unit to match the new MTU.
All of the IP addresses added to an interface are associated with the single MAC address of the physical interface, and all secondary IP addresses are in the same VDOM as the interface they are added to. You configure interface status detection for gateway load balancing separately for each secondary IP address. As with all other interface IP addresses, secondary IP addresses cannot be on the same subnet as any other primary or secondary IP address assigned to a FortiGate interface unless they are in separate VDOMs.
To add secondary IP addresses to an interface
1 Go to System > Network > Interface.
2 Edit the physical interface to add secondary IP addresses to.
3 Make sure the interface Addressing Mode is set to Manual and that you have added an IP/Netmask to the interface.
4 Select the blue arrow to expand the Secondary IP Address section.
5 Configure the settings for a secondary IP address and select OK to add the address and its configuration settings to the interface.
6 Repeat to add more secondary IP addresses.
7 Select OK or Apply at the bottom of the Edit Interface dialog to add the secondary IP addresses to the interface.
Tip: After adding secondary IP addresses and selecting OK to save changes to the Edit Interface dialog, you should edit the interface again to make sure the secondary IP addresses have been added as expected.
Figure 74: Adding Secondary IP Addresses
IP/Netmask: Enter the IP address/subnet mask of the secondary IP address. The secondary IP address must be on a different subnet than the primary IP address.
Detect Interface Status for Gateway Load Balancing: Configure interface status detection for the secondary IP address. See Configuring interface status detection for gateway load balancing on page 165.
Administrative Access: Select the types of administrative access permitted on the secondary IP.
HTTPS: Allow secure HTTPS connections to the web-based manager through this secondary IP.
PING: Allow the secondary IP to respond to pings. Use this setting to verify your installation and for testing.
HTTP: Allow HTTP connections to the web-based manager through this secondary IP. HTTP connections are not secure and can be intercepted by a third party.
SSH: Allow SSH connections to the CLI through this secondary IP.
SNMP: Allow a remote SNMP manager to request SNMP information by connecting to this secondary IP. See Configuring SNMP on page 214.
TELNET: Allow Telnet connections to the CLI through this secondary IP. Telnet connections are not secure and can be intercepted by a third party.
Add: Select to add the configured secondary IP address to the secondary IP table. Addresses in this table are not added to the interface until you select OK or Apply.
Secondary IP table: A table that displays all the secondary IP addresses that have been added to this interface. These addresses are not permanently added to the interface until you select OK or Apply at the bottom of the Edit Interface dialog.
#: The identifying number of the secondary IP address.
IP/Netmask: The IP address and netmask for the secondary IP.
Detect Server Enable: Indicates whether interface status detection is enabled for the secondary IP address.
Detect Server: The IP address of the detect server for the secondary IP address. The same detect server can be shared by multiple secondary IP addresses.
Detect Protocol: The detect protocols configured for the secondary IP address.
Administrative Access: The administrative access methods for this address. They can be different from the primary IP address.
Delete icon: Select to remove this secondary IP address.
Edit icon: Edit the selected secondary IP address. When you select the Edit icon, the settings for the secondary IP address to edit appear in the fields above the secondary IP address table. You can edit these settings and select OK to save changes to the secondary IP address.
Note: If you select the Edit icon to edit a secondary IP address and change the IP/Netmask, when you select OK a new secondary IP address is added. If you only wanted to change the IP/Netmask and not add a new secondary IP address, you should delete the secondary IP address that you selected the Edit icon for.
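A pre-change check for the constraints this guide states for interface addresses and settings, as an added example (not Fortinet code): no two addresses, primary or secondary, on the same subnet within a VDOM, MTU within the range for the addressing mode, alias and description length limits, and the 1-255 distance range. The dict layout and the sample interfaces are constructed for the example, not a FortiOS configuration format.

```python
"""Pre-change checks for FortiGate interface settings (added example, not
Fortinet code). Applies constraints stated in this guide: interface addresses,
primary or secondary, must not share a subnet unless they are in different
VDOMs; the MTU must lie in the range for the interface's addressing mode;
aliases are at most 15 characters and descriptions at most 63; the DHCP/PPPoE
default gateway distance is 1 to 255. Interfaces are plain dicts constructed
for this example, not a FortiOS configuration export."""
import ipaddress

# MTU ranges in bytes by addressing mode, as listed under Override Default MTU
# Value. Jumbo frames ("larger frame sizes if supported") are not modelled.
MTU_RANGES = {"static": (68, 1500), "dhcp": (576, 1500), "pppoe": (576, 1492)}
ALIAS_MAX, DESCRIPTION_MAX = 15, 63


def check_interface(iface):
    """Return a list of problems found in one interface dict."""
    name = iface["name"]
    mode = iface.get("mode", "static")
    problems = []
    mtu = iface.get("mtu")
    if mtu is not None:
        low, high = MTU_RANGES[mode]
        if not low <= mtu <= high:
            problems.append(f"{name}: MTU {mtu} outside {low}-{high} for {mode} mode")
    if len(iface.get("alias", "")) > ALIAS_MAX:
        problems.append(f"{name}: alias longer than {ALIAS_MAX} characters")
    if len(iface.get("description", "")) > DESCRIPTION_MAX:
        problems.append(f"{name}: description longer than {DESCRIPTION_MAX} characters")
    distance = iface.get("distance")
    if mode in ("dhcp", "pppoe") and distance is not None and not 1 <= distance <= 255:
        problems.append(f"{name}: distance {distance} not in 1-255")
    # Secondary addresses need Manual addressing with a primary IP/Netmask set.
    if iface.get("secondary") and (mode != "static" or not iface.get("ip")):
        problems.append(f"{name}: secondary addresses require Manual mode and a primary IP/Netmask")
    return problems


def _addresses(iface):
    """Yield (label, network) for the primary and each secondary address."""
    if iface.get("ip"):
        yield "primary", ipaddress.ip_interface(iface["ip"]).network
    for addr in iface.get("secondary", []):
        yield "secondary", ipaddress.ip_interface(addr).network


def check_subnets(interfaces):
    """Flag overlapping subnets among all interface addresses in the same VDOM."""
    problems = []
    seen = []  # (vdom, interface name, label, network)
    for iface in interfaces:
        vdom = iface.get("vdom", "root")
        for label, net in _addresses(iface):
            for o_vdom, o_name, o_label, o_net in seen:
                if o_vdom == vdom and net.overlaps(o_net):
                    problems.append(f"{iface['name']} {label} {net} overlaps "
                                    f"{o_name} {o_label} {o_net} in VDOM {vdom}")
            seen.append((vdom, iface["name"], label, net))
    return problems


def check_config(interfaces):
    """All per-interface problems followed by the cross-interface subnet check."""
    problems = []
    for iface in interfaces:
        problems.extend(check_interface(iface))
    problems.extend(check_subnets(interfaces))
    return problems


# Constructed sample configuration that trips each rule at least once.
SAMPLE_INTERFACES = [
    {"name": "port1", "vdom": "root", "mode": "static", "ip": "192.168.1.99/24", "mtu": 1500},
    {"name": "port2", "vdom": "root", "mode": "pppoe", "mtu": 1500, "distance": 1},
    {"name": "port3", "vdom": "root", "mode": "static", "ip": "192.168.1.200/24"},
    {"name": "port4", "vdom": "vdom_a", "mode": "static", "ip": "192.168.1.1/24"},
    {"name": "port5", "vdom": "root", "mode": "static", "ip": "10.0.5.1/24",
     "secondary": ["10.0.5.5/24", "10.0.6.1/24"], "alias": "branch-office-uplink"},
]

if __name__ == "__main__":
    for line in check_config(SAMPLE_INTERFACES):
        print(line)
```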
config system switch-interface
    edit soft_switch
        set members port1 external dmz
end
Configuring zones
Group interfaces into zones to simplify policy creation. By grouping interfaces into a zone you can add one set of firewall policies for the zone instead of adding separate policies for each interface. Once you add interfaces to a zone you cannot configure policies for the interfaces, but only for the zone. You can add all types of interfaces to a zone (physical, VLAN, switch, and so on) and a zone can consist of any combination of interface types. You can add zones, rename and edit zones, and delete zones from the zone list. When you add a zone, you select the names of the interfaces to add to the zone. Zones are configured from virtual domains. If you have added multiple virtual domains to your FortiGate configuration, make sure you are configuring the correct virtual domain before adding or editing zones.
Figure 75: Zone list
Block intra-zone traffic: Displays Yes if traffic between interfaces in the same zone is blocked and No if traffic between interfaces in the same zone is not blocked.
Interface Members: Names of the interfaces added to the zone. Interface names depend on the FortiGate model.
Edit/View icons: Edit or view a zone.
Delete icon: Delete a zone.
You can connect a supported USB modem to any FortiGate model with a USB interface. You can connect a supported serial modem to any FortiGate model with a serial modem port. You can insert a supported PCMCIA modem into any FortiGate model with a PCMCIA slot. Power off the FortiGate unit before inserting the PCMCIA modem. After inserting the modem, when you power up the FortiGate unit it should automatically find the modem and create the modem interface. In redundant (backup) mode, the modem interface automatically takes over from a selected ethernet interface when that ethernet interface is unavailable. In standalone mode, the modem interface is the connection from the FortiGate unit to the Internet.
In redundant or standalone mode when connecting to the ISP, you can configure the FortiGate unit to automatically have the modem dial up to three dialup accounts until the modem connects to an ISP. Other models can connect to an external modem through a USB-to-serial converter. For these models, you must configure modem operation using the CLI. Initially modem interfaces are disabled, and must be enabled in the CLI to be visible in the web-based manager. See the system modem command in the FortiGate CLI Reference.
Note: The modem interface is not the AUX port. While the modem and AUX port may appear similar, the AUX port has no associated interface and is used for remote console connection. The AUX port is only available on FortiGate models 1000A, 1000AFA2, and 3000A. For more information, see the config system aux command in the FortiGate CLI Reference.
This section describes:
Configuring modem settings
Redundant mode configuration
Standalone mode configuration
Adding firewall policies for modem connections
Connecting and disconnecting the modem
Checking modem status
Note: You cannot configure and use the modem in Transparent mode.
Figure 76 shows only the settings specific to standalone mode. The remaining settings are common to both standalone and redundant modes and are shown in Figure 77.
Figure 76: Modem settings (Standalone)
Enable USB Modem: Select to enable the FortiGate modem.
Modem status: Modem status can be: not active, connecting, connected, disconnecting, or hung up.
Dial Now / Hang Up: (Standalone mode only) Select Dial Now to manually connect to a dialup account. If the modem is connected, you can select Hang Up to manually disconnect the modem.
Mode: Select Standalone or Redundant mode.
Auto-dial: Select to dial the modem automatically if the connection is lost or the FortiGate unit is restarted. You cannot select Auto-dial if Dial on demand is selected.
Dial on demand: Select to dial the modem when packets are routed to the modem interface. The modem disconnects after the idle timeout period if there is no network activity. You cannot select Dial on demand if Auto-dial is selected.
Idle timeout (Standalone mode): Enter the timeout duration in minutes. After this period of inactivity, the modem disconnects.
Redundant for (Redundant mode): Select the ethernet interface for which the modem provides backup service.
Holddown Timer (Redundant mode): Enter the time (1-60 seconds) that the FortiGate unit waits before switching back to the primary interface from the modem interface, after the primary interface has been restored. The default is 1 second. Configure a higher value if you find the FortiGate unit switching repeatedly between the primary interface and the modem interface.
Redial Limit: The maximum number of times (1-10) that the FortiGate unit modem attempts to reconnect to the ISP if the connection fails. The default redial limit is 1. Select None to have no limit on redial attempts.
Display a connected wireless modem if available.
Display connections made on the modem interface. Information displayed about connections includes:
date and time
duration of the connection in hours, minutes, and seconds
IP address connected to
traffic statistics including received, sent, and total
current status of the connection
Dialup Account: Configure up to three dialup accounts. The FortiGate unit tries connecting to each account in order until a connection can be established. The active dialup account is indicated with a green check mark.
Phone Number: The phone number required to connect to the dialup account. Do not add spaces to the phone number. Make sure to include standard special characters for pauses, country codes, and other functions as required by your modem to connect to your dialup account.
User Name: The user name (maximum 63 characters) sent to the ISP.
Password: The password sent to the ISP.
To configure the modem in Redundant mode, see Redundant mode configuration on page 173. To configure the modem in Standalone mode, see Standalone mode configuration on page 174.
The FortiGate unit disconnects the modem interface and switches back to the ethernet interface when the ethernet interface is able to connect to its network. You can set a holddown timer that delays the switch back to the ethernet interface to ensure it is stable and fully active before switching the traffic. The modem will disconnect after a period of network inactivity set by the value in idle timeout. This saves money on dialup connection charges. For the FortiGate unit to be able to switch from an ethernet interface to the modem, you must select the name of the interface in the modem configuration and configure a ping server for that interface. You must also configure firewall policies for connections between the modem interface and other FortiGate interfaces.
Note: Do not add policies for connections between the modem interface and the ethernet interface that the modem is backing up.
To configure redundant mode
1 Go to System > Network > Modem.
2 Select Redundant mode.
3 Enter the following information:
Redundant for: From the list, select the interface to back up.
Holddown timer: Enter the number of seconds to continue using the modem after the network connectivity is restored.
Redial Limit: Enter the maximum number of times to retry if the ISP does not answer.
Dialup Account 1, Dialup Account 2, Dialup Account 3: Enter the ISP phone number, user name and password for up to three dialup accounts.
4 Select Apply.
5 Configure interface status detection for the ethernet interface the modem backs up. See Configuring interface status detection for gateway load balancing on page 165.
6 Configure firewall policies for network connectivity through the modem interface. See Adding firewall policies for modem connections on page 175.
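The redundant-mode behaviour described above, as an added example (not Fortinet code): a state machine fed the primary interface's status detection results that dials the accounts in order up to the redial limit, carries traffic on the modem while the ethernet interface is down, and switches back only after the primary has stayed up for the holddown timer. The `dial` callable, the explicit `now` timestamps and the class name are this example's assumptions; "None" for an unlimited redial limit is not modelled.

```python
"""Redundant-mode modem failover as described above (added example, not Fortinet
code). The state machine moves traffic to the modem when the backed-up ethernet
interface fails its status detection, dials the dialup accounts in order up to
the redial limit, and switches back to ethernet only after the primary has
stayed up for the holddown timer. Time is passed in explicitly so the logic
runs without sleeping; `dial` is a constructed stub standing in for the modem."""


class RedundantModem:
    def __init__(self, accounts, dial, holddown=1, redial_limit=1):
        """accounts: up to three dialup account names, tried in order.
        dial(account) -> bool: True when the ISP answers (a stub in this example).
        holddown: seconds (1-60) the primary must stay up before switching back.
        redial_limit: dial rounds per outage (1-10); the GUI's "None" (no limit)
        is not modelled so that the dial loop stays bounded."""
        if not (1 <= len(accounts) <= 3 and 1 <= holddown <= 60
                and 1 <= redial_limit <= 10):
            raise ValueError("settings outside the ranges the guide allows")
        self.accounts = list(accounts)
        self.dial = dial
        self.holddown = holddown
        self.redial_limit = redial_limit
        self.active_path = "ethernet"     # "ethernet", "modem" or "none"
        self.modem_status = "not active"  # status strings from the modem settings
        self.active_account = None        # the account shown with the green check
        self.primary_up_since = None      # start of the current holddown window

    def connect(self):
        """Try every account in order, up to redial_limit rounds; True on success."""
        self.modem_status = "connecting"
        for _ in range(self.redial_limit):
            for account in self.accounts:
                if self.dial(account):
                    self.modem_status = "connected"
                    self.active_account = account
                    return True
        self.hang_up()
        return False

    def hang_up(self):
        self.modem_status = "hung up"
        self.active_account = None

    def primary_status(self, up, now):
        """Feed one interface status detection result for the backed-up ethernet
        interface at time `now` (seconds). Returns the path now carrying traffic."""
        if not up:
            self.primary_up_since = None  # an outage restarts the holddown window
            if self.active_path != "modem":
                # Not yet on the modem (or an earlier dial failed): dial now.
                self.active_path = "modem" if self.connect() else "none"
            return self.active_path
        if self.active_path == "ethernet":
            return self.active_path
        if self.active_path == "none":
            # Nothing else carries traffic, so use the primary as soon as it is
            # back (this example's choice; the holddown in the guide only guards
            # the switch from the modem back to ethernet).
            self.active_path = "ethernet"
            return self.active_path
        if self.primary_up_since is None:
            self.primary_up_since = now   # primary restored: holddown starts
        elif now - self.primary_up_since >= self.holddown:
            self.hang_up()                # primary stable for holddown seconds
            self.active_path = "ethernet"
            self.primary_up_since = None
        return self.active_path
```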
To configure standalone mode
1 Go to System > Network > Modem.
2 Select Standalone mode.
3 Enter the following information:
Auto-dial: Select if you want the modem to dial when the FortiGate unit restarts.
Dial on demand: Select if you want the modem to connect to its ISP whenever there are unrouted packets.
Idle timeout: Enter the timeout duration in minutes. After this period of inactivity, the modem disconnects.
Redial Limit: Enter the maximum number of times to retry if the ISP does not answer.
Dialup Account 1, Dialup Account 2, Dialup Account 3: Enter the ISP phone number, user name and password for up to three dialup accounts.
4 Select Apply.
5 Configure firewall policies for network connectivity through the modem interface. See Adding firewall policies for modem connections on page 175.
6 Go to Router > Static and set device to modem to configure static routes to route traffic to the modem interface. See Adding a static route to the routing table on page 320.
To connect to a dialup account
1 Go to System > Network > Modem.
2 Select Enable USB Modem.
3 Verify the information in Dialup Accounts.
4 Select Apply.
5 Select Dial Now. The FortiGate unit dials into each dialup account in turn until the modem connects to an ISP.
To disconnect from a dialup account
1 Go to System > Network > Modem.
2 Select Hang Up to disconnect the modem.
FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20091022 http://docs.fortinet.com/ Feedback
A green check mark indicates the active dialup account. The IP address and netmask assigned to the modem interface appear on the System > Network > Interface screen of the web-based manager.
DNS Settings
Primary DNS Server: Enter the primary DNS server IP address.
Secondary DNS Server: Enter the secondary DNS server IP address.
Local Domain Name: Enter the domain name to append to addresses with no domain portion when performing DNS lookups.
IPv6 DNS Settings
Primary DNS Server: Enter the primary IPv6 DNS server IP address.
Secondary DNS Server: Enter the secondary IPv6 DNS server IP address.
Configure interface status detection for one or more FortiGate interfaces and use the dead gateway detection settings to configure how interface status detection functions. For information, see Configuring interface status detection for gateway load balancing on page 165. Enter a number in seconds to specify how often the FortiGate unit detects interface status. Enter the number of times that interface status tests fail before the FortiGate unit assumes that the interface is no longer functioning.
DNS Servers
Several FortiGate functions use DNS, including alert email and URL blocking. You can specify the IP addresses of the DNS servers to which your FortiGate unit connects. DNS server IP addresses are usually supplied by your ISP. You can configure FortiGate models numbered 100 and lower to obtain DNS server addresses automatically. To obtain these addresses automatically, at least one FortiGate unit interface must use the DHCP or PPPoE addressing mode. See Configuring DHCP on an interface on page 161 or Configuring PPPoE on an interface on page 162. FortiGate models 100 and lower can provide DNS Forwarding on their interfaces. Hosts on the attached network use the interface IP address as their DNS server. DNS requests sent to the interface are forwarded to the DNS server addresses that you configured or that the FortiGate unit obtained automatically.
If virtual domains are not enabled, you can create one DNS database that is shared by all the FortiGate interfaces. If virtual domains are enabled, you create a DNS database in each VDOM. All of the interfaces in a VDOM share the DNS database in that VDOM.
This section describes:
About split DNS
Configuring FortiGate DNS services
4 Go to System > Network > DNS Database and configure the FortiGate DNS database. Add zones and entries as required. See Configuring the FortiGate DNS database on page 180.
5 Configure the hosts on the internal network to use the FortiGate interface as their DNS server. If you are also using a FortiGate DHCP server to configure the hosts on this network, add the IP address of the FortiGate interface to the DNS Server IP address list.

To configure a FortiGate interface to relay DNS requests to external DNS servers
Configure a FortiGate interface to relay DNS requests to the DNS servers configured for the FortiGate unit under System > Network > Options. Enable DNS Query only on interfaces that face networks you trust: a Recursive interface reachable from the Internet is an open resolver that can be abused for DNS reflection attacks.
1 Go to System > Network > Options and add the IP addresses of a Primary and Secondary DNS server. These should be the DNS servers provided by your ISP or other public DNS servers. The FortiGate unit uses these DNS servers for its own DNS lookups and can also use them to answer DNS lookups from your internal networks. See Configuring Networking Options on page 176.
2 Go to System > Network > Interface and edit the interface connected to the network that you want the FortiGate unit to be a DNS server for.
3 Select Enable DNS Query and select Recursive. The interface is configured to look up domain names in the FortiGate DNS database and to relay requests for names not in the FortiGate DNS database to the DNS servers configured under System > Network > Options. If you do not add entries to the FortiGate DNS database, all DNS requests are relayed to the DNS servers configured under System > Network > Options.
4 Configure the hosts on the internal network to use the FortiGate interface as their DNS server. If you are also using a FortiGate DHCP server to configure the hosts on this network, add the IP address of the FortiGate interface to the DNS Server IP address list.

To configure a FortiGate interface to resolve DNS requests using only the FortiGate DNS database
Configure a FortiGate interface to resolve DNS requests using the FortiGate DNS database and to drop requests for host names that are not in the FortiGate DNS database.
1 Go to System > Network > Options and add the IP addresses of a Primary and Secondary DNS server. These should be the DNS servers provided by your ISP or other public DNS servers. The FortiGate unit uses these DNS servers for its own DNS lookups and can also use them to answer DNS lookups from your internal networks. See Configuring Networking Options on page 176.
2 Go to System > Network > Interface and edit the interface connected to the network that you want the FortiGate unit to be a DNS server for.
3 Select Enable DNS Query and select Non-Recursive. When you select Non-Recursive, only the entries in the FortiGate DNS database are used.
4 Go to System > Network > DNS Database and configure the FortiGate DNS database. Add zones and entries as required. See Configuring the FortiGate DNS database on page 180.
5 Configure the hosts on the internal network to use the FortiGate interface as their DNS server. If you are also using a FortiGate DHCP server to configure the hosts on this network, add the IP address of the FortiGate interface to the DNS Server IP address list.

To configure a split DNS configuration
Configure an interface to resolve DNS requests using the FortiGate DNS database and to relay DNS requests for host names not in the FortiGate DNS database to the DNS servers configured under System > Network > Options. This is called a split DNS configuration. See About split DNS on page 178.
1 Go to System > Network > Options and add the IP addresses of a Primary and Secondary DNS server. These should be the DNS servers provided by your ISP or other public DNS servers. The FortiGate unit uses these DNS servers for its own DNS lookups and can also use them to answer DNS lookups from your internal networks. See Configuring Networking Options on page 176.
2 Go to System > Network > Interface and edit the interface connected to the network that you want the FortiGate unit to be a DNS server for.
3 Select Enable DNS Query and select Recursive. The interface is configured to look up domain names in the FortiGate DNS database and to relay requests for names not in the FortiGate DNS database to the DNS servers configured under System > Network > Options. You can add entries to the FortiGate DNS database for users on the internal network.
4 Go to System > Network > DNS Database and configure the FortiGate DNS database. Add zones and entries as required for users on the internal network. See Configuring the FortiGate DNS database on page 180.
5 Configure the hosts on the internal network to use the FortiGate interface as their DNS server. If you are also using a FortiGate DHCP server to configure the hosts on this network, add the IP address of the FortiGate interface to the DNS Server IP address list.
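The three procedures above differ only in what the interface does with a name that is not in the FortiGate DNS database. The following Python model, added here as an illustration and not taken from FortiOS, makes that difference concrete: a zone database with A, AAAA, CNAME and MX entries, a Recursive mode that relays misses to the servers configured under System > Network > Options, and a Non-Recursive mode that drops them. The zone data, the corp.example domain and the stand-in ISP resolver are constructed for the example; record matching is simplified (no wildcards, no DNSSEC, no upstream TTL).

```python
"""Model of the interface DNS query modes described in the procedures above.

Added example, not FortiOS code. Zone data and the stand-in ISP resolver are
constructed here; matching is simplified (no wildcards, DNSSEC or upstream TTL).
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Answer = Tuple[str, List[str], int]   # (status, record values, TTL in seconds)


@dataclass
class Zone:
    """One FortiGate DNS database zone: a domain, a zone TTL and its entries."""
    domain: str
    ttl: int
    entries: Dict[Tuple[str, str], List[str]] = field(default_factory=dict)

    def add(self, hostname: str, rtype: str, value: str) -> None:
        # "@" is the zone apex, e.g. the MX entry for the domain itself
        self.entries.setdefault((hostname.lower(), rtype.upper()), []).append(value)


class DnsDatabase:
    def __init__(self) -> None:
        self.zones: Dict[str, Zone] = {}

    def add_zone(self, zone: Zone) -> None:
        self.zones[zone.domain.lower()] = zone

    def lookup(self, name: str, rtype: str, depth: int = 0) -> Answer:
        """hit: answered from the database; nodata: name is inside a local zone but
        has no such record; miss: name belongs to no local zone."""
        name = name.lower().rstrip(".")
        for domain, zone in self.zones.items():
            if name != domain and not name.endswith("." + domain):
                continue
            host = "@" if name == domain else name[: -len(domain) - 1]
            values = zone.entries.get((host, rtype.upper()))
            if values:
                return ("hit", values, zone.ttl)
            cname = zone.entries.get((host, "CNAME"))
            if cname and depth < 8:                 # follow CNAME chains, bounded
                return self.lookup(cname[0], rtype, depth + 1)
            return ("nodata", [], zone.ttl)
        return ("miss", [], 0)


Upstream = Callable[[str, str], Optional[List[str]]]


def resolve(db: DnsDatabase, name: str, rtype: str, mode: str, upstream: Upstream) -> Answer:
    """Answer one query the way an interface with Enable DNS Query set would."""
    status, values, ttl = db.lookup(name, rtype)
    if status == "hit":
        return ("local", values, ttl)
    if mode == "non-recursive":
        return ("dropped", [], 0)       # only the database is consulted; nothing is relayed
    if mode != "recursive":
        raise ValueError("mode must be 'recursive' or 'non-recursive'")
    # Recursive: every name not in the database is relayed to the servers configured
    # under System > Network > Options. That includes names under a local zone that
    # simply have no entry, so internal hostnames reach the ISP resolver unless you
    # add entries for every host you want kept private.
    forwarded = upstream(name, rtype)
    if forwarded is None:
        return ("nxdomain", [], 0)
    return ("relayed", forwarded, 0)


def build_example_db() -> DnsDatabase:
    """Constructed zone data for an internal network (illustration only)."""
    db = DnsDatabase()
    zone = Zone("corp.example", ttl=3600)
    zone.add("intranet", "A", "10.0.0.10")
    zone.add("intranet", "AAAA", "fd00::10")
    zone.add("www", "CNAME", "intranet.corp.example")
    zone.add("mail", "A", "10.0.0.25")
    zone.add("@", "MX", "10 mail.corp.example")
    db.add_zone(zone)
    return db


def fake_isp_resolver(name: str, rtype: str) -> Optional[List[str]]:
    """Stand-in for the Primary/Secondary DNS servers (constructed, TEST-NET address)."""
    public = {("example.com", "A"): ["203.0.113.5"]}
    return public.get((name.lower().rstrip("."), rtype.upper()))


if __name__ == "__main__":
    db = build_example_db()
    for query in (("intranet.corp.example", "A"), ("www.corp.example", "A"),
                  ("example.com", "A"), ("nosuch.corp.example", "A")):
        for mode in ("recursive", "non-recursive"):
            print(mode, query, resolve(db, query[0], query[1], mode, fake_isp_resolver))
```

Running the script shows the split: www.corp.example is answered from the database in both modes (through its CNAME), example.com is relayed in Recursive mode and dropped in Non-Recursive mode, and the unknown internal name nosuch.corp.example is sent to the ISP resolver in Recursive mode, which is the leak the comment in resolve() warns about.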
DNS Database list
Create New: Add a new DNS zone to the DNS database list.
DNS Zone: The names of the DNS zones added to the DNS database list.
Domain Name: The domain name of each zone.
TTL: The TTL value for the domain name, which is the packet time to live in seconds. The range is 0 to 2 147 483 647.
# of Entries: The number of entries in the zone.
Delete icon: Delete a zone from the DNS database.
Edit icon: Select Edit beside an existing zone to modify it.
Create New: Select to add a new entry to the zone. Each zone contains entries for one domain name.
Delete icon: Delete a DNS entry from the zone.
Edit icon: Select Edit beside an existing DNS entry to modify it.
Type: The type of DNS entry. Can be an IPv4 address (A), an IPv6 address (AAAA), a name server (NS), a canonical name (CNAME), or a mail exchange (MX) name.
Details: A description of the entry.
Type: Select the type of entry to add. The options change depending on the type.
Hostname: Enter the host name. Available for all Types.
Enter the host's IP address (IPv4). Available if Type is Address (A).
Enter the host's IP address (IPv6). Available if Type is IPv6 Address (AAAA).
Canonical Name: Enter the host's fully qualified domain name. Available if Type is Canonical Name (CNAME).
Preference: Enter the MX preference value. Range 0 to 65 535. Available if Type is Mail Exchange (MX).
TTL (seconds): Enter the TTL value. Enter 0 to use the Zone TTL value.
Web proxies are configured for each VDOM when VDOMs are enabled. For a more complete description of the FortiGate web proxy, including a configuration example, see the FortiGate WAN Optimization, Web Cache, and Web Proxy User Guide. To configure the explicit web proxy go to System > Network > Web Proxy.
Figure 80: Configuring Web Proxy settings
Proxy FQDN: Enter the fully qualified domain name (FQDN) for the proxy server. This is the domain name to enter into browsers to access the proxy server.
Max HTTP request length: Enter the maximum length of an HTTP request. Larger requests will be rejected.
Max HTTP message length: Enter the maximum length of an HTTP message. Larger messages will be rejected.
Add headers to Forwarded Requests: The web proxy server will forward HTTP requests to the internal network. You can include the following headers in those requests:
Client IP Header: Enable to include the Client IP Header from the original HTTP request.
Via Header: Enable to include the Via Header from the original HTTP request.
X-forwarded-for Header: Enable to include the X-Forwarded-For (XFF) HTTP header. The XFF HTTP header identifies the originating IP address of a web client or browser that is connecting through an HTTP proxy, and the proxies it passed through to reach this point. Because the header is sent to the destination server, enabling it discloses internal client addresses to every site the proxy forwards to.
Front-end HTTPS Header: Enable to include the Front-end HTTPS Header from the original HTTPS request.
Explicit Web Proxy Options
Web proxies can be transparent or explicit. A transparent web proxy does not modify the web traffic in any way, but just forwards it to the destination. An explicit web proxy can modify web traffic to provide extra services and administration. The explicit web proxy is configured with the following options.
Enable the explicit web proxy.
Enter the explicit web proxy server port. To use the explicit proxy, users must add this port to their web browser proxy configuration. The default value of 0 means 8080.
Displays the interfaces that are being monitored by the explicit web proxy server.
Select the action to take when the proxy server must handle a request or message with an unknown HTTP version. Choose either Reject or Best Effort. The Reject option is more secure.
Configuring WCCP
Using the FortiOS 4.0 customizable GUI feature you can add a WCCP widget to the web-based manager and use this widget to add WCCP entries to the FortiGate configuration. Configure settings for Web Cache Communication Protocol (WCCP) version 2 to optimize web traffic, thus reducing transmission costs and downloading time. When a web client (on a computer) makes a request for web content, WCCP allows the routers on the local network to redirect the web content requests to the appropriate web cache server on the local network. If the web cache server contains the information in the web content request, the web cache server sends the content directly to the local client. If the web cache does not contain the requested information, the web cache server will download the HTTP information, cache it, and send it to the local client. The local client is not aware this caching is taking place. For web caching to function, local network traffic must be directed through one or more routers that are able to forward the HTTP requests to the web cache servers. The FortiGate unit can act as a WCCP version 2 enabled router and direct web content requests to configured web cache servers.
The web caching will speed up downloads by not accessing remote websites for each HTTP request. It will also reduce the amount of data a company network sends and receives over the Internet, reducing costs. To configure WCCP from the web-based manager, go to System > Admin > Admin Profile and create a custom menu layout in your administrative profile and add the WCCP page. It is in the Additional content category. See Configuring an admin profile on page 258.
Figure 81: Adding WCCP entries
Service ID: Enter an ID number to identify the WCCP service.
Router IP: Enter an IP address known to all cache servers. This IP address identifies a FortiGate interface IP address to the cache servers. If all cache servers connect to the same FortiGate interface, then Router IP can be 0.0.0.0, and the FortiGate unit uses the IP address of that interface as the Router IP. If the cache servers can connect to different FortiGate interfaces, you must set Router IP to a single IP address, and this IP address must be added to the configuration of the cache servers.
Group Address: The IP multicast address used by the cache servers. Enter 0.0.0.0 to have the FortiGate unit ignore multicast WCCP traffic. Otherwise, Group Address must be from 224.0.0.0 to 239.255.255.255.
The IP addresses of the web cache servers.
Forward Method: Specify how the FortiGate unit forwards traffic to cache servers. You can select GRE (the default), L2, or Any. If Forward Method is Any, the cache server determines the forward method.
Return Method: Specify how a cache server declines a redirected packet and returns it to the FortiGate unit. You can select GRE (the default), L2, or Any. If Return Method is Any, the cache server determines the return method.
Assignment Method: Specify which assignment method the FortiGate unit prefers. You can select Hash (the default), Mask, or Any. If Assignment Method is Any, the cache server determines the assignment method.
Authentication: Select to use MD5 authentication for the WCCP configuration. Enable it: without authentication any host that can reach the router can register as a cache server and receive redirected web traffic.
Password: Enter an authentication password. Maximum length is 8 characters. An 8-character MD5 password is a weak secret, so keep WCCP traffic on a segment that only the cache servers can reach.
Note: In NAT/Route mode the static routing table is located at System > Routing > Static.
Create New: Add a new Transparent mode static route.
IP/Mask: The destination IP address and netmask for the route.
Gateway: The IP address of the next hop router to which the route directs traffic. For an Internet connection, the next hop routing gateway routes traffic to the Internet.
Delete icon: Remove a route.
View/edit icon: Edit or view a route.
Destination IP/Mask: Enter the destination IP address and netmask for the route. To create a default route, set the IP and netmask to 0.0.0.0.
System Wireless
This section describes how to configure the Wireless LAN interfaces on FortiWiFi units. The majority of this section is applicable to all FortiWiFi units. If you enable virtual domains (VDOMs) on the FortiGate unit, MAC filters and wireless monitor are configured separately for each virtual domain. System wireless settings are configured globally. For details, see Using virtual domains on page 125.
This section describes:
FortiWiFi wireless interfaces
Channel assignments
Wireless settings
Wireless MAC Filter
Wireless Monitor
Rogue AP detection
Channel assignments
Depending on the wireless protocol selected, you have specific channels available to you, depending on what region of the world you are in. Set the channel for the wireless network by going to System > Wireless > Settings. For more information see Wireless settings on page 190. The following tables list the channel assignments for wireless networks for each supported wireless protocol.
Table 11: IEEE 802.11b (2.4-GHz band) channel numbers

Channel number   Frequency (MHz)
1                2412
2                2417
3                2422
4                2427
5                2432
6                2437
7                2442
8                2447
9                2452
10               2457
11               2462
12               2467
13               2472
14               2484

Regulatory areas listed for this band: Americas, EMEA, Israel, Japan.
Wireless settings
To configure the wireless settings, go to System > Wireless > Settings. By default the FortiWiFi unit includes one wireless interface, called wlan. If you are operating your FortiWiFi unit in access point mode, you can add up to three virtual wireless interfaces. All wireless interfaces use the same wireless parameters. That is, you configure the wireless settings once, and all wireless interfaces use those settings. For details on adding more wireless interfaces, see Adding a wireless interface on page 191. When operating the FortiWiFi unit in Client mode, radio settings are not configurable.
Figure 83: FortiWiFi wireless parameters - Access Point mode
Operation Mode
Select Change to switch operation modes.
Access Point: The FortiWiFi unit acts as an access point for wireless users to connect to, sending and receiving information over a wireless network. It gives multiple wireless users access to the network without the need to connect to it physically. The FortiWiFi unit can connect to the internal network and act as a firewall to the Internet.
Client: The FortiWiFi unit is set to receive transmissions from another access point. This enables you to connect remote users to an existing network using wireless protocols.
Monitoring: Scan for other access points. These are listed in the Rogue AP list. See Rogue AP detection on page 196.
Note: You cannot switch to Client mode or Monitoring mode if you have added virtual wireless interfaces. For these modes, there must be only one wireless interface, wlan.
Select the wireless frequency band. Be aware of what wireless cards or devices your users have, as it may limit their use of the wireless network. For example, if you configure the FortiWiFi unit for 802.11g and users have 802.11b devices, they may not be able to use the wireless network.
Geography: Select your country or region. This determines which channels are available. See Channel assignments on page 188 for channel information.
Channel: Select a channel for your wireless network or select Auto. The channels that you can select depend on the Geography setting. See Channel assignments on page 188 for channel information.
Tx Power: Set the transmitter power level. The higher the number, the larger the area the FortiWiFi unit broadcasts to. If you want to keep the wireless signal to a small area, enter a smaller number. A lower setting also limits how far outside your premises the network can be reached, although it does not stop an attacker with a directional antenna.
Beacon Interval: Set the interval between beacon packets. Access points broadcast beacons, which carry Traffic Indication Messages (TIM), to synchronize wireless networks. A higher value decreases the number of beacons sent, but it may delay some wireless clients from connecting if they miss a beacon packet. Decreasing the value increases the number of beacons sent; this makes it quicker to find and connect to the wireless network, but it requires more overhead, slowing throughput.
Background Rogue AP Scan: Perform the Monitoring mode scanning function while the unit is in Access Point mode. Scanning occurs while the access point is idle. The scan covers all wireless channels. Background scanning can reduce performance if the access point is busy. See Rogue AP detection on page 196.
The name of the wireless interface. To modify wireless interface settings, select the interface name. To add more wireless interfaces in Access Point mode, see Adding a wireless interface on page 191.
The MAC address of the wireless interface.
The wireless service set identifier (SSID) or network name for the wireless interface. To communicate, an access point and its clients must use the same SSID.
SSID Broadcast: A green checkmark icon indicates that the wireless interface broadcasts its SSID. Broadcasting the SSID makes it possible for clients to connect to your wireless network without first knowing the SSID. This column is visible only in Access Point mode.
Security Mode: The wireless interface security mode: WEP64, WEP128, WPA, WPA2, WPA2 Auto or None.
Note: You cannot add additional wireless interfaces when the FortiWiFi unit is in Client mode or Monitoring mode.
To add a wireless interface
1 Go to System > Network > Interface.
2 Select Create New.
3 Complete the following:
Name: Enter a name for the wireless interface. The name cannot be the same as an existing interface, zone or VDOM.
Type: Select Wireless.
Address Mode: The wireless interface can only be set as a manual address. Enter a valid IP address and netmask. If the FortiWiFi unit is running in Transparent mode, this field does not appear. The interface will be on the same subnet as the other interfaces.
Administrative Access: Set the administrative access for the interface. Because any station in radio range can reach a wireless interface, enable only the protocols you need on it (for example HTTPS and SSH, not HTTP or Telnet), or leave administrative access off and manage the unit from a wired interface.
4 In the Wireless Settings section, complete the following and select OK:
Figure 86: Wireless interface settings (WEP)
SSID: Enter the wireless service set identifier (SSID) or network name for this wireless interface. Users who want to use the wireless network must configure their computers with this network name.
SSID Broadcast: Select to broadcast the SSID. Broadcasting the SSID enables clients to connect to your wireless network without first knowing the SSID. Not broadcasting the SSID reduces the chance of a casual user connecting to your wireless network, but it is not a security control: the SSID is still sent in the clear in client probe and association frames, so anyone with a wireless sniffer recovers it as soon as a client connects. Rely on WPA2 with a strong key or RADIUS authentication instead. If you choose not to broadcast the SSID, you need to inform users of the SSID so they can configure their wireless devices.
Security Mode: Select the security mode for the wireless interface. Wireless users must use the same security mode to be able to connect to this wireless interface.
None: No security. Any wireless user can connect to the wireless network.
WEP64: 64-bit Wired Equivalent Privacy (WEP). To use WEP64 you must enter a Key containing 10 hexadecimal digits (0-9 a-f) and inform wireless users of the key.
WEP128: 128-bit WEP. To use WEP128 you must enter a Key containing 26 hexadecimal digits (0-9 a-f) and inform wireless users of the key. WEP of either length is cryptographically broken: the key can be recovered from captured traffic in minutes. Use it only for legacy devices that cannot do WPA2, and treat such a network as untrusted.
WPA: Wi-Fi Protected Access (WPA) security. To use WPA you must select a data encryption method. You must also enter a pre-shared key containing at least eight characters or select a RADIUS server. If you select a RADIUS server, the wireless clients must have accounts on the RADIUS server.
WPA2: WPA with more security features. To use WPA2 you must select a data encryption method and enter a pre-shared key containing at least eight characters or select a RADIUS server. If you select a RADIUS server, the wireless clients must have accounts on the RADIUS server.
WPA2 Auto: The same security features as WPA2, but it also accepts wireless clients using WPA security. To use WPA2 Auto you must select a data encryption method. You must also enter a pre-shared key containing at least eight characters or select a RADIUS server. If you select a RADIUS server, the wireless clients must have accounts on the RADIUS server. Because WPA2 Auto still admits WPA clients, switch to WPA2 once all clients support it.
Key: Enter the security key. This field appears when selecting WEP64 or WEP128 security.
Data Encryption: Select a data encryption method to be used by WPA, WPA2, or WPA2 Auto. Select TKIP to use the Temporal Key Integrity Protocol (TKIP). Select AES to use Advanced Encryption Standard (AES) encryption. AES is considered more secure than TKIP. Some implementations of WPA may not support AES.
Pre-shared Key: Enter the pre-shared key. This field appears when selecting WPA, WPA2, or WPA2 Auto security. Eight characters is the minimum the unit accepts, not a recommendation: a captured WPA handshake can be attacked offline by guessing passphrases, so use a long passphrase.
RADIUS Server: Select to use a RADIUS server when selecting WPA or WPA2 security. You can use WPA or WPA2 RADIUS security to integrate your wireless network configuration with a RADIUS or Windows AD server. Select a RADIUS server name from the list. You must configure the RADIUS server by going to User > RADIUS. For more information, see RADIUS on page 647.
RTS Threshold: Set the Request to Send (RTS) threshold. The RTS threshold is the maximum size, in bytes, of a packet that the FortiWiFi unit will accept without sending RTS/CTS packets to the sending wireless device. In some cases, larger packets being sent may cause collisions, slowing data transmissions. By changing this value from the default of 2346, you can configure the FortiWiFi unit to, in effect, have the sending wireless device ask for clearance before sending larger transmissions. There can still be a risk of smaller packet collisions, but this is less likely. A setting of 2346 bytes effectively disables this option.
Fragmentation Threshold: Set the maximum size of a data packet before it is broken into smaller packets, reducing the chance of packet collisions. If the packet is larger than the threshold, the FortiWiFi unit will fragment the transmission. If the packet size is less than the threshold, the FortiWiFi unit will not fragment the transmission. A setting of 2346 bytes effectively disables this option.
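The key-length rules in the Security Mode and Data Encryption fields above are easy to get wrong by hand. The following Python, added here as an illustration and not part of FortiOS, checks a proposed setting against those rules and also shows what the unit does with a WPA/WPA2 pre-shared key: it derives the 256-bit pairwise master key with PBKDF2-HMAC-SHA1 using the SSID as salt and 4096 iterations, as IEEE 802.11i specifies. The warnings about WEP, WPA, TKIP and WPA2 Auto are this example's additions to the field descriptions, and the 8-to-63 printable ASCII range for the pre-shared key is the 802.11i limit rather than something the page states.

```python
"""Checks for the Security Mode fields above, plus the WPA passphrase-to-PMK derivation.

Added example, not FortiOS code. Length rules follow the field descriptions; the
warnings about WEP, WPA, TKIP and WPA2 Auto are additions, and the PMK derivation
is the IEEE 802.11i one (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32 bytes).
"""
import hashlib
import re
from typing import List, Optional

_HEX = re.compile(r"[0-9a-fA-F]+")
WEP_KEY_DIGITS = {"WEP64": 10, "WEP128": 26}   # hex digits required by the Key field


def validate_wireless_security(mode: str, key: Optional[str] = None, psk: Optional[str] = None,
                               encryption: Optional[str] = None,
                               radius: Optional[str] = None) -> List[str]:
    """Return the problems with a wireless interface security setting; empty list means OK."""
    problems: List[str] = []
    if mode == "None":
        problems.append("open network: any station in range can associate")
    elif mode in WEP_KEY_DIGITS:
        need = WEP_KEY_DIGITS[mode]
        if key is None or len(key) != need or not _HEX.fullmatch(key):
            problems.append(f"{mode} key must be exactly {need} hexadecimal digits")
        problems.append("WEP is cryptographically broken; use WPA2 with AES instead")
    elif mode in ("WPA", "WPA2", "WPA2 Auto"):
        if encryption not in ("TKIP", "AES"):
            problems.append("select a data encryption method (TKIP or AES)")
        elif encryption == "TKIP":
            problems.append("TKIP is deprecated; prefer AES")
        # exactly one of pre-shared key or RADIUS server must be chosen
        if (psk is None) == (radius is None):
            problems.append("choose exactly one of pre-shared key or RADIUS server")
        elif psk is not None and not (8 <= len(psk) <= 63 and psk.isascii() and psk.isprintable()):
            problems.append("pre-shared key must be 8 to 63 printable ASCII characters")
        if mode == "WPA":
            problems.append("WPA (version 1) is obsolete; use WPA2")
        elif mode == "WPA2 Auto":
            problems.append("WPA2 Auto still admits WPA clients; switch to WPA2 once all clients support it")
    else:
        problems.append(f"unknown security mode {mode!r}")
    return problems


def wpa_psk_pmk(passphrase: str, ssid: str) -> str:
    """Derive the 256-bit pairwise master key that a WPA/WPA2 pre-shared key expands to.

    The SSID is the salt, so the same passphrase on two SSIDs gives two different PMKs.
    An offline attack on a captured 4-way handshake must run this function once per
    guess, which is why passphrase length matters far more than the 8-character floor.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32).hex()


if __name__ == "__main__":
    print(validate_wireless_security("WEP64", key="0123456789"))
    print(validate_wireless_security("WPA2", psk="correct horse battery staple", encryption="AES"))
    print(validate_wireless_security("WPA2", encryption="AES", radius="corp-radius"))
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE"
    print(wpa_psk_pmk("password", "IEEE"))
```

The last print reproduces the published 802.11i test vector, which is a quick way to confirm that a supplicant or cracking tool you are evaluating implements the derivation correctly.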
Alternatively, you can create a deny list. Similar to the allow list, you can configure the wireless interface to allow all connections except those in the MAC address list. MAC address filtering stops casual connections from unknown clients, but MAC addresses are transmitted in the clear and an attacker who observes an allowed address can spoof it, so treat the filter as a convenience rather than as authentication and rely on WPA2 for access control. Note that you can configure one list per WLAN interface. To allow or deny wireless access to wireless clients based on the MAC address of the client wireless cards, go to System > Wireless > MAC Filter.
The name of the wireless interface.
The list of MAC addresses in the MAC filter list for the wireless interface.
Allow or deny access to the listed MAC addresses for the wireless interface.
Select to enable MAC filtering for the wireless interface.
Edit the MAC address list for an interface.
To edit a MAC filter list 1 Go to System > Wireless > MAC Filter. 2 Select Edit for the wireless interface.
Figure 89: Wireless interface MAC filter
Select whether to allow or deny the addresses in the MAC Address list access to the wireless network.
Enter the MAC address to add to the list.
Add the entered MAC address to the list.
Select one or more MAC addresses in the list and select Remove to delete them from the list.
Wireless Monitor
Go to System > Wireless > Monitor to view information about your wireless network. In Access Point mode, you can see who is connected to your wireless LAN. In Client mode, you can see which access points are within radio range.
Figure 90: Wireless monitor - AP mode
Statistical information about wireless performance for each wireless interface.
The name of the wireless interface.
The frequency on which the wireless interface is operating. It should be around 5 GHz for 802.11a interfaces and around 2.4 GHz for 802.11b and 802.11g networks.
The strength of the signal from the client.
The received noise level.
The signal-to-noise ratio in decibels, calculated from the signal strength and noise level.
The amount of data in kilobytes received this session.
The amount of data in kilobytes sent this session.
Real-time details about the client wireless devices that can reach this FortiWiFi unit access point. Only devices on the same radio band are listed.
MAC Address: The MAC address of the connected wireless client.
IP Address: The IP address assigned to the connected wireless client.
AP Name: The name of the wireless interface that the client is connected to.
Neighbor AP list (Client mode): Real-time details about the access points that the client can receive.
MAC Address: The MAC address of the access point.
SSID: The wireless service set identifier (SSID) that this access point broadcasts.
Channel: The wireless radio channel that the access point uses.
Rate (M): The data rate of the access point in Mbit/s.
RSSI: The received signal strength indication, a relative value between 0 (minimum) and 255 (maximum).
Rogue AP detection
On models that support Rogue Access Point Detection, you can select Monitoring mode to scan for available wireless access points. You can also enable scanning in the background while the unit is in Access Point mode.
To enable the monitoring mode
1 Go to System > Wireless > Settings.
2 Select Change beside the current operation mode.
3 Select Monitoring and then select OK.
4 Select OK to confirm the mode change.
5 Select Apply.
To enable background scanning
1 While in Access Point mode, go to System > Wireless > Settings.
2 Enable Background Rogue AP Scan and then select Apply.
Set the time between information updates. none means no updates.
Updates the displayed information now.
Inactive Access Points: Select which inactive access points to show: all, none, those detected less than one hour ago, or those detected less than one day ago.
Online: A green checkmark indicates an active access point. A grey X indicates that the access point is inactive.
SSID: The wireless service set identifier (SSID) or network name that the access point broadcasts.
MAC Address: The MAC address of the access point's wireless interface.
Channel: The wireless radio channel that the access point uses.
Rate: The data rate of the access point.
First Seen: The date and time when the FortiWiFi unit first detected the access point.
Last Seen: The date and time when the FortiWiFi unit last detected the access point.
Mark as Rogue AP: Select the icon to move this entry to the Rogue Access Points list.
Mark as Accepted AP: Select the icon to move this entry to the Accepted Access Points list.
Forget AP: Return the item to the Unknown Access Points list from the Accepted Access Points list or the Rogue Access Points list.
You can also enter information about accepted and rogue APs in the CLI without having to detect them first. See the system wireless ap-status command in the FortiGate CLI Reference.
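The Rogue AP page keeps three lists (Accepted, Rogue, Unknown) and an Inactive Access Points filter. The following Python, added here as an illustration and not taken from FortiOS, reproduces that bookkeeping over constructed scan results so you can see how a scan is sorted and how the hour/day filter hides stale entries. It adds one heuristic of its own that the page does not describe: an unknown BSSID that advertises one of your own SSIDs is flagged separately, because that pattern (an evil twin) is the rogue AP most worth acting on first. The BSSIDs, SSIDs and timestamps are constructed, not captured from a device.

```python
"""Bookkeeping behind the Accepted / Rogue / Unknown access point lists described above.

Added example, not FortiOS code. Scan results are constructed below; the extra flag
for an unknown BSSID advertising one of your own SSIDs (an evil-twin indicator) is
this example's heuristic, not a FortiWiFi feature.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class SeenAP:
    mac: str            # BSSID of the detected access point
    ssid: str
    channel: int
    first_seen: datetime
    last_seen: datetime
    online: bool        # False corresponds to the grey X in the Online column


INACTIVE_WINDOWS: Dict[str, Optional[timedelta]] = {
    "all": None,                      # show every inactive AP
    "none": timedelta(0),             # hide all inactive APs
    "hour": timedelta(hours=1),       # "detected less than one hour ago"
    "day": timedelta(days=1),         # "detected less than one day ago"
}


def classify_aps(scan: List[SeenAP], accepted: Set[str], rogue: Set[str],
                 our_ssids: Set[str], now: datetime,
                 show_inactive: str = "all") -> Dict[str, List[str]]:
    """Sort scan results into the three lists and apply the Inactive Access Points filter."""
    if show_inactive not in INACTIVE_WINDOWS:
        raise ValueError("show_inactive must be one of all, none, hour, day")
    window = INACTIVE_WINDOWS[show_inactive]
    accepted = {m.lower() for m in accepted}
    rogue = {m.lower() for m in rogue}
    result: Dict[str, List[str]] = {"accepted": [], "rogue": [], "unknown": [],
                                    "suspected_evil_twin": []}
    for ap in scan:
        if not ap.online and window is not None and now - ap.last_seen >= window:
            continue                                   # inactive and older than the filter allows
        mac = ap.mac.lower()                           # MAC comparisons are case-insensitive
        if mac in accepted:
            result["accepted"].append(mac)
        elif mac in rogue:
            result["rogue"].append(mac)
        else:
            result["unknown"].append(mac)
            if ap.ssid in our_ssids:                   # someone else is advertising our network name
                result["suspected_evil_twin"].append(mac)
    return result


def example_now() -> datetime:
    """Fixed clock for the constructed scan below."""
    return datetime(2009, 10, 22, 12, 0, 0)


def example_scan(now: datetime) -> List[SeenAP]:
    """Constructed scan output (not captured from a device)."""
    return [
        SeenAP("00:09:0F:AA:BB:01", "corp-wifi", 6, now - timedelta(days=30), now, True),
        SeenAP("00:11:22:33:44:55", "FreeWifi", 11, now - timedelta(days=2), now, True),
        SeenAP("66:77:88:99:aa:bb", "corp-wifi", 1, now - timedelta(minutes=5), now, True),
        SeenAP("cc:dd:ee:ff:00:11", "neighbor", 1, now - timedelta(days=9),
               now - timedelta(hours=3), False),
        SeenAP("cc:dd:ee:ff:00:22", "guest", 11, now - timedelta(days=1),
               now - timedelta(minutes=10), False),
    ]


if __name__ == "__main__":
    now = example_now()
    lists = classify_aps(example_scan(now), {"00:09:0f:aa:bb:01"}, {"00:11:22:33:44:55"},
                         {"corp-wifi"}, now, "hour")
    for name, macs in lists.items():
        print(f"{name:>20}: {macs}")
```

With the "hour" filter the neighbor AP last seen three hours ago drops out of the Unknown list, while 66:77:88:99:aa:bb, an unknown radio on channel 1 announcing corp-wifi, is both listed as unknown and flagged as a suspected evil twin; that is the entry you would mark as a rogue AP and investigate.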
System DHCP
This section describes how to use DHCP to provide convenient automatic network configuration for your clients. DHCP is not available in Transparent mode. DHCP requests are passed through the FortiGate unit when it is in Transparent mode. If you enable virtual domains (VDOMs) on the FortiGate unit, DHCP is configured separately for each virtual domain. For details, see Using virtual domains on page 125.
This section describes:
FortiGate DHCP servers and relays
Configuring DHCP services
Viewing address leases
FortiGate DHCP servers and relays
You can configure one or more DHCP servers on any FortiGate interface. A DHCP server dynamically assigns IP addresses to hosts on the network connected to the interface. The host computers must be configured to obtain their IP addresses using DHCP. If an interface is connected to multiple networks via routers, you can add a DHCP server for each network. The IP range of each DHCP server must match the network address range. The routers must be configured for DHCP relay. To configure a DHCP server, see Configuring a DHCP server on page 201.
You can configure a FortiGate interface as a DHCP relay. The interface forwards DHCP requests from DHCP clients to an external DHCP server and returns the responses to the DHCP clients. The DHCP server must have appropriate routing so that its response packets to the DHCP clients arrive at the FortiGate unit. To configure a DHCP relay, see Configuring an interface as a DHCP relay agent on page 201.
An interface cannot provide both a server and a relay for connections of the same type (regular or IPSec).
Note: You can configure a Regular DHCP server on an interface only if the interface is a physical interface with a static IP address. You can configure an IPSec DHCP server on an interface that has either a static or a dynamic IP address.
DHCP services can also be configured through the Command Line Interface (CLI). See the FortiGate CLI Reference for more information.
Note: An interface must have a static IP before you configure a DHCP server on it.
These settings are appropriate for the default Internal interface IP address of 192.168.1.99. If you change this address to a different network, you need to change the DHCP server settings to match.
Figure 93: DHCP service list (FortiGate-200A shown)

Interface: List of FortiGate interfaces. Expand each listed interface to view its relay and servers.
Server Name/Relay IP: Name of the FortiGate DHCP server, or IP address of the DHCP server accessed by the relay.
Type: Type of DHCP relay or server, Regular or IPSec.
Enable: A green check mark icon indicates that the server or relay is enabled.
Add DHCP Server icon: Select to configure and add a DHCP server for this interface.
Edit: Select to edit the DHCP relay or server configuration.
Delete: Select to delete the DHCP server.
Configuring an interface as a DHCP relay agent

Interface: The name of the interface.
Type: Select the type of DHCP service required, either Regular or IPSEC.
DHCP Server IP: Enter the IP address of the DHCP server that will answer DHCP requests from computers on the network connected to the interface.
DHCP Relay Agent: Select to enable the DHCP relay agent on this interface.
Configuring a DHCP server

Name: Enter a name for the DHCP server.
Enable: Enable the DHCP server.
Type: Select Regular or IPSEC DHCP server. You cannot configure a Regular DHCP server on an interface that has a dynamic IP address.
IP Range: Enter the start and end of the range of IP addresses that this DHCP server assigns to DHCP clients. These fields are greyed out when IP Assignment Mode is set to User-group defined method.
Netmask: Enter the netmask of the addresses that the DHCP server assigns.
Default Gateway: Enter the IP address of the default gateway that the DHCP server assigns to DHCP clients.
Domain: Enter the domain that the DHCP server assigns to DHCP clients.
Lease Time: Select Unlimited for an unlimited lease time, or enter the interval in days, hours, and minutes after which a DHCP client must ask the DHCP server for new settings. The lease time can range from 5 minutes to 100 days.
Advanced: Select to configure advanced options. The remaining options in this table are advanced options.
IP Assignment Mode: Configure how the IP addresses for an IPSec DHCP server are assigned to dialup IPSec VPN users. Select one of:
    Server IP Range: the IPSec DHCP server assigns the IP addresses as specified in IP Range and Exclude Ranges.
    User-group defined method: the IP addresses are assigned by the user group used to authenticate the user (the user group is used to authenticate XAUTH users). See Dynamically assigning VPN client IP addresses from a user group on page 665. When User-group defined method is selected, the IP Range fields are greyed out, and the Exclude Ranges table and controls are not visible.
DNS Server 1, DNS Server 2, DNS Server 3: Enter the IP addresses of up to three DNS servers that the DHCP server assigns to DHCP clients.
WINS Server 1, WINS Server 2: Enter the IP addresses of one or two WINS servers that the DHCP server assigns to DHCP clients.
Option 1, Option 2, Option 3: Enter up to three custom DHCP options that the DHCP server can send. Code is the DHCP option code, in the range 1 to 255. Option is an even number of hexadecimal characters and is not required for some option codes. For detailed information about DHCP options, see RFC 2132, DHCP Options and BOOTP Vendor Extensions.
Exclude Ranges: Add a range of IP addresses to exclude. You can add up to 16 exclude ranges of IP addresses that the DHCP server cannot assign to DHCP clients. No range can exceed 65536 IP addresses.
Add: Add an exclude range.
Start IP: Enter the first IP address of the exclude range.
End IP: Enter the last IP address of the exclude range.
Delete: Delete the exclude range.
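The limits in the table above are easy to get wrong when a server definition is built by hand or by a provisioning script, so the following added example (not FortiOS code, and not from the guide) checks a definition against them. The dict keys, the constructed sample server and the helper names are this example's own; the constraints and the RFC 2132 option layout are the ones the table describes.

```python
"""Check a FortiGate DHCP server definition against the limits stated in this section.

Added example, not FortiOS code. It models the web-based manager fields as a plain
dict (the key names are this example's own), applies the constraints the guide
lists, encodes a custom option the way RFC 2132 lays it out on the wire, and works
out how many addresses the server can really lease once exclude ranges are taken
out of the IP range.
"""
import ipaddress
import string

MAX_DNS_SERVERS = 3
MAX_WINS_SERVERS = 2
MAX_CUSTOM_OPTIONS = 3
MAX_EXCLUDE_RANGES = 16
MAX_EXCLUDE_RANGE_SIZE = 65536          # "No range can exceed 65536 IP addresses"
MIN_LEASE_SECONDS = 5 * 60              # lease time runs from 5 minutes ...
MAX_LEASE_SECONDS = 100 * 24 * 60 * 60  # ... to 100 days; None means Unlimited


def _span(start, end):
    """Return the range as (first, last) integers, or None when end precedes start."""
    first, last = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    return None if last < first else (first, last)


def encode_option(code, hex_value):
    """Build the RFC 2132 option TLV (code, length, value) from the hex string the
    web-based manager accepts. An odd number of hex digits cannot form whole bytes,
    which is why the manager insists on an even count."""
    if not 1 <= code <= 255:
        raise ValueError(f"option code {code} is outside 1..255")
    if len(hex_value) % 2 or any(c not in string.hexdigits for c in hex_value):
        raise ValueError(f"option {code}: value must be an even number of hex characters")
    value = bytes.fromhex(hex_value)
    if len(value) > 255:
        raise ValueError(f"option {code}: value is longer than 255 bytes")
    return bytes([code, len(value)]) + value


def validate_dhcp_server(server):
    """Return a list of problems; an empty list means the definition is acceptable."""
    problems = []
    # A Regular server needs a static interface IP; an IPSec server does not.
    if server["type"] == "regular" and not server["interface_has_static_ip"]:
        problems.append("a Regular DHCP server needs an interface with a static IP address")
    net = ipaddress.IPv4Network(f"{server['interface_ip']}/{server['netmask']}", strict=False)
    pool = _span(server["range_start"], server["range_end"])
    if pool is None:
        problems.append("IP range end precedes start")
    elif any(ipaddress.IPv4Address(a) not in net for a in pool):
        problems.append(f"IP range does not match the interface network {net}")
    if ipaddress.IPv4Address(server["default_gateway"]) not in net:
        problems.append("default gateway is not inside the interface network")
    lease = server.get("lease_seconds")          # None = Unlimited
    if lease is not None and not MIN_LEASE_SECONDS <= lease <= MAX_LEASE_SECONDS:
        problems.append("lease time must be between 5 minutes and 100 days")
    if len(server.get("dns", [])) > MAX_DNS_SERVERS:
        problems.append("more than 3 DNS servers")
    if len(server.get("wins", [])) > MAX_WINS_SERVERS:
        problems.append("more than 2 WINS servers")
    options = server.get("options", [])
    if len(options) > MAX_CUSTOM_OPTIONS:
        problems.append("more than 3 custom options")
    for code, hex_value in options:
        try:
            encode_option(code, hex_value)
        except ValueError as exc:
            problems.append(str(exc))
    excludes = server.get("exclude", [])
    if len(excludes) > MAX_EXCLUDE_RANGES:
        problems.append("more than 16 exclude ranges")
    for start, end in excludes:
        span = _span(start, end)
        if span is None:
            problems.append(f"exclude range {start}-{end} is reversed")
        elif span[1] - span[0] + 1 > MAX_EXCLUDE_RANGE_SIZE:
            problems.append(f"exclude range {start}-{end} exceeds 65536 addresses")
    return problems


def assignable_addresses(server):
    """Addresses the server can lease: the IP range minus the excluded addresses
    that fall inside it. Overlapping exclude ranges are counted once."""
    pool = _span(server["range_start"], server["range_end"])
    if pool is None:
        raise ValueError("IP range end precedes start")
    first, last = pool
    clipped = []
    for start, end in server.get("exclude", []):
        lo, hi = _span(start, end) or (1, 0)   # a reversed range excludes nothing
        lo, hi = max(lo, first), min(hi, last)
        if lo <= hi:
            clipped.append((lo, hi))
    excluded, cursor = 0, first
    for lo, hi in sorted(clipped):
        lo = max(lo, cursor)                  # skip addresses already counted
        if lo <= hi:
            excluded += hi - lo + 1
            cursor = hi + 1
    return last - first + 1 - excluded


# Constructed sample built on the default Internal interface address 192.168.1.99/24.
EXAMPLE_SERVER = {
    "type": "regular",
    "interface_has_static_ip": True,
    "interface_ip": "192.168.1.99",
    "netmask": "255.255.255.0",
    "range_start": "192.168.1.110",
    "range_end": "192.168.1.210",
    "default_gateway": "192.168.1.99",
    "lease_seconds": 7 * 24 * 60 * 60,
    "dns": ["192.168.1.99"],
    "options": [(42, "c0a80163")],               # option 42 (NTP server) = 192.168.1.99
    "exclude": [("192.168.1.150", "192.168.1.160")],
}
```

Running validate_dhcp_server(EXAMPLE_SERVER) returns an empty list and assignable_addresses(EXAMPLE_SERVER) returns 90 (101 addresses in the range minus the 11 excluded ones). Changing the interface to a dynamic address, the lease to one minute or an option value to an odd-length string produces one problem each, which is the same set of conditions the web-based manager rejects.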
Viewing address leases

Interface: Select the interface for which to list leases.
Refresh: Select Refresh to update the address leases list.
IP: The assigned IP address.
MAC: The MAC address of the device to which the IP address is assigned.
Expiry: Expiry date and time of the DHCP lease.
System Config
This section describes the configuration of several non-network features, such as HA, SNMP, custom replacement messages, and Operation mode. If you enable virtual domains (VDOMs) on the FortiGate unit, HA, SNMP, and replacement messages are configured globally for the entire FortiGate unit. Changing operation mode is configured for each individual VDOM. For details, see Using virtual domains on page 125.

This section describes:
HA
SNMP
Replacement messages
Operation mode and VDOM management access
HA
FortiGate high availability (HA) provides a solution for two key requirements of critical enterprise networking components: enhanced reliability and increased performance. This section contains a brief description of HA web-based manager configuration options, the HA cluster members list, HA statistics, and disconnecting cluster members. If you enable virtual domains (VDOMs) on the FortiGate unit, HA is configured globally for the entire FortiGate unit. For details, see Using virtual domains on page 125. For complete information about how to configure and operate FortiGate HA clusters, see the FortiGate HA Overview and the FortiGate HA Guide.

The following topics are included in this section:
HA options
Cluster members list
Viewing HA statistics
Changing subordinate unit host name and device priority
Disconnecting a cluster unit from a cluster
HA options
Configure HA options so that a FortiGate unit can join a cluster or to change the configuration of an operating cluster or cluster member. To configure HA options so that a FortiGate unit can join an HA cluster, go to System > Config > HA.
Note: FortiGate HA is not compatible with PPP protocols such as PPPoE. FortiGate HA is also not compatible with DHCP. If one or more FortiGate unit interfaces are dynamically configured using DHCP or PPPoE, you cannot switch to operate in HA mode. You also cannot switch to HA mode if one or more FortiGate unit interfaces are configured as a PPTP or L2TP client, or if the FortiGate unit is configured for standalone session synchronization.
If HA is already enabled, go to System > Config > HA to display the cluster members list. Select Edit for the FortiGate unit with Role of master (also called the primary unit). When you edit the HA configuration of the primary unit, all changes are synchronized to the other units in the cluster.
Figure 97: FortiGate-3810A unit HA configuration
You can configure HA options for a FortiGate unit with virtual domains (VDOMs) enabled by logging into the web-based manager as the global admin administrator and going to System > Config > HA. If HA is enabled, you will have to select Edit for the cluster member before you see the virtual cluster configuration screen for that cluster unit. For more information, see Cluster members list on page 209.
Note: If your FortiGate cluster uses virtual domains, you are configuring HA virtual clustering. Most virtual cluster HA options are the same as normal HA options. However, virtual clusters include VDOM partitioning options. Other differences between configuration options for regular HA and for virtual clustering HA are described below and in the FortiGate HA Overview and the FortiGate HA Guide.
Mode: Select an HA mode for the cluster, or return the FortiGate units in the cluster to standalone mode. When configuring a cluster, you must set all members of the HA cluster to the same HA mode. You can select Standalone (to disable HA), Active-Passive, or Active-Active. If virtual domains are enabled you can select Active-Passive or Standalone.
Device Priority: Optionally set the device priority of the cluster unit. Each unit in a cluster can have a different device priority. During HA negotiation, the unit with the highest device priority usually becomes the primary unit. In a virtual cluster configuration, each cluster unit can have two different device priorities, one for each virtual cluster. During HA negotiation, the unit with the highest device priority in a virtual cluster becomes the primary unit for that virtual cluster. Changes to the device priority are not synchronized. You can accept the default device priority when first configuring a cluster. When the cluster is operating you can change the device priority for different cluster units as required.
Group Name: Enter a name to identify the cluster. The maximum length of the group name is 32 characters. The group name must be the same for all cluster units before the cluster units can form a cluster. After a cluster is operating, you can change the group name; the change is synchronized to all cluster units. The default group name is FGT-HA. You can accept the default group name when first configuring a cluster; however, two clusters on the same network cannot have the same group name. When the cluster is operating you can change the group name, if required.
Password: Enter a password to identify the cluster. The maximum password length is 15 characters. The password must be the same for all cluster units before the cluster units can form a cluster. The default is no password. You can accept the default password when first configuring a cluster. When the cluster is operating, you can add a password, if required. Two clusters on the same network must have different passwords. Because the group name and password are what a unit presents to join the cluster, leaving the password empty means any unit on the heartbeat network that uses the same group name can negotiate with the cluster; set a password rather than keeping the default.
Enable Session pickup: Select to enable session pickup so that if the primary unit fails, sessions are picked up by the cluster unit that becomes the new primary unit. You must enable session pickup for session failover protection. If you do not require session failover protection, leaving session pickup disabled may reduce HA CPU usage and reduce HA heartbeat network bandwidth usage. Session pickup is disabled by default. You can accept the default setting for session pickup and later choose to enable session pickup after the cluster is operating.
Port Monitor: Select to enable or disable monitoring FortiGate interfaces to verify that the monitored interfaces are functioning properly and are connected to their networks. If a monitored interface fails or is disconnected from its network, the interface leaves the cluster and a link failover occurs. The link failover causes the cluster to reroute the traffic being processed by that interface to the same interface of another cluster unit that still has a connection to the network. This other cluster unit becomes the new primary unit. Port monitoring (also called interface monitoring) is disabled by default. Leave port monitoring disabled until the cluster is operating and then only enable port monitoring for connected interfaces. You can monitor up to 16 interfaces. This limit only applies to FortiGate units with more than 16 physical interfaces.
Heartbeat Interface: Select to enable or disable HA heartbeat communication for each interface in the cluster and set the heartbeat interface priority. The heartbeat interface with the highest priority processes all heartbeat traffic. If two or more heartbeat interfaces have the same priority, the heartbeat interface with the lowest hash map order value processes all heartbeat traffic. The web-based manager lists interfaces in alphanumeric order: port1, port2 through port9, port10. Hash map order sorts interfaces in the following order: port1, port10, port2 through port9. The default heartbeat interface configuration is different for each FortiGate unit. This default configuration usually sets the priority of two heartbeat interfaces to 50. You can accept the default heartbeat interface configuration or change it as required. The heartbeat interface priority range is 0 to 512. The default priority when you select a new heartbeat interface is 0. You must select at least one heartbeat interface. If heartbeat communication is interrupted, the cluster stops processing traffic. For more information about configuring heartbeat interfaces, see the FortiGate HA Overview. You can select up to 8 heartbeat interfaces. This limit only applies to FortiGate units with more than 8 physical interfaces.
VDOM partitioning: If you are configuring virtual clustering, you can set the virtual domains to be in virtual cluster 1 and the virtual domains to be in virtual cluster 2. The root virtual domain must always be in virtual cluster 1. For more information about configuring VDOM partitioning, see the FortiGate HA Overview.
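The heartbeat tie-break and the device priority rule above are simple to state but easy to misjudge when interface names are compared as numbers rather than strings. The following added example (not FortiOS code, and not from the guide) applies exactly the rules the table states: highest heartbeat priority wins, ties go to hash map order (plain string order, so port10 comes before port2), and the unit with the highest device priority is the expected primary. The function names, the dict layout and the constructed cluster are this example's own, and ranking a unit with a failed monitored interface below units whose monitored interfaces are all up is this example's reading of the link failover paragraph; the complete negotiation order is in the FortiGate HA Guide, not on this page.

```python
"""Heartbeat interface selection and primary-unit ranking as this section describes them.

Added example, not FortiOS code. It implements only the rules stated here: the
heartbeat interface with the highest priority carries all heartbeat traffic, a tie
going to the lowest hash map order (names sorted as plain strings, so port10
precedes port2); the unit with the highest device priority is expected to become
primary. Ranking a unit with a failed monitored interface below units whose
monitored interfaces are all up is this example's reading of link failover; the
full negotiation order is in the FortiGate HA Guide, not on this page.
"""

HB_PRIORITY_RANGE = (0, 512)
DEVICE_PRIORITY_RANGE = (0, 255)
MAX_HEARTBEAT_INTERFACES = 8     # the limit only matters on units with more than 8 ports


def hash_map_order(names):
    """Order interface names the way the hash map does: port1, port10, port2, ..., port9."""
    return sorted(names)


def active_heartbeat_interface(hbdev):
    """hbdev maps interface name to heartbeat priority, e.g. {"port3": 50, "port4": 50}.
    Returns the interface that processes all heartbeat traffic."""
    if not hbdev:
        raise ValueError("at least one heartbeat interface must be selected")
    if len(hbdev) > MAX_HEARTBEAT_INTERFACES:
        raise ValueError("no more than 8 heartbeat interfaces can be selected")
    lo, hi = HB_PRIORITY_RANGE
    for name, prio in hbdev.items():
        if not lo <= prio <= hi:
            raise ValueError(f"{name}: heartbeat priority {prio} is outside {lo}..{hi}")
    top = max(hbdev.values())
    return hash_map_order(n for n, p in hbdev.items() if p == top)[0]


def expected_primary(units):
    """units maps host name to {"priority": int, "failed_monitored": [interface names]}.
    Returns the host names that would win negotiation: the units with the fewest
    failed monitored interfaces, then the highest device priority among them. More
    than one name means a tie that this page does not resolve."""
    lo, hi = DEVICE_PRIORITY_RANGE
    for host, info in units.items():
        if not lo <= info["priority"] <= hi:
            raise ValueError(f"{host}: device priority {info['priority']} is outside {lo}..{hi}")
    fewest = min(len(i.get("failed_monitored", [])) for i in units.values())
    eligible = {h: i["priority"] for h, i in units.items()
                if len(i.get("failed_monitored", [])) == fewest}
    top = max(eligible.values())
    return sorted(h for h, p in eligible.items() if p == top)


# Constructed samples: the usual pair of heartbeat interfaces at priority 50 plus one
# at the default 0, and a three-unit cluster in which FGT-A has lost a monitored link.
HEARTBEAT = {"port2": 50, "port10": 50, "port1": 0}
CLUSTER = {
    "FGT-A": {"priority": 200, "failed_monitored": ["port1"]},
    "FGT-B": {"priority": 128, "failed_monitored": []},
    "FGT-C": {"priority": 128, "failed_monitored": []},
}
```

With the sample data, active_heartbeat_interface(HEARTBEAT) returns "port10" even though port2 appears first in the web-based manager, and expected_primary(CLUSTER) returns both FGT-B and FGT-C: FGT-A has the highest device priority but its failed monitored interface takes it out of contention, and the remaining two tie.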
Cluster members list

If virtual domains are enabled, you can display the cluster members list to view the status of the operating virtual clusters. The virtual cluster members list shows the status of both virtual clusters, including the virtual domains added to each virtual cluster. To display the virtual cluster members list for an operating cluster, log in as the global admin administrator and go to System > Config > HA.
Figure 100: Example FortiGate-5001SX virtual cluster members list

View HA Statistics: Displays the serial number, status, and monitor information for each cluster unit. See Viewing HA statistics on page 211.
Up and down arrows: Changes the order of cluster members in the list. The operation of the cluster or of the units in the cluster is not affected; only the order of the units on the cluster members list changes.
Cluster member: Illustrations of the front panels of the cluster units. If the network jack for an interface is shaded green, the interface is connected. Pause the mouse pointer over each illustration to view the cluster unit host name, serial number, how long the unit has been operating (up time), and the interfaces that are configured for port monitoring.
Hostname: The host name of the FortiGate unit. The default host name of the FortiGate unit is the FortiGate unit serial number. To change the primary unit host name, go to System > Status and select Change beside the current host name. To change a subordinate unit host name, from the cluster members list select the Edit icon for a subordinate unit.
Role: The status or role of the cluster unit in the cluster. Role is MASTER for the primary (or master) unit and SLAVE for all subordinate (or backup) cluster units.
Priority: The device priority of the cluster unit. Each cluster unit can have a different device priority. During HA negotiation, the unit with the highest device priority becomes the primary unit. The device priority range is 0 to 255.
Disconnect from Cluster: Select to disconnect a selected cluster unit from the cluster. See Disconnecting a cluster unit from a cluster on page 212.
Edit: Select to change a cluster unit HA configuration. For a primary unit, select Edit to change the cluster HA configuration (including the device priority) of the primary unit. For a primary unit in a virtual cluster, select Edit to change the virtual cluster HA configuration, including the virtual cluster 1 and virtual cluster 2 device priority of this cluster unit. For a subordinate unit, select Edit to change the subordinate unit host name and device priority. For a subordinate unit in a virtual cluster, select Edit to change the subordinate unit host name and the device priority of the subordinate unit for the selected virtual cluster. See Changing subordinate unit host name and device priority on page 212.
Download debug log: Select to download an encrypted debug log to a file. You can send this debug log file to Fortinet Technical Support (http://support.fortinet.com) for help diagnosing problems with the cluster or with individual cluster units.
Viewing HA statistics
From the cluster members list, you can select View HA Statistics to display the serial number, status, and monitor information for each cluster unit. To view HA statistics, go to System > Config > HA and select View HA Statistics.
Figure 101: Example HA statistics (active-passive cluster)

Refresh every: Select to control how often the web-based manager updates the HA statistics display.
Back to HA monitor: Select to close the HA statistics list and return to the cluster members list.
Unit: The host name and serial number of the cluster unit.
Status: Indicates the status of each cluster unit. A green check mark indicates that the cluster unit is operating normally. A red X indicates that the cluster unit cannot communicate with the primary unit.
Up Time: The time in days, hours, minutes, and seconds since the cluster unit was last started.
Monitor: Displays system status information for each cluster unit.
CPU Usage: The current CPU status of each cluster unit. The web-based manager displays CPU usage for core processes only. CPU usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded. For more information about CPU usage, see System Resources on page 75.
Memory Usage: The current memory status of each cluster unit. The web-based manager displays memory usage for core processes only. Memory usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded. For more information about memory usage, see System Resources on page 75.
Active Sessions: The number of communications sessions being processed by the cluster unit.
Total Packets: The number of packets that have been processed by the cluster unit since it last started up.
Virus Detected: The number of viruses detected by the cluster unit.
Network Utilization: The total network bandwidth being used by all of the cluster unit interfaces.
Total Bytes: The number of bytes that have been processed by the cluster unit since it last started up.
Intrusion Detected: The number of intrusions or attacks detected by Intrusion Protection running on the cluster unit.

Changing subordinate unit host name and device priority

Peer: View and optionally change the subordinate unit host name.
Priority: View and optionally change the subordinate unit device priority. The device priority is not synchronized among cluster members. In a functioning cluster you can change the device priority to change the priority of any unit in the cluster. The next time the cluster negotiates, the cluster unit with the highest device priority becomes the primary unit. The device priority range is 0 to 255. The default device priority is 128.
Disconnecting a cluster unit from a cluster

Serial Number: Displays the serial number of the cluster unit to be disconnected from the cluster.
Interface: Select the interface that you want to configure. You also specify the IP address and netmask for this interface. When the FortiGate unit is disconnected, all management access options are enabled for this interface. Because every management protocol is opened on this interface, restrict its administrative access again once the disconnected unit has been reconfigured.
IP/Netmask: Specify an IP address and netmask for the interface. You can use this IP address to connect to this interface to configure the disconnected FortiGate unit.
SNMP
Simple Network Management Protocol (SNMP) allows you to monitor hardware on your network. You can configure the hardware, such as the FortiGate SNMP agent, to report system information and send traps (alarms or event messages) to SNMP managers. An SNMP manager, or host, is typically a computer running an application that can read the incoming trap and event messages from the agent and send SNMP queries to the SNMP agents. A FortiManager unit can act as an SNMP manager, or host, to one or more FortiGate units. Using an SNMP manager, you can access SNMP traps and data from any FortiGate interface or VLAN subinterface configured for SNMP management access.
Note: Part of configuring an SNMP manager is to list it as a host in a community on the FortiGate unit it will be monitoring. Otherwise the SNMP monitor will not receive any traps from that FortiGate unit, or be able to query that unit.
The FortiGate SNMP implementation is read-only. SNMP v1, v2c, and v3 compliant SNMP managers have read-only access to FortiGate system information through queries and can receive trap messages from the FortiGate unit. To monitor FortiGate system information and receive FortiGate traps, you must first compile the proprietary Fortinet and FortiGate Management Information Base (MIB) files. A MIB is a text file that describes a list of SNMP data objects that are used by the SNMP manager. These MIBs provide information the SNMP manager needs to interpret the SNMP trap, event, and query messages sent by the FortiGate unit SNMP agent. For information on how to download the MIB files, see the Fortinet Knowledge Base.
Note: There were major changes to the MIB files between FortiOS v3.0 and v4.0. You need to use the new MIBs for FortiOS v4.0 or you may be accessing the wrong traps and fields.
The Fortinet implementation of SNMP includes support for most of RFC 2665 (Ethernet-like MIB) and most of RFC 1213 (MIB II). For more information, see Fortinet MIBs on page 217. RFC support for SNMP v3 includes Architecture for SNMP Frameworks (RFC 3411), and partial support of the User-based Security Model (RFC 3414).
SNMP traps alert you to events that happen, such as a log disk being full or a virus being detected. For more information about SNMP traps, see Fortinet and FortiGate traps on page 218. SNMP fields contain information about your FortiGate unit, such as percent CPU usage or the number of sessions. This information is useful to monitor the condition of the unit, both on an ongoing basis and to provide more information when a trap occurs. For more information about SNMP fields, see Fortinet and FortiGate MIB fields on page 221. The FortiGate SNMP v3 implementation includes support for queries, traps, authentication, and privacy. Authentication and encryption are configured in the CLI. See the system snmp user command in the FortiGate CLI Reference. SNMP v1 and v2c identify a manager only by a community name sent in cleartext, so prefer SNMP v3 with authentication and privacy wherever the manager supports it, and restrict the hosts in each community to the managers that need access.
Configuring SNMP
Go to System > Config > SNMP v1/v2c to configure the SNMP agent.
Figure 104: Configuring SNMP

SNMP Agent: Enable the FortiGate SNMP agent.
Description: Enter descriptive information about the FortiGate unit. The description can be up to 35 characters long.
Location: Enter the physical location of the FortiGate unit. The system location description can be up to 35 characters long.
Contact: Enter the contact information for the person responsible for this FortiGate unit. The contact information can be up to 35 characters.
Apply: Save changes made to the description, location, and contact information.
Create New: Select Create New to add a new SNMP community. See Configuring an SNMP community on page 215.
Communities: The list of SNMP communities added to the FortiGate configuration. You can add up to 3 communities.
Name: The name of the SNMP community.
Queries: The status of SNMP queries for each SNMP community. The query status can be enabled or disabled.
Traps: The status of SNMP traps for each SNMP community. The trap status can be enabled or disabled.
Enable: Select Enable to activate an SNMP community.
Delete icon: Select Delete to remove an SNMP community.
Edit/View icon: Select to view or modify an SNMP community.
Configuring an SNMP community

Community Name: Enter a name to identify the SNMP community.
Hosts: Identify the SNMP managers that can use the settings in this SNMP community to monitor the FortiGate unit.
IP Address: The IP address of an SNMP manager that can use the settings in this SNMP community to monitor the FortiGate unit. You can also set the IP address to 0.0.0.0 so that any SNMP manager can use this SNMP community. With 0.0.0.0, any host that can reach an interface with SNMP administrative access and knows the community name can query the unit, so list specific manager addresses wherever possible.
Interface: Optionally select the name of the interface that this SNMP manager uses to connect to the FortiGate unit. You only have to select the interface if the SNMP manager is not on the same subnet as the FortiGate unit. This can occur if the SNMP manager is on the Internet or behind a router. In virtual domain mode, the interface must belong to the management VDOM to be able to pass SNMP traps.
Delete: Select a Delete icon to remove an SNMP manager.
Add: Add a blank line to the Hosts list. You can add up to 8 SNMP managers to a single community.
Queries: Enter the port number (161 by default) that the SNMP managers in this community use for SNMP v1 and SNMP v2c queries to receive configuration information from the FortiGate unit. Select the Enable check box to activate queries for each SNMP version.
Note: The SNMP client software and the FortiGate unit must use the same port for queries.
Traps: Enter the Local and Remote port numbers (port 162 for each by default) that the FortiGate unit uses to send SNMP v1 and SNMP v2c traps to the SNMP managers in this community. Select the Enable check box to activate traps for each SNMP version.
Note: The SNMP client software and the FortiGate unit must use the same port for traps.
SNMP Event: Enable each SNMP event for which the FortiGate unit should send traps to the SNMP managers in this community. The sensitivity of CPU overusage traps is slightly reduced by spreading values out over 8 polling cycles; this prevents sharp spikes due to CPU-intensive short-term events such as changing a policy. The Power Supply Failure event trap is available only on some FortiGate models. The AMC interfaces enter bypass mode event trap is available only on FortiGate models that support AMC modules.
To configure SNMP access (NAT/Route mode)

Before a remote SNMP manager can connect to the FortiGate agent, you must configure one or more FortiGate interfaces to accept SNMP connections.
1 Go to System > Network > Interface.
2 Choose an interface that an SNMP manager connects to and select Edit.
3 In Administrative Access, select SNMP.
4 Select OK.

To configure SNMP access (Transparent mode)

1 Go to System > Config > Operation Mode.
2 Enter the IP address that you want to use for management access and the netmask in the Management IP/Netmask field.
3 Select Apply.
Fortinet MIBs
The FortiGate SNMP agent supports Fortinet proprietary MIBs as well as the standard RFC 1213 and RFC 2665 MIBs. RFC support includes the parts of RFC 2665 (Ethernet-like MIB) and the parts of RFC 1213 (MIB II) that apply to FortiGate unit configuration. There are two MIB files for FortiGate units: the Fortinet MIB and the FortiGate MIB. The Fortinet MIB contains traps, fields and information that are common to all Fortinet products. The FortiGate MIB contains traps, fields and information that are specific to FortiGate units. Each Fortinet product has its own MIB; if you use other Fortinet products, you will need to download their MIB files as well. The Fortinet MIB and FortiGate MIB, along with the two RFC MIBs, are listed in tables in this section. You can download the two FortiGate MIB files from Fortinet Customer Support. For information on how to download the MIB files, see the Fortinet Knowledge Base.
Your SNMP manager may already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet proprietary MIB to this database to have access to the Fortinet specific information. You need to obtain and compile the two MIBs for this release.
Table 13: Fortinet MIBs

MIB file name or RFC: Description
FORTINET-CORE-MIB.mib: The proprietary Fortinet MIB includes all system configuration information and trap information that is common to all Fortinet products. Your SNMP manager requires this information to monitor FortiGate unit configuration settings and receive traps from the FortiGate SNMP agent. For more information, see Fortinet and FortiGate traps on page 218 and Fortinet and FortiGate MIB fields on page 221.
FORTINET-FORTIGATE-MIB.mib: The proprietary FortiGate MIB includes all system configuration information and trap information that is specific to FortiGate units. Your SNMP manager requires this information to monitor FortiGate configuration settings and receive traps from the FortiGate SNMP agent. FortiManager systems require this MIB to monitor FortiGate units. For more information, see Fortinet and FortiGate traps on page 218 and Fortinet and FortiGate MIB fields on page 221.
RFC 1213 (MIB II): The FortiGate SNMP agent supports MIB II groups with the following exceptions. No support for the EGP group from MIB II (RFC 1213, sections 3.11 and 6.10). Protocol statistics returned for MIB II groups (IP/ICMP/TCP/UDP/etc.) do not accurately capture all FortiGate traffic activity. More accurate information can be obtained from the information reported by the Fortinet MIB.
RFC 2665 (Ethernet-like MIB): The FortiGate SNMP agent supports Ethernet-like MIB information with the following exception. No support for the dot3Tests and dot3Errors groups.
Fortinet and FortiGate traps

The following tables include:
Generic Fortinet traps (OID 1.3.6.1.4.1.12356.1.3.0)
System traps (OID 1.3.6.1.4.1.12356.1.3.0)
FortiGate VPN traps (OID 1.3.6.1.4.1.12356.1.3.0)
FortiGate IPS traps (OID 1.3.6.1.4.1.12356.1.3.0)
FortiGate antivirus traps (OID 1.3.6.1.4.1.12356.1.3.0)
FortiGate HA traps (OID 1.3.6.1.4.1.12356.1.3.0)
Table 14: Generic Fortinet traps (OID 1.3.6.1.4.1.12356.1.3.0)

Index   Trap message   Description
.1      ColdStart      Standard traps as described in RFC 1215.
.2      WarmStart      Standard traps as described in RFC 1215.
.3      LinkUp         Standard traps as described in RFC 1215.
.4      LinkDown       Standard traps as described in RFC 1215.

Table 15: System traps (OID 1.3.6.1.4.1.12356.1.3.0)

Index   Trap message                                                 Description
.101    CPU usage high (fnTrapCpuThreshold)                          CPU usage exceeds 80%. This threshold can be set in the CLI using config system snmp sysinfo, set trap-high-cpu-threshold.
.102    Memory low (fnTrapMemThreshold)                              Memory usage exceeds 90%. This threshold can be set in the CLI using config system snmp sysinfo, set trap-low-memory-threshold.
.103    Log disk too full (fnTrapLogDiskThreshold)                   Log disk usage has exceeded the configured threshold. Only available on devices with log disks. This threshold can be set in the CLI using config system snmp sysinfo, set trap-log-full-threshold.
.104    Temperature too high (fnTrapTempHigh)                        A temperature sensor on the device has exceeded its threshold. Not all devices have thermal sensors. See the manual for specifications.
.105    Voltage outside acceptable range (fnTrapVoltageOutOfRange)   Power levels have fluctuated outside of normal levels. Not all devices have voltage monitoring instrumentation.
.106    Power supply failure (fnTrapPowerSupplyFailure)              Power supply failure detected. Not available on all models. Available on some devices which support redundant power supplies.
.201    Interface IP change (fnTrapIpChange)                         The IP address for an interface has changed. The trap message includes the name of the interface, the new IP address and the serial number of the Fortinet unit. You can use this trap to track interface IP address changes for interfaces with dynamic IP addresses set using DHCP or PPPoE.
.999    Diagnostic trap                                              This trap is sent for diagnostic purposes.

Table 16: FortiGate VPN traps (OID 1.3.6.1.4.1.12356.1.3.0)

Index   Trap message                        Description
.301    VPN tunnel is up (fgTrapVpnTunUp)   An IPSec VPN tunnel has started.
.302    VPN tunnel down (fgTrapVpnTunDown)  An IPSec VPN tunnel has shut down.
Table 16 (continued): FortiGate VPN traps (OID 1.3.6.1.4.1.12356.1.3.0)

Trap object                                      Description
Local gateway address (fgVpnTrapLocalGateway)    Address of the local side of the VPN tunnel. This information is associated with both of the VPN tunnel traps. (OID 1.3.6.1.4.1.12356.101.12.3.2)
Remote gateway address (fgVpnTrapRemoteGateway)  Address of the remote side of the VPN tunnel. This information is associated with both of the VPN tunnel traps. (OID 1.3.6.1.4.1.12356.101.12.3.2)

Table 17: FortiGate IPS traps (OID 1.3.6.1.4.1.12356.1.3.0)

Index   Trap message                             Description
.503    IPS Signature (fgTrapIpsSignature)       IPS signature detected.
.504    IPS Anomaly (fgTrapIpsAnomaly)           IPS anomaly detected.
.505    IPS Package Update (fgTrapIpsPkgUpdate)  The IPS signature database has been updated.
        (fgIpsTrapSigId)                         ID of the IPS signature identified in the trap. (OID 1.3.6.1.4.1.12356.101.9.3.1)
        (fgIpsTrapSrcIp)                         IP address of the IPS signature trigger. (OID 1.3.6.1.4.1.12356.101.9.3.2)
        (fgIpsTrapSigMsg)                        Message associated with the IPS event. (OID 1.3.6.1.4.1.12356.101.9.3.3)

Table 18: FortiGate antivirus traps (OID 1.3.6.1.4.1.12356.1.3.0)

Index   Trap message                                   Description
.601    Virus detected (fgTrapAvVirus)                 The antivirus engine detected a virus in an infected file from an HTTP or FTP download or from an email message.
        Oversize file/email detected (fgTrapAvOversize)  The antivirus scanner detected an oversized file.
        Filename block detected (fgTrapAvPattern)      The antivirus scanner blocked a file that matched a known virus pattern.
        Fragmented file detected (fgTrapAvFragmented)  The antivirus scanner detected a fragmented file or attachment.
        (fgTrapAvEnterConserve)                        The AV engine entered conservation mode due to low memory conditions.
        (fgTrapAvBypass)                               The AV scanner has been bypassed due to conservation mode.
        (fgTrapAvOversizePass)                         An oversized file has been detected, but has been passed due to configuration.
        (fgTrapAvOversizeBlock)                        An oversized file has been detected, and has been blocked.
        (fgAvTrapVirName)                              The virus name that triggered the event. (OID 1.3.6.1.4.1.12356.101.8.3.1)
System Config
SNMP
Table 19: FortiGate HA traps (OID 1.3.6.1.4.1.12356.1.3.0)
Index  Trap message: Description
.401  HA switch (fgTrapHaSwitch): The specified cluster member has transitioned from a slave role to a master role.
.402  HA State Change (fgTrapHaStateChange): The trap sent when the HA cluster member changes its state.
      HA Heartbeat Failure (fgTrapHaHBFail): The heartbeat failure count has exceeded the configured threshold.
      HA Member Unavailable (fgTrapHaMemberDown): An HA member becomes unavailable to the cluster.
      HA Member Available (fgTrapHaMemberUp): An HA member becomes available to the cluster.
      (fgHaTrapMemberSerial): Serial number of an HA cluster member. Used to identify the origin of a trap when a cluster is configured. (OID 1.3.6.1.4.1.12356.101.13.3.1)
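Tables 17 to 19 give both the trap OIDs (table prefix plus Index) and the OIDs of the objects carried inside the traps. The decoder below is an added example, not code from the guide or from Fortinet: it maps a trap PDU, given as (OID, value) pairs as a trap receiver would hand them over, back to the MIB names above and produces a one-line summary; the sample PDU, the signature ID and the set of traps treated as alerts are constructed for the example.

```python
from dataclasses import dataclass, field

FG_TRAP_BASE = "1.3.6.1.4.1.12356.1.3.0"     # table prefix; trap OID = prefix + Index column
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"      # snmpTrapOID.0 (SNMPv2-MIB) names the trap

# Trap OIDs from the Index column of Tables 17 to 19.
TRAP_NAMES = {
    FG_TRAP_BASE + ".401": "fgTrapHaSwitch",
    FG_TRAP_BASE + ".402": "fgTrapHaStateChange",
    FG_TRAP_BASE + ".503": "fgTrapIpsSignature",
    FG_TRAP_BASE + ".504": "fgTrapIpsAnomaly",
    FG_TRAP_BASE + ".505": "fgTrapIpsPkgUpdate",
    FG_TRAP_BASE + ".601": "fgTrapAvVirus",
}

# Objects carried inside the traps, keyed by the OIDs given in Tables 17 to 19.
VARBIND_NAMES = {
    "1.3.6.1.4.1.12356.101.9.3.1": "fgIpsTrapSigId",
    "1.3.6.1.4.1.12356.101.9.3.2": "fgIpsTrapSrcIp",
    "1.3.6.1.4.1.12356.101.9.3.3": "fgIpsTrapSigMsg",
    "1.3.6.1.4.1.12356.101.8.3.1": "fgAvTrapVirName",
    "1.3.6.1.4.1.12356.101.13.3.1": "fgHaTrapMemberSerial",
}

# Traps that should page someone rather than only be logged (an editorial choice, not MIB data).
ALERT_TRAPS = {"fgTrapHaSwitch", "fgTrapIpsSignature", "fgTrapAvVirus"}


@dataclass
class TrapEvent:
    trap_oid: str
    name: str                                  # MIB name, or "unknown" if not in TRAP_NAMES
    fields: dict = field(default_factory=dict)
    unknown_varbinds: list = field(default_factory=list)

    @property
    def alert(self) -> bool:
        return self.name in ALERT_TRAPS


def decode_trap(varbinds):
    """Decode a trap PDU given as a list of (oid, value) pairs.

    Scalar objects are often reported with a trailing .0 instance, so both
    "...9.3.1" and "...9.3.1.0" are accepted. Raises ValueError when the
    PDU carries no snmpTrapOID.0, since the trap cannot be identified then.
    """
    trap_oid, fields, unknown = None, {}, []
    for oid, value in varbinds:
        if oid == SNMP_TRAP_OID:
            trap_oid = str(value)
            continue
        key = oid if oid in VARBIND_NAMES else oid.removesuffix(".0")
        name = VARBIND_NAMES.get(key)
        if name:
            fields[name] = str(value)
        else:
            unknown.append((oid, str(value)))
    if trap_oid is None:
        raise ValueError("trap PDU has no snmpTrapOID.0 varbind")
    return TrapEvent(trap_oid, TRAP_NAMES.get(trap_oid, "unknown"), fields, unknown)


def summarize(event):
    """One-line summary of the decoded trap for a SIEM or ticket."""
    f = event.fields
    if event.name == "fgTrapIpsSignature":
        return (f"IPS signature {f.get('fgIpsTrapSigId', '?')} from "
                f"{f.get('fgIpsTrapSrcIp', '?')}: {f.get('fgIpsTrapSigMsg', '')}")
    if event.name == "fgTrapHaSwitch":
        return f"HA failover: member {f.get('fgHaTrapMemberSerial', '?')} became master"
    if event.name == "fgTrapAvVirus":
        return f"virus detected: {f.get('fgAvTrapVirName', '?')}"
    return f"{event.name} ({event.trap_oid})"


# Constructed sample PDU (not a capture): an IPS signature trap with its three objects.
SAMPLE_IPS_TRAP = [
    ("1.3.6.1.2.1.1.3.0", "123456"),                       # sysUpTime.0, not a FortiGate object
    (SNMP_TRAP_OID, FG_TRAP_BASE + ".503"),
    ("1.3.6.1.4.1.12356.101.9.3.1.0", "29844"),           # constructed signature ID
    ("1.3.6.1.4.1.12356.101.9.3.2.0", "198.51.100.23"),   # documentation-range source address
    ("1.3.6.1.4.1.12356.101.9.3.3.0", "Example.Test.Signature"),
]

if __name__ == "__main__":
    event = decode_trap(SAMPLE_IPS_TRAP)
    print(("ALERT " if event.alert else "INFO  ") + summarize(event))
```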
Table 20: FortiGate HA MIB Information fields (OID 1.3.6.1.4.1.12356.101.13.1)
MIB field: Description (Index)
fgHaSystemMode: High-availability mode (Standalone, A-A or A-P). (.1)
fgHaGroupId: HA cluster group ID. (.2)
fgHaPriority: HA clustering priority (default 127). (.3)
fgHaOverride: Status of a master override flag. (.4)
fgHaAutoSync: Status of an automatic configuration synchronization. (.5)
fgHaSchedule: Load balancing schedule for cluster in Active-Active mode. (.6)
fgHaGroupName: HA cluster group name. (.7)
fgHaTrapMemberSerial: Serial number of an HA cluster member. (.8)
Table 21: FortiGate HA unit stats fields (OID 1.3.6.1.4.1.12356.101.13.2)
MIB field: Description (Index)
fgHaStatsTable: Statistics for the individual FortiGate unit in the HA cluster.
fgHaStatsIndex: The index number of the unit in the cluster. (.1)
fgHaStatsSerial: The FortiGate unit serial number. (.2)
fgHaStatsCpuUsage: The current FortiGate unit CPU usage (%). (.3)
fgHaStatsMemUsage: The current unit memory usage (%). (.4)
fgHaStatsNetUsage: The current unit network utilization (Kbps). (.5)
fgHaStatsSesCount: The number of active sessions. (.6)
fgHaStatsPktCount: The number of packets processed. (.7)
fgHaStatsByteCount: The number of bytes processed by the FortiGate unit. (.8)
fgHaStatsIdsCount: The number of attacks that the IPS detected in the last 20 hours. (.9)
fgHaStatsAvCount: The number of viruses that the antivirus system detected in the last 20 hours. (.10)
fgHaStatsHostname: Hostname of the HA cluster's unit. (.11)
Table 22: FortiGate Administrator accounts (OID 1.3.6.1.4.1.12356.101)
MIB field: Description (Index)
fgAdminIdleTimeout: Idle period after which an administrator is automatically logged out of the system. (.1)
fgAdminLcdProtection: Status of the LCD protection, either enabled or disabled. (.2)
fgAdminTable: Table of administrators on this FortiGate unit.
fgAdminVdom: The virtual domain the administrator belongs to. (OID 1.3.6.1.4.1.12356.101.6.1.2.1.1.1)
Table 23: FortiGate Virtual domains (OID 1.3.6.1.4.1.12356.101.3.1)
MIB field: Description (Index)
fgVdInfo: FortiGate unit Virtual Domain related information.
fgVdNumber: The number of virtual domains configured on this FortiGate unit. (.1)
fgVdMaxVdoms: The maximum number of virtual domains allowed on the FortiGate unit as allowed by hardware or licensing. (.2)
fgVdEnabled: Whether virtual domains are enabled on this FortiGate unit. (.3)
Table 24: FortiGate Virtual domain table entries (OID 1.3.6.1.4.1.12356.101.3.2.1.1)
MIB field: Description (Index)
fgVdTable.fgVdEntry: Table of information about each virtual domain; each virtual domain has an fgVdEntry. Each entry has the following fields.
fgVdEntIndex: Internal virtual domain index used to uniquely identify entries in this table. This index is also used by other tables referencing a virtual domain. (.1)
fgVdEntName: The name of the virtual domain. (.2)
fgVdEntOpMode: Operation mode of this virtual domain, either NAT or Transparent. (.3)
Table 25: FortiGate Active IP sessions table (OID 1.3.6.1.4.1.12356.101.11.2.1.1)
MIB field: Description
fgIpSessIndex: The index number of the IP session within the fgIpSessTable table.
fgIpSessProto: The IP protocol the session is using (IP, TCP, UDP, etc.).
fgIpSessFromPort: The source port of the active IP session (UDP and TCP only).
fgIpSessToAddr: The destination IPv4 address of the active IP session.
fgIpSessToPort: The destination port of the active IP session (UDP and TCP only).
fgIpSessExp: The number of seconds remaining until the session expires (if idle).
fgIpSessVdom: Virtual domain the session is part of. Corresponds to the index in fgVdTable.
fgIpSessStatsEntry.fgIpSessNumber: Total sessions on this virtual domain. (OID 1.3.6.1.4.1.12356.101.11.2.1.2.1.1)

Table 26: FortiGate Firewall policy statistics table (OID 1.3.6.1.4.1.12356.101.5.1.2.1.1)
MIB field: Description (Index)
fgFwPolicyStatsTable.fgFwPolicyStatsEntry: Entries in the table for firewall policy statistics on a virtual domain.
fgFwPolicyID: Firewall policy ID. Only enabled policies are available for querying. Policy IDs are only unique within a virtual domain. (.1)
fgFwPolicyPktCount: Number of packets matched to the policy (passed or blocked, depending on the policy action). The count is from the time the policy became active. (.2)
fgFwPolicyByteCount: Number of bytes matched to the policy (passed or blocked, depending on the policy action). The count is from the time the policy became active. (.3)
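Two points in Table 26 matter when these counters are polled: only enabled policies appear, and counts restart when a policy becomes active, so a value lower than the previous sample is a restart rather than a wrap. The script below is an added example, not code from the guide or from Fortinet; it parses constructed snmpwalk -On output for fgFwPolicyStatsEntry, assumes (this is not stated on the page) that the instance suffix after the column number is <fgVdEntIndex>.<fgFwPolicyID>, and reports per-policy traffic since the last poll.

```python
import re

FW_POLICY_STATS = "1.3.6.1.4.1.12356.101.5.1.2.1.1"   # fgFwPolicyStatsEntry (Table 26)
COLUMNS = {1: "fgFwPolicyID", 2: "fgFwPolicyPktCount", 3: "fgFwPolicyByteCount"}

# One line of `snmpwalk -On` output, e.g.
# .1.3.6.1.4.1.12356.101.5.1.2.1.1.2.1.4 = Counter64: 102938
LINE_RE = re.compile(r"^\.?(?P<oid>[\d.]+)\s*=\s*(?P<type>[A-Za-z0-9]+):\s*(?P<value>.*)$")


def parse_walk(text):
    """Return {(vdom_index, policy_id): {column_name: int}} from snmpwalk output.

    Assumption (not stated on the page): the instance suffix after the column
    number is <fgVdEntIndex>.<fgFwPolicyID>, which is why policy IDs only have
    to be unique within a virtual domain. Other objects in the walk are ignored.
    """
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m["oid"].startswith(FW_POLICY_STATS + "."):
            continue
        suffix = m["oid"][len(FW_POLICY_STATS) + 1:].split(".")
        if len(suffix) != 3:
            continue                      # not column.vdom.policy; skip rather than guess
        col, vdom, policy = (int(x) for x in suffix)
        if col not in COLUMNS:
            continue
        try:
            table.setdefault((vdom, policy), {})[COLUMNS[col]] = int(m["value"])
        except ValueError:
            continue                      # non-numeric value in a counter column
    return table


def counter_deltas(prev, cur):
    """Per-policy packet and byte increase between two walks.

    Counts start when a policy becomes active, so a counter lower than the
    previous sample means the policy was re-enabled in between; its current
    value is then the delta. Policies absent from `cur` were disabled (only
    enabled policies are available for querying) and are dropped.
    """
    deltas = {}
    for key, row in cur.items():
        old = prev.get(key, {})
        d = {}
        for name in ("fgFwPolicyPktCount", "fgFwPolicyByteCount"):
            new_v, old_v = row.get(name, 0), old.get(name, 0)
            d[name] = new_v - old_v if new_v >= old_v else new_v
        deltas[key] = d
    return deltas


def busiest(deltas, n=3):
    """Policies with the most bytes since the last walk, as (vdom, policy, bytes)."""
    ranked = sorted(deltas.items(), key=lambda kv: kv[1]["fgFwPolicyByteCount"], reverse=True)
    return [(vdom, pol, d["fgFwPolicyByteCount"]) for (vdom, pol), d in ranked[:n]]


# Constructed snmpwalk -On output for two polls (not captured from a real unit).
WALK_T0 = """\
.1.3.6.1.4.1.12356.101.5.1.2.1.1.1.1.4 = INTEGER: 4
.1.3.6.1.4.1.12356.101.5.1.2.1.1.1.1.7 = INTEGER: 7
.1.3.6.1.4.1.12356.101.5.1.2.1.1.2.1.4 = Counter64: 1000
.1.3.6.1.4.1.12356.101.5.1.2.1.1.2.1.7 = Counter64: 500
.1.3.6.1.4.1.12356.101.5.1.2.1.1.3.1.4 = Counter64: 600000
.1.3.6.1.4.1.12356.101.5.1.2.1.1.3.1.7 = Counter64: 250000
"""
# Policy 7 was disabled and re-enabled between the polls, so its counters restarted.
WALK_T1 = """\
.1.3.6.1.4.1.12356.101.5.1.2.1.1.1.1.4 = INTEGER: 4
.1.3.6.1.4.1.12356.101.5.1.2.1.1.1.1.7 = INTEGER: 7
.1.3.6.1.4.1.12356.101.5.1.2.1.1.2.1.4 = Counter64: 1300
.1.3.6.1.4.1.12356.101.5.1.2.1.1.2.1.7 = Counter64: 20
.1.3.6.1.4.1.12356.101.5.1.2.1.1.3.1.4 = Counter64: 900000
.1.3.6.1.4.1.12356.101.5.1.2.1.1.3.1.7 = Counter64: 9000
"""

if __name__ == "__main__":
    d = counter_deltas(parse_walk(WALK_T0), parse_walk(WALK_T1))
    for vdom, pol, nbytes in busiest(d):
        print(f"vdom {vdom} policy {pol}: {nbytes} bytes since last poll")
```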
Table 27: FortiGate Dialup VPN peers (OID 1.3.6.1.4.1.12356.101.12.2.1.1)
MIB field: Description (Index)
fgVpnDialupIndex: An index value that uniquely identifies a VPN dial-up peer in the table. (.1)
fgVpnDialupGateway: The remote gateway IP address on the tunnel. (.2)
fgVpnDialupLifetime: VPN tunnel lifetime in seconds. (.3)
fgVpnDialupTimeout: Time remaining until the next key exchange (seconds) for this tunnel. (.4)
fgVpnDialupSrcBegin: Remote subnet address of the tunnel. (.5)
fgVpnDialupSrcEnd: Remote subnet mask of the tunnel. (.6)
fgVpnDialupDstAddr: Local subnet address of the tunnel. (.7)
fgVpnDialupVdom: The virtual domain this tunnel is part of. This index corresponds to the index in fgVdTable. (.8)
fgVpnDialUpInOctets: The number of bytes received over the tunnel. (.9)
fgVpnDialUpOutOctets: The number of bytes sent over the tunnel. (.10)
Table 28: VPN Tunnel table (OID 1.3.6.1.4.1.12356.101.12.2.2.1)
MIB field: Description (Index)
fgVpnTunEntIndex: An index value that uniquely identifies a VPN tunnel within the VPN tunnel table. (.1)
fgVpnTunEntPhase1Name: The descriptive name of the Phase1 configuration for the tunnel. (.2)
fgVpnTunEntPhase2Name: The descriptive name of the Phase2 configuration for the tunnel. (.3)
fgVpnTunEntRemGwyIp: The IP of the remote gateway used by the tunnel. (.4)
fgVpnTunEntRemGwyPort: The port of the remote gateway used by the tunnel, if it is UDP. (.5)
fgVpnTunEntLocGwyIp: The IP of the local gateway used by the tunnel. (.6)
fgVpnTunEntLocGwyPort: The port of the local gateway used by the tunnel, if it is UDP. (.7)
fgVpnTunEntSelectorSrcBeginIp: Beginning of the address range of the source selector. (.8)
fgVpnTunEntSelectorSrcEndIp: Ending of the address range of the source selector. (.9)
fgVpnTunEntSelectorSrcPort: Source selector port. (.10)
fgVpnTunEntSelectorDstBeginIp: Beginning of the address range of the destination selector. (.11)
fgVpnTunEntSelectorDstEndIp: Ending of the address range of the destination selector. (.12)
fgVpnTunEntSelectorDstPort: Destination selector port. (.13)
fgVpnTunEntSelectorProto: Protocol number for the selector. (.14)
fgVpnTunEntLifeSecs: Lifetime of the tunnel in seconds, if a time-based lifetime is used. (.15)
fgVpnTunEntLifeBytes: Lifetime of the tunnel in bytes, if a byte-transfer-based lifetime is used. (.16)
fgVpnTunEntTimeout: Timeout of the tunnel in seconds. (.17)
fgVpnTunEntInOctets: Number of bytes received on the tunnel. (.18)
fgVpnTunEntOutOctets: Number of bytes sent out on the tunnel. (.19)
fgVpnTunEntStatus: Current status of the tunnel, either up or down. (.20)
fgVpnTunEntVdom: Virtual domain the tunnel belongs to. This index corresponds to the index used in fgVdTable. (.21)
Replacement messages
Go to System > Config > Replacement Message to change replacement messages and customize alert email and information that the FortiGate unit adds to content streams such as email messages, web pages, and FTP sessions. The FortiGate unit adds replacement messages to a variety of content streams. For example, if a virus is found in an email message attachment, the file is removed from the email and replaced with a replacement message. The same applies to pages blocked by web filtering and email blocked by email filtering.
Note: Disclaimer replacement messages provided by Fortinet are examples only.
Name: The replacement message category. Select the expand arrow to expand or collapse the category. Each category contains several replacement messages that are used by different FortiGate features. The replacement messages are described below.
Description: A description of the replacement message.
Edit: Select to change or view a replacement message.
Reset: Only displayed on a VDOM replacement message list. Select to revert to the global version of this replacement message.
Note: FortiOS uses HTTP to send the Authentication Disclaimer page for the user to accept before the firewall policy is in effect. Therefore, the user must initiate HTTP traffic first in order to trigger the Authentication Disclaimer page. Once the Disclaimer is accepted, the user can send whatever traffic is allowed by the firewall policy.
Replacement messages can be text or HTML messages. You can add HTML code to HTML messages. Allowed Formats shows you which format to use in the replacement message. There is a limit of 8192 characters for each replacement message. The following fields and options are available when editing a replacement message. Different replacement messages have different sets of fields and options.
Message Setup: The name of the replacement message.
Allowed Formats: The type of content that can be included in the replacement message. Allowed formats can be Text or HTML. You should not use HTML code in Text messages. You can include replacement message tags in text and HTML messages.
The number of characters allowed in the replacement message. Usually the size is 8192 characters.
The editable text of the replacement message. The message text can include text, HTML codes (if HTML is the allowed format) and replacement message tags.
You can customize the following categories of replacement messages:
- Mail replacement messages
- HTTP replacement messages
- FTP replacement messages
- NNTP replacement messages
- Alert Mail replacement messages
- Spam replacement messages
- Administration replacement message
- User authentication replacement messages
- FortiGuard Web Filtering replacement messages
- IM and P2P replacement messages
- Endpoint NAC replacement messages
- NAC quarantine replacement messages
- Traffic quota control replacement messages
- SSL VPN replacement message
Banned by data leak prevention message: In a DLP sensor, a rule with action set to Ban replaces a blocked email message with this message. This message also replaces any additional email messages that the banned user sends until they are removed from the banned user list.
Sender banned by data leak prevention message: In a DLP sensor, a rule with action set to Ban Sender replaces a blocked email message with this message. This message also replaces any additional email messages that the banned user sends until the user is removed from the banned user list.
Virus message (splice mode): Splice mode is enabled and the antivirus system detects a virus in an SMTP email message. The FortiGate unit aborts the SMTP session and returns a 554 SMTP error message to the sender that includes this replacement message.
File block message (splice mode): Splice mode is enabled and the antivirus file filter deleted a file from an SMTP email message. The FortiGate unit aborts the SMTP session and returns a 554 SMTP error message to the sender that includes this replacement message.
Oversized file message (splice mode): Splice mode is enabled, antivirus Oversized File/Email is set to Block, and the FortiGate unit blocks an oversize SMTP email message. The FortiGate unit aborts the SMTP session and returns a 554 SMTP error message to the sender that includes this replacement message.
Banned by data leak prevention message: In a DLP sensor, a rule with action set to Ban replaces a blocked web page or file with this web page. This web page also replaces any additional web pages or files that the banned user attempts to access until the user is removed from the banned user list.
Banned word message: Web content filtering enabled in a protection profile blocks a web page being downloaded with an HTTP GET that contains content that matches an entry in the selected Web Content Filter list. The blocked page is replaced with this web page.
(message name missing): Email headers include information about content types such as image for pictures, and so on. If a specific content-type is blocked, the blocked message is replaced with this web page.
(message name missing): Web URL filtering enabled in a protection profile blocks a web page with a URL that matches an entry in the selected URL Filter list. The blocked page is replaced with this web page.
(message name missing): Antivirus File Filter enabled for HTTP or HTTPS in a protection profile blocks a file being uploaded by an HTTP POST that matches an entry in the selected file filter list and replaces it with this web page, which is displayed by the client browser.
Client anti-virus: Antivirus Virus Scan enabled for HTTP or HTTPS in a protection profile deletes an infected file being uploaded using an HTTP PUT and replaces the file with this web page, which is displayed by the client browser.
Client filesize: In a protection profile, antivirus Oversized File/Email is set to Block for HTTP or HTTPS, and an oversized file that is being uploaded with an HTTP PUT is blocked and replaced with this web page.
(message name missing): Web content filtering enabled in a protection profile blocks a web page being uploaded with an HTTP PUT that contains content that matches an entry in the selected Web Content Filter list. The client browser displays this web page.
(message name missing): HTTP POST Action is set to Block in a protection profile and the FortiGate unit blocks an HTTP POST and displays this web page.
Banned by data leak prevention message: In a DLP sensor, a rule with action set to Ban replaces a blocked NNTP message with this message. This message also replaces any additional NNTP messages that the banned user sends until they are removed from the banned user list.
If you enable Send alert email for logs based on severity for alert email, whether or not replacement messages are sent by alert email depends on how you set the alert email Minimum log level.
DNSBL/ORDBL: From the CLI, spamrbl enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message.
HELO/EHLO domain: HELO DNS lookup enabled for SMTP in a protection profile identifies an email message as spam and adds this replacement message. HELO DNS lookup is not available for SMTPS.
Email address: E-mail address BWL check enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message.
Mime header: From the CLI, spamhdrcheck enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message.
(message name missing): Return e-mail DNS check enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message.
(message name missing): Banned word check enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message.
(message name missing): Any Email Filtering option enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message.
(message name missing): Email Filtering adds this message to all email tagged as spam. The message describes a button that the recipient of the message can select to submit the email signatures to the FortiGuard Antispam service if the email was incorrectly tagged as spam (a false positive).
<TR><TH>Username:</TH>
<TD><INPUT NAME="%%USERNAMEID%%" SIZE="25" TYPE="text"></TD></TR>
<TR><TH>Password:</TH>
<TD><INPUT NAME="%%PASSWORDID%%" SIZE="25" TYPE="password"></TD></TR>
<TR><TD COLSPAN="2" ALIGN="center" BGCOLOR="#00cccc">
<INPUT NAME="%%STATEID%%" VALUE="%%STATEVAL%%" TYPE="hidden">
<INPUT NAME="%%REDIRID%%" VALUE="%%PROTURI%%" TYPE="hidden">
<INPUT VALUE="Continue" TYPE="submit">
</TD></TR>
</TBODY></TABLE></FORM></BODY></HTML>
Table 35: Authentication replacement messages
Message name: Description
Disclaimer page: Enable Disclaimer and Redirect URL to are selected in a firewall policy that includes identity-based policies. After a firewall user authenticates with the FortiGate unit using HTTP or HTTPS, this disclaimer page is displayed. The CLI includes auth-disclaimer-page-1, auth-disclaimer-page-2, and auth-disclaimer-page-3, which you can use to increase the size of the authentication disclaimer page replacement message. For more information, see the FortiGate CLI Reference.
Declined disclaimer page: When a firewall user selects the button on the Disclaimer page to decline access through the FortiGate unit, the Declined disclaimer page is displayed.
Login page: The HTML page displayed for firewall users who are required to authenticate using HTTP or HTTPS before connecting through the FortiGate unit.
Login failed page: The HTML page displayed if firewall users enter an incorrect user name and password combination.
Login challenge page: The HTML page displayed if firewall users are required to answer a question to complete authentication. The page displays the question and includes a field in which to type the answer. This feature is supported by RADIUS and uses the generic RADIUS challenge-access auth response. Usually, challenge-access responses contain a Reply-Message attribute that contains a message for the user (for example, Please enter new PIN). This message is displayed on the login challenge page. The user enters a response that is sent back to the RADIUS server to be verified. The Login challenge page is most often used with an RSA RADIUS server for RSA SecurID authentication. The login challenge appears when the server needs the user to enter a new PIN. You can customize the replacement message to ask the user for a SecurID PIN.
Keepalive page: The HTML page displayed when firewall authentication keepalive is enabled using the following command:
    config system global
        set auth-keepalive enable
    end
Authentication keepalive keeps authenticated firewall sessions from ending when the authentication timeout ends. Go to User > Options to set the Authentication Timeout.
FortiGuard Web Filtering override form: Override is selected for a FortiGuard Web Filtering category, and FortiGuard Web Filtering blocks a web page in this category and displays this web page. Using this web page, users can authenticate to get access to the page. Go to UTM > Web Filter > Override to add override rules. For more information, see Configuring administrative override rules on page 553. The %%OVRD_FORM%% tag provides the form used to initiate an override if FortiGuard Web Filtering blocks access to a web page. Do not remove this tag from the replacement message.
File name block message: Antivirus File Filter enabled for IM in a protection profile deletes a file with a name that matches an entry in the selected file filter list and replaces it with this message.
Virus message: Antivirus Virus Scan enabled for IM in a protection profile deletes an infected file and replaces the file with this message.
Oversized file message: Antivirus Oversized File/Email set to Block for IM in a protection profile removes an oversized file and replaces the file with this message.
Data leak prevention message: In a DLP sensor, a rule with action set to Block replaces a blocked IM or P2P message with this message.
Banned by data leak prevention message: In a DLP sensor, a rule with action set to Ban replaces a blocked IM or P2P message with this message. This message also replaces any additional messages that the banned user sends until they are removed from the banned user list.
Voice chat block message: In an Application Control list, the Block Audio option is selected for AIM, ICQ, MSN, or Yahoo! and the application control list is added to a protection profile.
Photo share block message: In an Application Control list, the block-photo CLI keyword is enabled for MSN or Yahoo and the application control list is added to a protection profile. You enable photo blocking from the CLI.
To modify these messages, go to System > Config > Replacement Messages. Expand Endpoint NAC and select the Edit icon of the message that you want to modify. For more information about Endpoint NAC, see Endpoint NAC on page 687.
Table 38: NAC quarantine replacement messages
Message name: Description
DoS Message: (description missing)
IPS Message: Quarantine Attackers enabled in an IPS sensor filter or override and the IPS sensor added to a protection profile adds a source IP address, a destination IP address, or a FortiGate interface to the banned user list. The FortiGate unit displays this replacement message as a web page when the blocked user attempts to connect through the FortiGate unit using HTTP on port 80 or when any user attempts to connect through a FortiGate interface added to the banned user list using HTTP on port 80. This replacement message is not displayed if method is set to Attacker and Victim IP Address.
DLP Message: Action set to Quarantine IP address or Quarantine Interface in a DLP sensor and the DLP sensor added to a protection profile adds a source IP address or a FortiGate interface to the banned user list. The FortiGate unit displays this replacement message as a web page when the blocked user attempts to connect through the FortiGate unit using HTTP on port 80 or when any user attempts to connect through a FortiGate interface added to the banned user list using HTTP on port 80.
Table 39: Replacement message tags
Tag: Description
%%AUTH_REDIR_URL%%: The auth-keepalive page can prompt the user to open a new window which links to this tag.
%%CATEGORY%%: The name of the content category of the web site.
%%DEST_IP%%: The IP address of the request destination from which a virus was received. For email this is the IP address of the email server that sent the email containing the virus. For HTTP this is the IP address of the web page that sent the virus.
%%EMAIL_FROM%%: The email address of the sender of the message from which the file was removed.
%%EMAIL_TO%%: The email address of the intended receiver of the message from which the file was removed.
%%FAILED_MESSAGE%%: The failed-to-login message displayed on the auth-login-failed page.
%%FILE%%: The name of a file that has been removed from a content stream. This could be a file that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be used in virus and file block messages.
(tag name missing): The FortiGuard - Web Filtering logo.
(tag name missing): The Fortinet logo.
(tag name missing): The link to the FortiClient Host Security installer download for the Endpoint Control feature.
(tag name missing): The HTTP error code, 404 for example.
(tag name missing): The HTTP error description.
%%NIDSEVENT%%: The IPS attack message. %%NIDSEVENT%% is added to alert email intrusion messages.
(tag name missing): The link to the FortiGuard Web Filtering override form. This is visible only if the user belongs to a group that is permitted to create FortiGuard web filtering overrides.
%%OVRD_FORM%%: The FortiGuard web filter block override form. This tag must be present in the FortiGuard Web Filtering override form and should not be used in other replacement messages.
%%PROTOCOL%%: The protocol (http, ftp, pop3, imap, or smtp) in which a virus was detected. %%PROTOCOL%% is added to alert email virus messages.
%%QUARFILENAME%%: The name of a file that has been removed from a content stream and added to the quarantine. This could be a file that contained a virus or was blocked by antivirus file blocking. %%QUARFILENAME%% can be used in virus and file block messages. Quarantining is only available on FortiGate units with a local disk.
(tag name missing): Displays information about the traffic shaping quota setting that is blocking the user. Used in traffic quota control replacement messages.
(tag name missing): Authentication challenge question on the auth-challenge page.
(tag name missing): Prompt to enter username and password on the auth-login page.
(tag name missing): The name of the web filtering service.
(tag name missing): The IP address of the request originator who would have received the blocked file. For email this is the IP address of the user's computer that attempted to download the message from which the file was removed.
%%TIMEOUT%%: Configured number of seconds between authentication keepalive connections. Used on the auth-keepalive page.
%%URL%%: The URL of a web page. This can be a web page that is blocked by web filter content or URL blocking. %%URL%% can also be used in HTTP virus and file block messages to be the URL of the web page from which a user attempted to download a file that is blocked.
%%VIRUS%%: The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can be used in virus messages.
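Several of the tags above (%%URL%%, %%FILE%%, %%VIRUS%%) carry values taken from the blocked traffic itself, while %%OVRD_FORM%% expands to markup that must survive intact. The renderer below is an added example, not FortiOS code and not a description of how the unit itself renders tags: it checks an edited message against the 8192-character limit and the Text/HTML format rules stated above, then substitutes tag values, HTML-escaping stream-derived values in HTML-format messages so that markup in a blocked URL cannot alter the page. The template and values are constructed for the example.

```python
import html
import re

MAX_MESSAGE_CHARS = 8192                 # limit stated for each replacement message
TAG_RE = re.compile(r"%%[A-Z_]+%%")

# Tags documented in Table 39. %%OVRD_FORM%% expands to markup and is inserted unescaped.
KNOWN_TAGS = {
    "%%AUTH_REDIR_URL%%", "%%CATEGORY%%", "%%DEST_IP%%", "%%EMAIL_FROM%%", "%%EMAIL_TO%%",
    "%%FAILED_MESSAGE%%", "%%FILE%%", "%%NIDSEVENT%%", "%%OVRD_FORM%%", "%%PROTOCOL%%",
    "%%QUARFILENAME%%", "%%TIMEOUT%%", "%%URL%%", "%%VIRUS%%",
}
MARKUP_TAGS = {"%%OVRD_FORM%%"}


def check_template(template, allowed_format, require_override_form=False):
    """Return a list of problems with an edited replacement message; empty means acceptable."""
    problems = []
    if len(template) > MAX_MESSAGE_CHARS:
        problems.append(f"message is {len(template)} characters; the limit is {MAX_MESSAGE_CHARS}")
    if allowed_format == "Text" and re.search(r"<[A-Za-z/!]", template):
        problems.append("HTML code should not be used in a Text-format message")
    unknown = sorted(set(TAG_RE.findall(template)) - KNOWN_TAGS)
    if unknown:
        problems.append("unknown tags will be shown literally: " + ", ".join(unknown))
    if require_override_form and "%%OVRD_FORM%%" not in template:
        problems.append("the FortiGuard Web Filtering override form must keep %%OVRD_FORM%%")
    return problems


def render(template, values, allowed_format):
    """Substitute tag values into a template.

    In an HTML-format message every value except the markup tags is HTML-escaped,
    because values such as %%URL%% or %%VIRUS%% originate in the blocked traffic.
    This escaping rule is the example's own choice; tags without a value stay literal.
    """
    def substitute(match):
        tag = match.group(0)
        if tag not in values:
            return tag
        value = str(values[tag])
        if allowed_format == "HTML" and tag not in MARKUP_TAGS:
            value = html.escape(value, quote=True)
        return value
    return TAG_RE.sub(substitute, template)


# Constructed sample: an HTTP virus message whose blocked URL contains markup.
SAMPLE_TEMPLATE = ('<p>The file <b>%%FILE%%</b> from %%URL%% was removed because '
                   'it contained the virus %%VIRUS%%.</p>')
SAMPLE_VALUES = {
    "%%FILE%%": "report.exe",
    "%%URL%%": "http://example.test/dl?name=<b>x</b>",   # constructed, documentation domain
    "%%VIRUS%%": "EICAR_Test_File",
}

if __name__ == "__main__":
    print(check_template(SAMPLE_TEMPLATE, "HTML"))
    print(render(SAMPLE_TEMPLATE, SAMPLE_VALUES, "HTML"))
```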
To switch from Transparent to NAT/Route mode
1 Go to System > Config > Operation Mode, or select Change beside Operation Mode on the System Status page for the virtual domain.
2 From the Operation Mode list, select NAT.
Management access
Management access defines how administrators are able to log on to the FortiGate unit to perform management tasks such as configuration and maintenance. Methods of access can include local access through the console connection, or remote access over a network or modem interface using various protocols including Telnet and HTTPS. You can configure management access on any interface in your VDOM. See Configuring administrative access to an interface on page 165.

In NAT/Route mode, the interface IP address is used for management access. In Transparent mode, you configure a single management IP address that applies to all interfaces in your VDOM that permit management access. The FortiGate unit also uses this IP address to connect to the FDN for virus and attack updates (see Configuring FortiGuard Services on page 300).

The system administrator (admin) can access all VDOMs, and create regular administrator accounts; it does not matter to which VDOM the interface belongs. A regular administrator account can access only the VDOM to which it belongs, and the management computer must connect to an interface in that VDOM. In both cases, the management computer must connect to an interface that permits management access and its IP address must be on the same network.

Management access can be via HTTP, HTTPS, telnet, or SSH sessions if those services are enabled on the interface. HTTPS and SSH are preferred as they are more secure.

You can allow remote administration of the FortiGate unit. However, allowing remote administration from the Internet could compromise the security of the FortiGate unit. You should avoid this unless it is required for your configuration. To improve the security of a FortiGate unit that allows remote administration from the Internet:
- Use secure administrative user passwords.
- Change these passwords regularly.
- Enable secure administrative access to this interface using only HTTPS or SSH.
- Use Trusted Hosts to limit where the remote access can originate from.
- Do not change the system idle timeout from the default value of 5 minutes (see Settings on page 261).
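The three configuration-level recommendations above (HTTPS/SSH only, trusted hosts, default idle timeout) can be checked against a configuration backup. The script below is an added example, not from the guide or from Fortinet: it parses a constructed configuration fragment and reports interfaces that still allow HTTP or Telnet administration, administrators without trusted hosts, and a changed idle timeout. The CLI keywords allowaccess, trusthost1 and admintimeout, and the treatment of a trusthost of 0.0.0.0 0.0.0.0 as "any address", are assumptions to verify against your unit's CLI Reference; the addresses are documentation ranges.

```python
import shlex

INSECURE_ACCESS = {"http", "telnet"}   # the page recommends administration over HTTPS or SSH only
DEFAULT_IDLE_TIMEOUT = 5               # minutes; the page says to leave this default alone
ANY_HOST = ["0.0.0.0", "0.0.0.0"]      # assumption: this trusthost value places no restriction


def parse_config(text):
    """Parse a FortiOS-style configuration dump into {table: {entry: {key: [values]}}}.

    Only the nesting used here is handled: config <table> / edit <name> /
    set <key> <values...> / next / end. Scalar tables such as "system global"
    are stored under the entry name "".
    """
    tables, table, entry = {}, None, ""
    for raw in text.splitlines():
        parts = shlex.split(raw.strip())
        if not parts:
            continue
        cmd, args = parts[0], parts[1:]
        if cmd == "config":
            table, entry = " ".join(args), ""
            tables.setdefault(table, {})
        elif cmd == "edit" and table is not None:
            entry = args[0]
            tables[table].setdefault(entry, {})
        elif cmd == "set" and table is not None:
            tables[table].setdefault(entry, {})[args[0]] = args[1:]
        elif cmd == "next":
            entry = ""
        elif cmd == "end":
            table, entry = None, ""
    return tables


def audit_management_access(tables):
    """Return findings, one string each, for the recommendations listed above."""
    findings = []
    for name, iface in tables.get("system interface", {}).items():
        exposed = INSECURE_ACCESS & set(iface.get("allowaccess", []))
        if exposed:
            findings.append(f"interface {name}: allowaccess includes {' '.join(sorted(exposed))}; "
                            "allow only https and ssh for administration")
    for name, admin in tables.get("system admin", {}).items():
        if not name:
            continue
        hosts = [v for k, v in admin.items() if k.startswith("trusthost")]
        if not hosts or all(h[:2] == ANY_HOST for h in hosts):
            findings.append(f"admin {name}: no trusted hosts configured; "
                            "logins are accepted from any address")
    timeout = tables.get("system global", {}).get("", {}).get("admintimeout")
    if timeout and int(timeout[0]) != DEFAULT_IDLE_TIMEOUT:
        findings.append(f"admintimeout is {timeout[0]} minutes; the default is {DEFAULT_IDLE_TIMEOUT}")
    return findings


# Constructed configuration fragment (not from a real unit).
SAMPLE_CONFIG = """\
config system global
    set admintimeout 30
end
config system interface
    edit "wan1"
        set ip 203.0.113.2 255.255.255.0
        set allowaccess ping https ssh http telnet
    next
    edit "internal"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 0.0.0.0 0.0.0.0
    next
    edit "ops"
        set accprofile "prof_admin"
        set trusthost1 192.168.1.0 255.255.255.0
    next
end
"""

if __name__ == "__main__":
    for finding in audit_management_access(parse_config(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```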
System Admin
This section describes how to configure administrator accounts on your FortiGate unit. Administrators access the FortiGate unit to configure its operation. The factory default configuration has one administrator, admin. After connecting to the web-based manager or the CLI, you can configure additional administrators with various levels of access to different parts of the FortiGate unit configuration. If you enable virtual domains (VDOMs) on the FortiGate unit, system administrators are configured globally for the entire FortiGate unit. For details, see Using virtual domains on page 125.
Note: Always end your FortiGate session by logging out, in the CLI or the web-based manager. If you do not, the session remains open.
This section describes:
- Administrators
- Admin profiles
- Central Management
- Settings
- Monitoring administrators
- FortiGate IPv6 support
- Customizable web-based manager
Administrators
There are two levels of administrator accounts:

Regular administrators: An administrator with any admin profile other than super_admin. A regular administrator account has access to configuration options as determined by its Admin Profile. If virtual domains are enabled, the regular administrator is assigned to one VDOM and cannot access global configuration options or the configuration for any other VDOM. For information about which options are global and which are per VDOM, see VDOM configuration settings on page 126 and Global configuration settings on page 129.

System administrators: Includes the factory default system administrator admin, any other administrators assigned to the super_admin profile, and any administrator that is assigned to the super_admin_readonly profile. Any administrator assigned to the super_admin admin profile, including the default administrator account admin, has full access to the FortiGate unit configuration and general system settings, which includes the ability to:
- enable VDOM configuration
- create VDOMs
- configure VDOMs
- assign regular administrators to VDOMs
- configure global options
- customize the FortiGate web-based manager.
The super_admin admin profile cannot be changed; it does not app ear in the list of profiles in System > Admin > Admin Profile, but it is one of the selections in the Admin Profile drop-down list in the System > Admin New/Edit Administrator dialog box.
Figure 109: New Administrator dialog box displaying super_admin readonly option
Users assigned to the super_admin profile:
- cannot delete logged-in users who are also assigned the super_admin profile
- can delete other users assigned the super_admin profile and/or change the configured authentication method, password, or admin profile, only if the other users are not logged in
- can delete the default admin account only if the default admin user is not logged in.
There is also an admin profile that allows read-only super admin privileges, called super_admin_readonly. This profile cannot be deleted or changed, similar to the super_admin profile. The read-only super_admin profile is suitable in a situation where it is necessary for a system administrator to troubleshoot a customer configuration without being able to make changes. Other than being read-only, the super_admin_readonly profile can view all the FortiGate configuration tools.

You can authenticate an administrator by using a password stored on the FortiGate unit, a remote authentication server (such as LDAP, RADIUS, or TACACS+), or by using PKI certificate-based authentication. To authenticate an administrator with an LDAP or TACACS+ server, you must add the server to an authentication list, include the server in a user group, and associate the administrator with the user group. The RADIUS server authenticates users and authorizes access to internal network resources based on the admin profile of the user. Users authenticated with the PKI-based certificate are permitted access to internal network resources based on the user group they belong to and the associated admin profile.

A VDOM/admin profile override feature supports authentication of administrators via RADIUS. The admin user will have access depending on which VDOM and associated admin profile he or she is restricted to. This feature is available only to wildcard administrators, and can be set only through the FortiGate CLI. There can only be one VDOM override user per system. For more information, see the FortiGate CLI Reference.
Create New              Add an administrator account.
Name                    The login name for an administrator account.
Trusted Hosts           The IP address and netmask of trusted hosts from which the administrator can log in. For more information, see Using trusted hosts on page 254.
Profile                 The admin profile for the administrator.
Type                    The type of authentication for this administrator, one of:
  Local                 Authentication of an account with a local password stored on the FortiGate unit.
  Remote                Authentication of a specific account on a RADIUS, LDAP, or TACACS+ server.
  Remote+Wildcard       Authentication of any account on an LDAP, RADIUS, or TACACS+ server.
  PKI                   PKI-based certificate authentication of an account.
Delete icon             Delete the administrator account. You cannot delete the original admin account until you create another user with the super_admin profile, log out of the admin account, and log in with the alternate user that has the super_admin profile.
Edit icon               Edit or view the administrator account.
Change Password icon    Change the password for the administrator account. See Changing an administrator account password on page 246.
Administrator       Enter the login name for the administrator account. The name of the administrator should not contain the characters <>()#"'. Using these characters in the administrator account name can result in a cross site scripting (XSS) vulnerability.
Type                Select the type of administrator account:
  Regular           Select to create a Local administrator account. For more information, see Configuring regular (password) authentication for administrators on page 246.
  Remote            Select to authenticate the administrator using a RADIUS, LDAP, or TACACS+ server. Server authentication for administrators must be configured first. For more information, see Configuring remote authentication for administrators on page 246.
  PKI               Select to enable certificate-based authentication for the administrator. Only one administrator can be logged in with PKI authentication enabled. For more information, see Configuring PKI certificate authentication for administrators on page 252.
User Group          Select the administrator user group that includes the Remote server/PKI (peer) users as members of the User Group. The administrator user group cannot be deleted once the group is selected for authentication. This is available only if Type is Remote or PKI.
Wildcard            Select to allow all accounts on the RADIUS, LDAP, or TACACS+ server to be administrators. This is available only if Type is Remote. Only one wildcard user is permitted per VDOM.
Password            Enter a password for the administrator account. For improved security, the password should be at least 6 characters long. This is not available if Wildcard is selected or when Type is PKI. For more information see the Fortinet Knowledge Base article Recovering lost administrator account passwords if you forget or lose an administrator account password and cannot log in to your FortiGate unit.
Confirm Password    Type the password for the administrator account a second time to confirm that you have typed it correctly. This is not available if Wildcard is selected or when PKI authentication is selected.
Trusted Host #1 / #2 / #3          Enter the trusted host IP address and netmask this administrator login is restricted to on the FortiGate unit. You can specify up to three trusted hosts. These addresses all default to 0.0.0.0/0 or 0.0.0.0/0.0.0.0. For more information, see Using trusted hosts on page 254.
IPv6 Trusted Host #1 / #2 / #3     Enter the trusted host IPv6 address and netmask this administrator login is restricted to on the FortiGate unit. You can specify up to three trusted hosts. These addresses all default to ::/0. For more information, see Using trusted hosts on page 254.
Admin Profile                      Select the admin profile for the administrator. You can also select Create New to create a new admin profile. For more information on admin profiles, see Configuring an admin profile on page 258.
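As an added example (not from the guide), the trusted-host rule above modelled with Python's standard ipaddress module: each account carries the three IPv4 and three IPv6 slots from the form, a login source is accepted if it falls within any slot, and an audit flags accounts in which any slot still holds the 0.0.0.0/0 or ::/0 default. The account names and addresses are constructed; treating a /0 entry in any slot as admitting every source of that IP version is this model's assumption.

```python
import ipaddress

# Constructed accounts (not from the guide). Each carries the three IPv4 and
# three IPv6 trusted-host slots of the administrator form, written as the
# form accepts them: CIDR or address/netmask.
ADMINS = {
    # Factory defaults: 0.0.0.0/0 and ::/0 in every slot.
    "admin": {"trusted": ["0.0.0.0/0.0.0.0"] * 3 + ["::/0"] * 3},
    # Only the first slot was filled in; the other five keep their default.
    "half_done": {"trusted": ["10.10.20.0/24", "0.0.0.0/0", "0.0.0.0/0",
                              "::/0", "::/0", "::/0"]},
    # Every slot names a management subnet or a single jump host.
    "netops": {"trusted": ["10.10.20.0/255.255.255.0", "192.0.2.7/32", "192.0.2.8/32",
                           "2001:db8:10::/64", "2001:db8:10:1::/64", "2001:db8:10:2::/64"]},
}


def trusted_networks(entries):
    """Parse slot strings into networks. strict=False tolerates host bits
    set in the address part, as a form entry such as 192.0.2.7/24 would."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_trusted(admin, source_ip):
    """True if a login attempt from source_ip is accepted for this account.
    A slot of the other IP version never matches, so IPv4 and IPv6 slots
    can simply be checked together."""
    src = ipaddress.ip_address(source_ip)
    return any(src in net for net in trusted_networks(admin["trusted"]))


def unrestricted(admin):
    """True if any slot still holds a /0 default. Assumption of this model:
    a /0 entry in any slot admits every source of that IP version, which is
    what the page's defaults imply, so filling one slot alone is not enough."""
    return any(net.prefixlen == 0 for net in trusted_networks(admin["trusted"]))


def audit(admins):
    """Names of accounts reachable from anywhere, sorted for stable output."""
    return sorted(name for name, admin in admins.items() if unrestricted(admin))


if __name__ == "__main__":
    print("unrestricted accounts:", audit(ADMINS))
    for src in ("10.10.20.77", "203.0.113.9", "2001:db8:10::5"):
        print(src, "->", {n: is_trusted(a, src) for n, a in ADMINS.items()})
```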
4 Configure additional features as required. For more information, see Configuring an administrator account on page 244.
5 Select OK.
When you select Type > Regular, you will see Local as the entry in the Type column when you view the list of administrators. For more information, see Viewing the administrators list on page 243.
Note: If you forget or lose an administrator account password and cannot log in to your FortiGate unit, see the Fortinet Knowledge Base article Recovering lost administrator account passwords.
The following instructions assume there is a RADIUS server on your network populated with the names and passwords of your administrators. For information on how to set up a RADIUS server, see the documentation for your RADIUS server. To view the RADIUS server list, go to User > Remote > RADIUS.
Figure 114: Example RADIUS server list

Create New       Add a new RADIUS server.
Name             The name that identifies the RADIUS server on the FortiGate unit.
Server Name/IP   The domain name or IP address of the RADIUS server.
Delete icon      Delete a RADIUS server configuration. You cannot delete a RADIUS server that has been added to a user group.
Edit icon        Edit a RADIUS server configuration.
To configure the FortiGate unit to access the RADIUS server
1 Go to User > Remote > RADIUS.
2 Select Create New, or select the Edit icon beside an existing RADIUS server.
Authentication Scheme        Select one of Use Default Authentication Scheme or Specify Authentication Protocol. If you chose to specify the scheme, select one of the schemes from the drop-down menu.
NAS IP/Called Station ID     Enter the Network Attached Storage (NAS) IP address.
Include in every User Group  Select to add this RADIUS server to every user group in this VDOM (optional).
4 Select OK.
For further information about RADIUS authentication, see Configuring a RADIUS server on page 648.
To create the user group (RADIUS)
1 Go to User > User Group.
2 Select Create New or select the Edit icon beside an existing RADIUS group.
3 Enter the name that identifies the user group.
4 For Type, enter Firewall.
5 In the Available Users/Groups list, select the RADIUS server name and move it to the Members list.
6 Select OK.
To configure an administrator to authenticate with a RADIUS server
1 Go to System > Admin.
2 Select Create New, or select the Edit icon beside an existing administrator.
3 Enter the following information:
Name               A name that identifies the administrator.
Type               Remote.
User Group         The user group that includes the RADIUS server as a member.
Password           The password the administrator uses to authenticate.
Confirm Password   The re-entered password that confirms the original entry in Password.
Admin Profile      The admin profile to apply to the administrator.
4 Configure additional features as required. For more information, see Configuring an administrator account on page 244.
5 Select OK.
For more information about using a RADIUS server to authenticate system administrators, see the Fortinet Knowledge Base article Using RADIUS for Admin Access and Authorization.
See also
Admin profiles
Configuring a RADIUS server
Configuring a user group
To view the LDAP server list, go to User > Remote > LDAP.
Figure 115: Example LDAP server list

Create New               Add a new LDAP server.
Name                     The name that identifies the LDAP server on the FortiGate unit.
Server Name/IP           The domain name or IP address of the LDAP server.
Port                     The TCP port used to communicate with the LDAP server.
Common Name Identifier   The common name identifier for the LDAP server.
Distinguished Name       The distinguished name used to look up entries on the LDAP server.
Delete icon              Delete the LDAP server configuration.
Edit icon                Edit the LDAP server configuration.
To configure an LDAP server
1 Go to User > Remote > LDAP.
2 Select Create New or select the Edit icon beside an existing LDAP server.
3 Enter or select the following and select OK.
Name                     The name that identifies the LDAP server on the FortiGate unit.
Server Name/IP           The domain name or IP address of the LDAP server.
Server Port              The TCP port used to communicate with the LDAP server.
Common Name Identifier   The common name identifier for the LDAP server.
Distinguished Name       The base distinguished name for the server in the correct X.500 or LDAP format.
Query icon               View the LDAP server Distinguished Name Query tree for the LDAP server that you are configuring so that you can cross-reference to the Distinguished Name. For more information, see Using Query on page 652.
Bind Type                The type of binding for LDAP authentication.
  Anonymous              Bind using anonymous user search.
  Regular                Bind using a user name/password and then search.
  Simple                 Bind using a simple password authentication without a search.
Filter                   Filter used for group searching. Available only if Bind Type is Anonymous or Regular.
User DN                  Distinguished name of user to be authenticated. Available only if Bind Type is Regular.
Password                 Password of user to be authenticated. Available only if Bind Type is Regular.
Secure Connection        A check box that enables a secure LDAP server connection for authentication.
Protocol                 The secure LDAP protocol to use for authentication. Available only if Secure Connection is selected.
Certificate              The certificate to use for authentication. Available only if Secure Connection is selected.
For further information about LDAP authentication, see Configuring an LDAP server on page 650.
To create the user group (LDAP)
1 Go to User > User Group.
2 Select Create New or select the Edit icon beside an existing user group.
3 Enter a Name that identifies the LDAP user group.
4 For Type, enter Firewall.
5 In the Available Users/Groups list, select the LDAP server name and move it to the Members list.
6 Select OK.
To configure an administrator to authenticate with an LDAP server
1 Go to System > Admin.
2 Select Create New or select the Edit icon beside an existing administrator account.
3 Enter or select the following:
Administrator      A name that identifies the administrator.
Type               Remote.
User Group         The user group that includes the LDAP server as a member.
Wildcard           A check box that allows all accounts on the LDAP server to be administrators.
Password           The password the administrator uses to authenticate. Not available if Wildcard is enabled.
Confirm Password   The re-entered password that confirms the original entry in Password. Not available if Wildcard is enabled.
Admin Profile      The admin profile to apply to the administrator.
FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20091022 http://docs.fortinet.com/ Feedback
4 Configure additional features as required. For more information, see Configuring an administrator account on page 244.
5 Select OK.
To view the TACACS+ server list, go to User > Remote > TACACS+.
Figure 116: Example TACACS+ server list

Create New            Add a new TACACS+ server.
Server                The server domain name or IP address of the TACACS+ server.
Authentication Type   The supported authentication method. TACACS+ authentication methods include: Auto, ASCII, PAP, CHAP, and MSCHAP.
Delete icon           Delete this TACACS+ server.
Edit icon             Edit this TACACS+ server.
To configure the FortiGate unit to access the TACACS+ server
1 Go to User > Remote > TACACS+.
2 Select Create New, or select the Edit icon beside an existing TACACS+ server.
3 Enter or select the following:
Name                  Enter a name that identifies the TACACS+ server.
Server Name/IP        Enter the server domain name or IP address of the TACACS+ server.
Key                   Enter the key to access the TACACS+ server. The maximum length is 16.
Authentication Type   Enter one of Auto, ASCII, PAP, CHAP, and MSCHAP. Auto authenticates using PAP, MSCHAP, and CHAP (in that order).
4 Select OK.
For further information about TACACS+ authentication, see Configuring TACACS+ servers on page 653.
To create the user group (TACACS+)
1 Go to User > User Group.
2 Select Create New, or select the Edit icon beside an existing user group.
3 Enter a Name that identifies the TACACS+ user group.
4 For Type, select Firewall.
5 In the Available Users/Groups list, select the TACACS+ server name and move it to the Members list.
6 Select OK.
To configure an administrator to authenticate with a TACACS+ server
1 Go to System > Admin.
2 Select Create New, or select the Edit icon beside an existing administrator.
3 Enter or select the following:
Administrator      A name that identifies the administrator.
Type               Remote.
User Group         The user group that includes the TACACS+ server as a member.
Wildcard           Select to allow all accounts on the TACACS+ server to be administrators.
Password           The password the administrator uses to authenticate. Not available if Wildcard is enabled.
Confirm Password   The re-entered password that confirms the original entry in Password. Not available if Wildcard is enabled.
Admin Profile      The admin profile to apply to the administrator.
4 Configure additional features as required. For more information, see Configuring an administrator account on page 244.
5 Select OK.
To create the user group (PKI)
To configure an administrator to authenticate with a PKI certificate

Create New    Add a new PKI user.
Name          The name of the PKI user.
Subject       The text string that appears in the subject field of the certificate of the authenticating user.
CA            The CA certificate that is used to authenticate this user.
Delete icon   Delete this PKI user.
Edit icon     Edit this PKI user.
To configure a PKI user
1 Go to User > PKI.
2 Select Create New, or select the Edit icon beside an existing PKI user.
3 Enter the Name of the PKI user.
4 For Subject, enter the text string that appears in the subject field of the certificate of the authenticating user.
5 Select the CA certificate used to authenticate this user.
6 Select OK.
To create the user group (PKI)
1 Go to User > User Group.
2 Select Create New, or select the Edit icon beside an existing user group.
3 Enter or select the following:

Name                     The name that identifies the PKI user group.
Type                     Firewall.
Available Users/Groups   Select the PKI user name and move it to the Members list.
4 Select OK.
To configure an administrator to authenticate with a PKI certificate
1 Go to System > Admin.
2 Select Create New, or select the Edit icon beside an existing administrator.
3 Enter or select the following:
Administrator   A name that identifies the administrator.
Type            PKI.
User Group      The user group that includes the PKI user as a member.
Admin Profile   The admin profile to apply to the administrator.

4 Configure additional features as required. For more information, see Configuring an administrator account on page 244.
5 Select OK.
Admin profiles
Each administrator account belongs to an admin profile. The admin profile separates FortiGate features into access control categories for which an administrator with read/write access can enable none (deny), read only, or read/write access. The following table lists the web-based manager pages to which each category provides access.
Table 40: Admin profile control of access to Web-based manager pages
Access control                   Affected web-based manager pages
Admin Users                      System > Admin > Administrators
                                 System > Admin > Admin Profile
Antivirus Configuration          UTM > AntiVirus
Application Control              UTM > Application Control
Auth Users                       User
Data Leak Prevention (DLP)       UTM > Data Leak Prevention
Email Filter                     UTM > Email Filter
Firewall Configuration           Firewall
FortiGuard Update                System > Maintenance > FortiGuard
IM, P2P & VoIP Configuration     IM, P2P & VoIP > Statistics
                                 IM, P2P & VoIP > User > Current Users
                                 IM, P2P & VoIP > User > User List
                                 IM, P2P & VoIP > User > Config
(label missing)                  UTM > Intrusion Protection
(label missing)                  Log&Report
Maintenance                      System > Maintenance
(label missing)                  System > Network > Interface
                                 System > Network > Zone
                                 System > Network > Web Proxy
                                 System > DHCP
Router Configuration             Router
(label missing)                  UTM > AntiSpam
System Configuration             System > Status, including Session info
                                 System > Config
                                 System > Hostname
                                 System > Network > Options
                                 System > Admin > Central Management
                                 System > Admin > Settings
                                 System > Status > System Time
                                 Wireless Controller
(label missing)                  VPN
(label missing)                  UTM > Web Filter
Read-only access for a web-based manager page enables the administrator to view that page. However, the administrator needs write access to change the settings on the page. You can expand the firewall configuration access control to enable more granular control of access to the firewall functionality. You can control administrator access to policy, address, service, schedule, profile, and other virtual IP (VIP) configurations.
Note: When Virtual Domain Configuration is enabled (see Settings on page 261), only the administrators with the admin profile super_admin have access to global settings. Other administrator accounts are assigned to one VDOM and cannot access global configuration options or the configuration for any other VDOM. For information about which settings are global, see VDOM configuration settings on page 126.
The admin profile has a similar effect on administrator access to CLI commands. The following table shows which command types are available in each Access Control category. You can access get and show commands with Read Only access. Access to config commands requires Read-Write access.
Table 41: Admin profile control of access to CLI commands
Access control                      Available CLI commands
Admin Users (admingrp)              system admin
                                    system accprofile
Antivirus Configuration (avgrp)     antivirus
Application Control                 application
Auth Users (authgrp)                user
Data Leak Prevention (DLP)          dlp
Email Filter                        spamfilter
Firewall Configuration (fwgrp)      firewall
                                    Use the set fwgrp custom and config fwgrppermission commands to set some firewall permissions individually. You can make selections for policy, address, service, schedule, profile, and other (VIP) configurations. For more information, see the FortiGate CLI Reference.
FortiGuard Update                   system autoupdate
                                    execute update-av
                                    execute update-ips
                                    execute update-now
(label missing)                     ips
(loggrp)                            system alertemail
                                    log
                                    system fortianalyzer
                                    execute log
Maintenance (mntgrp)                execute formatlogdisk
                                    execute restore
                                    execute backup
                                    execute batch
                                    execute usb-disk
(netgrp)                            system arp-table
                                    system dhcp
                                    system interface
                                    system zone
                                    execute dhcp lease-clear
                                    execute dhcp lease-list
                                    execute clear system arp table
                                    execute interface
Router Configuration (routegrp)     router
                                    execute router
                                    execute mrouter
(label missing)                     spamfilter
System Configuration                system (except admingrp, loggrp, and netgrp commands)
                                    gui
                                    wireless-controller
                                    execute cfg
                                    execute cli
                                    execute date
                                    execute disconnect-admin-session
                                    execute enter
                                    execute factoryreset
                                    execute fortiguard-log
                                    execute ha
                                    execute ping
                                    execute ping-options
                                    execute ping6
                                    execute ping6-options
                                    execute reboot
                                    execute send-fds-statistics
                                    execute set-next-reboot
                                    execute shutdown
                                    execute ssh
                                    execute telnet
                                    execute time
                                    execute traceroute
                                    execute usb-disk
(label missing)                     vpn
                                    execute vpn
(label missing)                     webfilter
To add admin profiles for FortiGate administrators, go to System > Admin > Admin Profile. Each administrator account belongs to an admin profile. An administrator with read/write access can create admin profiles that deny access to, allow read-only, or allow both readand write-access to FortiGate features. When an administrator has read-only access to a feature, the administrator can access the web-based manager page for that feature but cannot make changes to the configuration. There are no Create or Apply buttons and lists display only the View ( ) icon instead of icons for Edit, Delete or other modification commands.
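An added example, not FortiOS code, of the CLI-side check the two tables describe: a longest-prefix table built from Table 41 maps a command path to its access-control group, get and show need Read Only, and config needs Read-Write. The name sysgrp for the catch-all system category, the treatment of execute as Read-Write, and the two sample profiles are assumptions.

```python
# Added model of the admin-profile check for CLI commands (not FortiOS code).
# Paths come from Table 41. Longest prefix wins, so "system admin" lands in
# admingrp while "system dns" falls through to the plain "system" entry,
# which is the "system (except admingrp, loggrp and netgrp commands)" rule.
# The page names those exception groups but not the catch-all category;
# it is called "sysgrp" here, an assumption.
CONFIG_GROUPS = [
    ("system admin", "admingrp"),
    ("system accprofile", "admingrp"),
    ("antivirus", "avgrp"),
    ("user", "authgrp"),
    ("firewall", "fwgrp"),
    ("system alertemail", "loggrp"),
    ("system fortianalyzer", "loggrp"),
    ("log", "loggrp"),
    ("system arp-table", "netgrp"),
    ("system dhcp", "netgrp"),
    ("system interface", "netgrp"),
    ("system zone", "netgrp"),
    ("router", "routegrp"),
    ("system", "sysgrp"),
    ("gui", "sysgrp"),
    ("wireless-controller", "sysgrp"),
]

# A subset of the execute commands Table 41 lists, keyed the same way.
EXECUTE_GROUPS = [
    ("log", "loggrp"),
    ("backup", "mntgrp"),
    ("restore", "mntgrp"),
    ("formatlogdisk", "mntgrp"),
    ("dhcp", "netgrp"),
    ("interface", "netgrp"),
    ("clear system arp table", "netgrp"),
    ("router", "routegrp"),
    ("mrouter", "routegrp"),
    ("ping", "sysgrp"),
    ("reboot", "sysgrp"),
    ("factoryreset", "sysgrp"),
]

LEVELS = {"none": 0, "read": 1, "read-write": 2}


def _match(path, table):
    """Longest-prefix match of a command path against a group table."""
    best = None
    for prefix, group in table:
        if path == prefix or path.startswith(prefix + " "):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, group)
    return best[1] if best else None


def command_group(command):
    """Split a CLI line into (verb, access-control group or None)."""
    verb, _, path = command.strip().partition(" ")
    table = EXECUTE_GROUPS if verb == "execute" else CONFIG_GROUPS
    return verb, _match(path, table)


def cli_allowed(profile, command):
    """profile maps group -> 'none' | 'read' | 'read-write' (absent = none).
    As the page states, get/show need Read Only and config needs Read-Write;
    execute is treated like config here, an assumption. Unknown verbs and
    unmapped paths are denied."""
    verb, group = command_group(command)
    if group is None:
        return False
    if verb in ("get", "show"):
        need = 1
    elif verb in ("config", "execute"):
        need = 2
    else:
        return False
    return LEVELS[profile.get(group, "none")] >= need


# Constructed profiles: a log viewer in the spirit of the guide's
# "Report Profile", and a network operator with read-only system access.
REPORT_PROFILE = {"loggrp": "read"}
NETOPS_PROFILE = {"netgrp": "read-write", "sysgrp": "read"}


def audit(profile, commands):
    """{command: allowed} for a list of commands, for checking a profile
    before it is assigned to anyone."""
    return {c: cli_allowed(profile, c) for c in commands}


if __name__ == "__main__":
    for cmd, ok in audit(NETOPS_PROFILE, [
        "show system interface", "config system interface",
        "show system dns", "config system dns",
        "config system admin", "execute ping 192.0.2.1",
    ]).items():
        print("allow" if ok else "deny ", cmd)
```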
Create New     Add a new admin profile.
Profile Name   The name of the admin profile.
Delete icon    Select to delete the admin profile. You cannot delete an admin profile that has administrators assigned to it.
Edit icon      Select to modify the admin profile.
Profile Name                  Enter the name of the admin profile.
Access Control                List of the items that can customize access control settings if configured.
  None                        Deny access to all Access Control categories.
  Read Only                   Enable Read access in all Access Control categories.
  Read-Write                  Select to allow read/write access in all Access Control categories.
Access Control (categories)   Make specific control selections as required. For detailed information about the Access Control categories, see Admin profiles on page 254.
GUI Control                   Select Standard to use the default FortiGate web-based manager. Select Customize to create a custom web-based manager configuration for the administrators who log in with this admin profile. For more information, see Customizable web-based manager on page 268.
Central Management
The Central Management tab provides the option of remotely managing your FortiGate unit by either a FortiManager unit or the FortiGuard Analysis and Management Service. From System > Admin > Central Management, you can configure your FortiGate unit to back up or restore configuration settings automatically to the specified central management server. The central management server is the type of service you enable, either a FortiManager unit or the FortiGuard Analysis and Management Service. If you have a subscription for FortiGuard Analysis and Management Service, you can also remotely upgrade the firmware on the FortiGate unit.
Figure 120: Central Management using FortiManager
Enables the Central Management feature on the FortiGate unit. Select the type of central management for this FortiGate unit. You can select FortiManager or the FortiGuard Management Service.
FortiManager                    Select to use FortiManager as the central management service for the FortiGate unit. Enter the IP address or name of the FortiManager unit in the IP/Name field. If your organization is operating a FortiManager cluster, add the IP address or name of the primary FortiManager unit to the IP/Name field and add the IP address or name of the backup FortiManager units to the Trusted FortiManager list.
  Status                        Status indicates whether or not the FortiGate unit can communicate with the FortiManager unit added to the IP/Name field. A red arrow-down indicates that there is no connection enabled. A green arrow-up indicates that there is a connection. A yellow caution symbol appears when your FortiGate unit is considered an unregistered device by the FortiManager unit.
  Register                      Select Register to include the FortiManager unit in the Trusted FortiManager List.
FortiGuard Management Service   Select to use the FortiGuard Management Service as the central management service for the FortiGate unit. Enter the Account ID in the Account ID field. If you do not have an account ID, register for the FortiGuard Management Service on the FortiGuard Management Service website. Select Change to go directly to System > Maintenance > FortiGuard. Under Analysis & Management Service Options, enter the account ID in the Account ID field.
When you are configuring your FortiGate unit to connect to and communicate with a FortiManager unit, the following steps must be taken because of the two different deployment scenarios.

FortiGate is directly reachable from FortiManager:
  In the FortiManager GUI, add the FortiGate unit to the FortiManager database in the Device Manager module
  Change the FortiManager IP address
  Change the FortiGate IP address
  In System > Admin > Central Management, choose FortiManager
  Add the FortiManager unit to the Trusted FortiManager List, if applicable

  Change the FortiManager IP address
  Change the FortiGate IP address
  Contact the FortiManager administrator to verify the FortiGate unit displays in the Device list in the Device Manager module
Revision control
The Revision Control tab displays a list of the backed up configuration files. The list displays only when your FortiGate unit is managed by a central management server. For more information, see Managing configuration revisions on page 297.
Settings
The Settings tab includes the following features that you can configure:
  ports for HTTP/HTTPS administrative access and SSL VPN login
  password policy for administrators and IPsec pre-shared keys
  the idle timeout setting
  settings for the language of the web-based manager and the number of lines displayed in generated reports
  PIN protection for LCD and control buttons (LCD-equipped models only)
  SCP capability for users logged in via SSH
  Wireless controller capability
  IPv6 support on the web-based manager.
To configure settings, go to System > Admin > Settings, enter or select the following and select OK.
Figure 122: Administrators Settings
Web Administration Ports
  HTTP                TCP port to be used for administrative HTTP access. The default is 80.
  HTTPS               TCP port to be used for administrative HTTPS access. The default is 443.
  SSLVPN Login Port   An alternative HTTPS port number for remote client web browsers to connect to the FortiGate unit. The default port number is 10443.
  Telnet Port         TCP port to be used for administrative telnet access. The default is 23.
  SSH Port            TCP port to be used for administrative SSH access. The default is 22.
Enable SSH v1 compatibility
Password Policy
  Enable                 Select to enable the password policy.
  Minimum Length         Set the minimum acceptable length for passwords.
  Must contain           Select any of the following character types to require in a password. Each selected type must occur at least once in the password.
    Upper Case Letters            A, B, C, ... Z
    Lower Case Letters            a, b, c, ... z
    Numerical digits              0, 1, 2, 3, 4, 5, 6, 7, 8, 9
    Non-alphanumeric characters   punctuation marks, @, #, ... %
  Select where to apply the password policy:
    Admin Password         Apply to administrator passwords. If any password does not conform to the policy, require that administrator to change the password at the next login.
    IPSEC Preshared Key    Apply to preshared keys for IPSec VPNs. The policy applies only to new preshared keys. You are not required to change existing preshared keys.
  Admin Password Expires after n days   Require administrators to change password after a specified number of days. Specify 0 to remove required periodic password changes.
Timeout Settings
  Idle Timeout           The number of minutes an administrative connection must be idle before the administrator has to log in again. The maximum is 480 minutes (8 hours). To improve security, keep the idle timeout at the default value of 5 minutes.
Language                 The language the web-based manager uses. Choose from English, Simplified Chinese, Japanese, Korean, Spanish, Traditional Chinese or French. You should select the language that the operating system of the management computer uses.
Lines per page           Number of lines per page to display in table lists. The default is 50. Range is from 20 - 1000.
IPv6 Support on GUI          Enable to configure IPv6 options from the GUI (Firewall policy, route, address and address group). Default allows configuration from CLI only. For more information on IPv6, see the sections that include IPv6 related fields, or see FortiGate IPv6 support on page 264.
LCD Panel (LCD-equipped models only)
  PIN Protection             Select and enter a 6-digit PIN. Administrators must enter the PIN to use the control buttons and LCD.
Enable SCP                   Enable users logged in through SSH to be able to use Secure Copy (SCP) to copy the configuration file.
Enable Wireless Controller   Enable the Wireless Controller feature. Then you can access the Wireless Controller menu in the web-based manager and the corresponding CLI commands. For more information, see Wireless Controller on page 697.
Note: If you make a change to the default port number for HTTP, HTTPS, Telnet, or SSH, ensure that the port number is unique.
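An added example (not from the guide) that applies the administrator-name character rule from Configuring an administrator account together with the Password Policy settings above: forbidden name characters are reported, each selected character class must occur at least once, and a password that fails the policy or has passed its Expires after n days value is flagged for change at the next login. The policy values, account names and passwords are constructed; the inclusive day boundary for expiry is an assumption.

```python
import string
from datetime import date, timedelta

# Characters the guide forbids in an administrator name because they can
# enable cross-site scripting where the name is echoed back in pages.
FORBIDDEN_NAME_CHARS = set('<>()#"\'')

# Constructed policy mirroring the Settings form: Enable, Minimum Length,
# Must contain (each selected class must occur at least once) and
# Admin Password Expires after n days (0 turns periodic expiry off).
POLICY = {
    "enabled": True,
    "min_length": 12,
    "must_contain": {"upper", "lower", "digit", "non_alnum"},
    "expires_days": 90,
}

# One test per selectable character class, in the form's own terms.
CLASS_CHECKS = {
    "upper": lambda pw: any(c in string.ascii_uppercase for c in pw),  # A, B, C, ... Z
    "lower": lambda pw: any(c in string.ascii_lowercase for c in pw),  # a, b, c, ... z
    "digit": lambda pw: any(c in string.digits for c in pw),           # 0 ... 9
    "non_alnum": lambda pw: any(not c.isalnum() for c in pw),          # punctuation, @, #, %
}

# Constructed review date and accounts; the passwords are illustrative only.
AS_OF = date(2009, 10, 22)
ACCOUNTS = [
    {"name": "netops", "password": "Str0ng!Passw0rd", "password_set_on": date(2009, 10, 1)},
    {"name": "legacy", "password": "Admin123", "password_set_on": date(2009, 1, 15)},
    {"name": "help(desk)#1", "password": "Tr0ub4dor&3x", "password_set_on": date(2009, 10, 1)},
]


def bad_name_chars(name):
    """Sorted list of forbidden characters found in an administrator name."""
    return sorted(set(name) & FORBIDDEN_NAME_CHARS)


def password_violations(password, policy=POLICY):
    """List the ways a password breaks the policy; empty means it conforms."""
    if not policy["enabled"]:
        return []
    problems = []
    if len(password) < policy["min_length"]:
        problems.append("shorter than %d characters" % policy["min_length"])
    for cls in sorted(policy["must_contain"]):
        if not CLASS_CHECKS[cls](password):
            problems.append("missing %s character" % cls)
    return problems


def password_expired(set_on, today, policy=POLICY):
    """'Expires after n days': expired once n days have elapsed (inclusive
    boundary is an assumption); n == 0 disables periodic changes."""
    n = policy["expires_days"]
    return n > 0 and today - set_on >= timedelta(days=n)


def must_change_at_login(account, today, policy=POLICY):
    """The page's rule: a password that does not conform is changed at the
    next login; an expired one is treated the same way here."""
    return (bool(password_violations(account["password"], policy))
            or password_expired(account["password_set_on"], today, policy))


def review(accounts, today, policy=POLICY):
    """Summarise every account so a reviewer can see what to fix before
    enabling the policy on a live unit."""
    return {
        a["name"]: {
            "bad_name_chars": bad_name_chars(a["name"]),
            "violations": password_violations(a["password"], policy),
            "change_at_login": must_change_at_login(a, today, policy),
        }
        for a in accounts
    }


if __name__ == "__main__":
    for name, result in review(ACCOUNTS, AS_OF).items():
        print(name, result)
```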
Monitoring administrators
To see the number of logged-in administrators, go to System > Status. Under System Information, you will see Current Administrators. Select Details to view information about the administrators currently logged in to the FortiGate unit.
Figure 123: System Information displaying current administrators
Disconnect   Select to disconnect the selected administrators. This is available only if your admin profile gives you System Configuration write permission.
Select to update the list.
Select to close the window.
Select an administrator session, then select Disconnect to log off this administrator. This is available only if your admin profile gives you System Configuration write access. You cannot log off the default admin user.
The administrator account name.
Type         The type of access: http, https, jsconsole, sshv2.
From         If Type is jsconsole, the value in From is N/A. Otherwise, From contains the administrator's IP address.
The date and time the administrator logged on.
See also
  implementing dual IP layers to support both IPv6 and IPv4
  using IPv6 over IPv4 tunneling to encapsulate IPv6 packets within IPv4 headers.
FortiGate units are dual IP layer IPv6/IPv4 nodes, and support IPv6 in both NAT/Route and Transparent operation modes. They support IPv6 over IPv4 tunneling as well as IPv6 routing, firewall policies and IPSec VPN. You can assign both an IPv4 and an IPv6 address to any interface on a FortiGate unit; the interface then functions as two interfaces, one for IPv4-addressed packets and another for IPv6-addressed packets. For more information, see the FortiGate IPv6 Support Technical Note.
Once IPv6 support is enabled, you can configure the IPv6 options using the web-based manager or the CLI. Note that some IPv6 configuration is only available in the CLI. See the FortiGate CLI Reference for information on configuring IPv6 support using the CLI.
IP version 6 address
While 32 bits of address space, or just under 5 billion addresses, seems like a lot, these addresses have been used up quickly. Between the servers and routers that provide the backbone communications of the Internet and the large companies and governments with thousands of computers, large portions of the IP address space were either reserved or used up. In 1998, IP version 6 was designed mainly to provide more addresses, but also to improve slightly on IP version 4 (IPv4). IP version 6 (IPv6) is defined in RFC 2460. With four-byte addresses there are just under 5 billion addresses in total. IPv6 addresses are 32 bytes long, and there is no danger of ever running out. This very large address space also allows for a more logical organization of addresses, which in turn promotes more efficient network management and routing.
IPv6 addresses are normally written as eight groups of 4 hexadecimal digits each. For example, 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234 is a valid IPv6 address. If a 4 digit group is 0000, it may be omitted. For example, 3f2e:6a8b:78a3:0000:1725:6a2f:0370:6234 is the same IPv6 address as 3f2e:6a8b:78a3::1725:6a2f:0370:6234. You can use the :: notation to indicate multiple consecutive omitted zero groups. There must not be more than one use of :: in an address, as this is ambiguous. Also, you can omit leading zeros in a group. Thus
  19a4:0478:0000:0000:0000:0000:1a57:ac9e
  19a4:0478:0000:0000:0000::1a57:ac9e
  19a4:478:0:0:0:0:1a57:ac9e
  19a4:478:0::0:1a57:ac9e
  19a4:478::1a57:ac9e
are all valid and are the same address.
For IPv4-compatible or IPv4-mapped IPv6 addresses, you can enter the IPv4 portion using either hexadecimal or dotted decimal, but the FortiGate CLI always shows the IPv4 portion in dotted decimal format. For all other IPv6 addresses, the CLI accepts and displays only hexadecimal.
IPv6 Netmasks
As with IPv6 addresses, hexadecimal notation replaces the dotted decimal notation of IPv4. CIDR notation can also be used. This notation appends a slash (/) to the IP address, followed by the number of bits in the network portion of the address.
Table 42: IPv6 netmasks
IP Address        3ffe:ffff:1011:f101:0210:a4ff:fee3:9566
Netmask           ffff:ffff:ffff:ffff:0000:0000:0000:0000
Network           3ffe:ffff:1011:f101:0000:0000:0000:0000
CIDR IP/Netmask   3ffe:ffff:1011:f101:0210:a4ff:fee3:9566/64
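An added example, not from the guide, implementing the notation rules described above and the netmask arithmetic of Table 42: expansion with the single-:: and leading-zero rules, compression to the shortest form, the CLI display rule for IPv4-compatible and IPv4-mapped addresses, and network computation from a hexadecimal netmask or CIDR length. How the CLI shows :: and ::1 is an assumption noted in the code.

```python
import re


def expand_ipv6(text):
    """Expand any notation the page allows to eight zero-padded hex groups.

    Rules: at most one '::', standing for one or more all-zero groups;
    leading zeros in a group may be omitted; an IPv4-compatible or
    IPv4-mapped address may give its last 32 bits as dotted decimal.
    Anything else raises ValueError.
    """
    if text.count("::") > 1:
        raise ValueError("more than one '::' is ambiguous")
    if "." in text:
        # Replace a dotted-decimal tail with the two hex groups it stands for.
        head, _, v4 = text.rpartition(":")
        octets = [int(o) for o in v4.split(".")]
        if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
            raise ValueError("bad IPv4 tail: %r" % v4)
        text = "%s:%02x%02x:%02x%02x" % (head, *octets)
    if "::" in text:
        left, right = text.split("::")
        lg = left.split(":") if left else []
        rg = right.split(":") if right else []
        if len(lg) + len(rg) > 7:
            raise ValueError("'::' must stand for at least one group")
        groups = lg + ["0"] * (8 - len(lg) - len(rg)) + rg
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError("expected 8 groups, got %d" % len(groups))
    for g in groups:
        if not re.fullmatch(r"[0-9A-Fa-f]{1,4}", g):
            raise ValueError("bad group: %r" % g)
    return ":".join("%04x" % int(g, 16) for g in groups)


def is_valid_ipv6(text):
    """True if expand_ipv6 accepts the text."""
    try:
        expand_ipv6(text)
        return True
    except ValueError:
        return False


def compress_ipv6(text):
    """Shortest form: drop leading zeros and replace the longest run of two
    or more zero groups with '::' (the 19a4:478::1a57:ac9e style)."""
    groups = ["%x" % int(g, 16) for g in expand_ipv6(text).split(":")]
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(groups)
    return ":".join(groups[:best_start]) + "::" + ":".join(groups[best_start + best_len:])


def cli_display(text):
    """Render as the page says the CLI does: the IPv4 part of an IPv4-compatible
    (::a.b.c.d) or IPv4-mapped (::ffff:a.b.c.d) address in dotted decimal,
    everything else in hexadecimal only."""
    g = expand_ipv6(text).split(":")
    tail = int(g[6] + g[7], 16)
    mapped = g[:5] == ["0000"] * 5 and g[5] == "ffff"
    # tail > 0xffff keeps :: and ::1 in hex form, an assumption about how
    # the CLI treats the unspecified and loopback addresses.
    compatible = g[:6] == ["0000"] * 6 and tail > 0xffff
    if mapped or compatible:
        dotted = ".".join(str((tail >> s) & 0xff) for s in (24, 16, 8, 0))
        return ("::ffff:" if mapped else "::") + dotted
    return compress_ipv6(text)


def netmask_to_prefix(mask):
    """CIDR length of a hex netmask such as ffff:ffff:ffff:ffff::."""
    bits = format(int(expand_ipv6(mask).replace(":", ""), 16), "0128b")
    prefix = len(bits) - len(bits.lstrip("1"))
    if bits != "1" * prefix + "0" * (128 - prefix):
        raise ValueError("netmask bits are not contiguous")
    return prefix


def network_of(address, prefix):
    """Network part of address/prefix in the expanded form Table 42 uses."""
    bits = int(expand_ipv6(address).replace(":", ""), 16)
    mask = ((1 << prefix) - 1) << (128 - prefix)
    h = "%032x" % (bits & mask)
    return ":".join(h[i:i + 4] for i in range(0, 32, 4))
```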
IPv4-compatible   ::/96
IPv4-mapped       ::FFFF/96
Multicast         ::FF00/8
Anycast           all prefixes except those listed above
Link-local        FE80::/10
Site-local        FEC0::/10
Global            all others
FortiGate units are dual IP layer IPv6/IPv4 nodes; they support both IPv4 and IPv6. FortiGate units also support IPv6 over IPv4 tunneling.
IPv4-compatible addresses are used for hosts and routers to dynamically tunnel IPv6 packets over IPv4 routing infrastructure. IPv4-mapped addresses are used for nodes that do not support IPv6.
IPv6 tunneling
Networks using IPv6 addressing can be linked through IPv4-addressed infrastructure using several tunneling techniques:
Table 45: Tunneling techniques
IPv6-over-IPv4    Encapsulates IPv6 packets within IPv4 so that they can be carried across IPv4 routing infrastructures.
Configured        The endpoint address is determined by configuration information on the encapsulating node.
Automatic         The IPv4 tunnel endpoint address is determined from the IPv4 address embedded in the IPv4-compatible destination address of the IPv6 packet being tunneled.
IPv4 multicast    The IPv4 tunnel endpoint address is determined using Neighbor Discovery. No address configuration is required, but the IPv4 infrastructure must support IPv4 multicast.
Note: The current administrator Access Control settings apply only to the fixed components of the layout (default), not to the customized items. If you want to create a completely customized layout profile, you must set access for all fixed components to None and also set all the standard menu items to Hide from within the GUI layout dialog box (see Figure 128).
The following configuration will set up read-only administrative access to Log&Report items for the Report Profile profile, and prevent access to the default layout.
Figure 126: Admin Profile dialog box - Log & Report access (read-only access selected for Log & Report; Standard selected under GUI Control > Menu Layout)
To configure the admin profile
1 Enter the name Report Profile (see Figure 126).
2 To prevent access to the default layout items, set Access Control to None for all items except Log & Report.
3 Under GUI Control > Menu Layout, select Standard.
4 Select OK to save the settings. The admin profiles list reappears.
5 From the list, select the Edit icon beside Report Profile.
6 Under GUI Control > Menu Layout, select Customize, and then select OK (see Figure 127 and Figure 128).
Figure 127: Selection of Customize GUI Control option for Report Profile (select Customize to access the layout dialog box)
Figure 128: Customize GUI layout dialog box for Report Profile (callouts: customization drop-down menu icon, Edit Layout, Add Content, Show Preview, layout preview icon, Create new Tier-1 menu item, Reset menu to default layout configuration)
In the GUI layout dialog box, select the customization drop-down menu icon beside System and select hide (see Figure 128). Repeat for each menu item except Log&Report.
To start the configuration of customized menu items, select the Create New (Tier-1 menu item) icon in the FortiGate menu. You will need to:
- configure Tier-1 and Tier-2 menu items
- add tabs to each of these items as required
- add content to the page layout.
To create Tier-1 and Tier-2 menu items
1 Select the Create New Tier-1 icon. The first Tier-1 menu item with the default name custom menu will appear, with an additional Create New Tier-1 icon below it (1).
2 Select and rename the default name to Custom Log Report (2).
3 Press Enter to save your change. The Create New Tier-2 icon will appear, with the default name custom menu.
4 Select the Create New Tier-2 icon (3).
5 The first Tier-2 menu item with the default name custom menu will appear, with an additional Create New Tier-2 icon below it (4).
6 Select and rename the default name to Custom Log Menu1 (5).
7 Press Enter to save your change.
8 Repeat steps 4 to 7 to create a second Tier-2 menu item called Custom Log Menu2 (5) and (6).
Figure 129: Creating Tier-1 and Tier-2 menu items in the FortiGate menu (creation of new Tier-1 menu item Custom Log Report)
After you create Tier-1 and Tier-2 menu items, you need to create the subset of tab items across the page layout. The Create New tab icon is not available until you have created the Tier-1 and Tier-2 menu items.
To create a new tab
1 Select the Create New tab item icon (see Figure 5). A tab is created with the default name custom menu, and an additional Create New icon appears beside it.
2 Select and rename the default name to Custom Log Report Tab1 (see Figure 131).
3 Press Enter to save your change.
4 Repeat steps 1 to 3 to create a second tab called Custom Log Report Tab2.
5 To save your customized layout, select Save in the GUI layout dialog box (see Figure 128).
Figure 130: Create New tab
Figure 131: Creating tabs in page layout (creation of tabs Custom Log Report Tab1 and Custom Log Report Tab2)
To modify the configuration of the current page
1 Select the required tab, then select Edit Layout. The Edit this tab dialog box appears (see Figure 132). You may configure the page layout to display only one widget (Full page), a page layout with one column that displays up to 8 widgets (1 column), or a page layout with two columns (2 columns) that displays up to 8 widgets.
2 For the Custom Log Report Tab1, select 2 columns.
3 To save your modified configuration, select Save in the Edit this tab dialog box.
To add content to the page layout, select Add Content (see Figure 128). The Add content to the Custom Log Report Tab1 dialog box appears (see Figure 133).
Figure 133: Add content dialog box
The Add content dialog box includes a search feature that you can use to find widgets. This search employs a real-time filtering mechanism with a contains type search on the widget names. For example, if you search on use, you will be shown User Group, IM User Monitor, Firewall User Monitor, Banned User, and Top Viruses (see Figure 134).
For Custom Log Report Tab1, select the Log&Report category. All the items related to the Log&Report menu item are listed (see Figure 135). Select Add next to an item that you want to include in the tab. The item is placed in the page layout behind the Custom Log Report Tab1 dialog box. You will see the configured layout when you close the Add content to the Custom Log Report Tab1 dialog box. The maximum number of items that can be placed in a page layout is 8. For the Custom Log Report Tab1, select the following items for inclusion in the layout:
- Alert E-mail
- Schedule.
For the Custom Log Report Tab2, select the following items for inclusion in the layout:
- Event Log
- Log Setting.
Figure 137: Log&Report category selection for Custom Log Report Tab2
To preview a customized layout in the custom GUI layout dialog box, select Show Preview (see Figure 139). When you have completed the configuration selections for the page layout, select Save to close the custom GUI layout dialog box (see Figure 139). To abandon the configuration, select Reset menus (see Figure 139). To exit the GUI layout dialog box without saving your changes, select Cancel (see Figure 139).
Figure 139: Report Profile customized GUI layout dialog box - complete (callouts: Show Preview, Cancel, Save, Reset menus)
When you complete the customization, close the dialog box to return to the Admin Profile dialog box in which you configured the custom GUI. To save the configuration, select OK to close the Admin Profile dialog box (see Figure 125). To view the web-based manager configuration created in Report Profile, you must log out of the FortiGate unit, then log back in using the name and password of an administrator assigned the Report Profile administrative profile. The FortiGate web-based manager reflects the customized configuration of Report Profile (see Figure 140).
Figure 140: Customized web-based manager page
System Certificates
This section explains how to manage X.509 security certificates using the FortiGate web-based manager. Certificate authentication allows administrators to generate certificate requests, install signed certificates, import CA root certificates and certificate revocation lists, and back up and restore installed certificates and private keys. Authentication is the process of determining whether a remote host can be trusted with access to network resources. To establish its trustworthiness, the remote host must provide an acceptable authentication certificate, obtained from a certification authority (CA). The FortiGate unit can then use certificate authentication to reject or allow administrative access via HTTPS, and to authenticate IPSec VPN peers or clients, as well as SSL VPN user groups or clients. If you enable virtual domains (VDOMs) on the FortiGate unit, system certificates are configured globally for the entire FortiGate unit. For details, see Using virtual domains on page 125. Several certificates on the FortiGate unit have been automatically generated.
Table 46: Automatically generated FortiGate certificates
Fortinet_Firmware    Embedded inside the firmware. Signed by Fortinet_CA. Same on all FortiGate units. Used so that FortiGate units without Fortinet_Factory2 certificates have a built-in certificate signed by a FortiGate CA. Listed under Certificates > Local, or in the FortiGate CLI under vpn certificate local.
Fortinet_Factory     Embedded inside the BIOS. Signed by Fortinet_CA. Unique to each FortiGate unit. Used for the FortiGate/FortiManager tunnel, and for HTTPS administrative access if Fortinet_Factory2 is not available. Listed under Certificates > Local, or in the FortiGate CLI under vpn certificate local.
Fortinet_Factory2    Embedded inside the BIOS. Signed by Fortinet_CA2. Unique to each FortiGate unit. Used for the FortiGate/FortiManager tunnel and HTTPS administrative access. Listed under Certificates > Local, or in the FortiGate CLI under vpn certificate local. Found only on units shipped at the end of 2008 onward.
Fortinet_CA          Embedded inside the firmware and BIOS. Fortinet's CA certificate. Used to verify certificates that claim to be signed by Fortinet, for example with a FortiGate/FortiManager tunnel or an SSL connection to a FortiGuard server. Listed under Certificates > CA, or in the FortiGate CLI under vpn certificate ca or vpn certificate ocsp.
Fortinet_CA2         Embedded inside the BIOS. Fortinet's CA certificate. Will eventually replace Fortinet_CA, as Fortinet_CA will expire in 2020. Listed under Certificates > CA, or in the FortiGate CLI under vpn certificate ca or vpn certificate ocsp. Found only on units shipped at the end of 2008 onward.
System administrators can use these certificates wherever they may be required, for example, with SSL VPN, IPSec, LDAP, and PKI. For additional background information on certificates, see the FortiGate Certificate Management User Guide.
Local Certificates
Certificate requests and installed server certificates are displayed in the Local Certificates list. After you submit the request to a CA, the CA verifies the information and registers the contact information on a digital certificate that contains a serial number, an expiration date, and the public key of the CA. The CA then signs the certificate and sends it to you to install on the FortiGate unit. Local certificates can be updated automatically online prior to expiry. This must be configured in the CLI. See the vpn certificate local command in the FortiGate CLI Reference. To view certificate requests and/or import signed server certificates, go to System > Certificates > Local Certificates. To view certificate details, select the View Certificate Detail icon in the row that corresponds to the certificate.
Figure 141: Local Certificates list (callouts: Download, View Certificate Detail, Delete)
Generate                   Generate a local certificate request. For more information, see Generating a certificate request on page 281.
Import                     Import a signed local certificate. For more information, see Importing a signed server certificate on page 283.
Name                       The names of existing local certificates and pending certificate requests.
Subject                    The Distinguished Names (DNs) of local signed certificates.
Comments                   A description of the certificate.
Status                     The status of the local certificate. PENDING designates a certificate request that needs to be downloaded and signed.
View Certificate Detail    Display certificate details such as the certificate name, issuer, subject, and valid certificate dates.
Delete                     Delete the selected certificate request or installed server certificate from the FortiGate configuration. This is available only if the certificate has PENDING status.
Download                   Save a copy of the certificate request to a local computer. You can send the request to your CA to obtain a signed server certificate for the FortiGate unit (SCEP-based certificates only).
For detailed information and step-by-step procedures related to obtaining and installing digital certificates, see the FortiGate Certificate Management User Guide.
Certificate Name       Enter a certificate name. Typically, this would be the name of the FortiGate unit. To enable the export of a signed certificate as a PKCS12 file later on if required, do not include spaces in the name.
Subject Information    Enter the information needed to identify the FortiGate unit:
                       If the FortiGate unit has a static IP address, select Host IP and enter the public IP address of the FortiGate unit.
                       If the FortiGate unit does not have a public IP address, use an email address (or domain name if available) instead.
                       If the FortiGate unit has a static IP address and subscribes to a dynamic DNS service, use a domain name if available to identify the FortiGate unit.
Domain Name            If you select Domain Name, enter the fully qualified domain name of the FortiGate unit. Do not include the protocol specification (http://) or any port number or path names. If a domain name is not available and the FortiGate unit subscribes to a dynamic DNS service, an "unable to verify certificate" message may be displayed in the user's browser whenever the public IP address of the FortiGate unit changes.
E-mail                 If you select E-mail, enter the email address of the owner of the FortiGate unit.
Optional Information   Complete as described or leave blank.
Organization Unit      Enter the name of your department or departments. You can enter a maximum of 5 Organization Units. To add or remove a unit (Remove/Add OU), use the plus (+) or minus (-) icon.
Organization           Enter the legal name of your company or organization.
Locality (City)        Enter the name of the city or town where the FortiGate unit is installed.
State/Province         Enter the name of the state or province where the FortiGate unit is installed.
Country                Select the country where the FortiGate unit is installed.
e-mail                 Enter the contact email address.
Key Type               Only RSA is supported.
Key Size               Select 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate but they provide better security.
Enrollment Method      Select one of the following methods:
File Based             Select to generate the certificate request.
Online SCEP            Select to obtain a signed SCEP-based certificate automatically over the network.
                       CA Server URL: Enter the URL of the SCEP server from which to retrieve the CA certificate.
                       Challenge Password: Enter the CA server challenge password.
5 Submit the request to your CA as follows:
- Using the web browser on the management computer, browse to the CA web site.
- Follow the CA instructions to place a base-64 encoded PKCS#12 certificate request and upload your certificate request.
- Follow the CA instructions to download their root certificate and Certificate Revocation List (CRL), and then install the root certificate and CRL on each remote client (refer to the browser documentation).
6 When you receive the signed certificate from the CA, install the certificate on the FortiGate unit. See Importing a signed server certificate on page 283.
Type                Select Local Certificate.
Certificate file    Enter the full path to and file name of the signed server certificate. Alternatively, browse to the location on the management computer where the certificate has been saved and select the certificate.
3 Select OK.
Type                         Select Certificate with key file.
Certificate with key file    Enter the full path to and file name of the previously exported PKCS12 file.
Browse                       Alternatively, browse to the location on the management computer where the PKCS12 file has been saved, select the file, and then select OK.
Password                     Type the password needed to upload the PKCS12 file.
3 Select OK.
To import the certificate and private key files
1 Go to System > Certificates > Local Certificates and select Import.
2 Enter the following information:
Figure 145: Import certificate and private key file
Type                Select Certificate.
Certificate file    Enter the full path to and file name of the previously exported certificate file. Alternatively, browse to the location of the previously exported certificate file, select the file, and then select OK.
Key file            Enter the full path to and file name of the previously exported key file. Alternatively, browse to the location of the previously exported key file, select the file, and then select OK.
Password            If a password is required to upload and open the files, type the password.
3 Select OK.
Remote Certificates
For dynamic certificate revocation checking, you need to use an Online Certificate Status Protocol (OCSP) server. Remote certificates are public certificates without a private key. OCSP is configured in the CLI only. For more information, see the FortiGate CLI Reference. Installed Remote (OCSP) certificates are displayed in the Remote Certificates list.
To view installed Remote (OCSP) certificates or import a Remote (OCSP) certificate, go to System > Certificates > Remote. To view certificate details, select the View Certificate Detail icon in the row that corresponds to the certificate.
Note: There is one OCSP per VDOM.
Import                     Import a public OCSP certificate. See Importing CA certificates on page 286.
Name                       The names of existing Remote (OCSP) certificates. The FortiGate unit assigns unique names (REMOTE_Cert_1, REMOTE_Cert_2, REMOTE_Cert_3, and so on) to the Remote (OCSP) certificates when they are imported.
Subject                    Information about the Remote (OCSP) certificate.
Delete                     Delete a Remote (OCSP) certificate from the FortiGate configuration.
View Certificate Detail    Display certificate details.
Download                   Save a copy of the Remote (OCSP) certificate to a local computer.
To import a Remote (OCSP) certificate, enter the following information:
Local PC    Enter the location in a management PC to upload a public certificate.
Browse      Alternatively, browse to the location on the management computer where the certificate has been saved, select the certificate, and then select OK.
The system assigns a unique name to each Remote (OCSP) certificate. The names are numbered consecutively (REMOTE_Cert_1, REMOTE_Cert_2, REMOTE_Cert_3, and so on).
CA Certificates
When you apply for a signed personal or group certificate to install on remote clients, you must obtain the corresponding root certificate and CRL from the issuing CA. When you receive the certificate, install it on the remote clients according to the browser documentation, and install the corresponding root certificate and CRL from the issuing CA on the FortiGate unit. CA certificates can be updated automatically online prior to expiry. This must be configured in the CLI. See the vpn certificate local command in the FortiGate CLI Reference. Installed CA certificates are displayed in the CA Certificates list. You cannot delete the Fortinet_CA certificate. To view installed CA root certificates or import a CA root certificate, go to System > Certificates > CA Certificates. To view root certificate details, select the View Certificate Detail icon in the row that corresponds to the certificate.
Figure 148: CA Certificates list
Import                     Import a CA root certificate. See Importing CA certificates on page 286.
Name                       The names of existing CA root certificates. The FortiGate unit assigns unique names (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on) to the CA certificates when they are imported.
Subject                    Information about the issuing CA.
Delete                     Delete a CA root certificate from the FortiGate configuration.
View Certificate Detail    Display certificate details.
Download                   Save a copy of the CA root certificate to a local computer.
For detailed information and step-by-step procedures related to obtaining and installing digital certificates, see the FortiGate Certificate Management User Guide.
Importing CA certificates
After you download the root certificate of the CA, save the certificate on a PC that has management access to the FortiGate unit. To import a CA root certificate, go to System > Certificates > CA Certificates and select Import.
Figure 149: Import CA Certificate
SCEP        Select to use an SCEP server to access the CA certificate for user authentication. Enter the URL of the SCEP server from which to retrieve the CA certificate. Optionally, enter identifying information of the CA, such as the file name. Select OK.
Local PC    Select to use a local administrator's PC to upload a public certificate. Enter the location, or browse to the location on the management computer where the certificate has been saved, select the certificate, and then select OK.
If you choose SCEP, the system starts the retrieval process as soon as you select OK. The system assigns a unique name to each CA certificate. The names are numbered consecutively (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on).
CRL
A Certificate Revocation List (CRL) is a list of CA certificate subscribers paired with certificate status information. Installed CRLs are displayed in the CRL list. The FortiGate unit uses CRLs to ensure that the certificates belonging to CAs and remote clients are valid. To view installed CRLs, go to System > Certificates > CRL.
Figure 150: Certificate revocation list (callouts: View Certificate Detail, Download)
Import                     Import a CRL. For more information, see Importing a certificate revocation list on page 288.
Name                       The names of existing certificate revocation lists. The FortiGate unit assigns unique names (CRL_1, CRL_2, CRL_3, and so on) to certificate revocation lists when they are imported.
Subject                    Information about the certificate revocation lists.
Delete                     Delete the selected CRL from the FortiGate configuration.
View Certificate Detail    Display CRL details such as the issuer name and CRL update dates.
Download                   Save a copy of the CRL to a local computer.
To import a certificate revocation list, go to System > Certificates > CRL and select Import.
Figure 151: Import CRL
HTTP        Select to use an HTTP server to retrieve the CRL. Enter the URL of the HTTP server.
LDAP        Select to use an LDAP server to retrieve the CRL, then select the LDAP server from the list.
SCEP        Select to use an SCEP server to retrieve the CRL, then select the Local Certificate from the list. Enter the URL of the SCEP server from which the CRL can be retrieved.
Local PC    Select to use a local administrator's PC to upload the CRL. Enter the location, or browse to the location on the management computer where the CRL has been saved, select the file, and then select OK.
The system assigns a unique name to each CRL. The names are numbered consecutively (CRL_1, CRL_2, CRL_3, and so on).
System Maintenance
This section describes how to maintain your system configuration as well as how to enable and update FDN services. This section also explains the types of FDN services that are available for your FortiGate unit. If you enable virtual domains (VDOMs) on the FortiGate unit, system maintenance is configured globally for the entire FortiGate unit. For more information, see Using virtual domains on page 125. This section includes the following topics:
- About the Maintenance menu
- Backing up and restoring
- Managing configuration revisions
- Using script files
- Configuring FortiGuard Services
- Troubleshooting FDN connectivity
- Updating antivirus and attack definitions
- Enabling push updates
- Adding VDOM Licenses
When backing up the system configuration, web content files and email filtering files are also included. You can save the configuration to the management computer or to a USB disk if your FortiGate unit includes a USB port (see Formatting USB Disks on page 296). You can also restore the system configuration from previously downloaded backup files in the Backup & Restore menu.
FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20091022 http://docs.fortinet.com/ Feedback
When virtual domain configuration is enabled, the content of the backup file depends on the administrator account that created it. A backup of the system configuration from the super_admin account contains global settings and the settings included in each VDOM. Only the super_admin can restore the configuration from this file. When you back up the system configuration from a regular administrator account, the backup file contains the global settings and the settings for the VDOM that the regular administrator belongs to. A regular administrator is the only user account that can restore the configuration from this file. Some FortiGate models support FortiClient by storing a FortiClient image that users can download. The FortiClient section of Backup & Restore is available if your FortiGate model supports FortiClient.
Tip: For simplified procedures on managing firmware, including backup and restore options, and on uploading and downloading firmware for your FortiGate unit, see Managing firmware versions on page 113.
Backup                       The options available for backing up your current configuration.
Backup configuration to:     Select one of the displayed options:
  Local PC                   Back up the configuration to the management computer the FortiGate unit is connected to. Local PC is always displayed regardless of whether a USB disk is available, FortiGuard Analysis & Management Service is enabled, or the FortiGate unit is connected to a FortiManager unit.
  FortiGuard Analysis & Management Service    Back up the configuration to the FortiGuard Analysis & Management Service. If the service is not enabled, Management Station is displayed.
  USB Disk                   Back up the configuration file to the USB disk connected to the FortiGate unit. USB Disk is displayed only if the FortiGate unit includes a USB port. If you do not connect a USB disk, this option is grayed out. For more information, see Formatting USB Disks on page 296.
  FortiManager               Back up the configuration to the configured FortiManager unit. If the FortiGate unit is not connected to a FortiManager unit, this option is not displayed.
Encrypt configuration file   Select to encrypt the backup file. Encryption must be enabled to save VPN certificates with the configuration. This option is not available for configurations backed up to a FortiManager unit.
Password                     Enter a password to encrypt the configuration file. You will need this password to restore the configuration file.
Confirm                      Enter the password again to confirm the password.
Filename                     Enter the name of the backup file or select Browse to locate the file. The Filename field is available only when you choose to back up the configuration to a USB disk.
Backup                       Select to back up the configuration. If you are backing up to a FortiManager device, a confirmation message is displayed after successful completion of the backup.
Restore                        The options available for restoring the configuration from a specific file.
Restore configuration from:    Select one of the displayed options:
  Local PC                     Restore a configuration file from the management computer the FortiGate unit is connected to. Local PC is always displayed regardless of whether a USB disk is available, FortiGuard Analysis & Management Service is enabled, or the FortiGate unit is connected to a FortiManager unit.
  USB Disk                     Restore a configuration file from the USB disk connected to the FortiGate unit. USB Disk is displayed only if the FortiGate unit includes a USB port. If you do not connect a USB disk, this option is grayed out. See Formatting USB Disks on page 296.
  FortiGuard Analysis & Management Service    Restore a configuration from the FortiGuard Analysis & Management Service. If FortiGuard Management Services is not enabled, this option is not displayed and instead displays Management Station.
  FortiManager                 Restore a configuration from the configured FortiManager unit. If the FortiGate unit is not connected to a FortiManager unit, this option is not displayed.
Filename                       Select the configuration file name from the Browse list if you are restoring the configuration from a USB disk. Enter the configuration file name or select Browse if you are restoring the configuration from a file on the management computer.
Password                       Enter the password you entered when backing up the configuration file.
Restore                        Select to restore the configuration.
Note: When central management is disabled, Management Station appears. FortiGuard appears when the FortiGuard Analysis & Management Service is enabled.
Figure 154: Backup & Restore options with FortiManager option enabled
Backup                         The options available for backing up your current configuration to a FortiManager unit.
Backup configuration to:       Select FortiManager to upload the configuration to the FortiManager unit. The Local PC option is always available.
Comments:                      Enter a description or information about the file in the Comments field. This is optional.
Backup                         Select to back up the configuration file to the FortiManager unit. A confirmation message appears after successful completion of the backup.
Restore                        The options for restoring a configuration file.
Restore configuration from:    Select the FortiManager option to download and restore the configuration from the FortiManager unit.
Please Select:                 Select the configuration file you want to restore from the list. This list includes the comments you included in the Comment field before it was uploaded to the FortiManager unit. The list is in numerical order, with the most recently uploaded configuration first.
Restore                        Select to restore the configuration from the FortiManager unit.
When restoring the configuration from a remote location, a list of revisions is displayed so that you can choose the configuration file to restore. To view the basic backup and restore options, go to System > Maintenance > Backup & Restore.
Figure 155: Backup & Restore Central Management options
Backup                         The options available for backing up your current configuration to the FortiGuard Analysis & Management Service.
Backup configuration to:       Select the FortiGuard option to upload the configuration to the FortiGuard Analysis & Management Service. The Local PC option is always available.
Comments:                      Enter a description or information about the file in the Comments field. This is optional.
Backup                         Select to back up the configuration file to the FortiGuard Analysis & Management Service. A confirmation message appears after successful completion of the backup.
Restore                        The options for restoring a configuration file.
Restore configuration from:    Select the FortiGuard option to download the configuration file from the FortiGuard Analysis & Management Service.
Please Select:                 Select the configuration file you want to restore from the list. This list includes the comments you included in the Comment field before it was uploaded to the FortiGuard Analysis & Management Service. The list is in numerical order, with the most recently uploaded configuration first.
Restore                        Select to restore the configuration from the FortiGuard Analysis & Management Service.
Note: The FortiGuard-FortiManager protocol is used when connecting to the FortiGuard Analysis & Management Service. This protocol runs over SSL using IPv4/TCP port 541 and includes the following functions:
- detects FortiGate unit dead or alive status
- detects management service dead or alive status
- notifies the FortiGate units about configuration changes, AV/IPS database updates and firewall changes.
Partition
A partition can contain one version of the firmware and the system configuration. FortiGate-100A units and higher have two partitions. One partition is active and the other is used as a backup. A green check mark indicates the partition currently in use. The date and time of the last update to this partition. The version and build number of the FortiGate firmware. If your FortiGate model has a backup partition, you can: Select Upload to replace with firmware from the management computer or a USB disk. The USB disk must be connected to the FortiGate unit USB port. See Formatting USB Disks on page 296. Select Upload and Reboot to replace the existing firmware and make this the active partition. Restart the FortiGate unit using the backup firmware. This is available only for FortiGate-100 units or higher.
Upgrade from FortiGuard network to firmware version: [Please Select]  Select one of the available firmware versions. The list contains the following information for each available firmware release:
- continent (for example, North America)
- maintenance release number
- patch release number
- build number
For example, if you are upgrading to FortiOS 3.0 MR6 and the FortiGate unit is located in North America, the firmware version available is v3.0 MR6-NA (build 0700).
Allow firmware downgrade: Select to allow installation of older versions than the one currently installed. This is useful if the current version changed functionality you need and you have to revert to an older firmware image.
Upgrade by File: Select Browse to locate a file on your local PC to upload to the FortiGate unit.
OK: Select OK to enable your selection.
On system restart, automatically update FortiGate configuration...: Automatically update the configuration on restart. Ensure that the default configuration file name matches the configuration file name on the USB disk. If the configuration file on the disk matches the currently installed configuration, the FortiGate unit skips the configuration update process.
On system restart, automatically update FortiGate firmware...: Automatically update the firmware on restart. Ensure that the default image name matches the firmware file name on the USB disk. If the firmware image on the disk matches the currently installed firmware, the FortiGate unit skips the firmware update process.
Apply: Select to apply the selected settings.
Download Debug Log: Download an encrypted debug log to a file. You can send this debug log to Fortinet Technical Support to help diagnose problems with your FortiGate unit.
There are two ways to format the USB disk: from the FortiGate CLI or from a Windows system. To format the USB disk from the CLI, use the command:
    exe usb-disk format
To format the disk from a Windows system, at the command prompt type:
    format <drive_letter>: /FS:FAT /V:<drive_label>
where <drive_letter> is the letter of the connected USB drive you want to format, and <drive_label> is the name you want to give the USB drive for identification.
FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20091022 http://docs.fortinet.com/ Feedback
When revision control is enabled on your FortiGate unit, and configurations have been backed up, a list of saved revisions of those backed-up configurations appears. To view the configuration revisions, go to System > Maintenance > Revision Control.
Figure 159: Revision Control page displaying system configuration backups
Current Page: The current page number of list items that are displayed. Select the left and right arrows to display the first, previous, next or last page of system configuration backups. For more information, see Using page controls on web-based manager lists on page 60.
Revision: An incremental number indicating the order in which the configurations were saved. These may not be consecutive numbers if configurations are deleted. The most recent, and highest, number is first in the list.
The date and time this configuration was saved on the FortiGate unit.
The administrator account that was used to back up this revision.
Any relevant information saved with the revision, such as why the revision was saved, who saved it, and whether there is a date when it can be deleted to free up space.
Diff: Select to compare two revisions. A window appears, from which you can view and compare the selected revision to one of:
- the current configuration
- a selected revision from the displayed list, including revision history and templates
- a specified revision number.
Download: Download this revision to your local PC.
Revert: Restore the previously selected revision. You will be prompted to confirm this action.
Scripts can be uploaded directly to the FortiGate unit from the management PC. If you have configured either a FortiManager unit or the FortiGuard Analysis & Management Service, scripts that have been stored remotely can also be run on the FortiGate unit.
Upload Bulk CLI Command File: Select Browse to locate the script file and then select Apply to upload and execute the file. If the FortiGate unit is configured to use the FortiGuard Analysis & Management Service, the script will be saved on the server for later use.
Select to execute a script from the FortiManager unit or the FortiGuard Analysis & Management Service. Choose the script you want to run from the list of all scripts stored remotely.
A list of the 10 most recently executed scripts:
- The name of the script file.
- The source of the script file. A local file is uploaded directly to the FortiGate unit from the management PC and executed. A remote file is executed on the FortiGate unit after being sent from a FortiManager unit or the FortiGuard Analysis & Management Service.
- The date and time the script file was executed.
- The status of the script file: whether its execution succeeded or failed.
- Delete the script entry from the list.
To execute a script
1 Go to System > Maintenance > Scripts.
2 Verify that Upload Bulk CLI Command File is selected.
3 Select Browse to locate the script file.
4 Select Apply.
If the FortiGate unit is not configured for remote management, or if it is configured to use a FortiManager unit, uploaded scripts are discarded after execution. Save script files to your management PC if you want to execute them again later. If the FortiGate unit is configured to use the FortiGuard Analysis & Management Service, the script file is saved to the remote server for later reuse. You can view the script or run it from the FortiGuard Analysis & Management Service portal web site. For more information about viewing or running an uploaded script on the portal web site, see the FortiGuard Analysis & Management Service Users Guide.
Registering your FortiGate unit on the Fortinet Support web page provides a valid license contract and connection to the FDN. On the Fortinet Support web page, go to Product Registration and follow the instructions. The FortiGate unit must be able to connect to the FDN using HTTPS on port 443 to receive scheduled updates. For more information, see To enable scheduled updates on page 307. You can also configure the FortiGate unit to receive push updates. When the FortiGate unit is receiving push updates, the FDN must be able to route packets to the FortiGate unit using UDP port 9443. For more information, see Enabling push updates on page 308. If the FortiGate unit is behind a NAT device, see Enabling push updates through a NAT device on page 309.
FortiGuard services
Worldwide coverage of FortiGuard services is provided by FortiGuard service points. When the FortiGate unit is connecting to the FDN, it is connecting to the closest FortiGuard service point. Fortinet adds new service points as required. If the closest service point becomes unreachable for any reason, the FortiGate unit contacts another service point and information is available within seconds. By default, the FortiGate unit communicates with the service point via UDP on port 53. Alternately, you can switch the UDP port used for service point communication to port 8888 by going to System > Maintenance > FortiGuard. If you need to change the default FortiGuard service point host name, use the hostname keyword in the system fortiguard CLI command. You cannot change the FortiGuard service point name using the web-based manager. For more information about FortiGuard services, see the FortiGuard Center web page.
Configuring the FortiGate unit for FDN and FortiGuard subscription services
FDN updates, as well as FortiGuard services, are configured in System > Maintenance > FortiGuard. The FDN page contains four sections of FortiGuard services:
- Support Contract and FortiGuard Subscription Services
- Downloading antivirus and IPS updates
- Configuring Web Filtering and Email Filtering Options
- Configuring FortiGuard Analysis & Management Service Options
Availability: The availability of this service on this FortiGate unit, dependent on your service subscription. The status can be Unreachable, Not Registered, Valid License, or Valid Contract. The option Subscribe appears if Availability is Not Registered. The option Renew appears if Availability has expired.
Update: Select to manually update this service on your FortiGate unit. This prompts you to download the update file from your local computer. Select Update Now to immediately download current updates from the FDN directly.
Register: Select to register the service. This is displayed in Analysis & Management Service.
Status: Indicates the status of the subscription service. The icon corresponds to the availability description.
- Gray (Unreachable): the FortiGate unit is not able to connect to the service.
- Orange (Not Registered): the FortiGate unit can connect, but is not subscribed to this service.
- Yellow (Expired): the FortiGate unit had a valid license that has expired.
- Green (Valid license): the FortiGate unit can connect to the FDN and has a registered support contract.
If the Status icon is green, the expiry date is displayed.
Version: The version number of the definition file currently installed on the FortiGate unit for this service.
Last update date and method: The date of the last update and the method used for the last attempt to download definition updates for this service.
Date: Local system date when the FortiGate unit last checked for updates for this service.
Use override server address: Select to configure an override server if you cannot connect to the FDN or if your organization provides updates using its own FortiGuard server. When selected, enter the IP address or domain name of a FortiGuard server and select Apply. If the FDN Status still indicates no connection to the FDN, see Troubleshooting FDN connectivity on page 306.
Allow Push Update: Select to allow push updates. Updates are then sent automatically to your FortiGate unit when they are available, eliminating any need for you to check whether they are available.
The status of the FortiGate unit for receiving push updates:
- Gray (Unreachable): the FortiGate unit is not able to connect to the push update service.
- Yellow (Not Available): the push update service is not available with the current support license.
- Green (Available): the push update service is allowed.
See Enabling push updates on page 308. If the icon is gray or yellow, see Troubleshooting FDN connectivity on page 306.
Use override push IP: Available only if both Use override server address and Allow Push Update are enabled. Select to allow you to create a forwarding policy that redirects incoming FDS push updates to your FortiGate unit. Enter the IP address of the NAT device in front of your FortiGate unit. FDS connects to this device when attempting to reach the FortiGate unit. The NAT device must be configured to forward the FDS traffic to the FortiGate unit on UDP port 9443. See Enabling push updates through a NAT device on page 309.
Port: Select the port on the NAT device that will receive the FDS push updates. This port must be forwarded to UDP port 9443 on the FortiGate unit. Available only if Use override push IP is enabled.
Scheduled Update: Select this check box to enable scheduled updates.
Every: Attempt to update once every 1 to 23 hours. Select the number of hours between each update request.
Daily: Attempt to update once a day. You can specify the hour of the day to check for updates. The update attempt occurs at a randomly determined time within the selected hour.
Weekly: Attempt to update once a week. You can specify the day of the week and the hour of the day to check for updates. The update attempt occurs at a randomly determined time within the selected hour.
Update Now: Select to manually initiate an FDN update.
Fortinet recommends that you select this check box. It helps to improve the quality of IPS signatures.
Enable Web Filter: Select to enable the FortiGuard Web Filter service.
Enable Cache: Select to enable caching of web filter queries. This improves performance by reducing FortiGate unit requests to the FortiGuard server. The cache uses 6 percent of the FortiGate memory. When the cache is full, the least recently used IP address or URL is deleted. Available if Enable Web Filter is selected.
TTL: Time to live. The number of seconds to store blocked IP addresses and URLs in the cache before contacting the server again. TTL must be between 300 and 86400 seconds. Available only if both Enable Web Filter and Enable Cache are selected.
Enable Email Filter: Select to enable the FortiGuard AntiSpam service.
Enable Cache: Select to enable caching of antispam queries. This improves performance by reducing FortiGate unit requests to the FortiGuard server. The cache uses 6 percent of the FortiGate memory. When the cache is full, the least recently used IP address or URL is deleted. Available only if Enable Email Filter is selected.
TTL: Time to live. The number of seconds to store blocked IP addresses and URLs in the cache before contacting the server again. TTL must be between 300 and 86400 seconds.
Port Section: Select one of the following ports for your web filtering and antispam requirements:
Use Default Port (53): Select to use port 53 for transmitting with FortiGuard Antispam servers.
Use Alternate Port (8888): Select to use port 8888 for transmitting with FortiGuard Antispam servers.
Test Availability: Select to test the connection to the servers. Results are shown below the button and on the Status indicators.
To have a URL's category rating re-evaluated, please click here: Select to re-evaluate a URL's category rating on the FortiGuard Web Filter service.
Account ID: Enter the name for the Analysis & Management Service that identifies the account. The account ID that you entered in the Account ID field when registering is used in this field.
Select to go directly to the FortiGuard Analysis & Management Service portal web site to view logs or configuration. You can also select this to register your FortiGate unit with the FortiGuard Analysis & Management Service.
To configure FortiGuard Analysis Service options, please click here: Select the link please click here to configure and enable logging to the FortiGuard Analysis & Management server. The link redirects you to Log&Report > Log Config > Log Setting. This appears only after registering for the service.
To purge logs older than n months, please click here: Select the number of months from the list that will remove those logs from the FortiGuard Analysis & Management server and select the link please click here. For example, if you select 2 months, the logs from the past two months will be removed from the server. You can also use this option to remove logs that may appear on a current report. This appears only after logging is enabled and log messages are sent to the FortiGuard Analysis server.
To make sure the FortiGate unit can connect to the FDN
1 Go to System > Status and select Change on the System Time line in the System Information section. Verify that the time zone is set correctly, corresponding to the region where your FortiGate unit is located.
2 Go to System > Maintenance > FortiGuard.
3 Select the expand arrow beside Web Filtering and Email Filtering Options to reveal the available options.
4 Select Test Availability. The FortiGate unit tests its connection to the FDN. The test results are displayed at the top of the FortiGuard page.
To update antivirus and attack definitions
1 Go to System > Maintenance > FortiGuard.
2 Select the expand arrow beside Antivirus and IPS Options to reveal the available options.
3 Select Update Now to update the antivirus and attack definitions.
If the connection to the FDN or override server is successful, the web-based manager displays a message similar to the following:
    Your update request has been sent. Your database will be updated in a few minutes. Please check your update page for the status of the update.
After a few minutes, if an update is available, the FortiGuard page lists new version information for antivirus definitions and IPS attack definitions. The page also displays new dates and version numbers for the updated definitions and engines. Messages are recorded to the event log, indicating whether the update was successful.
To enable scheduled updates
1 Go to System > Maintenance > FortiGuard.
2 Select the expand arrow beside AntiVirus and IPS Options to reveal the available options.
3 Select the Scheduled Update check box.
4 Select one of the following:
Every: Once every 1 to 23 hours. Select the number of hours and minutes between each update request.
Daily: Once a day. You can specify the time of day to check for updates.
Weekly: Once a week. You can specify the day of the week and the time of day to check for updates.
5 Select Apply.
The FortiGate unit starts the next scheduled update according to the new update schedule. Whenever the FortiGate unit runs a scheduled update, the event is recorded in the FortiGate event log.
If you cannot connect to the FDN, or if your organization provides antivirus and IPS attack updates using its own FortiGuard server, you can use the following procedure to add the IP address of an override FortiGuard server.
To add an override server
1 Go to System > Maintenance > FortiGuard.
2 Select the expand arrow beside AntiVirus and IPS Options to reveal the available options.
3 Select the Use override server address check box.
4 Type the fully qualified domain name or IP address of the FortiGuard server.
5 Select Apply.
The FortiGate unit tests the connection to the override server. If the FortiGuard Distribution Network availability icon changes from gray to green, the FortiGate unit has successfully connected to the override server. If the FortiGuard Distribution Network availability icon stays gray, the FortiGate unit cannot connect to the override server. Check the FortiGate configuration and network configuration for settings that may prevent the FortiGate unit from connecting to the override FortiGuard server.
To enable scheduled updates through a proxy server
If your FortiGate unit must connect to the Internet through a proxy server, you can use the config system autoupdate tunneling command to allow the FortiGate unit to connect (or tunnel) to the FDN through the proxy server. For more information, see the FortiGate CLI Reference.
Fortinet does not recommend enabling push updates as the only method for obtaining updates. The FortiGate unit might not receive the push notification. When the FortiGate unit receives a push notification, it makes only one attempt to connect to the FDN and download updates.
The FDN must be able to connect to this IP address so that your FortiGate unit can receive push update messages. If your FortiGate unit is behind a NAT device, see Enabling push updates through a NAT device on page 309. If you have redundant connections to the Internet, the FortiGate unit also sends the SETUP message when one Internet connection goes down and the FortiGate unit fails over to another Internet connection. In transparent mode, if you change the management IP address, the FortiGate unit also sends the SETUP message to notify the FDN of the address change.
The overall process is:
1 Register the FortiGate unit on the internal network so that it has a current support license and can receive push updates.
2 Configure the following FortiGuard options on the FortiGate unit on the internal network:
- Enable Allow push updates.
- Enable Use override push IP and enter the IP address. Usually this is the IP address of the external interface of the NAT device.
- If required, change the override push update port.
3 Add a port forwarding virtual IP to the NAT device. Set the external IP address of the virtual IP to match the override push update IP. Usually this is the IP address of the external interface of the NAT device. Add a firewall policy to the FortiGate NAT device that includes the port forwarding virtual IP.
Note: Push updates are not supported if the FortiGate unit must use a proxy server to connect to the FDN. See To enable scheduled updates through a proxy server on page 308 for more information.
To configure FortiGuard options on the FortiGate unit on the internal network
1 Go to System > Maintenance > FortiGuard.
2 Select the expand arrow beside AntiVirus and IPS Options to reveal the available options.
3 Select the Allow Push Update check box.
4 Select the Use override push IP check box.
5 Enter the IP address of the external interface of the NAT device. UDP port 9443 is changed only if it is blocked or in use.
6 Select Apply.
You can change the push override configuration if the external IP address of the external service port changes; select Apply to have the FortiGate unit send the updated push information to the FDN.
When the FortiGate unit sends the override push IP address and port to the FDN, the FDN uses this IP address and port for push updates to the FortiGate unit. However, push updates will not actually work until a virtual IP is added to the NAT device so that the NAT device accepts push update packets and forwards them to the FortiGate unit on the internal network. If the NAT device is also a FortiGate unit, the following procedure, To add a port forwarding virtual IP to the FortiGate NAT device, allows you to configure the NAT device to use port forwarding to pass push update connections from the FDN to the FortiGate unit on the internal network.
To add a port forwarding virtual IP to the FortiGate NAT device
1 Go to Firewall > Virtual IP.
2 Select Create New.
3 Enter the appropriate information for the following:
Name: Enter a name for the Virtual IP.
External Interface: Select an external interface from the list. This is the interface that connects to the Internet.
External IP Address/Range: Enter the IP address and/or range. This is the IP address to which the FDN sends the push updates. This is usually the IP address of the external interface of the NAT device. This IP address must be the same as the IP address in Use override push IP for the FortiGate unit on the internal network.
Enter the IP address and/or range of the FortiGate unit on the internal network.
Port Forwarding: Select Port Forwarding. When you select Port Forwarding, the options Protocol, External Service Port and Map to Port appear.
Protocol: Select UDP.
External Service Port: Enter the external service port. The external service port is the port that the FDN connects to. The external service port for push updates is usually 9443. If you changed the push update port in the FortiGuard configuration of the FortiGate unit on the internal network, you must set the external service port to the changed push update port.
Map to Port: Enter 9443. This is the port number to which the NAT FortiGate unit will send the push update after it comes through the virtual IP. FortiGate units expect push update notifications on port 9443.
4 Select OK.
To add a firewall policy to the FortiGate NAT device
1 Go to Firewall > Policy.
2 Select Create New.
3 Configure the external to internal firewall policy:
Source Interface/Zone: Select the name of the interface that connects to the Internet.
Source Address: Select All.
Destination Interface/Zone: Select the name of the interface of the NAT device that connects to the internal network.
Destination Address: Select the virtual IP added to the NAT device.
Schedule: Select Always.
Service: Select ANY.
Action: Select Accept.
NAT: Select NAT.
4 Select OK. Verify that push updates to the FortiGate unit on the internal network are working by going to System > Maintenance > FortiGuard and selecting Test Availability under Web Filtering and AntiSpam Options. The Push Update indicator should change to green.
The current maximum number of virtual domains. Enter the license key supplied by Fortinet and select Apply.
Note: VDOMs created on a registered FortiGate unit are recognized as real devices by any connected FortiAnalyzer unit. The FortiAnalyzer unit includes VDOMs in its total number of registered devices. For example, if three FortiGate units are registered on the FortiAnalyzer unit and they contain a total of four VDOMs, the total number of registered FortiGate units on the FortiAnalyzer unit is seven. For more information, see the FortiAnalyzer Administration Guide.
Router Static
This section explains some general routing concepts, and how to define static routes and route policies.
A route provides the FortiGate unit with the information it needs to forward a packet to a particular destination on the network. A static route causes packets to be forwarded to a destination other than the factory configured default gateway. The factory configured static default route provides you with a starting point to configure the default gateway. You must either edit the factory configured static default route to specify a different default gateway for the FortiGate unit, or delete the factory configured route and specify your own static default route that points to the default gateway for the FortiGate unit. For more information, see Default route and default gateway on page 318.
You define static routes manually. Static routes control traffic exiting the FortiGate unit: you can specify through which interface the packet will leave and to which device the packet should be routed.
As an option, you can define route policies. Route policies specify additional criteria for examining the properties of incoming packets. Using route policies, you can configure the FortiGate unit to route packets based on the IP source and destination addresses in packet headers and other criteria, such as on which interface the packet was received and which protocol (service) and port are being used to transport the packet.
If you enable virtual domains (VDOMs) on the FortiGate unit, static routing is configured separately for each virtual domain. For more information, see Using virtual domains on page 125.
This section describes:
- Routing concepts
- Static Route
- ECMP route failover and load balancing
- Policy Route
Routing concepts
The FortiGate unit functions as a security device on a network and packets must pass through it. You need to understand a number of basic routing concepts in order to configure the FortiGate unit appropriately. Whether you administer a small or large network, this section will help you understand how the FortiGate unit performs routing functions.
The following topics are covered in this section:
- How the routing table is built
- How routing decisions are made
- Multipath routing and determining the best route
- Route priority
- Blackhole Route
Administrative Distance
Administrative distance is based on the expected reliability of a given route. It is determined through a combination of the number of hops from the source and the routing protocol being used. More hops from the source means more possible points of failure. The administrative distance can be from 1 to 255, with lower numbers being preferred. A distance of 255 is seen as infinite and will not be installed in the routing table.
Here is an example to illustrate how administrative distance works: if there are two possible routes traffic can take between 2 destinations, with administrative distances of 5 (always up) and 31 (sometimes not available), the traffic will use the route with an administrative distance of 5 whenever possible.
Different routing protocols have different default administrative distances. The default administrative distances for any of these routing protocols are configurable. For more information on changing the administrative distance associated with a routing protocol, see config router in the FortiGate CLI Reference.
Table 47: Default administrative distances for routing protocols
Routing protocol              Default administrative distance
Direct physical connection    1
Static                        10
EBGP                          20
OSPF                          110
RIP                           120
IBGP                          200
All entries in the routing table are associated with an administrative distance. If the routing table contains several entries that point to the same destination (the entries may have different gateways or interface associations), the FortiGate unit compares the administrative distances of those entries, selects the entries having the lowest distances, and installs them as routes in the FortiGate forwarding table. As a result, the FortiGate forwarding table contains only those routes having the lowest distances to each destination. For information about how to change the administrative distance associated with a static route, see Adding a static route to the routing table on page 320.
Another method to manually resolve multiple routes to the same destination is to manually change the priority of both of the routes. If the next-hop administrative distances of two routes on the FortiGate unit are equal, it may not be clear which route the packet will take. Configuring the priority for each of those routes makes it clear which next hop will be used in the case of a tie. You can set the priority for a route only from the CLI. Lower priorities are preferred. For more information, see the FortiGate CLI Reference.
Route priority
After the FortiGate unit selects static routes for the forwarding table based on their administrative distances, the priority field of those routes determines routing preference. You configure the priority field through the CLI. The route with the lowest value in the priority field is considered the best route, and the primary route. The command to set the priority field is set priority <integer> under the config router static command. For more information, see the FortiGate CLI Reference.
In summary, because you can use the CLI to specify which priority field settings to use when defining static routes, you can prioritize routes to the same destination according to their priority field settings. For a static route to be the preferred route, you must create the route using the config router static CLI command and specify a low priority for the route.
If two routes have the same administrative distance and the same priority, then they are equal cost multipath (ECMP) routes. Since this means there is more than one route to the same destination, it can be unclear which route or routes to install and use. However, you can configure ECMP Route Failover and Load Balancing to control how sessions are load balanced among ECMP routes. See ECMP route failover and load balancing on page 322.
Blackhole Route
A blackhole route is a route that drops all traffic sent to it. It is very much like a /dev/null interface in Linux programming. Blackhole routes are used to dispose of packets instead of responding to suspicious inquiries. This provides added security since the originator will not discover any information from the target network.
Blackhole routes can also limit traffic on a subnet. If some subnet addresses are not in use, traffic to those addresses (traffic which may be valid or malicious) can be directed to a blackhole for added security and to reduce traffic on the subnet.
The loopback interface, a virtual interface that does not forward traffic, enables easier configuration of blackhole routing. Compared to a normal interface, this loopback interface has fewer parameters to configure, and all traffic sent to it stops there. Since it cannot have hardware connection or link status problems, it is always available, making it useful for other dynamic routing roles. Once configured, you can use a loopback interface in firewall policies, routing, and other places that refer to interfaces. Loopback interfaces can be configured from both the web-based manager and the CLI. For more information, see Adding loopback interfaces on page 158 or the system chapter of the FortiGate CLI Reference.
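The following Python program is an added illustration of the selection rules described under Administrative Distance, Route priority and Blackhole Route above; it is not FortiOS code, and the Route class, function names and the sample route set are constructed for this example. It installs, per destination, only the entries with the lowest administrative distance (Table 47 defaults, distance 255 never installed), uses the priority field to pick among installed static routes, treats an equal-distance, equal-priority pair as ECMP, and drops traffic that a blackhole route matches. Source-IP-based ECMP is modelled as a modulo over the sorted candidates, which is an assumption about the hashing, not the FortiGate algorithm.

```python
"""Route selection as the chapter describes it: administrative distance picks
which entries reach the forwarding table, the priority field breaks ties among
static routes, equal distance and priority gives ECMP, and a blackhole route
drops what it matches.  Added illustration, not FortiOS code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Default administrative distances from Table 47.
DEFAULT_DISTANCE = {
    "connected": 1, "static": 10, "ebgp": 20, "ospf": 110, "rip": 120, "ibgp": 200,
}
INFINITE_DISTANCE = 255  # a route with this distance is never installed


@dataclass(frozen=True)
class Route:
    dst: str                        # destination network, e.g. "10.10.0.0/16"
    device: str                     # outgoing interface
    gateway: Optional[str] = None   # next-hop router; None for a blackhole route
    protocol: str = "static"
    distance: Optional[int] = None  # None means the protocol default
    priority: int = 0               # lower is preferred (static routes only)
    blackhole: bool = False

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.dst)

    @property
    def admin_distance(self) -> int:
        return DEFAULT_DISTANCE[self.protocol] if self.distance is None else self.distance


def build_forwarding_table(routes: List[Route]) -> Dict[ipaddress.IPv4Network, List[Route]]:
    """Per destination, keep only the entries with the lowest administrative distance."""
    by_dst: Dict[ipaddress.IPv4Network, List[Route]] = {}
    for r in routes:
        if r.admin_distance >= INFINITE_DISTANCE:
            continue                       # distance 255: not installed
        by_dst.setdefault(r.network, []).append(r)
    fib: Dict[ipaddress.IPv4Network, List[Route]] = {}
    for net, entries in by_dst.items():
        best = min(e.admin_distance for e in entries)
        survivors = [e for e in entries if e.admin_distance == best]
        # Stable order so the ECMP choice below is deterministic.
        fib[net] = sorted(survivors, key=lambda e: (e.device, e.gateway or ""))
    return fib


def fib_summary(fib) -> Dict[str, List[Tuple[str, Optional[str], int]]]:
    """String view of the forwarding table: {dst: [(device, gateway, distance), ...]}."""
    return {str(net): [(e.device, e.gateway, e.admin_distance) for e in entries]
            for net, entries in fib.items()}


def select_routes(fib, dst_ip: str) -> List[Route]:
    """Longest-prefix match, then lowest priority; more than one result means ECMP."""
    addr = ipaddress.ip_address(dst_ip)
    matching = [net for net in fib if addr in net]
    if not matching:
        return []
    net = max(matching, key=lambda n: n.prefixlen)
    best = min(e.priority for e in fib[net])
    return [e for e in fib[net] if e.priority == best]


def next_hop(fib, dst_ip: str, src_ip: str) -> Tuple[str, Optional[Route]]:
    """Forwarding decision for one session: ("drop" | "forward" | "no-route", route)."""
    ecmp = select_routes(fib, dst_ip)
    if not ecmp:
        return "no-route", None
    # Source-IP-based ECMP (the default method): a stable pick per source address,
    # modelled here as a modulo over the sorted candidates (an assumption).
    chosen = ecmp[int(ipaddress.ip_address(src_ip)) % len(ecmp)]
    if chosen.blackhole:
        return "drop", chosen
    return "forward", chosen


# Constructed sample routing table (private and documentation address ranges only).
SAMPLE_ROUTES = [
    Route("0.0.0.0/0", "port1", "192.168.1.254", distance=10),
    Route("0.0.0.0/0", "port2", "192.168.2.254", distance=20),   # backup default, not installed
    Route("10.10.0.0/16", "port3", "172.16.0.1", priority=5),
    Route("10.10.0.0/16", "port4", "172.16.0.2", priority=10),   # loses the priority tie-break
    Route("10.20.0.0/16", "port3", "172.16.0.1"),                # equal distance and priority:
    Route("10.20.0.0/16", "port4", "172.16.0.2"),                # an ECMP pair
    Route("10.40.0.0/16", "port5", "172.17.0.1", protocol="ospf"),  # distance 110
    Route("10.40.0.0/16", "port3", "172.16.0.1"),                # static (10) wins over OSPF
    Route("10.30.0.0/24", "loopback", blackhole=True),           # unused subnet: drop it
    Route("192.0.2.0/24", "port6", "198.51.100.1", distance=255),  # never installed
]

if __name__ == "__main__":
    table = build_forwarding_table(SAMPLE_ROUTES)
    for dst, entries in fib_summary(table).items():
        print(dst, entries)
    for dst in ("203.0.113.9", "10.10.5.5", "10.20.1.1", "10.30.0.7", "10.40.1.1"):
        print(dst, next_hop(table, dst, "10.1.1.2"))
```

Running the block shows the backup default route and the distance-255 route absent from the forwarding table, the priority-5 entry chosen for 10.10.0.0/16, the two 10.20.0.0/16 entries both installed and shared between sessions by source address, and traffic to the unused 10.30.0.0/24 subnet dropped rather than answered.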
Static Route
You configure static routes by defining the destination IP address and netmask of packets that you intend the FortiGate unit to intercept, and by specifying a (gateway) IP address for those packets. The gateway address specifies the next-hop router to which traffic will be routed.
To view the static route list, go to Router > Static > Static Route. Figure 167 shows the static route list belonging to a FortiGate unit that has interfaces named port1 and port2. The names of the interfaces on your FortiGate unit may be different.
Figure 167: Static Route list when IPv6 is enabled in the GUI
Create New: Add a static route to the Static Route list. For more information, see Adding a static route to the routing table on page 320. Select the down arrow for the option to create an IPv6 static route.
ECMP Route Failover & Load Balance Method: Select the load balancing and failover method for ECMP routes. See ECMP route failover and load balancing on page 322.
Source based: The FortiGate unit load balances sessions among ECMP routes based on the source IP address of the sessions to be load balanced. This is the default load balancing method. No configuration changes are required to support source IP load balancing.
Weighted: The FortiGate unit load balances sessions among ECMP routes based on weights added to ECMP routes. More traffic is directed to routes with higher weights. After selecting weight-based you must add weights to static routes. For more information, see Configuring weighted static route load balancing on page 326.
Spill-over: The FortiGate unit distributes sessions among ECMP routes based on how busy the FortiGate interfaces associated with the routes are. After selecting spill-over you add route Spillover Thresholds to interfaces added to ECMP routes. For more information, see Configuring interface status detection for gateway load balancing on page 165. The FortiGate unit sends all ECMP-routed sessions to the lowest numbered interface until the bandwidth being processed by this interface reaches its spillover threshold. The FortiGate unit then spills additional sessions over to the next lowest numbered interface. For more information, including the order in which interfaces are selected, see Configuring spill-over or usage-based ECMP on page 323.
Apply: Select to save the ECMP Route Failover and Load Balance Method.
Route: Select the Expand Arrow to display or hide the IPv4 static routes. By default these routes are displayed. This is displayed only when IPv6 is enabled in the web-based manager.
IPv6 Route: Select the Expand Arrow to display or hide the IPv6 static routes. By default these routes are hidden. This is displayed only when IPv6 is enabled in the web-based manager.
Destination IP/Mask: The destination IP addresses and network masks of packets that the FortiGate unit intercepts.
Gateway: The IP addresses of the next-hop routers to which intercepted packets are forwarded.
Device: The names of the FortiGate interfaces through which intercepted packets are received and sent.
Distance: The administrative distances associated with each route. The values represent distances to next-hop routers.
Weight: If ECMP Route Failover & Load Balance Method is set to weighted, add weights for each route. Add higher weights to routes that you want to assign more sessions to when load balancing. For more information, see Configuring weighted static route load balancing on page 326.
Delete, Edit: Delete or edit an entry.
For example, Figure 168 shows a FortiGate unit connected to a router. To ensure that all outbound packets destined to any network beyond the router are routed to the correct destination, you must edit the factory default configuration and make the router the default gateway for the FortiGate unit.
Figure 168: Making a router the default gateway (the figure shows FortiGate_1 with its internal interface facing the internal network and its external interface connected to the Gateway Router at 192.168.10.1, which leads to the Internet)
To route outbound packets from the internal network to destinations that are not on network 192.168.20.0/24, you would edit the default route and include the following settings:
Destination IP/mask: 0.0.0.0/0.0.0.0
Gateway: 192.168.10.1
Device: Name of the interface connected to network 192.168.10.0/24 (in this example external).
Distance: 10
The Gateway setting specifies the IP address of the next-hop router interface that faces the FortiGate external interface. The router interface connected to the FortiGate unit (192.168.10.1) is the default gateway for FortiGate_1. In some cases, there may be routers behind the FortiGate unit. If the destination IP address of a packet is not on the local network but is on a network behind one of those routers, the FortiGate routing table must include a static route to that network. For example, in Figure 169, the FortiGate unit must be configured with static routes to interfaces 192.168.10.1 and 192.168.11.1 in order to forward packets to Network_1 and Network_2 respectively. Firewall policies must also be configured to allow traffic to pass through the FortiGate unit along these routes. For details, see Configuring firewall policies on page 367.
Figure 169: Destinations on networks behind internal routers (the figure shows FortiGate_1 connected to the Internet, with its internal interface reaching Gateway Router_1 at 192.168.10.1 in front of Network_1 192.168.20.0/24, and its dmz interface reaching Gateway Router_2 at 192.168.11.1 in front of Network_2 192.168.30.0/24)
To route packets from Network_1 to Network_2, Router_1 must be configured to use the FortiGate internal interface as its default gateway. On the FortiGate unit, you would create a new static route with these settings:
Destination IP/mask: 192.168.30.0/24
Gateway: 192.168.11.1
Device: dmz
Distance: 10
To route packets from Network_2 to Network_1, Router_2 must be configured to use the FortiGate dmz interface as its default gateway. On the FortiGate unit, you would create a new static route with these settings:
Destination IP/mask: 192.168.20.0/24
Gateway: 192.168.10.1
Device: internal
Distance: 10
To change the gateway for the default route
1 Go to Router > Static > Static Route.
2 Select the Edit icon in row 1.
3 If the FortiGate unit reaches the next-hop router through an interface other than the interface that is currently selected in the Device field, select the name of the interface from the Device field.
4 In the Gateway field, type the IP address of the next-hop router to which outbound traffic may be directed.
5 In the Distance field, optionally adjust the administrative distance value. The default route distance should be set high enough that other routes can be configured at lower distances and so be preferred over the default route.
6 Select OK.
5 Enter the gateway IP address. Continuing with the example, 172.1.2.11 would be a valid address.
6 Enter the administrative distance of this route. The administrative distance lets you make one route preferred over another, which is useful when one route is unreliable. For example, if route A has an administrative distance of 10 and route B has an administrative distance of 30, the preferred route is route A, which has the smaller administrative distance of 10. If you discover that route A is unreliable, you can change the administrative distance for route A from 10 to 40, which will make route B the preferred route.
7 Select OK to confirm and save your new static route.
When you add a static route through the web-based manager, the FortiGate unit adds the entry to the Static Route list. Figure 170 shows the Edit Static Route dialog box belonging to a FortiGate unit that has an interface named internal. The names of the interfaces on your FortiGate unit may be different.
Figure 170: Edit Static Route
Destination IP/Mask: Type the destination IP address and network mask of packets that the FortiGate unit has to intercept. The value 0.0.0.0/0.0.0.0 is reserved for the default route.
Gateway: Type the IP address of the next-hop router to which the FortiGate unit will forward intercepted packets.
Device: Select the name of the FortiGate interface through which the intercepted packets may be routed to the next-hop router.
Distance: Type an administrative distance from 1 to 255 for the route. The distance value is arbitrary and should reflect the distance to the next-hop router. A lower value indicates a more preferred route.
Weight: Add weights for each route. Add higher weights to routes that you want to load balance more sessions to. See Configuring weighted static route load balancing on page 326. Available if ECMP Route Failover & Load Balance Method is set to weighted.
Using ECMP, if more than one ECMP route is available you can configure how the FortiGate unit selects the route to be used for a communication session. If only one ECMP route is available (for example, because interface status detection has not received a reply from the configured server, so the interface is treated as unable to process traffic) then all traffic uses this route. Previous versions of FortiOS provided only source IP-based load balancing for ECMP routes. FortiOS 4.0 MR1 includes three configuration options for ECMP route failover and load balancing:
Source based (also called source IP based): The FortiGate unit load balances sessions among ECMP routes based on the source IP address of the sessions to be load balanced. This is the default load balancing method. No configuration changes are required to support source IP load balancing.
Weighted (also called weight-based): The FortiGate unit load balances sessions among ECMP routes based on weights added to ECMP routes. More traffic is directed to routes with higher weights. After selecting weight-based you must add weights to static routes. See Configuring weighted static route load balancing on page 326.
Spill-over (also called usage-based): The FortiGate unit distributes sessions among ECMP routes based on how busy the FortiGate interfaces added to the routes are. After selecting spill-over you add route Spillover Thresholds to interfaces added to ECMP routes. The FortiGate unit sends all ECMP-routed sessions to the lowest numbered interface until the bandwidth being processed by this interface reaches its spillover threshold. The FortiGate unit then spills additional sessions over to the next lowest numbered interface. The Spillover Thresholds range is 0-2097000 KBps. For more information, including the order in which interfaces are selected, see Configuring spill-over or usage-based ECMP on page 323.
You can configure only one of these ECMP route failover and load balancing methods in a single VDOM. If your FortiGate unit is configured for multiple VDOM operation, each VDOM can have its own ECMP route failover and load balancing configuration.
To configure the ECMP route failover and load balancing method from the web-based manager
1 Go to Router > Static > Static Route.
2 Set ECMP Route Failover & Load Balance Method to source based, weighted, or spill-over.
3 Select Apply.
Figure 171: Configuring ECMP route failover and load balancing method
To configure the ECMP route failover and load balancing method from the CLI
1 Enter the following command:
config system settings
    set v4-ecmp-mode {source-ip-based | usage-based | weight-based}
end
5 Go to System > Network > Interface.
6 Edit port3 and port4 and add the following spillover thresholds:
Interface  Spillover Threshold (KBps)
port3      100
port4      200
7 Go to Router > Monitor to view the routing table. The routes could be displayed in the order shown in Table 48.
Table 48: Example ECMP routes as listed on the routing monitor
Type    Network          Distance  Metric  Gateway       Interface
Static  192.168.20.0/24  9         0       172.20.130.3  port3
Static  192.168.20.0/24  9         0       172.20.140.4  port4
In this example, the FortiGate unit sends all sessions to the 192.168.20.0 network through port3. When port3 exceeds its spillover threshold of 100 KBps the FortiGate unit sends all new sessions to the 192.168.20.0 network through port4.
To add route-spillover thresholds to interfaces from the CLI
1 Enter the following command to set the ECMP route failover and load balance method to usage-based.
config system settings
    set v4-ecmp-mode usage-based
end
2 Enter the following commands to add three route-spillover thresholds to three interfaces.
config system interface
    edit port1
        set spillover-threshold 400
    next
    edit port2
        set spillover-threshold 200
    next
    edit port3
        set spillover-threshold 100
end
3 Enter the following commands to add three ECMP default routes, one for each interface.
config router static
    edit 1
        set dst 0.0.0.0/0.0.0.0
        set gwy 172.20.110.1
        set dev port1
    next
    edit 2
        set dst 0.0.0.0/0.0.0.0
        set gwy 172.20.120.2
        set dev port2
    next
    edit 3
        set dst 0.0.0.0/0.0.0.0
        set gwy 172.20.130.3
        set dev port3
end
4 Enter the following command to display static routes in the routing table:
get router info routing-table static
S    0.0.0.0/0 [10/0] via 172.20.110.1, port1
               [10/0] via 172.20.120.2, port2
               [10/0] via 172.20.130.3, port3
In this example, the FortiGate unit sends all sessions to the Internet through port1. When port1 exceeds its spillover threshold of 400 KBps the FortiGate unit sends all new sessions to the Internet through port2. If both port1 and port2 exceed their spillover thresholds the FortiGate unit sends all new sessions to the Internet through port3.
For example, consider a FortiGate unit with interfaces port3 and port4 both connected to the Internet through different ISPs. ECMP routing is set to usage-based and the route spillover thresholds are set to 100 KBps for port3 and 200 KBps for port4. Two ECMP default routes are added, one for port3 and one for port4. If the route to port3 is higher in the routing table than the route to port4, the FortiGate unit sends all default route sessions out port3 until port3 is processing 100 KBps of data. When port3 reaches its configured bandwidth limit, the FortiGate unit sends all default route sessions out port4. When the bandwidth usage of port3 falls below 100 KBps, the FortiGate unit again sends all default route sessions out port3.
New sessions to destination IP addresses that are already in the routing cache, however, use the cached routes. This means that even if port3 is exceeding its bandwidth limit, new sessions can continue to be sent out port3 if their destination addresses are already in the routing cache. As a result, new sessions are sent out port4 only if port3 exceeds its bandwidth limit and the routing cache does not contain a route for the destination IP address of the new session. The limit on port4 is important only if there are additional interfaces for spillover.
Also, the switchover to port4 does not occur as soon as port3 exceeds its bandwidth limit. Bandwidth usage has to exceed the limit for a period of time before the switchover takes place. If port3 bandwidth usage drops below the bandwidth limit during this time period, sessions are not switched over to port4. This delay reduces route flapping. Route flapping occurs when routes change their status frequently, forcing routers to continually change their routing tables and broadcast the new information.
FortiGate usage-based ECMP routing is not actually load balancing, since routes are not distributed evenly among FortiGate interfaces. Depending on traffic volumes, most traffic would usually be processed by the first interface with only spillover traffic being processed by other interfaces.
If you are configuring usage-based ECMP, in most cases you should add spillover thresholds to all of the interfaces with ECMP routes. The default spillover threshold is 0, which means no bandwidth limiting. If any interface has a spillover threshold of 0, no sessions will be routed to interfaces lower in the list unless that interface goes down or is disconnected. An interface can go down if Detect interface status for Gateway Load Balancing does not receive a response from the configured server.
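The spill-over behaviour described above, as an added Python simulation (not FortiOS code): ECMP routes are tried in routing-table order, a destination already in the routing cache keeps its cached route, an interface with a threshold of 0 never spills, and an interface has to stay over its threshold for a hold time before new destinations spill to the next interface. Interface names and thresholds follow the CLI example above; the bandwidth readings and the length of the hold time (HOLD_SECONDS) are assumptions.

```python
"""Simulation of FortiGate usage-based (spill-over) ECMP route selection.

Added illustration, not FortiOS code. Interface names and thresholds follow
the CLI example above; bandwidth readings are constructed, and the hold time
before spill-over takes effect (HOLD_SECONDS) is an assumption, since the
guide gives no figure for it.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HOLD_SECONDS = 5  # assumed: usage must stay over the threshold this long


@dataclass
class Interface:
    name: str
    spillover_threshold: int          # KBps; 0 means no bandwidth limiting
    usage: int = 0                    # KBps currently being processed
    up: bool = True                   # False when interface status detection fails
    over_since: Optional[int] = None  # first time usage was seen over threshold

    def spilling(self, now: int) -> bool:
        """True once usage has exceeded the threshold for HOLD_SECONDS.

        A threshold of 0 never spills, so interfaces lower in the routing
        table only receive sessions if this interface goes down.
        """
        if self.spillover_threshold == 0 or self.usage <= self.spillover_threshold:
            self.over_since = None    # back under the limit: reset the timer
            return False
        if self.over_since is None:
            self.over_since = now
        return now - self.over_since >= HOLD_SECONDS


@dataclass
class SpillOverEcmp:
    """ECMP routes in routing-table order: lowest numbered interface first."""
    interfaces: List[Interface]
    route_cache: Dict[str, str] = field(default_factory=dict)

    def select(self, dst_ip: str, now: int) -> str:
        """Outgoing interface for a new session to dst_ip at time `now`."""
        by_name = {i.name: i for i in self.interfaces}
        cached = self.route_cache.get(dst_ip)
        if cached is not None and by_name[cached].up:
            return cached             # cached destination keeps its route
        chosen = None
        for iface in self.interfaces:
            if not iface.up:
                continue
            chosen = iface.name
            if not iface.spilling(now):
                break                 # first interface under its limit wins
            # over the limit long enough: spill over to the next interface
        if chosen is None:
            raise RuntimeError("no usable ECMP route")
        self.route_cache[dst_ip] = chosen
        return chosen
```

If every interface is spilling, the last interface in the list receives the new sessions, matching the port3 case in the CLI example.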
Weights only affect how routes are selected for sessions to new destination IP addresses. New sessions to IP addresses already in the routing cache are routed using the route for the session already in the cache. So in practice sessions will not always be distributed according to the routing weight distribution.
To add weights to static routes from the web-based manager
1 Go to Router > Static > Static Route.
2 Set ECMP Route Failover & Load Balance Method to weighted.
3 Go to Router > Static > Static Route.
4 Add new or edit static routes and add weights to them. The following example shows two ECMP routes with weights added.
Destination IP/Mask  Device  Gateway       Distance  Weight
192.168.20.0/24      port1   172.20.110.1  10        100
192.168.20.0/24      port2   172.20.120.2  10        200
In this example:
• one third of the sessions to the 192.168.20.0 network will use the first route and be sent out port1 to the gateway with IP address 172.20.110.1.
• the other two thirds of the sessions to the 192.168.20.0 network will use the second route and be sent out port2 to the gateway with IP address 172.20.120.2.
To add weights to static routes from the CLI
1 Enter the following command to set the ECMP route failover and load balance method to weighted.
config system settings
    set v4-ecmp-mode weight-based
end
2 Enter the following commands to add three ECMP static routes and add weights to each route.
config router static
    edit 1
        set dst 192.168.20.0/24
        set gwy 172.20.110.1
        set dev port1
        set weight 100
    next
    edit 2
        set dst 192.168.20.0/24
        set gwy 172.20.120.2
        set dev port2
        set weight 200
    next
    edit 3
        set dst 192.168.20.0/24
        set gwy 172.20.130.3
        set dev port3
        set weight 300
end
FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20091022 http://docs.fortinet.com/ Feedback
Note: In this example the priority remains set to 0 and the distance remains set to 10 for all three routes. Any other routes with a distance set to 10 will not have their weight set, so will have a weight of 0 and will not be part of the load balancing.
In this example:
• one sixth of the sessions to the 192.168.20.0 network will use the first route and be sent out port1 to the gateway with IP address 172.20.110.1.
• one third of the sessions to the 192.168.20.0 network will use the second route and be sent out port2 to the gateway with IP address 172.20.120.2.
• one half of the sessions to the 192.168.20.0 network will use the third route and be sent out port3 to the gateway with IP address 172.20.130.3.
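Static route selection as described under Static Route and in this section (lowest administrative distance first, then lowest priority, then weighted ECMP among the routes that remain), as an added Python model that is not FortiOS code. EXAMPLE_ROUTES repeats the three weighted routes from the CLI example plus two constructed routes (port4 with no weight, port5 at distance 20); the page does not say how FortiOS spreads new destinations across the weights, so a smooth weighted round-robin is assumed here as a stand-in that produces the stated 1/6, 1/3, 1/2 split.

```python
"""Model of FortiGate static route selection with weighted ECMP.

Added illustration, not FortiOS code. EXAMPLE_ROUTES repeats the three
weighted routes from the CLI example above plus two constructed routes
(port4, port5). The page does not say how FortiOS spreads new destinations
across the weights; a smooth weighted round-robin is used here as a stand-in
that yields the stated 1/6, 1/3, 1/2 split over every six new destinations.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class StaticRoute:
    dst: str            # destination network, e.g. "192.168.20.0/24"
    gwy: str            # next-hop gateway address
    dev: str            # outgoing interface
    distance: int = 10  # administrative distance, lowest wins
    priority: int = 0   # tie-breaker after distance, lowest wins
    weight: int = 0     # weighted ECMP share; 0 = not load balanced


EXAMPLE_ROUTES = [
    StaticRoute("192.168.20.0/24", "172.20.110.1", "port1", weight=100),
    StaticRoute("192.168.20.0/24", "172.20.120.2", "port2", weight=200),
    StaticRoute("192.168.20.0/24", "172.20.130.3", "port3", weight=300),
    # constructed: same distance but no weight, so left out of the balancing
    StaticRoute("192.168.20.0/24", "172.20.140.4", "port4"),
    # constructed: higher distance, never used while the distance-10 routes exist
    StaticRoute("192.168.20.0/24", "172.20.150.5", "port5", distance=20, weight=900),
]


def ecmp_candidates(routes: List[StaticRoute], dst_ip: str) -> List[StaticRoute]:
    """Routes left after longest-prefix match, lowest distance, lowest priority."""
    addr = ipaddress.ip_address(dst_ip)
    matching = [r for r in routes if addr in ipaddress.ip_network(r.dst)]
    if not matching:
        return []
    longest = max(ipaddress.ip_network(r.dst).prefixlen for r in matching)
    matching = [r for r in matching if ipaddress.ip_network(r.dst).prefixlen == longest]
    best_distance = min(r.distance for r in matching)
    matching = [r for r in matching if r.distance == best_distance]
    best_priority = min(r.priority for r in matching)
    return [r for r in matching if r.priority == best_priority]


def balancing_pool(ecmp_set: List[StaticRoute]) -> List[Tuple[str, int]]:
    """(interface, weight) pairs that take part in weighted load balancing.

    Routes with weight 0 are excluded, as the Note above describes; if no
    route carries a weight, every ECMP route gets an equal share instead.
    """
    weighted = [(r.dev, r.weight) for r in ecmp_set if r.weight > 0]
    return weighted or [(r.dev, 1) for r in ecmp_set]


def expected_shares(ecmp_set: List[StaticRoute]) -> Dict[str, float]:
    """Fraction of new destinations each balanced route should receive."""
    pool = balancing_pool(ecmp_set)
    total = sum(w for _, w in pool)
    return {dev: w / total for dev, w in pool}


@dataclass
class WeightedEcmp:
    routes: List[StaticRoute]
    route_cache: Dict[str, str] = field(default_factory=dict)
    _current: Dict[str, int] = field(default_factory=dict)

    def select(self, dst_ip: str) -> str:
        """Outgoing interface for a session to dst_ip.

        Destinations already in the routing cache reuse their cached route,
        which is why real traffic does not follow the weights exactly.
        """
        if dst_ip in self.route_cache:
            return self.route_cache[dst_ip]
        pool = balancing_pool(ecmp_candidates(self.routes, dst_ip))
        if not pool:
            raise LookupError(f"no route to {dst_ip}")
        total = sum(w for _, w in pool)
        for dev, w in pool:               # smooth weighted round-robin step
            self._current[dev] = self._current.get(dev, 0) + w
        dev = max((d for d, _ in pool), key=lambda d: self._current[d])
        self._current[dev] -= total
        self.route_cache[dst_ip] = dev
        return dev


def observed_shares(hosts: int = 252) -> Dict[str, float]:
    """Route `hosts` distinct constructed destinations in 192.168.20.0/24."""
    ecmp = WeightedEcmp(EXAMPLE_ROUTES)
    counts = Counter(ecmp.select(f"192.168.20.{i}") for i in range(1, hosts + 1))
    return {dev: n / hosts for dev, n in sorted(counts.items())}
```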
Policy Route
A routing policy allows you to redirect traffic away from a static route. This can be useful if you want to route certain types of network traffic differently. You can use the incoming traffic's protocol, source address or interface, destination address, or port number to determine where to send the traffic. For example, network traffic would generally go to the router of a subnet, but you might want to direct SMTP or POP3 traffic addressed to that subnet directly to the mail server.
If you have configured the FortiGate unit with routing policies and a packet arrives at the FortiGate unit, the FortiGate unit starts at the top of the Policy Route list and attempts to match the packet with a policy. If a match is found and the policy contains enough information to route the packet (a minimum of the IP address of the next-hop router and the FortiGate interface for forwarding packets to it), the FortiGate unit routes the packet using the information in the policy. If no policy route matches the packet, the FortiGate unit routes the packet using the routing table.
Note: Most policy settings are optional, so a matching policy alone might not provide enough information for forwarding the packet. The FortiGate unit may refer to the routing table in an attempt to match the information in the packet header with a route in the routing table. For example, if the outgoing interface is the only item in the policy, the FortiGate unit looks up the IP address of the next-hop router in the routing table. This situation could happen when the interfaces are dynamic (such as DHCP or PPPoE) and you do not want or are unable to specify the IP address of the next-hop router.
Policy route options define which attributes of an incoming packet cause policy routing to occur. If the attributes of a packet match all the specified conditions, the FortiGate unit routes the packet through the specified interface to the specified gateway. Figure 173 shows the policy route list belonging to a FortiGate unit that has interfaces named external and internal. The names of the interfaces on your FortiGate unit may be different. To edit an existing policy route, see Adding a policy route on page 329.
Figure 173: Policy Route list
Figure 174: Example policy route to route all HTTP traffic received at port5 to port4
Protocol: To perform policy routing based on the value in the protocol field of the packet, enter the protocol number to match. The Internet Protocol Number is found in the IP packet header. RFC 5237 describes protocol numbers, and a list of the assigned protocol numbers is published online. The range is from 0 to 255. A value of 0 disables the feature. Tip: Commonly used Protocol settings include 6 to route TCP sessions, 17 for UDP sessions, 1 for ICMP sessions, 47 for GRE sessions, and 92 for multicast sessions. For protocols other than 6 and 17, the port number is ignored.
Incoming Interface: Select the name of the interface through which incoming packets subjected to the policy are received.
Source Address / Mask: To perform policy routing based on the IP source address of the packet, type the source address and network mask to match. A value of 0.0.0.0/0.0.0.0 disables the feature.
Destination Address / Mask: To perform policy routing based on the IP destination address of the packet, type the destination address and network mask to match. A value of 0.0.0.0/0.0.0.0 disables the feature.
Destination Ports: To perform policy routing based on the port on which the packet is received, type the same port number in the From and To fields. To apply policy routing to a range of ports, type the starting port number in the From field and the ending port number in the To field. A value of 0 disables this feature. The Destination Ports fields are only used for TCP and UDP protocols. The ports are skipped over for all other protocols.
Type of Service: Use a two digit hexadecimal bit pattern to match the service, or use a two digit hexadecimal bit mask to mask out. For more information, see Type of Service on page 331.
Outgoing Interface: Select the name of the interface through which packets affected by the policy will be routed.
Gateway Address: Type the IP address of the next-hop router that the FortiGate unit can access through the specified interface. A value of 0.0.0.0 is not valid.
Figure 175: Example policy route to route all FTP traffic received at port1 to port10
Type of Service
Type of service (TOS) is an 8-bit field in the IP header that enables you to determine how the IP datagram should be delivered, with such qualities as delay, priority, reliability, and minimum cost. Each quality helps gateways determine the best way to route datagrams. A router maintains a TOS value for each route in its routing table. The lowest priority TOS is 0; the highest is 7, when bits 3, 4, and 5 are all set to 1. The router tries to match the TOS of the datagram to the TOS on one of the possible routes to the destination. If there is no match, the datagram is sent over a zero TOS route. Using increased quality may increase the cost of delivery because better performance may consume limited network resources. For more information, see RFC 791 and RFC 1349.
Table 49: The role of each bit in the IP header TOS 8-bit field
bits 0, 1, 2  Precedence: Some networks treat high precedence traffic as more important traffic. Precedence should only be used within a network, and can be used differently in each network. Typically you do not care about these bits.
bit 3  Delay: When set to 1, this bit indicates low delay is a priority. This is useful for such services as VoIP where delays degrade the quality of the sound.
bit 4  Throughput: When set to 1, this bit indicates high throughput is a priority. This is useful for services that require lots of bandwidth such as video conferencing.
bit 5  Reliability: When set to 1, this bit indicates high reliability is a priority. This is useful when a service must always be available such as with DNS servers.
bit 6  Cost: When set to 1, this bit indicates low cost is a priority. Generally there is a higher delivery cost associated with enabling bits 3, 4, or 5, and bit 6 indicates to use the lowest cost route.
bit 7  Not used at this time.
For example, if you want to assign low delay and high reliability, say for a VoIP application where delays are unacceptable, you would use a bit pattern of xxx1x1xx, where an x indicates that the bit can be any value. Since not all bits are set, this is a good use for the bit mask: if the mask is set to 0x14, it will match any TOS packets that are set to low delay and high reliability.
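Policy route matching as described in this section (first match from the top of the list, 0 and 0.0.0.0/0.0.0.0 values disabling a check, Destination Ports compared only for TCP and UDP, and the ToS pattern and mask from the VoIP example), as an added Python model that is not FortiOS code. The policies in example_policies() are constructed from the two figure captions above (HTTP at port5 to port4, FTP at port1 to port10) and the ToS example; the gateway addresses, the use of port 21 for FTP, and the interface names of the ToS policy are assumptions.

```python
"""Policy route matching as described in this section, modelled in Python.

Added illustration, not FortiOS code. The policies in example_policies() are
constructed from the figure captions above (HTTP at port5 to port4, FTP at
port1 to port10) plus the ToS example; gateway addresses are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

TCP, UDP = 6, 17  # the only protocols for which Destination Ports are checked


def tos_pattern(bits: str) -> Tuple[int, int]:
    """Turn an 8-character pattern such as "xxx1x1xx" into (pattern, mask).

    Bit 0 is the leftmost (most significant) bit, as in Table 49; an 'x'
    means the bit is not compared and is therefore left out of the mask.
    """
    if len(bits) != 8 or set(bits) - set("01x"):
        raise ValueError("pattern must be 8 characters of 0, 1 or x")
    pattern = mask = 0
    for position, char in enumerate(bits):
        if char == "x":
            continue
        bit = 1 << (7 - position)
        mask |= bit
        if char == "1":
            pattern |= bit
    return pattern, mask


@dataclass(frozen=True)
class Packet:
    protocol: int
    src_ip: str
    dst_ip: str
    in_iface: str
    dst_port: int = 0        # only meaningful for TCP/UDP
    tos: int = 0             # 8-bit IP header ToS byte


@dataclass(frozen=True)
class PolicyRoute:
    in_iface: str
    out_iface: str
    gateway: Optional[str] = None       # None: next hop looked up in the routing table
    protocol: int = 0                   # 0 disables the protocol check
    src: str = "0.0.0.0/0.0.0.0"        # 0.0.0.0/0.0.0.0 matches every address
    dst: str = "0.0.0.0/0.0.0.0"
    ports: Tuple[int, int] = (0, 0)     # (From, To); 0 disables the check
    tos: int = 0x00                     # bit pattern
    tos_mask: int = 0x00                # 0 disables the ToS check

    def matches(self, pkt: Packet) -> bool:
        if pkt.in_iface != self.in_iface:
            return False
        if self.protocol and pkt.protocol != self.protocol:
            return False
        if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        # ports are skipped over for every protocol other than TCP and UDP
        if self.ports != (0, 0) and pkt.protocol in (TCP, UDP):
            low, high = self.ports
            if not low <= pkt.dst_port <= high:
                return False
        if self.tos_mask and (pkt.tos & self.tos_mask) != (self.tos & self.tos_mask):
            return False
        return True


def route(policies: List[PolicyRoute], pkt: Packet) -> Optional[Tuple[str, Optional[str]]]:
    """First matching policy from the top, or None to fall back to the routing table."""
    for policy in policies:
        if policy.matches(pkt):
            return policy.out_iface, policy.gateway
    return None


def example_policies() -> List[PolicyRoute]:
    """Constructed policy list: HTTP, FTP (port 21 assumed) and the VoIP ToS case."""
    voip_pattern, voip_mask = tos_pattern("xxx1x1xx")   # low delay + high reliability
    return [
        PolicyRoute("port5", "port4", "198.51.100.1", protocol=TCP, ports=(80, 80)),
        PolicyRoute("port1", "port10", "203.0.113.1", protocol=TCP, ports=(21, 21)),
        PolicyRoute("internal", "external", "192.0.2.1", tos=voip_pattern, tos_mask=voip_mask),
    ]
```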
Select Before to place the selected Policy Route before the indicated route. Select After to place it following the indicated route. Enter the Policy route ID of the route in the Policy route table to move the selected route before or after.
Router Dynamic
This section explains how to configure dynamic protocols to route traffic through large or complex networks. Dynamic routing protocols enable the FortiGate unit to automatically share information about routes with neighboring routers and learn about routes and networks advertised by them. The FortiGate unit supports these dynamic routing protocols:
• Routing Information Protocol (RIP)
• Open Shortest Path First (OSPF)
• Border Gateway Protocol (BGP)
The FortiGate unit selects routes and updates its routing table dynamically based on the rules you specify. Given a set of rules, the unit can determine the best route or path for sending packets to a destination. You can also define rules to suppress the advertising of routes to neighboring routers and change FortiGate routing information before it is advertised. If you enable virtual domains (VDOMs) on the FortiGate unit, dynamic routing is configured separately for each virtual domain. For details, see Using virtual domains on page 125.
Note: A FortiGate unit can operate as a Protocol Independent Multicast (PIM) version 2 router in the root virtual domain. FortiGate units support PIM sparse mode and dense mode and can service multicast servers or receivers on the network segment to which a FortiGate interface is connected. PIM can use static routes, RIP, OSPF, or BGP to forward multicast packets to their destinations.
Bidirectional Forwarding Detection (BFD) is a protocol that works with BGP and OSPF to quickly discover routers on the network that cannot be contacted, and to re-route traffic accordingly until those routers can be contacted. A useful part of the FortiOS web-based management interface is the customizable menus and widgets. These widgets include the following routing widgets: access list, distribute list, key chain, offset list, prefix list, and route map. For more information on these routing widgets, see Customizable routing widgets on page 353.
This section describes:
• RIP
• OSPF
• BGP
• Multicast
• Bi-directional Forwarding Detection (BFD)
• Customizable routing widgets
RIP
Routing Information Protocol (RIP) is a distance-vector routing protocol intended for small, relatively homogeneous networks. The FortiGate implementation of RIP supports RIP version 1 (see RFC 1058) and RIP version 2 (see RFC 2453).
RIP Version: Select the level of RIP compatibility needed at the FortiGate unit. You can enable global RIP settings on all FortiGate interfaces connected to RIP-enabled networks: 1 sends and receives RIP version 1 packets; 2 sends and receives RIP version 2 packets. You can override the global settings for a specific FortiGate interface if required. For more information, see Configuring a RIP-enabled interface on page 337.
Expand Arrow: Select the Expand Arrow to view or hide advanced RIP options. For more information, see Selecting advanced RIP options on page 336.
Networks: The IP addresses and network masks of the major networks (connected to the FortiGate unit) that run RIP. When you add a network to the Networks list, the FortiGate interfaces that are part of the network are advertised in RIP updates. You can enable RIP on all FortiGate interfaces whose IP addresses match the RIP network address space.
IP/Netmask: Enter the IP address and netmask that defines the RIP-enabled network.
Add: Select to add the network information to the Networks list.
Delete, Edit: Delete or edit a RIP network entry.
Interfaces: Any additional settings needed to adjust RIP operation on a FortiGate interface.
Create New: Add new RIP operating parameters for an interface. These parameters will override the global RIP settings for that interface. For more information, see Configuring a RIP-enabled interface on page 337.
Interface: The name of the unit RIP interface.
Send Version: The version of RIP used to send updates through each interface: 1, 2, or both.
Receive Version: The version of RIP used to listen for updates on each interface: 1, 2, or both.
Authentication: The type of authentication used on this interface: None, Text or MD5.
Passive: Permissions for RIP broadcasts on this interface. A green checkmark means the RIP broadcasts are blocked.
Delete and Edit icons: Delete or edit a RIP network entry or a RIP interface definition.
Advanced RIP options:
RIP Version: Select the version of RIP packets to send and receive.
Expand Arrow: Select the Expand Arrow to view or hide advanced options.
Default Metric: Enter the default hop count that the FortiGate unit should assign to routes that are added to the FortiGate routing table. The range is from 1 to 16. This metric is the hop count, with 1 being best or shortest. This value also applies to Redistribute unless otherwise specified.
Default-information-originate: Select to generate and advertise a default route into the FortiGate unit's RIP-enabled networks. The generated route may be based on routes learned through a dynamic routing protocol, routes in the routing table, or both.
RIP Timers: Enter new values to override the default RIP timer settings. The default settings are effective in most configurations; if you change these settings, ensure that the new settings are compatible with local routers and access servers. If the Update timer is not smaller than the Timeout and Garbage timers, you will get an error.
Update: Enter the amount of time (in seconds) that the FortiGate unit will wait between sending RIP updates.
Timeout: Enter the maximum amount of time (in seconds) that a route is considered reachable while no updates are received for the route. This is the maximum time the FortiGate unit will keep a reachable route in the routing table while no updates for that route are received. If the FortiGate unit receives an update for the route before the timeout period expires, the timer is restarted. The Timeout period should be at least three times longer than the Update period.
Garbage: Enter the amount of time (in seconds) that the FortiGate unit will advertise a route as being unreachable before deleting the route from the routing table. The value determines how long an unreachable route is kept in the routing table.
Redistribute: Select one or more of the options to redistribute RIP updates about routes that were not learned through RIP. The FortiGate unit can use RIP to redistribute routes learned from directly connected networks, static routes, OSPF, and BGP.
Connected: Select to redistribute routes learned from directly connected networks. To specify a hop count for those routes, select Metric, and enter the hop count in the Metric field. The valid hop count range is from 1 to 16.
Static: Select to redistribute routes learned from static routes. To specify a hop count for those routes, select Metric, and enter the hop count in the Metric field. The range is from 1 to 16.
OSPF: Select to redistribute routes learned through OSPF. To specify a hop count for those routes, select Metric, and enter the hop count in the Metric field. The range is from 1 to 16.
BGP: Select to redistribute routes learned through BGP. To specify a hop count for those routes, select Metric, and enter the hop count in the Metric field. The range is from 1 to 16.
Figure 179 shows the New/Edit RIP Interface dialog box belonging to a FortiGate unit that has an interface named internal. The names of the interfaces on your FortiGate unit may be different.
Figure 179: New/Edit RIP Interface
Interface: Select the name of the FortiGate interface to which these settings apply. The interface must be connected to a RIP-enabled network. The interface can be a virtual IPSec or GRE interface.
Select to override the default RIP-compatibility setting for sending and receiving updates through the interface: RIP version 1, version 2 or Both.
Authentication: Select an authentication method for RIP exchanges on the specified interface:
  None: Disable authentication.
  Text: Select if the interface is connected to a network that runs RIP version 2. Type a password (up to 35 characters) in the Password field. The FortiGate unit and the router exchanging RIP updates with it must both be configured with the same password. The password is sent in clear text over the network.
  MD5: Authenticate the exchange using MD5.
Passive Interface: Select to suppress the advertising of FortiGate unit routing information over the specified interface. Clear the check box to allow the interface to respond normally to RIP requests.
OSPF
Open Shortest Path First (OSPF) is a link-state routing protocol that is most often used in large heterogeneous networks to share routing information among routers in the same Autonomous System (AS). FortiGate units support OSPF version 2 (see RFC 2328). The main benefit of OSPF is that it advertises routes only when neighbors change state instead of at timed intervals, so routing overhead is reduced.
OSPF-enabled routers generate Link-State Advertisements (LSAs) and send them to their neighbors whenever the status of a neighbor changes or a new neighbor comes online. As long as the OSPF network is stable, no LSAs are exchanged between OSPF neighbors. An LSA identifies the interfaces of all OSPF-enabled routers in an area, and provides information that enables OSPF-enabled routers to select the shortest path to a destination. All LSA exchanges between OSPF-enabled routers are authenticated. The FortiGate unit maintains a database of link-state information based on the advertisements that it receives from OSPF-enabled routers. To calculate the best route (shortest path) to a destination, the FortiGate unit applies the Shortest Path First (SPF) algorithm to the accumulated link-state information. OSPF uses a relative path cost metric for choosing the best route. The path cost can be any metric, but is typically the speed of the path: how fast traffic will get from one point to another. The path cost, similar to distance for RIP, imposes a penalty on the outgoing direction of a FortiGate interface. The path cost of a route is calculated by adding together all of the costs associated with the outgoing interfaces along the path to a destination. The lowest overall path cost indicates the best route, and generally the fastest route.
Note: The inter-area routes may not be calculated when a Cisco type ABR has no fully adjacent neighbor in the backbone area. In this situation, the router considers summary-LSAs from all Actively Attached areas (RFC 3509).
The FortiGate unit dynamically updates its routing table based on the results of the SPF calculation to ensure that an OSPF packet will be routed using the shortest path to its destination. Depending on the network topology, the entries in the FortiGate routing table may include:
- the addresses of networks in the local OSPF area (to which packets are sent directly)
- routes to OSPF area border routers (to which packets destined for another area are sent)
- if the network contains OSPF areas and non-OSPF domains, routes to AS boundary routers, which reside on the OSPF network backbone and are configured to forward packets to destinations outside the OSPF AS.
The number of routes that a FortiGate unit can learn through OSPF depends on the network topology. A single unit can support tens of thousands of routes if the OSPF network is configured properly.
If you are using the web-based manager to perform these tasks, follow the procedures summarized below.

To define an OSPF AS
1 Go to Router > Dynamic > OSPF.
2 Under Areas, select Create New.
3 Define the characteristics of one or more OSPF areas. See Defining OSPF areas on page 343.
4 Under Networks, select Create New.
FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20091022 http://docs.fortinet.com/ Feedback
5 Create associations between the OSPF areas that you defined and the local networks to include in the OSPF AS. See Specifying OSPF networks on page 344.
6 If you need to adjust the default settings of an OSPF-enabled interface, select Create New under Interfaces.
7 Select the OSPF operating parameters for the interface. See Selecting operating parameters for an OSPF interface on page 344. Repeat steps 6 and 7 for any additional OSPF-enabled interfaces.
8 Optionally select advanced OSPF options for the OSPF AS. See Selecting advanced OSPF options on page 342.
9 Select Apply.
Router ID: Enter a unique router ID to identify the FortiGate unit to other OSPF routers. By convention, the router ID is the numerically highest IP address assigned to any of the FortiGate interfaces in the OSPF AS. If you change the router ID while OSPF is configured on an interface, all connections to OSPF neighbors will be broken temporarily. The connections will re-establish themselves. If Router ID is not explicitly set, the highest IP address of the VDOM or unit will be used.
Advanced Options: Select the Expand Arrow to view or hide advanced OSPF settings. For more information, see Selecting advanced OSPF options on page 342.
Areas: Information about the areas making up an OSPF AS. The header of an OSPF packet contains an area ID, which helps to identify the origination of a packet inside the AS.
  Create New: Define and add a new OSPF area to the Areas list. For more information, see Defining OSPF areas on page 343.
  Area: The unique 32-bit identifiers of areas in the AS, in dotted-decimal notation. Area ID 0.0.0.0 references the backbone of the AS and cannot be changed or deleted.
  Type: The types of areas in the AS: Regular (a normal OSPF area), NSSA (a not so stubby area), Stub (a stub area). For more information, see Defining OSPF areas on page 343.
  Authentication: The methods for authenticating OSPF packets sent and received through all FortiGate interfaces linked to each area: None (authentication is disabled), Text (text-based authentication is enabled), MD5 (MD5 authentication is enabled). A different authentication setting may apply to some of the interfaces in an area, as displayed under Interfaces. For example, if an area employs simple passwords for authentication, you can configure a different password for one or more of the networks in that area.
Networks: The networks in the OSPF AS and their area IDs. When you add a network to the Networks list, all FortiGate interfaces that are part of the network are advertised in OSPF link-state advertisements. You can enable OSPF on all FortiGate interfaces whose IP addresses match the OSPF network address space. For more information, see Specifying OSPF networks on page 344.
  Create New: Add a network to the AS, specify its area ID, and add the definition to the Networks list.
  IP/Netmask: The IP addresses and network masks of networks in the AS on which OSPF runs. The FortiGate unit may have physical or VLAN interfaces connected to the network.
  Area: The area IDs that have been assigned to the OSPF network address space.
Interfaces: Any additional settings needed to adjust OSPF operation on a FortiGate interface. For more information, see Selecting operating parameters for an OSPF interface on page 344.
  Create New: Create additional/different OSPF operating parameters for a unit interface and add the configuration to the Interfaces list.
  Name: The names of OSPF interface definitions.
  Interface: The names of FortiGate physical or VLAN interfaces having OSPF settings that differ from the default values assigned to all other interfaces in the same area.
  IP: The IP addresses of the OSPF-enabled interfaces having additional/different settings.
  Authentication: The methods for authenticating LSA exchanges sent and received on specific OSPF-enabled interfaces. These settings override the area Authentication settings.
Delete icon, Edit icon: Delete or edit an OSPF area entry, network entry, or interface definition. Icons are visible only when there are entries in the Areas, Networks, and Interfaces sections.
Router ID: Enter a unique router ID to identify the FortiGate unit to other OSPF routers.
Default Information Originate: Generate and advertise a default (external) route to the OSPF AS. You may base the generated route on routes learned through a dynamic routing protocol, routes in the routing table, or both.
  Disable: Prevent the generation of a default route.
  Enable: Generate a default route into the OSPF AS and advertise the route to neighboring autonomous systems only if the route is stored in the FortiGate routing table.
  Always: Generate a default route into the OSPF AS and advertise the route to neighboring autonomous systems unconditionally, even if the route is not stored in the FortiGate routing table.
Redistribute: Select one or more of the options listed to redistribute OSPF link-state advertisements about routes that were not learned through OSPF. The FortiGate unit can use OSPF to redistribute routes learned from directly connected networks, static routes, RIP, and BGP.
  Connected: Select to redistribute routes learned from directly connected networks. Enter a cost for those routes in the Metric field. The range is from 1 to 16 777 214.
  Static: Select to redistribute routes learned from static routes. Enter a cost for those routes in the Metric field. The range is from 1 to 16 777 214.
  RIP: Select to redistribute routes learned through RIP. Enter a cost for those routes in the Metric field. The range is from 1 to 16 777 214.
  BGP: Select to redistribute routes learned through BGP. Enter a cost for those routes in the Metric field. The range is from 1 to 16 777 214.
Note: You can configure additional advanced options through customizable GUI widgets, and the CLI. For example, you can filter incoming or outgoing updates by using a route map, an access list, or a prefix list. The FortiGate unit also supports offset lists, which add the specified offset to the metric of a route. For more information on customizable GUI widgets, see Customizable routing widgets on page 353. For more information on CLI routing commands, see the router chapter of the FortiGate CLI Reference.
Area: Type a 32-bit identifier for the area. The value must resemble an IP address in dotted-decimal notation. Once you have created the OSPF area, the area IP value cannot be changed; you must delete the area and restart.
Type: Select an area type to classify the characteristics of the network that will be assigned to the area:
  Regular: If the area contains more than one router, each having at least one OSPF-enabled interface to the area.
  NSSA: If you want routes to external non-OSPF domains made known to the OSPF AS and you want the area to be treated like a stub area by the rest of the AS.
  STUB: If the routers in the area must send packets to an area border router in order to reach the backbone and you do not want routes to non-OSPF domains to be advertised to the routers in the area.
Authentication: Select the method for authenticating OSPF packets sent and received through all interfaces in the area:
  None: Disable authentication.
  Text: Enable text-based password authentication to authenticate LSA exchanges using a plain-text password. The password is sent in clear text over the network.
  MD5: Enable MD5-based authentication using an MD5 cryptographic hash (RFC 1321).
If required, you can override this setting for one or more of the interfaces in the area. For more information, see Selecting operating parameters for an OSPF interface on page 344.
Note: To assign a network to the area, see Specifying OSPF networks on page 344.
IP/Netmask: Enter the IP address and network mask of the local network that you want to assign to an OSPF area.
Area: Select an area ID for the network. The attributes of the area must match the characteristics and topology of the specified network. You must define the area before you can select the area ID. For more information, see Defining OSPF areas on page 343.
You can configure different OSPF parameters for the same FortiGate interface when more than one IP address has been assigned to the interface. For example, the same FortiGate interface could be connected to two neighbors through different subnets. You could configure an OSPF interface definition containing one set of Hello and dead-interval parameters for compatibility with one neighbor's settings, and a second OSPF interface definition for the same interface to ensure compatibility with the second neighbor's settings. To select OSPF operating parameters for a FortiGate interface, go to Router > Dynamic > OSPF, and then under Interfaces, select Create New. To edit the operating parameters of an OSPF-enabled interface, go to Router > Dynamic > OSPF and select the Edit icon in the row that corresponds to the OSPF-enabled interface. Figure 184 shows the New/Edit OSPF Interface dialog box belonging to a FortiGate unit that has an interface named port1. The interface names on your FortiGate unit may differ.
Figure 184: New/Edit OSPF Interface
Name: Enter a name to identify the OSPF interface definition. For example, the name could indicate to which OSPF area the interface will be linked.
Interface: Select the name of the FortiGate interface to associate with this OSPF interface definition (for example, port1, external, or VLAN_1). The FortiGate unit can have physical, VLAN, virtual IPSec or GRE interfaces connected to the OSPF-enabled network.
IP: Enter the IP address that has been assigned to the OSPF-enabled interface. The interface becomes OSPF-enabled because its IP address matches the OSPF network address space. For example, if you defined an OSPF network of 172.20.120.0/24 and port1 has been assigned the IP address 172.20.120.140, type 172.20.120.140.
Authentication: Select an authentication method for LSA exchanges on the specified interface:
  None: Disable authentication.
  Text: Authenticate LSA exchanges using a plain-text password. The password can be up to 35 characters, and is sent in clear text over the network.
  MD5: Use one or more keys to generate an MD5 cryptographic hash.
Password: Enter the plain-text password. Enter an alphanumeric value of up to 15 characters. The OSPF neighbors that send link-state advertisements to this FortiGate interface must be configured with an identical password. This field is available only if you selected plain-text authentication.
MD5 Keys: Enter the key identifier for the (first) password in the ID field (the range is from 1 to 255) and then type the associated password in the Key field. The password is a 128-bit hash, represented by an alphanumeric string of up to 16 characters. The OSPF neighbors that send link-state advertisements to this FortiGate interface must be configured with an identical MD5 key. If the OSPF neighbor uses more than one password to generate the MD5 hash, select the Add icon to add additional MD5 keys to the list. This field is available only if you selected MD5 authentication.
Hello Interval: Optionally, set the Hello Interval to be compatible with the Hello Interval settings on all OSPF neighbors. This setting defines the period of time (in seconds) that the FortiGate unit waits between sending Hello packets through this interface.
Dead Interval: Optionally, set the Dead Interval to be compatible with the Dead Interval settings on all OSPF neighbors. This setting defines the period of time (in seconds) that the FortiGate unit waits to receive a Hello packet from an OSPF neighbor through the interface. If the FortiGate unit does not receive a Hello packet within the specified amount of time, the FortiGate unit declares the neighbor inaccessible. By convention, the Dead Interval value is usually four times greater than the Hello Interval value.
BGP
Border Gateway Protocol (BGP) is an Internet routing protocol typically used by ISPs to exchange routing information between different ISP networks. For example, BGP enables the sharing of network paths between the ISP network and an autonomous system (AS) that uses RIP, OSPF, or both to route packets within the AS. The FortiGate implementation of BGP supports BGP-4 and complies with RFC 1771 and RFC 2385.
To view and edit BGP settings, go to Router > Dynamic > BGP. The web-based manager offers a simplified user interface to configure basic BGP options. You can also configure many advanced BGP options through the CLI. For more information, see the router chapter of the FortiGate CLI Reference.
Figure 185: Basic BGP options
Local AS: Enter the number of the local AS to which the FortiGate unit belongs.
Router ID: Enter a unique router ID to identify the FortiGate unit to other BGP routers. The router ID is an IP address written in dotted-decimal format, for example 192.168.0.1. If you change the router ID while BGP is configured on an interface, all connections to BGP peers will be broken temporarily. The connections will re-establish themselves. If Router ID is not explicitly set, the highest IP address of the VDOM will be used.
Neighbors: The IP addresses and AS numbers of BGP peers in neighboring autonomous systems.
  IP: Enter the IP address of the neighbor interface to the BGP-enabled network.
  AS: Enter the number of the AS that the neighbor belongs to.
  Add/Edit: Add the neighbor information to the Neighbors list, or edit an entry in the list.
  IP (list): The IP addresses of BGP peers.
  AS (list): The numbers of the autonomous systems associated with the BGP peers.
  Delete: Delete a BGP neighbor entry.
Networks: The IP addresses and network masks of networks to advertise to BGP peers. The FortiGate unit may have a physical or VLAN interface connected to those networks.
  IP/Netmask: Enter the IP address and netmask of the network to be advertised.
  Add: Add the network information to the Networks list.
  IP/Netmask (list): The IP addresses and network masks of major networks that are advertised to BGP peers.
  Delete: Delete a BGP network definition.
Note: The get router info bgp CLI command provides detailed information about configured BGP settings. For a complete list of the command options, see the router chapter of the FortiGate CLI Reference.
Multicast
A FortiGate unit can operate as a Protocol Independent Multicast (PIM) version 2 router in the root virtual domain. FortiGate units support PIM sparse mode (RFC 2362) and PIM dense mode (RFC 3973) and can service multicast servers or receivers on the network segment to which a FortiGate interface is connected.
A PIM domain is a logical area comprising a number of contiguous networks. The domain contains at least one Boot Strap Router (BSR). If sparse mode is enabled, the domain also contains a number of Rendezvous Points (RPs) and Designated Routers (DRs). When you enable PIM on a FortiGate unit, the FortiGate unit can perform any of these functions at any time as configured. If required for sparse mode operation, you can define static RPs.
Note: You can configure basic options through the web-based manager. Many additional options are available, but only through the CLI. For complete descriptions and examples of how to use CLI commands to configure PIM settings, see multicast in the router chapter of the FortiGate CLI Reference.
Note: For more information about FortiGate multicast support, see the FortiGate Multicast Technical Note or the FortiGate Routing Guide.
Enable Multicast Routing: Select to enable PIM version 2 routing. A firewall policy must be created on PIM-enabled interfaces to pass encapsulated packets and decapsulated data between the source and destination.
Add Static RP: If required for sparse mode operation, enter the IP address of a Rendezvous Point (RP) that may be used as the root of a packet distribution tree for a multicast group. Join messages from the multicast group are sent to the RP, and data from the source is sent to the RP. If an RP for the specified IP's multicast group is already known to the Boot Strap Router (BSR), the RP known to the BSR is used and the static RP address that you specify is ignored.
Apply: Save the specified static RP addresses.
Create New: Create a new multicast entry for an interface. You can use the new entry to fine-tune PIM operation on a specific FortiGate interface or override the global PIM settings on a particular interface. For more information, see Overriding the multicast settings on an interface on page 350.
Interface: The names of FortiGate interfaces having specific PIM settings.
PIM Mode: The mode of PIM operation (Sparse or Dense) on that interface.
RP Candidate: The status of sparse-mode RP candidacy on the interface. To change the status of RP candidacy on an interface, select the Edit icon in the row that corresponds to the interface.
RP Candidate Priority: The priority number assigned to RP candidacy on that interface. Available only when RP candidacy is enabled.
DR Priority: The priority number assigned to Designated Router (DR) candidacy on the interface. Available only when sparse mode is enabled.
Delete icon, Edit icon: Delete or edit the PIM settings on the interface.
Interface: Select the name of the root VDOM FortiGate interface to which these settings apply. The interface must be connected to a PIM version 2 enabled network segment.
PIM Mode: Select the mode of operation: Sparse Mode or Dense Mode. All PIM routers connected to the same network segment must be running the same mode of operation. If you select Sparse Mode, adjust the remaining options as described below.
DR Priority: Enter the priority number for advertising DR candidacy on the FortiGate unit's interface. The range is from 1 to 4 294 967 295. The unit compares this value to the DR priorities advertised by all other PIM routers on the same network segment, and selects the router having the highest DR priority to be the DR.
RP Candidate: Enable RP candidacy on the interface.
RP Candidate Priority: Enter the priority number for advertising RP candidacy on the FortiGate interface. The range is from 1 to 255.
Configuring BFD
BFD is intended for networks that use BGP or OSPF routing protocols. This generally excludes smaller networks. BFD configuration on your FortiGate unit is very flexible. You can enable BFD for the whole unit, and turn it off for one or two interfaces. Alternatively, you can specifically enable BFD for each neighbor router or interface. Which method you choose will be determined by the amount of configuring required for your network.

The timeout period determines how long the unit waits before labeling a connection as down. The length of the timeout period is important: if it is too short, connections will be labeled down prematurely, and if it is too long, time will be wasted waiting for a reply from a connection that is down. There is no easy number, as it varies for each network and unit. High-end FortiGate models will respond very quickly unless loaded down with traffic. Also, the size of the network will slow down the response time: packets need to make more hops than on a smaller network. Those two factors (CPU load and network traversal time) affect how long the timeout you select should be. With too short a timeout period, BFD will not connect to the network device but it will keep trying. This state generates unnecessary network traffic, and leaves the device unmonitored. If this happens, you should try setting a longer timeout period to allow BFD more time to discover the device on the network.
Configuring BFD on your FortiGate unit

For this example, BFD is enabled on the FortiGate unit using the default values. This means that once a connection is established, your unit will wait for up to 150 milliseconds for a reply from a BFD router before declaring that router down and rerouting traffic: a 50 millisecond minimum transmit interval multiplied by a detection multiplier of 3. The port that BFD traffic originates from will be checked for security purposes, as indicated by disabling bfd-dont-enforce-src-port.

config system settings
    set bfd enable
    set bfd-desired-min-tx 50
    set bfd-required-min-rx 50
    set bfd-detect-mult 3
    set bfd-dont-enforce-src-port disable
end

Note: The minimum receive interval (bfd-required-min-rx) and the detection multiplier (bfd-detect-mult) combine to determine how long a period your unit will wait for a reply before declaring the neighbor down. The correct value for your situation will vary based on the size of your network and the speed of your unit's CPU. The numbers used in this example may not work for your network.
Disabling BFD for a specific interface

The previous example enables BFD for your entire FortiGate unit. If an interface is not connected to any BFD-enabled routers, you can reduce network traffic by disabling BFD for that interface. For this example, BFD is disabled for the internal interface using CLI commands.

config system interface
    edit <interface>
        set bfd disable
end

Configuring BFD on BGP

Configuring BFD on a BGP network involves only one step: enable BFD globally and then disable it for each neighbor that is running the protocol.

config system settings
    set bfd enable
end
config router bgp
    config neighbor
        edit <ip_address>
            set bfd disable
    end
end
Configuring BFD on OSPF

Configuring BFD on an OSPF network is very much like enabling BFD on your unit: you can enable it globally for OSPF, and you can override the global settings at the interface level.

To enable BFD on OSPF:

config router ospf
    set bfd enable
end

To override BFD on an interface:

config router ospf
    config ospf-interface
        edit <interface_name>
            set bfd disable
    end
end
Access List
Access lists are filters used by FortiGate unit routing processes to limit access to the network based on IP addresses. For an access list to take effect, it must be called by a FortiGate unit routing process (for example, a process that supports RIP or OSPF). The offset list is part of the RIP and OSPF routing protocols. For more information about RIP, see RIP on page 334. For more information about OSPF, see OSPF on page 338. Each rule in an access list consists of a prefix (IP address and netmask), the action to take for this prefix (permit or deny), and whether to match the prefix exactly or to match the prefix and any more specific prefix.
Note: If you are setting a prefix of 128.0.0.0, use the format 128.0.0.0/1. The default route, 0.0.0.0/0, cannot be exactly matched with an access list. A prefix list must be used for this purpose. For more information, see Prefix List on page 356.
The FortiGate unit attempts to match a packet against the rules in an access list starting at the top of the list. If it finds a match for the prefix, it takes the action specified for that prefix. If no match is found the default action is deny.
Figure 188: Access List GUI widget
Access-list Name: Enter the name of a new access list. Select Add to save the new access list.
Name: The name of the access list.
Action: The action to take when the prefix of this access list is matched. Actions can be either permit or deny.
Prefix: The IP address prefix for this access list. When this prefix is matched, the action is taken. The prefix can match any address, or a specific address.
Delete Icon: Select to remove this access list.
Add Icon: Select to add a rule to this access list. Rules include actions and prefixes. Rules are processed from lowest to highest number.
For more information on access list, see the router chapter of the FortiGate CLI Reference.
Distribute List
The distribute list is a subcommand of OSPF. It filters the networks in routing updates using an access or prefix list. Routes not matched by any of the distribution lists will not be advertised. The offset list is part of the RIP and OSPF routing protocols. For more information about OSPF, see OSPF on page 338.
Note: You must configure the access list that you want the distribution list to use before you configure the distribution list. To configure an access list, see Access List on page 353.
Figure 189: Distribute List GUI widget
Create New: Select to create a new distribute list. This includes setting the direction, selecting either the prefix-list or access-list, and the interface.
Direction: The name of the access list.
Filter: The prefix-list or access-list to apply to this interface.
Interface: The interface to apply the filter on.
Enable: A green check indicates this distribute list is enabled.
Delete Icon: Select to remove a distribution list rule.
Edit Icon: Select to change the direction, filter, or interface of the distribute list.
For more information on the distribute list, see the router chapter of the FortiGate CLI Reference.
Key Chain
A key chain is a list of one or more keys and the send and receive lifetimes for each key. Keys are used for authenticating routing packets only during the specified lifetimes. The FortiGate unit migrates from one key to the next according to the scheduled send and receive lifetimes. The sending and receiving routers should have their system dates and times synchronized, but overlapping the key lifetimes ensures that a key is always available even if there is some difference in the system times. RIP version 2 uses authentication keys to ensure that the routing information exchanged between routers is reliable. For authentication to work both the sending and receiving routers must be set to use authentication, and must be configured with the same keys. The offset list is part of the RIP and OSPF routing protocols. For more information about RIP, see RIP on page 334.
Figure 190: Key Chain GUI widget
Key-chain Name: Enter the name for a new key-chain. Select Add to save the new key-chain.
Name: The name of the key-chain, or the number of the key on that chain.
Accept Lifetime: The start and end time that this key can accept routing packets.
  Start: The start time for this key. The format is H:M:S M/D/YYYY.
  End: The end time for this key. The end can be infinite, a set duration in seconds, or a set time as with the start time.
Send Lifetime: The start and end time that this key can send routing packets.
  Start: The start time for this key. The format is H:M:S M/D/YYYY.
  End: The end time for this key. The end can be infinite, a set duration in seconds, or a set time as with the start time.
Delete Icon: Select to remove a key or key-chain.
Add Icon: Select to add keys to the key-chain.
Edit Icon: Select to edit an existing key.
For more information on key-chains, see the router chapter of the FortiGate CLI Reference.
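How the send and accept lifetimes described above interact, as an added example that is not Fortinet's code: it parses the guide's H:M:S M/D/YYYY format, resolves an end given as infinite, a duration in seconds, or an absolute time, and shows why overlapping accept lifetimes survive a clock difference between the two routers. Choosing the lowest-numbered key whose send lifetime is current, and the key names and times, are assumptions of this example.

```python
# Added example, not Fortinet's code: a model of key-chain lifetimes.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Union

TIME_FMT = "%H:%M:%S %m/%d/%Y"   # the guide's H:M:S M/D/YYYY
INFINITE = datetime.max


def parse_time(text: str) -> datetime:
    return datetime.strptime(text, TIME_FMT)


def resolve_end(start: datetime, end: Union[str, int]) -> datetime:
    """End of a lifetime: "infinite", a duration in seconds, or an absolute time."""
    if end == "infinite":
        return INFINITE
    if isinstance(end, int):
        return start + timedelta(seconds=end)
    return parse_time(end)


@dataclass
class Lifetime:
    start: datetime
    end: datetime

    def contains(self, t: datetime) -> bool:
        return self.start <= t <= self.end


@dataclass
class Key:
    key_id: int
    secret: str          # constructed placeholder, never a real password
    accept: Lifetime     # when packets signed with this key are accepted
    send: Lifetime       # when this key may be used to sign sent packets


def make_key(key_id: int, secret: str, accept_start: str, accept_end,
             send_start: str, send_end) -> Key:
    a0, s0 = parse_time(accept_start), parse_time(send_start)
    return Key(key_id, secret,
               Lifetime(a0, resolve_end(a0, accept_end)),
               Lifetime(s0, resolve_end(s0, send_end)))


def send_key(chain: List[Key], now: datetime) -> Optional[Key]:
    """Key used to sign outgoing updates. This example assumes the
    lowest-numbered key whose send lifetime covers 'now' is chosen."""
    for key in sorted(chain, key=lambda k: k.key_id):
        if key.send.contains(now):
            return key
    return None


def accept_keys(chain: List[Key], now: datetime) -> List[int]:
    """IDs of every key whose accept lifetime covers 'now'."""
    return [k.key_id for k in chain if k.accept.contains(now)]


def update_accepted(chain: List[Key], sender_now: datetime,
                    receiver_skew: timedelta) -> bool:
    """Both routers use the same chain. Would the receiver, whose clock is
    off by receiver_skew, accept the key the sender picks at sender_now?"""
    used = send_key(chain, sender_now)
    if used is None:
        return False
    return used.key_id in accept_keys(chain, sender_now + receiver_skew)


# Constructed chains. OVERLAPPING keeps accepting key 1 for an hour after the
# rollover to key 2 and accepts key 2 an hour early; TIGHT has no overlap.
OVERLAPPING = [
    make_key(1, "old-secret", "00:00:00 1/1/2009", "01:00:00 1/2/2009",
             "00:00:00 1/1/2009", "00:00:00 1/2/2009"),
    make_key(2, "new-secret", "23:00:00 1/1/2009", "infinite",
             "00:00:00 1/2/2009", "infinite"),
]
TIGHT = [
    make_key(1, "old-secret", "00:00:00 1/1/2009", 86400,   # 86400 s: one day
             "00:00:00 1/1/2009", 86400),
    make_key(2, "new-secret", "00:00:00 1/2/2009", "infinite",
             "00:00:00 1/2/2009", "infinite"),
]
SWITCH = parse_time("00:01:00 1/2/2009")   # one minute after the rollover

if __name__ == "__main__":
    behind = timedelta(minutes=-2)          # receiver clock two minutes slow
    print("overlapping chain accepts:", update_accepted(OVERLAPPING, SWITCH, behind))
    print("tight chain accepts:", update_accepted(TIGHT, SWITCH, behind))
```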
Offset List
Use the offset list to add an offset to the metric (hop count) of the routes that the list matches. The offset list is part of the RIP and OSPF routing protocols. For more information about RIP, see RIP on page 334. For more information about OSPF, see OSPF on page 338.
Figure 191: Offset List GUI widget
Create New: Select to add a new offset to the list.
Direction: The direction can be In or Out.
Access-list: The access-list to use to match the traffic.
Offset: The adjustment to the hop count metric.
Interface: The interface this offset list applies to.
Delete Icon: Select to remove an offset entry.
Edit Icon: Select to edit an existing offset entry.
For more information on the offset list, see the router chapter of the FortiGate CLI Reference.
Prefix List
A prefix list is an enhanced version of an access list that allows you to control the length of the prefix netmask. Each rule in a prefix list consists of a prefix (IP address and netmask), the action to take for this prefix (permit or deny), and maximum and minimum prefix length settings. The FortiGate unit attempts to match a packet against the rules in a prefix list starting at the top of the list. If it finds a match for the prefix, it takes the action specified for that prefix. If no match is found, the default action is deny. A prefix list should be used to match the default route 0.0.0.0/0. For a prefix list to take effect, it must be called by another FortiGate unit routing feature such as RIP or OSPF. For more information about RIP, see RIP on page 334. For more information about OSPF, see OSPF on page 338.
Figure 192: Prefix List GUI widget
Prefix-list: Enter the name of a new prefix-list. Select Add to save the new prefix list entry.
Name: The name of the prefix list, or the number of the prefix entry.
Action: The action of the prefix entry. Actions can be permit or deny.
Prefix: The IP address and netmask associated with this prefix. Optionally this can be set to match any address.
GE: The minimum number of bits to match in the address. A route matches only if its prefix length is this number or greater.
LE: The maximum number of bits to match in the address. A route matches only if its prefix length is this number or less.
Delete Icon: Select to remove a prefix entry or list.
Add Icon: Select to add a prefix entry to a list.
Edit Icon: Select to edit an existing prefix entry.
For more information on the prefix list, see the router chapter of the FortiGate CLI Reference.
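Top-down prefix-list evaluation with GE and LE bounds and the implicit deny, as an added example (not FortiGate code). The rules below are constructed: an exact match for the default route 0.0.0.0/0, a permit for aggregated 10.0.0.0/8 prefixes between /16 and /24, and a deny for anything in 10.0.0.0/8 more specific than /24; the convention that a rule with neither GE nor LE matches only the rule prefix's exact length is an assumption of this example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PrefixRule:
    prefix: Optional[IPv4Network]   # None means "match any address"
    action: str                     # "permit" or "deny"
    ge: Optional[int] = None        # minimum prefix length, or None
    le: Optional[int] = None        # maximum prefix length, or None

    def __post_init__(self) -> None:
        if self.action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if self.ge is not None and self.le is not None and self.ge > self.le:
            raise ValueError("GE must not exceed LE")


def length_bounds(rule: PrefixRule) -> Tuple[int, int]:
    """Range of route prefix lengths the rule accepts.
    Assumption: with neither GE nor LE the route must have exactly the rule
    prefix's length; an "any" rule without bounds accepts every length."""
    if rule.prefix is None:
        base_lo, base_hi = 0, 32
    else:
        base_lo = base_hi = rule.prefix.prefixlen
    lo = rule.ge if rule.ge is not None else base_lo
    if rule.le is not None:
        hi = rule.le
    elif rule.ge is not None:
        hi = 32
    else:
        hi = base_hi
    return lo, hi


def rule_matches(rule: PrefixRule, route: IPv4Network) -> bool:
    """The route must lie inside the rule prefix and satisfy the length bounds."""
    if rule.prefix is not None and not route.subnet_of(rule.prefix):
        return False
    lo, hi = length_bounds(rule)
    return lo <= route.prefixlen <= hi


def evaluate(rules: List[PrefixRule], route_text: str) -> Tuple[str, Optional[int]]:
    """Walk the list from the top; the first matching rule decides.
    Returns (action, index of the matching rule) or ("deny", None) for the
    implicit deny when nothing matches."""
    route = IPv4Network(route_text)
    for index, rule in enumerate(rules):
        if rule_matches(rule, route):
            return rule.action, index
    return "deny", None


# Constructed sample prefix list.
EXAMPLE_RULES = [
    PrefixRule(IPv4Network("0.0.0.0/0"), "permit"),              # default route only
    PrefixRule(IPv4Network("10.0.0.0/8"), "permit", ge=16, le=24),  # internal aggregates
    PrefixRule(IPv4Network("10.0.0.0/8"), "deny", ge=25),        # no host-ish routes
]

if __name__ == "__main__":
    for candidate in ("0.0.0.0/0", "10.1.0.0/16", "10.1.2.0/24",
                      "10.1.2.0/25", "10.0.0.0/8", "172.16.0.0/12"):
        print(candidate, "->", evaluate(EXAMPLE_RULES, candidate))
```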
Route Map
Route maps provide a way for the FortiGate unit to evaluate optimum routes for forwarding packets or suppressing the routing of packets to particular destinations using the BGP routing protocol. Compared to access lists, route maps support enhanced packet-matching criteria. In addition, route maps can be configured to permit or deny the addition of routes to the FortiGate unit routing table and make changes to routing information dynamically as defined through route-map rules.
The FortiGate unit compares the rules in a route map to the attributes of a route. The rules are examined in ascending order until one or more of the rules in the route map are found to match one or more of the route attributes:
• When a single matching match-* rule is found, changes to the routing information are made as defined through the rule's set-ip-nexthop, set-metric, set-metric-type, and/or set-tag settings. If no matching rule is found, no changes are made to the routing information.
• When more than one match-* rule is defined, all of the defined match-* rules must evaluate to TRUE or the routing information is not changed.
• If no match-* rules are defined, the FortiGate unit makes changes to the routing information only when all of the default match-* rules happen to match the attributes of the route.
The default rule in the route map (which the FortiGate unit applies last) denies all routes. For a route map to take effect, it must be called by a FortiGate unit routing process.
Figure 193: Route Map GUI widget
Enter the name of a new route-map. Select Add to save the new route-map. The name of the route map, or the number of the prefix entry. The action of the route map. Actions can be permit or deny. The rules include the criteria to match and a value to set. The criteria to match can be an interface, an address from an access or prefix list, the next-hop to match from an access or prefix list, a metric, or other information. The value to set can be the next-hop IP address, the metric, the metric type, and a tag number. Select to remove a route map or entry. Select to add a route map entry to a route map. Select to edit an existing route map entry.
For more information on the route map, see the router chapter of the FortiGate CLI Reference.
Router Monitor
This section explains how to interpret the Routing Monitor list. The list displays the entries in the FortiGate routing table. If you enable virtual domains (VDOMs) on the FortiGate unit, router monitoring is available separately for each virtual domain. For more information, see Using virtual domains on page 125.
This section describes:
• Viewing routing information
• Searching the FortiGate routing table
IP version: Select IPv4 or IPv6 routes. Fields displayed vary depending on which IP version is selected. Displayed only if IPv6 display is enabled on the web-based manager.
Type: Select one of the following route types to search the routing table and display routes of the selected type only:
• All: all routes recorded in the routing table.
• Connected: all routes associated with direct connections to FortiGate interfaces.
• Static: the static routes that have been added to the routing table manually. For more information see Static Route on page 316.
• RIP: all routes learned through RIP. For more information see RIP on page 334.
• OSPF: all routes learned through OSPF. For more information see OSPF on page 338.
• BGP: all routes learned through BGP. For more information see BGP on page 346.
• HA: RIP, OSPF, and BGP routes synchronized between the primary unit and the subordinate units of a high availability (HA) cluster. HA routes are maintained on subordinate units and are visible only if you are viewing the router monitor from a virtual domain that is configured as a subordinate virtual domain in a virtual cluster. Not displayed when IP version IPv6 is selected. For details about HA routing synchronization, see the FortiGate HA User Guide.
Network: Enter an IP address and netmask (for example, 172.16.14.0/24) to search the routing table and display routes that match the specified network. Not displayed when IP version IPv6 is selected.
Gateway: Enter an IP address and netmask (for example, 192.168.12.1/32) to search the routing table and display routes that match the specified gateway. Not displayed when IP version IPv6 is selected.
Apply Filter: Select to search the entries in the routing table based on the specified search criteria and display any matching routes. Not displayed when IP version IPv6 is selected.
Type: The type values assigned to FortiGate routes (Static, Connected, RIP, OSPF, or BGP). Not displayed when IP version IPv6 is selected.
Subtype: If applicable, the subtype classification assigned to OSPF routes. An empty string implies an intra-area route: the destination is in an area to which the FortiGate unit is connected.
• OSPF inter area: the destination is in the OSPF AS, but the FortiGate unit is not connected to that area.
• External 1: the destination is outside the OSPF AS. The metric of a redistributed route is calculated by adding the external cost and the OSPF cost together.
• External 2: the destination is outside the OSPF AS. In this case, the metric of the redistributed route is equivalent to the external cost only, expressed as an OSPF cost.
• OSPF NSSA 1: same as External 1, but the route was received through a not-so-stubby area (NSSA).
• OSPF NSSA 2: same as External 2, but the route was received through a not-so-stubby area.
Not displayed when IP version IPv6 is selected.
Network: The IP addresses and network masks of destination networks that the FortiGate unit can reach.
Distance: The administrative distance associated with the route. A value of 0 means the route is preferable compared to routes to the same destination. To modify the administrative distance assigned to static routes, see Adding a static route to the routing table on page 320. To modify this distance for dynamic routes, see the FortiGate CLI Reference.
Metric: The metric associated with the route type. The metric of a route influences how the FortiGate unit dynamically adds it to the routing table. The following are types of metrics and the protocols they are applied to:
• Hop count: routes learned through RIP.
• Relative cost: routes learned through OSPF.
• Multi-Exit Discriminator (MED): routes learned through BGP. However, several attributes in addition to MED determine the best path to a destination network.
The IP addresses of gateways to the destination networks. The interface through which packets are forwarded to the gateway of the destination network. The total accumulated amount of time that a route learned through RIP, OSPF, or BGP has been reachable. Not displayed when IP version IPv6 is selected.
Firewall Policy
Firewall policies control all traffic attempting to pass through the FortiGate unit, between FortiGate interfaces, zones, and VLAN subinterfaces. Firewall policies are instructions the FortiGate unit uses to decide connection acceptance and packet processing for traffic attempting to pass through. When the firewall receives a connection packet, it analyzes the packet's source address, destination address, and service (by port number), and attempts to locate a firewall policy matching the packet.
Firewall policies can contain many instructions for the FortiGate unit to follow when it receives matching packets. Some instructions are required, such as whether to drop or accept and process the packets, while other instructions, such as logging and authentication, are optional. Policy instructions may include network address translation (NAT), or port address translation (PAT), by using virtual IPs or IP pools to translate source and destination IP addresses and port numbers. For details on using virtual IPs and IP pools, see Firewall Virtual IP on page 421. Policy instructions may also include protection profiles, which can specify application-layer inspection and other protocol-specific protection and logging. For details on using protection profiles, see Firewall Protection Profile on page 467.
If you enable virtual domains (VDOMs) on the FortiGate unit, firewall policies are configured separately for each virtual domain, and you must first enter the virtual domain to configure its firewall policies. For details, see Using virtual domains on page 125.
This section describes:
• How list order affects policy matching
• Multicast policies
• Viewing the firewall policy list
• Configuring firewall policies
• Using DoS policies to detect and prevent attacks
• Using one-arm sniffer policies to detect network attacks
• How FortiOS selects unused NAT ports
• Firewall policy examples
If no policy matches, the connection is dropped. As a general rule, you should order the firewall policy list from most specific to most general because of the order in which policies are evaluated for a match, and because only the first matching firewall policy is applied to a connection. Subsequent possible matches are not considered or applied. Ordering policies from most specific to most general prevents policies that match a wide range of traffic from superseding and effectively masking policies that match exceptions. For example, you might have a general policy that allows all connections from the internal network to the Internet, but want to make an exception that blocks FTP. In this case, you would add a policy that denies FTP connections above the general policy.
Figure 196: Example: Blocking FTP, correct policy order (the figure shows the Exception policy above the General policy)
FTP connections would immediately match the deny policy, blocking the connection. Other kinds of services do not match the FTP policy, and so policy evaluation would continue until reaching the matching general policy. This policy order has the intended effect. But if you reversed the order of the two policies, positioning the general policy before the policy to block FTP, all connections, including FTP, would immediately match the general policy, and the policy to block FTP would never be applied. This policy order would not have the intended effect.
Figure 197: Example: Blocking FTP, incorrect policy order (the figure shows the General policy above the Exception policy)
Similarly, if specific traffic requires authentication, IPSec VPN, or SSL VPN, you would position those policies above other potential matches in the policy list. Otherwise, the other matching policies could always take precedence, and the required authentication, IPSec VPN, or SSL VPN might never occur.
Note: A default firewall policy may exist which accepts all connections. You can move, disable or delete it. If you move the default policy to the bottom of the firewall policy list and no other policy matches the packet, the connection will be accepted. If you disable or delete the default policy and no other policy matches the packet, the connection will be dropped.
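First-match policy evaluation with the FTP exception from the figures above, as an added example (not FortiOS code). It decides a session against both orderings, drops sessions that match nothing, and adds a check a reviewer would want: listing policies that an earlier, broader policy shadows so they can never match. Interface names, addresses and policy IDs are constructed sample values; the matching fields are reduced to interface, address and service.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    policy_id: int
    src_intf: str    # interface name, or "any"
    dst_intf: str
    src_addr: str    # CIDR network, or "all"
    dst_addr: str
    service: str     # service name such as "FTP", or "ALL"
    action: str      # "ACCEPT" or "DENY"


@dataclass(frozen=True)
class Session:
    src_intf: str
    dst_intf: str
    src_ip: str
    dst_ip: str
    service: str


def intf_match(spec: str, intf: str) -> bool:
    return spec == "any" or spec == intf


def addr_match(spec: str, ip: str) -> bool:
    return spec == "all" or ip_address(ip) in ip_network(spec)


def service_match(spec: str, service: str) -> bool:
    return spec == "ALL" or spec == service


def policy_matches(p: Policy, s: Session) -> bool:
    return (intf_match(p.src_intf, s.src_intf) and intf_match(p.dst_intf, s.dst_intf)
            and addr_match(p.src_addr, s.src_ip) and addr_match(p.dst_addr, s.dst_ip)
            and service_match(p.service, s.service))


def first_match(policies: List[Policy], session: Session) -> Optional[Policy]:
    """Top-down evaluation: the first matching policy wins, later ones are ignored."""
    for p in policies:
        if policy_matches(p, session):
            return p
    return None


def decide(policies: List[Policy], session: Session) -> str:
    p = first_match(policies, session)
    return p.action if p is not None else "DENY"  # no match: connection dropped


def covers(a: Policy, b: Policy) -> bool:
    """True when every session that b could match is also matched by a."""
    def intf(x: str, y: str) -> bool:
        return x == "any" or x == y

    def addr(x: str, y: str) -> bool:
        return x == "all" or (y != "all" and ip_network(y).subnet_of(ip_network(x)))

    def svc(x: str, y: str) -> bool:
        return x == "ALL" or x == y

    return (intf(a.src_intf, b.src_intf) and intf(a.dst_intf, b.dst_intf)
            and addr(a.src_addr, b.src_addr) and addr(a.dst_addr, b.dst_addr)
            and svc(a.service, b.service))


def shadowed_policy_ids(policies: List[Policy]) -> List[int]:
    """IDs of policies that can never match because an earlier policy covers them."""
    return [later.policy_id for i, later in enumerate(policies)
            if any(covers(earlier, later) for earlier in policies[:i])]


# Constructed policies reproducing the FTP example: a general allow-all and an FTP deny.
GENERAL = Policy(1, "internal", "wan1", "10.0.0.0/8", "all", "ALL", "ACCEPT")
BLOCK_FTP = Policy(2, "internal", "wan1", "10.0.0.0/8", "all", "FTP", "DENY")
CORRECT_ORDER = [BLOCK_FTP, GENERAL]     # exception above general
INCORRECT_ORDER = [GENERAL, BLOCK_FTP]   # general masks the exception

FTP_SESSION = Session("internal", "wan1", "10.1.1.5", "203.0.113.10", "FTP")
HTTP_SESSION = Session("internal", "wan1", "10.1.1.5", "203.0.113.10", "HTTP")

if __name__ == "__main__":
    print("correct order, FTP:  ", decide(CORRECT_ORDER, FTP_SESSION))      # DENY
    print("incorrect order, FTP:", decide(INCORRECT_ORDER, FTP_SESSION))    # ACCEPT
    print("shadowed:", shadowed_policy_ids(INCORRECT_ORDER))                # [2]
```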
To move a policy in the policy list
1 Go to Firewall > Policy. Or go to Firewall > Policy > DoS Policy. Or go to Firewall > Policy > Sniffer Policy. Or go to Firewall > Policy > Policy6.
2 In the firewall policy list, note the ID of a firewall policy that is before or after your intended destination.
3 In the row corresponding to the firewall policy that you want to move, select the Move To icon.
4 Select Before or After, and enter the ID of the firewall policy that is before or after your intended destination. This specifies the policy's new position in the firewall policy list.
5 Select OK.
Multicast policies
FortiGate units support multicast policies. You can configure and create multicast policies using the following CLI command:
config firewall multicast-policy
For more information, see the FortiOS CLI Reference and the FortiGate Multicast Technical Note.
FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20091022 http://docs.fortinet.com/ Feedback
Create New: Add a new firewall policy. Select the down arrow beside Create New to add a new section to the list to visually group the policies. For security purposes, selecting Create New adds the new policy to the bottom of the list. Once the policy is added to the list you can use the Move To icon to move the policy to the required position in the list. You can also use the Insert Policy before icon to add a new policy above another policy in the list. See How list order affects policy matching on page 363.
Column Settings: Customize the table view. You can select the columns to hide or display and specify the column displaying order in the table. For more information, see Using column settings to control the columns displayed on page 61 and Web-based manager icons on page 63.
Section View: Select to display firewall policies organized by source and destination interfaces. Note: Section View is not available if any policy selects Any as the source or destination interface.
Global View: Select to list all firewall policies in order according to a sequence number.
Filter icons: Edit the column filters to filter or sort the policy list according to the criteria you specify. For more information, see Adding filters to web-based manager lists on page 57.
ID: The policy identifier. Policies are numbered in the order they are added to the policy list.
From: The source interface of the policy. Global view only.
To: The destination interface of the policy. Global view only.
Source: The source address or address group to which the policy applies. For more information, see Firewall Address on page 395.
Destination: The destination address or address group to which the policy applies. For more information, see Firewall Address on page 395.
Schedule: The schedule that controls when the policy should be active. For more information, see Firewall Schedule on page 411.
Service: The service to which the policy applies. For more information, see Firewall Service on page 401.
Profile: The protection profile that is associated with the policy.
Action: The response to make when the policy matches a connection attempt.
Status: Select the checkbox to enable a policy or deselect it to disable a policy. See Enabling and disabling policies on page 365.
From: The source interface.
To: The destination interface.
VPN Tunnel: The VPN tunnel the VPN policy uses.
Authentication: The user authentication method the policy uses.
Comments: Comments entered when creating or editing the policy.
Log: A green check mark indicates traffic logging is enabled for the policy; a grey cross mark indicates traffic logging is disabled for the policy.
Count: The FortiGate unit counts the number of packets and bytes that hit the firewall policy. For example, 5/50B means that five packets and 50 bytes in total have hit the policy. The counter is reset when the FortiGate unit is restarted or the policy is deleted and re-configured.
Delete icon: Delete the policy from the list.
Edit icon: Edit a policy.
Insert Policy Before icon: Add a new policy above the corresponding policy. Use this option to simplify policy ordering. See How list order affects policy matching on page 363.
Move To icon: Move the corresponding policy before or after another policy in the list. For more information, see Moving a policy to a different position in the policy list on page 364.
• Destination Address
• Schedule and time of the session's initiation
• Service and the packet's port numbers
If the initial packet matches the firewall policy, the FortiGate unit performs the configured Action and any other configured options on all packets in the session. Packet handling actions can be ACCEPT, DENY, IPSEC or SSL-VPN.
• ACCEPT policy actions permit communication sessions, and may optionally include other packet processing instructions, such as requiring authentication to use the policy, or specifying a protection profile to apply features such as virus scanning to packets in the session. An ACCEPT policy can also apply interface-mode IPSec VPN traffic if either the selected source or destination interface is an IPSec virtual interface. For more information, see Overview of IPSec VPN configuration on page 603.
• DENY policy actions block communication sessions, and may optionally log the denied traffic.
• IPSEC and SSL-VPN policy actions apply a tunnel mode IPSec VPN or SSL VPN tunnel, respectively, and may optionally apply NAT and allow traffic for one or both directions. If permitted by the firewall encryption policy, a tunnel may be initiated automatically whenever a packet matching the policy arrives on the specified network interface, destined for the local private network. For more information, see Configuring IPSec firewall policies on page 376 and Configuring SSL VPN identity-based firewall policies on page 376.
To add or edit a firewall policy, go to Firewall > Policy. Select Create New to add a policy or select the edit icon beside an existing firewall policy. Configure the settings as described in the following table and in the references to specific features for IPSec, SSL VPN and other specialized settings, and then select OK.
If you want to create a DoS policy, go to Firewall > Policy > DoS Policy, and configure the settings according to the following table. DoS policies are independent from firewall policies and are used to associate DoS sensors with traffic that reaches a FortiGate interface. DoS policies deliver packets to the IPS before they are accepted by firewall policies. This arrangement results in more effective protection from denial of service attacks and other benefits. For more information, see Using DoS policies to detect and prevent attacks on page 379.
If you want to create a Sniffer policy, go to Firewall > Policy > Sniffer Policy, and configure the settings according to the following table. For more information, see Using one-arm sniffer policies to detect network attacks on page 382.
If you want to use IPv6 firewall addresses in your firewall policy, first go to System > Admin > Settings. Select IPv6 Support on GUI. Then go to Firewall > Policy > IPv6 Policy, and configure the settings according to the following table. Configuring IPv6 policies is the same as configuring IPv4 policies. You can add a protection profile to an IPv6 firewall policy, and you can also configure shared traffic shaping and log allowed or denied traffic. You cannot create IPv6 firewall policies for IPSec or SSL VPN, and you cannot add authentication to IPv6 policies.
Firewall policy order affects policy matching. Each time that you create or edit a policy, make sure that you position it in the correct location in the list.
You can create a new policy and position it right away before an existing one in the firewall policy list, by selecting Insert Policy before (see Viewing the firewall policy list on page 366).
Note: You can configure differentiated services (DSCP) firewall policy options through the CLI. See the firewall chapter of the FortiGate CLI Reference.
Source Interface/Zone: Select the name of the FortiGate network interface, virtual domain (VDOM) link, or zone on which IP packets are received. Interfaces and zones are configured on the System Network page. For more information, see Configuring interfaces on page 145 and Configuring zones on page 170. If you select Any as the source interface, the policy matches all interfaces as source. If Action is set to IPSEC, the interface is associated with the local private network. If Action is set to SSL-VPN, the interface is associated with connections from remote SSL VPN clients.
Source Address: Select the name of a firewall address to associate with the Source Interface/Zone. Only packets whose header contains an IP address matching the selected firewall address will be subject to this policy. You can also create firewall addresses by selecting Create New from this list. For more information, see Configuring addresses on page 397. If you want to associate multiple firewall addresses or address groups with the Source Interface/Zone, from Source Address, select Multiple. In the dialog box, move the firewall addresses or address groups from the Available Addresses section to the Members section, then select OK. If Action is set to IPSEC, the address is the private IP address of the host, server, or network behind the FortiGate unit. If Action is set to SSL-VPN and the policy is for web-only mode clients, select all. If Action is set to SSL-VPN and the policy is for tunnel mode clients, select the name of the address that you reserved for tunnel mode clients.
Destination Interface/Zone: Select the name of the FortiGate network interface, virtual domain (VDOM) link, or zone to which IP packets are forwarded. Interfaces and zones are configured on the System Network page. For more information, see Configuring interfaces on page 145 and Configuring zones on page 170. If you select Any as the destination interface, the policy matches all interfaces as destination. If Action is set to IPSEC, the interface is associated with the entrance to the VPN tunnel. If Action is set to SSL-VPN, the interface is associated with the local private network.
Destination Address: Select the name of a firewall address to associate with the Destination Interface/Zone. Only packets whose header contains an IP address matching the selected firewall address will be subject to this policy. You can also create firewall addresses by selecting Create New from this list. For more information, see Configuring addresses on page 397. If you want to associate multiple firewall addresses or address groups with the Destination Interface/Zone, from Destination Address, select Multiple. In the dialog box, move the firewall addresses or address groups from the Available Addresses section to the Members section, then select OK. If you select a virtual IP, the FortiGate unit applies NAT or PAT. The applied translation varies by the settings specified in the virtual IP, and whether you select NAT (below). For more information on using virtual IPs, see Firewall Virtual IP on page 421. If Action is set to IPSEC, the address is the private IP address to which packets may be delivered at the remote end of the VPN tunnel. If Action is set to SSL-VPN, select the name of the IP address that corresponds to the host, server, or network that remote clients need to access behind the FortiGate unit.
Schedule: Select a one-time or recurring schedule or a schedule group that controls when the policy is in effect. You can also create schedules by selecting Create New from this list. For more information, see Firewall Schedule on page 411.
Service: Select the name of a firewall service or service group that packets must match to trigger this policy. You can select from a wide range of predefined firewall services, or you can create a custom service or service group by selecting Create New from this list. For more information, see Configuring custom services on page 406 and Configuring service groups on page 408. By selecting the Multiple button beside Service, you can select multiple services or service groups.
Action: Select how you want the firewall to respond when a packet matches the conditions of the policy. The options available will vary widely depending on this selection.
ACCEPT: Accept traffic matched by the policy. You can configure NAT, protection profiles, log traffic, shape traffic, set authentication options, or add a comment to the policy.
DENY: Reject traffic matched by the policy. The only other configurable policy options are Log Violation Traffic, to log the connections denied by this policy, and adding a Comment.
IPSEC: You can configure an IPSec firewall encryption policy to process IPSec VPN packets, as well as configure protection profiles, log traffic, shape traffic or add a comment to the policy. See Configuring IPSec firewall policies on page 376.
SSL-VPN: You can configure an SSL-VPN firewall encryption policy to accept SSL VPN traffic. This option is available only after you have added an SSL-VPN user group. You can also configure NAT and protection profiles, log traffic, shape traffic or add a comment to the policy. See Configuring SSL VPN identity-based firewall policies on page 376.
NAT: Available only if Action is set to ACCEPT or SSL-VPN. Enable or disable Network Address Translation (NAT) of the source address and port of packets accepted by the policy. When NAT is enabled, you can also configure Dynamic IP Pool and Fixed Port. If you select a virtual IP as the Destination Address, but do not select the NAT option, the FortiGate unit performs destination NAT (DNAT) rather than full NAT. Source NAT (SNAT) is not performed.
Dynamic IP Pool: Select the check box, then select an IP pool to translate the source address to an IP address randomly selected from addresses in the IP Pool. IP Pool cannot be selected if the destination interface, VLAN subinterface, or one of the interfaces or VLAN subinterfaces in the destination zone is configured using DHCP or PPPoE. For details, see Configuring IP pools on page 437.
Fixed Port: Select Fixed Port to prevent NAT from translating the source port. Some applications do not function correctly if the source port is translated. In most cases, if Fixed Port is selected, Dynamic IP pool is also selected. If Dynamic IP pool is not selected, a policy with Fixed Port selected can allow only one connection to that service at a time. Note: Fixed Port is only visible if enabled from the CLI.
Enable Identity Based Policy: Select to configure firewall policies that require authentication. For more information, see Adding authentication to firewall policies on page 372. This section also describes the Firewall, Directory Service (FSAE), NTLM Authentication, and Enable Disclaimer and Redirect URL to options.
Protection Profile: Select a protection profile to apply to a firewall policy. You can also create a protection profile by selecting Create New from this list. For more information, see Firewall Protection Profile on page 467. If you intend to apply authentication to this policy, do not make a Protection Profile selection. The user group you choose for authentication is already linked to a protection profile. For more information, see Adding authentication to firewall policies on page 372.
Traffic Shaping: Select a shared traffic shaper for the policy. You can also create a new shared traffic shaper. Shared traffic shapers control the bandwidth available to, and set the priority of, the traffic as it is processed by the policy. For information about configuring shared traffic shapers, see Configuring shared traffic shapers on page 417.
Reverse Direction Traffic Shaping: Select to enable reverse traffic shaping and select a shared traffic shaper. For example, if the traffic direction that a policy controls is from port1 to port2, selecting this option also applies the policy's shaping configuration to traffic from port2 to port1. For information about configuring shared traffic shapers, see Configuring shared traffic shapers on page 417.
Per-IP Traffic Shaping: Select a Per-IP traffic shaper for the policy. Per-IP traffic shaping applies traffic shaping to the traffic generated from the IP addresses added to the Per-IP traffic shaper added to the firewall policy. For information about configuring per-IP traffic shapers, see Configuring Per IP traffic shaping on page 419.
Log Allowed Traffic: Select to record messages to the traffic log whenever the policy processes a connection. You must also enable traffic log for a logging location (syslog, WebTrends, local disk if available, memory, or FortiAnalyzer) and set the logging severity level to Notification or lower using the Log and Report screen. For more information see Log&Report on page 703.
Log Violation Traffic: Available only if Action is set to DENY. Select Log Violation Traffic, for Deny policies, to record messages to the traffic log whenever the policy processes a connection. You must also enable traffic log for a logging location (syslog, WebTrends, local disk if available, memory, or FortiAnalyzer) and set the logging severity level to Notification or lower using the Log and Report screen. For more information, see Log&Report on page 703.
Enable Endpoint NAC: Select to enable the Endpoint NAC feature and select the Endpoint NAC profile to apply. For more information, see Endpoint NAC on page 687.
Notes: You cannot enable Endpoint NAC in firewall policies if Redirect HTTP Challenge to a Secure Channel (HTTPS) is enabled in User > Options > Authentication. If the firewall policy involves a load balancing virtual IP, the Endpoint NAC check is not performed.
Comments: Add information about the policy. The maximum length is 63 characters.
The authentication style depends on which of these supported protocols you have included in the selected firewall services group and which of those enabled protocols the network user applies to trigger the authentication challenge. The authentication style will be one of two types. For certificate-based (HTTPS or HTTP redirected to HTTPS only) authentication, you must install customized certificates on the FortiGate unit and on the browsers of network users, which the FortiGate unit matches. For user name and password-based (HTTP, FTP, and Telnet) authentication, the FortiGate unit prompts network users to input their firewall user name and password.
For example, if you want to require HTTPS certificate-based authentication before allowing SMTP and POP3 traffic, you must select a firewall service (in the firewall policy) that includes SMTP, POP3 and HTTPS services. Prior to using either POP3 or SMTP, the network user would send traffic using the HTTPS service, which the FortiGate unit would use to verify the network user's certificate; upon successful certificate-based authentication, the network user would then be able to access his or her email. In most cases, you should ensure that users can use DNS through the FortiGate unit without authentication. If DNS is not available, users will not be able to use a domain name when using a supported authentication protocol to trigger the FortiGate unit's authentication challenge.
Note: If you do not install certificates on the network user's web browser, the network users may see an SSL certificate warning message and have to manually accept the default FortiGate certificate, which the network user's web browser may then deem invalid. For information on installing certificates, see System Certificates on page 279.
Note: When you use certificate authentication, if you do not specify any certificate when you create a firewall policy, the FortiGate unit uses the default certificate from the global settings. If you specify a certificate, the per-policy setting overrides the global setting. For information on global authentication settings, see Options on page 667.
Authentication requires that Action is ACCEPT or SSL-VPN, and that you first create users, assign them to a firewall user group, and assign a protection profile to that user group. For information on configuring user groups, see User Group on page 658. For information on configuring authentication settings, see Configuring identity-based firewall policies on page 373 and Configuring SSL VPN identity-based firewall policies on page 376.
Select to enable identity-based policy authentication. When the Action is set to ACCEPT, you can select one or more authentication server types. When a network user attempts to authenticate, the server types selected indicate which local or remote authentication servers the FortiGate unit will consult to verify the user's credentials.
Add
Delete icon: Select to remove this identity-based policy.
Edit icon: Select to modify this identity-based policy.
Move To icon: Select to change the position of this identity-based policy in the identity-based policy list.
User Group: The selected user groups that must authenticate to be allowed to use this policy.
Service: The firewall service or service group that packets must match to trigger this policy.
Schedule: The one-time or recurring schedule that controls when the policy is in effect. You can also create schedules by selecting Create New from this list. For more information, see Firewall Schedule on page 411.
Protection Profile: The protection profile to apply to this policy. You can also create a protection profile by selecting Create New from this list. For more information, see Firewall Protection Profile on page 467.
Traffic Shaping: The traffic shaping configuration for this policy. For more information, see Firewall Policy on page 363.
Reverse Direction Traffic Shaping: Select to enable reverse traffic shaping and choose the traffic shaper. For example, if the traffic direction that a policy controls is from port1 to port2, select this option to apply traffic shaping to traffic from port2 to port1.
Log Allowed Traffic: If the Log Allowed Traffic option is selected when adding an identity-based policy, a green check mark appears. Otherwise, a white cross mark appears.
Firewall: Include firewall user groups defined locally on the FortiGate unit, as well as on any connected LDAP and RADIUS servers. This option is selected by default.
Directory Service: Include Directory Service groups defined in User > User Group. The groups are authenticated through a domain controller using Fortinet Server Authentication Extension (FSAE). If you select this option, you must install the FSAE on the Directory Service domain controller. For information about FSAE, see the Fortinet Server Authentication Extension Administration Guide. For information about configuring user groups, see User Group on page 658.
NTLM Authentication: Include Directory Service groups defined in User > User Group. If you select this option, you must use Directory Service groups as the members of the authentication group for NTLM. For information about configuring user groups, see User Group on page 658.
Certificate: Certificate-based authentication only. Note: In order to implement certificate-based authentication, you must select a firewall service group that includes one of the supported authentication protocols that use certificate-based authentication. You should also install the certificate on the network users' web browsers. For more information, see Adding authentication to firewall policies on page 372.
Select the protection profile that guest accounts will use.
Enable Disclaimer and Redirect URL: Select this option to display the Authentication Disclaimer replacement message HTML page after the user authenticates. The user must accept the disclaimer to connect to the destination. For information about customizing user authentication replacement messages, see User authentication replacement messages on page 232. You can also optionally enter an IP address or domain name to redirect user HTTP requests after accepting the authentication disclaimer. The redirect URL could be to a web page with extra information (for example, terms of usage). To prevent web browser security warnings, this should match the CN field of the specified auth-cert, which is usually a fully qualified domain name (FQDN).
To create an identity-based firewall policy (non-SSL-VPN)
1 Go to Firewall > Policy > Policy and select Create New.
2 Configure Source Interface/Zone, Source Address, Destination Interface/Zone, Destination Address, Schedule, and Service. For more information, see Configuring firewall policies on page 367.
3 In the Action field, select ACCEPT.
4 Select Enable Identity Based Policy to be able to add identity-based policies.
5 Select Add.
6 From the Available User Groups list, select one or more user groups that must authenticate to be allowed to use this policy. Select the right arrow to move the selected user groups to the Selected User Groups list.
7 Select services in the Available Services list and then select the right arrow to move them to the Selected Services list.
8 Select a Schedule.
FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20091022 http://docs.fortinet.com/ Feedback
9 Optionally, select Protection Profile and choose a protection profile.
10 Optionally, select Traffic Shaping and choose a traffic shaper.
11 If you selected Traffic Shaping, optionally select Reverse Direction Traffic Shaping and choose a traffic shaper.
12 Optionally, select Log Allowed Traffic.
13 Select OK.
VPN Tunnel: Select the VPN tunnel name defined in the phase 1 configuration. The specified tunnel will be subject to this firewall encryption policy.
Allow Inbound: Select to enable traffic from a dialup client or computers on the remote private network to initiate the tunnel.
Allow outbound: Select to enable traffic from computers on the local private network to initiate the tunnel.
Inbound NAT: Select to translate the source IP addresses of inbound decrypted packets into the IP address of the FortiGate interface to the local private network.
Outbound NAT: Select only in combination with a natip CLI value to translate the source addresses of outbound cleartext packets into the IP address that you specify. When a natip value is specified, the source addresses of outbound IP packets are replaced before the packets are sent through the tunnel. For more information, see the firewall chapter of the FortiGate CLI Reference.
Note: For a route-based (interface mode) VPN, you do not configure an IPSec firewall policy. Instead, you configure two regular ACCEPT firewall policies, one for each direction of communication, with the IPSec virtual interface as the source or destination interface as appropriate.
For more information, see the FortiGate IPSec VPN User Guide.
Source Interface/Zone: Select the name of the FortiGate network interface, virtual domain (VDOM) link, or zone on which IP packets are received.
Source Address: Select the name of a firewall address to associate with the Source Interface/Zone. Only packets whose header contains an IP address matching the selected firewall address will be subject to this policy. You can also create firewall addresses by selecting Create New from this list. For more information, see Configuring addresses on page 397. If Action is set to SSL-VPN and the policy is for web-only mode clients, select all. If Action is set to SSL-VPN and the policy is for tunnel mode clients, select the name of the address that you reserved for tunnel mode clients.
Destination Interface/Zone: Select the name of the FortiGate network interface, virtual domain (VDOM) link, or zone to which IP packets are forwarded. If Action is set to SSL-VPN, the interface is associated with the local private network.
Destination Address: Select the name of a firewall address to associate with the Destination Interface/Zone. Only packets whose header contains an IP address matching the selected firewall address will be subject to this policy. You can also create firewall addresses by selecting Create New from this list. For more information, see Configuring addresses on page 397. If you want to associate multiple firewall addresses or address groups with the Destination Interface/Zone, from Destination Address, select Multiple. In the dialog box, move the firewall addresses or address groups from the Available Addresses section to the Members section, then select OK. If you select a virtual IP, the FortiGate unit applies NAT or PAT. The applied translation varies by the settings specified in the virtual IP, and whether you select NAT (below). For more information on using virtual IPs, see Firewall Virtual IP on page 421. If Action is set to IPSEC, the address is the private IP address to which packets may be delivered at the remote end of the VPN tunnel. If Action is set to SSL-VPN, select the name of the IP address that corresponds to the host, server, or network that remote clients need to access behind the FortiGate unit.
Action: Select SSL-VPN to configure the firewall encryption policy to accept SSL VPN traffic. This option is available only after you have added an SSL-VPN user group.
SSL Client Certificate Restrictive: Allow traffic generated by holders of a (shared) group certificate. The holders of the group certificate must be members of an SSL VPN user group, and the name of that user group must be present in the Allowed field.
Cipher Strength: Select the bit level of SSL encryption. The web browser on the remote client must be capable of matching the level that you select: Any, High >= 164, or Medium >= 128.
Select the authentication server type by which the user will be authenticated:
For all of the above authentication methods. Local is attempted first, then RADIUS, then LDAP.
For a local user group that will be bound to this firewall policy.
For remote clients that will be authenticated by an external RADIUS server.
For remote clients that will be authenticated by an external LDAP server.
For remote clients that will be authenticated by an external TACACS+ server.
NAT: Enable or disable Network Address Translation (NAT) of the source address and port of packets accepted by the policy. When NAT is enabled, you can also configure Dynamic IP Pool and Fixed Port. If you select a virtual IP as the Destination Address, but do not select the NAT option, the FortiGate unit performs destination NAT (DNAT) rather than full NAT. Source NAT (SNAT) is not performed. Tip: If you select NAT, the IP address of the outgoing interface of the FortiGate unit is used as the source address for new sessions started by SSL VPN.
Fixed Port: Select Fixed Port to prevent NAT from translating the source port. Note: Fixed Port is only visible if enabled from the CLI.
Add: Select to add identity-based policies to the SSL VPN policy.
Delete icon: Select to remove this identity-based policy.
Edit icon: Select to modify this identity-based policy.
Move To icon: Select to change the position of this identity-based policy in the identity-based policy list.
User Group: The selected user groups that must authenticate to be allowed to use this policy.
Service: The firewall service or service group that packets must match to trigger this policy.
Schedule: Select a one-time or recurring schedule that controls when the policy is in effect. You can also create schedules by selecting Create New from this list. For more information, see Firewall Schedule on page 411.
Protection Profile: Select a protection profile to apply to a firewall policy. You can also create a protection profile by selecting Create New from this list. For more information, see Firewall Protection Profile on page 467.
Traffic Shaping: Select a traffic shaper for the policy. You can also select to create a new traffic shaper. Traffic Shaping controls the bandwidth available to, and sets the priority of the traffic processed by, the policy. For information about traffic shaping, see Traffic Shaping on page 415. Note: The traffic shaping option can be used to shape tunnel-mode SSL VPN traffic, but has no effect on web-mode SSL VPN traffic.
Reverse Direction Traffic Shaping: Select to enable reverse traffic shaping. For example, if the traffic direction that a policy controls is from port1 to port2, selecting this option also applies the policy's shaping configuration to traffic from port2 to port1.
Log Allowed Traffic: Select to record messages to the traffic log whenever the policy processes a connection. You must also enable traffic log for a logging location (syslog, WebTrends, local disk if available, memory, or FortiAnalyzer) and set the logging severity level to Notification or lower using the Log and Report screen. For more information see Log&Report on page 703.
Comments: Add information about the policy. The maximum length is 63 characters.
DoS policies examine network traffic very early in the sequence of protective measures the FortiGate unit deploys to protect your network. Because of this, DoS policies are a very efficient defence, using few resources. The previously mentioned denial of service would be detected and its packets dropped before requiring firewall policy look-ups, antivirus scans, and other protective but resource-intensive operations. This section provides an introduction to configuring DoS Policies. For more information see the FortiGate UTM User Guide.
Create New: Add a new DoS policy. Select the down arrow beside Create New to add a new section to the list to visually group the policies.
Customize the table view. You can select the columns to hide or display and specify the column display order in the table. See Using column settings to control the columns displayed on page 61.
Select to display firewall policies organized by interface.
Select to list all firewall policies in order according to a sequence number.
Filter: Edit the column filters to filter or sort the policy list according to the criteria you specify. For more information, see Adding filters to web-based manager lists on page 57.
Status: When selected, the DoS policy is enabled. Clear the checkbox to disable the policy. See Enabling and disabling policies on page 365.
ID: A unique identifier for each policy. Policies are numbered in the order they are created.
Source: The source address or address group to which the policy applies. For more information, see Firewall Address on page 395.
Destination: The destination address or address group to which the policy applies. For more information, see Firewall Address on page 395.
Service: The service to which the policy applies. For more information, see Firewall Service on page 401.
DoS: The DoS sensor selected in this policy.
Interface: The interface to which this policy applies.
Delete icon: Delete the policy from the list.
Edit icon: Edit the policy.
Insert Policy Before icon: Add a new policy above the corresponding policy (the New Policy screen appears).
Move To icon: Move the corresponding policy before or after another policy in the list.
Interface: The interface or zone to be monitored.
Source Address: Select an address, address range, or address group to limit traffic monitoring to network traffic sent from the specified address or range. Select Multiple to include multiple addresses or ranges. You can also select Create New to add a new address or address group.
Destination Address: Select an address, address range, or address group to limit traffic monitoring to network traffic sent to the specified address or range. Select Multiple to include multiple addresses or ranges. You can also select Create New to add a new address or address group.
Service: Select a firewall pre-defined service or a custom service to limit traffic monitoring to only the selected service or services. You can also select Create new to add a custom service.
DoS Sensor: Select and specify a DoS sensor to have the FortiGate unit apply the sensor to matching network traffic. You can also select Create new to add a new DoS Sensor. See DoS sensors on page 537.
After you have configured the interface for one-arm sniffer mode, connect the interface to a hub or to the SPAN port of a switch that is processing network traffic.
Figure 207: One-arm IDS topology (Internet; hub or switch with SPAN port; internal network)
Then you can go to Firewall > Policy > Sniffer Policy and add sniffer policies for that FortiGate interface that include a DoS sensor, an IPS sensor, and an Application black/white list to detect attacks and other activity in the traffic that the FortiGate interface receives from the hub or switch SPAN port. In one-arm sniffer mode, the interface receives packets accepted by sniffer mode policies only. All packets not received by sniffer mode policies are dropped. All packets received by sniffer mode policies go through IPS inspection and are dropped after they are analyzed by IPS.
One-arm IDS cannot block traffic. However, if you enable logging in the DoS and IPS sensors and the application black/white lists, the FortiGate unit records log messages for all detected attacks and applications. This section provides an introduction to configuring sniffer policies. For more information see the FortiGate UTM User Guide.
Create New: Add a new sniffer policy. Select the down arrow beside Create New to add a new section to the list to visually group the policies.
Customize the table view. You can select the columns to hide or display and specify the column display order in the table. See Using column settings to control the columns displayed on page 61.
Select to display firewall policies organized by interface.
Select to list all firewall policies in order according to a sequence number.
Filter: Edit column filters to filter or sort the policy list according to the criteria you specify. For more information, see Adding filters to web-based manager lists on page 57.
Status: When selected, the DoS policy is enabled. Clear the checkbox to disable the policy. See Enabling and disabling policies on page 365.
ID: A unique identifier for each policy. Policies are numbered in the order they are created.
Source: The source address or address group to which the policy applies. For more information, see Firewall Address on page 395.
Destination: The destination address or address group to which the policy applies. For more information, see Firewall Address on page 395.
Service: The service to which the policy applies. For more information, see Firewall Service on page 401.
DoS Sensor: The DoS sensor selected in this policy.
IPS Sensor: The IPS sensor selected in this policy.
Application Black/White List: The Application Black/White List selected in this policy.
Delete icon: Delete the policy from the list.
Edit icon: Edit the policy.
Insert Policy Before icon: Add a new policy above the corresponding policy (the New Policy screen appears).
Move To icon: Move the corresponding policy before or after another policy in the list.
Interface: The interface or zone to be monitored.
Source Address: Select an address, address range, or address group to limit traffic monitoring to network traffic sent from the specified address or range. Select Multiple to include multiple addresses or ranges. You can also select Create New to add a new address or address group.
Destination Address: Select an address, address range, or address group to limit traffic monitoring to network traffic sent to the specified address or range. Select Multiple to include multiple addresses or ranges. You can also select Create New to add a new address or address group.
Service: Select a firewall pre-defined service or a custom service to limit traffic monitoring to only the selected service or services. You can also select Create new to add a custom service.
DoS Sensor: Select and specify a DoS sensor to have the FortiGate unit apply the sensor to matching network traffic. You can also select Create new to add a new DoS Sensor. See DoS sensors on page 537.
IPS Sensor: Select and specify an IPS sensor to have the FortiGate unit apply the sensor to matching network traffic. You can also select Create new to add a new IPS Sensor. See IPS sensors on page 529.
Application Black/White List: Select and specify an Application Black/White List sensor to have the FortiGate unit apply the application control black/white list to matching network traffic. You can also select Create new to add a new Application Black/White List. See Creating a new application control black/white list on page 597.
Figure: Student A, Student B, Student Z
The university does not give a publicly routable IP address to its students. Instead each student uses DHCP to obtain an IP address from the 10.0.0.0/8 range from the FortiGate unit. The FortiGate unit then uses Network Address Port Translation (NAPT) to translate all traffic so that it appears to come from IP address 192.168.1.1.
For example, consider student A (IP address 10.78.33.97) who wants to connect to the search engine (IP address 172.20.120.2) and sends a packet with the following IP addresses and port numbers:
src-ip: 10.78.33.97
dst-ip: 172.20.120.2
src-port: 10000
dst-port: 80
When this packet passes through the FortiGate unit with NAT enabled the packet is modified to be:
src-ip: 192.168.1.1
dst-ip: 172.20.120.2
src-port: 46372
dst-port: 80
Where 192.168.1.1 is the external IP address of the FortiGate unit and 46372 is an unused port chosen by the FortiGate unit. The following sections describe three solutions to choosing the unused port. These solutions provide some context for the last section, which describes how FortiOS chooses an unused port.
Global pool
In this approach there is a single pool of ports which are available for assignment. When a port is assigned it is removed from the pool. Because the port is removed from the pool, it is not possible to assign the same port twice. Once a port is no longer needed for NAT it is returned to the pool so that it can be assigned again. For example, if the range is from 0x7000 (28672) to 0xF000 (61440) then there are 2^15 (32768) possible ports that can be simultaneously used (the reason for choosing this range is described below). The maximum number of simultaneous connections is 32768. This maximum is independent of transport protocol. This approach was one of the first approaches used to choose a NAT port because it is simple to implement. It is viable if the number of connections is unlikely to reach the pool size, for example in the case of a NAT firewall for home use. However, it is not really a viable solution for a large university or ISP that would usually be processing thousands of simultaneous sessions. This is not the approach that FortiOS uses.
Figure 211: Example university Internet connection topology with two Internet connections (Student A, Student B, Student Z)
If the FortiGate configuration includes equal-cost multipath (ECMP) routing, both Internet connections can be used simultaneously and the maximum number of connections is N*R*P where N is the number of NAT IP addresses, R is the port range, and P is the number of protocols. So for the case where there are two NAT IPs, the range is 32768 and the protocols are TCP and UDP then the maximum number of simultaneous connections is: 2*32768*2 = 131,072 This solution scales with the number of NAT IPs that can be deployed and so could feasibly be used by a university or a small ISP. This is not the approach that FortiOS uses.
dst-port: 80
And the other index is for traffic flowing in the opposite/reply direction:
src-ip: 172.20.120.2
dst-ip: 192.168.1.1
proto: tcp
src-port: 80
dst-port: 46372
Where 46372 is the chosen NAT port. In both cases, when traffic matches either of these indexes the session that the traffic belongs to can be uniquely identified. Using a per NAT IP, destination IP, port, and protocol pool, when choosing the NAT port FortiOS only has to ensure that the chosen port combined with the other four attributes is unique, which is enough to uniquely identify the session. So for example, if student A simultaneously makes a connection to the search engine (destination IP address 172.20.120.2) on port 443 this would create another session and the index in the reply direction would be:
src-ip: 172.20.120.2
dst-ip: 192.168.1.1
proto: tcp
src-port: 443
dst-port: NP
The value of NP can be any value as long as the five values together are unique. For example, FortiOS could choose 46372 again:
src-ip: 172.20.120.2
dst-ip: 192.168.1.1
proto: tcp
src-port: 443
dst-port: 46372
This is acceptable because:
src-ip: 172.20.120.2
dst-ip: 192.168.1.1
proto: tcp
src-port: 80
dst-port: 46372
and
src-ip: 172.20.120.2
dst-ip: 192.168.1.1
proto: tcp
src-port: 443
dst-port: 46372
have different src-port values. The result of using the per NAT IP, destination IP, port, and protocol pool approach is that a pool of 32768 ports is available for each unique combination of src-ip, dst-ip, proto and src-port. The maximum number of simultaneous connections that can be supported is N*R*P*D*Dp where N is the number of NAT IP addresses, R is the port range, P is the number of protocols, D is the number of unique destination IP addresses and Dp the number of unique destination ports. Considering the large number of destination IP addresses available, the number of simultaneous connections that can be supported is very large.
To get an idea of how large, for one destination IP address and one NAT IP address the calculation would be N=1, R=32,768, P=2, D=1 and Dp=32,768:
1 * 32,768 * 2 * 1 * 32,768 = 2,147,483,648
A problem with this calculation is that not all 32,768 possible destination ports are used. In fact, for many organizations most Internet traffic is web traffic using destination port 80 and the TCP protocol. So the pool size limit for web traffic to one destination IP address from one NAT IP address using the TCP protocol would be N=1, R=32,768, P=1, D=1 and Dp=1:
1 * 32,768 * 1 * 1 * 1 = 32,768
Using the topology in Figure 210 on page 385, for students simultaneously connecting to the search engine, the social networking and the video sharing sites on TCP port 80, and assuming each site uses one IP address, a maximum of 32,768 simultaneous connections are allowed to each site, or 32,768 * 3 = 98,304 connections in total. Many large public web sites may use round-robin DNS to rotate through at least four IP addresses. If the search engine and the video sharing site did this with an even balance of IP usage the result would be a maximum of 4 * 32,768 = 131,072 connections to the search engine, 131,072 connections to the video sharing site and 32,768 connections to the social networking site, for a total of 294,912 different connections supported by the single FortiGate unit with one NAT IP, for a total of 9 destination IP addresses and one destination port.
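The port-selection schemes of the last three sections (a single global pool, ECMP scaling, and the per NAT IP, destination IP, protocol and port pool) worked through as an added Python model; this is not Fortinet's code, the class names and the demo() helper are hypothetical, and the student traffic is constructed. The port range 0x7000 to 0xF000 is the one the text uses.

```python
from __future__ import annotations
from dataclasses import dataclass

# Port range the guide uses: 0x7000 (28672) up to 0xF000 (61440), 2**15 = 32768 ports.
PORT_LO, PORT_HI = 0x7000, 0xF000
POOL_SIZE = PORT_HI - PORT_LO


@dataclass(frozen=True)
class Flow:
    """Original-direction packet from a student, e.g. 10.78.33.97:10000 -> 172.20.120.2:80."""
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int


def reply_key(flow: Flow, nat_ip: str, nat_port: int) -> tuple:
    """Reply-direction session index (src-ip, dst-ip, proto, src-port, dst-port):
    the server answers to the NAT IP on the chosen NAT port."""
    return (flow.dst_ip, nat_ip, flow.proto, flow.dst_port, nat_port)


def _fresh_pool() -> list[int]:
    # Stored descending so that pop() hands out the lowest free port first.
    return list(range(PORT_HI - 1, PORT_LO - 1, -1))


class GlobalPoolNat:
    """One pool shared by every session; an assigned port leaves the pool until the
    session closes (the simple approach the guide says FortiOS does not use)."""

    def __init__(self, nat_ip: str) -> None:
        self.nat_ip = nat_ip
        self.free = _fresh_pool()
        self.sessions: dict[tuple, Flow] = {}

    def open(self, flow: Flow) -> int:
        if not self.free:
            raise RuntimeError("global port pool exhausted")
        port = self.free.pop()
        self.sessions[reply_key(flow, self.nat_ip, port)] = flow
        return port

    def close(self, key: tuple) -> None:
        del self.sessions[key]
        self.free.append(key[4])          # the port can be assigned again


class PerDestinationPoolNat:
    """The NAT port only has to be unique together with the other four reply-direction
    attributes, so every (dst-ip, proto, dst-port) combination gets its own 32768 ports."""

    def __init__(self, nat_ip: str) -> None:
        self.nat_ip = nat_ip
        self.pools: dict[tuple, list[int]] = {}
        self.sessions: dict[tuple, Flow] = {}

    def open(self, flow: Flow) -> int:
        pool_id = (flow.dst_ip, flow.proto, flow.dst_port)
        free = self.pools.setdefault(pool_id, _fresh_pool())
        if not free:
            raise RuntimeError(f"port pool exhausted for {pool_id}")
        port = free.pop()
        self.sessions[reply_key(flow, self.nat_ip, port)] = flow
        return port

    def close(self, key: tuple) -> None:
        del self.sessions[key]
        self.pools[(key[0], key[2], key[3])].append(key[4])


def max_sessions(n_nat_ips: int, port_range: int, n_protos: int,
                 n_dst_ips: int = 1, n_dst_ports: int = 1) -> int:
    """The guide's capacity formulas: N*R*P for the global and ECMP pools
    (D = Dp = 1) and N*R*P*D*Dp for the per-destination pools."""
    return n_nat_ips * port_range * n_protos * n_dst_ips * n_dst_ports


def demo() -> dict:
    """Student A reaches the search engine on ports 80 and 443 through both NAT styles,
    then one per-destination pool is filled with port-80 sessions from other students."""
    nat_ip = "192.168.1.1"
    web = Flow("10.78.33.97", "172.20.120.2", "tcp", 10000, 80)
    tls = Flow("10.78.33.97", "172.20.120.2", "tcp", 10001, 443)
    g, p = GlobalPoolNat(nat_ip), PerDestinationPoolNat(nat_ip)
    global_ports = (g.open(web), g.open(tls))        # two distinct ports
    per_dest_ports = (p.open(web), p.open(tls))      # the same port twice, different pools
    # Constructed traffic: 32767 more port-80 sessions to the same server fill that pool ...
    for i in range(POOL_SIZE - 1):
        p.open(Flow(f"10.0.{i >> 8}.{i & 0xFF}", "172.20.120.2", "tcp", 1024 + i, 80))
    port80_full = not p.pools[("172.20.120.2", "tcp", 80)]
    # ... while port-443 sessions to the same server are still accepted.
    extra_443 = p.open(Flow("10.0.0.2", "172.20.120.2", "tcp", 2000, 443))
    return {"global_ports": global_ports, "per_dest_ports": per_dest_ports,
            "port80_full": port80_full, "extra_443": extra_443,
            "global_capacity": max_sessions(1, POOL_SIZE, 2),
            "per_dest_capacity": max_sessions(1, POOL_SIZE, 2, 1, POOL_SIZE)}
```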
Figure: Internet, 192.168.100.1, Help Desk, Engineering Department
Company A requires secure connections for home-based workers. Like many companies, they rely heavily on email and Internet access to conduct business. They want a comprehensive security solution to detect and prevent network attacks, block viruses, and decrease spam. They want to apply different protection settings for different departments. They also want to integrate web and email servers into the security solution. To deal with their first requirement, Company A configures specific policies for each home-based worker to ensure secure communication between the home-based worker and the internal network.
1 Go to Firewall > Policy.
2 Select Create New and enter or select the following settings for Home_User_1:
Interface / Zone: Source: internal; Destination: wan1
Address: Source: CompanyA_Network; Destination: Home_User_1
Schedule: Always
Service: ANY
Action: IPSEC
VPN Tunnel: Home1
Allow Inbound: yes
Allow outbound: yes
Inbound NAT: yes
3 Select OK.
4 Select Create New and enter or select the following settings for Home_User_2:
Interface / Zone: Source: internal; Destination: wan1
Address: Source: CompanyA_network; Destination: All
Schedule: Always
Service: ANY
Action: IPSEC
VPN Tunnel: Home2_Tunnel
Allow Inbound: yes
Allow outbound: yes
Inbound NAT: yes
Outbound NAT: no
Protection Profile: Select the check mark and select standard_profile
5 Select OK.
Figure 213: SOHO network topology with FortiGate-100 (VPN tunnels over the Internet to the FortiGate 100A; External 172.30.120.8, Internal 192.168.100.1)
The proposed network is based around a FortiGate 100A unit. The 15 internal computers are behind the FortiGate unit. They now access the email and web servers in a DMZ, which is also behind the FortiGate unit. All home-based employees now access the office network through the FortiGate unit via VPN tunnels.
The library must be able to set different access levels for patrons and staff members. The first firewall policy for main office staff members allows full access to the Internet at all times. A second policy will allow direct access to the DMZ for staff members. A second pair of policies is required to allow branch staff members the same access. The staff firewall policies will all use a protection profile configured specifically for staff access. Enabled features include virus scanning, email filtering, IPS, and blocking of all P2P traffic. FortiGuard web filtering is also used to block advertising, malware, and spyware sites.
A few users may need special web and catalog server access to update information on those servers, depending on how they are configured. Special access can be allowed based on IP address or user. The proposed topology has the main branch staff and the catalog access terminals going through a FortiGate HA cluster to the servers in a DMZ. The public access terminals first go through a FortiWiFi unit, where additional policies can be applied, to the HA cluster and finally to the servers. The branch office has all three users routed through a FortiWiFi unit to the main branch via VPN tunnels.
Figure 215: Proposed library system network topology
Policies are configured in Firewall > Policy. Protection Profiles are configured in Firewall > Protection Profile.
Main office staff to Internet policy:
Source Interface: Internal
Source Address: All
Destination Interface: External
Destination Address: All
Schedule: Always
Action: Accept
For more information about these examples, see:
SOHO and SMB Configuration Example Guide
FortiGate Enterprise Configuration Example
Firewall Address
Firewall addresses and address groups define network addresses that you can use when configuring the source and destination address fields of firewall policies. The FortiGate unit compares the IP addresses contained in packet headers with firewall policy source and destination addresses to determine if the firewall policy matches the traffic. You can add IPv4 addresses and address ranges, IPv6 addresses, and fully qualified domain names (FQDNs). You can organize related addresses into address groups and related IPv6 addresses into IPv6 address groups to simplify your firewall policy lists. If you enable virtual domains (VDOMs) on the FortiGate unit, firewall addresses are configured separately for each virtual domain, and you must first enter the virtual domain to configure its firewall addresses. For details, see Using virtual domains on page 125. This section describes:
About firewall addresses
About IPv6 firewall addresses
Viewing the firewall address list
Configuring addresses
Viewing the address group list
Configuring address groups
The netmask corresponds to the subnet class of the address being added, and can be represented in either dotted decimal or CIDR format. The FortiGate unit automatically converts CIDR formatted netmasks to dotted decimal format. Example formats:
netmask for a single computer: 255.255.255.255, or /32
netmask for a class A subnet: 255.0.0.0, or /8
netmask for a class B subnet: 255.255.0.0, or /16
netmask for a class C subnet: 255.255.255.0, or /24
netmask including all IP addresses: 0.0.0.0
Valid IP address and netmask formats include:
x.x.x.x/x.x.x.x, such as 192.168.1.0/255.255.255.0
x.x.x.x/x, such as 192.168.1.0/24
Note: An IP address 0.0.0.0 with netmask 255.255.255.255 is not a valid firewall address.
When representing hosts by an IP Range, the range indicates hosts with continuous IP addresses in a subnet, such as 192.168.1.[2-10], or 192.168.1.* to indicate the complete range of hosts on that subnet. Valid IP Range formats include:
x.x.x.x-x.x.x.x, such as 192.168.110.100-192.168.110.120
x.x.x.[x-x], such as 192.168.110.[100-120]
x.x.x.*, such as 192.168.110.*
When representing hosts by a FQDN, the domain name can be a subdomain, such as mail.example.com. A single FQDN firewall address may be used to apply a firewall policy to multiple hosts, as in load balancing and high availability (HA) configurations. FortiGate units automatically resolve and maintain a record of all addresses to which the FQDN resolves. Valid FQDN formats include:
<host_name>.<second_level_domain_name>.<top_level_domain_name>, such as mail.example.com
<host_name>.<top_level_domain_name>
Caution: Be cautious if employing FQDN firewall addresses. Using a fully qualified domain name in a firewall policy, while convenient, does present some security risks, because policy matching then relies on a trusted DNS server. Should the DNS server be compromised, firewall policies requiring domain name resolution may no longer function properly.
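The address formats above, parsed and matched against a packet address, as an added example (not FortiGate code). It treats a bare IP as a /32 and "x.x.x.*" as the last octet 0 to 255, and for an FQDN entry the caller supplies the resolved addresses the unit would have recorded; those are assumptions of the example.

```python
import ipaddress
import re

# Added example (not FortiGate code): parse the firewall address formats the
# guide lists and test whether a packet's IP address matches an entry.

_FULL_RANGE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$")
_BRACKET_RANGE = re.compile(r"^(\d+\.\d+\.\d+)\.\[(\d+)-(\d+)\]$")
_STAR_RANGE = re.compile(r"^(\d+\.\d+\.\d+)\.\*$")


def parse_subnet(text):
    """Parse x.x.x.x/x.x.x.x or x.x.x.x/n (CIDR prefix) into an IPv4Network."""
    addr, sep, mask = text.partition("/")
    if not sep:
        mask = "32"          # bare IP: a single computer (assumption of this example)
    netmask = int(mask) if mask.isdigit() else mask   # CIDR prefix or dotted decimal
    net = ipaddress.IPv4Network((addr, netmask), strict=False)
    # Guide: an IP address 0.0.0.0 with netmask 255.255.255.255 is not valid.
    if net.prefixlen == 32 and int(net.network_address) == 0:
        raise ValueError("0.0.0.0/255.255.255.255 is not a valid firewall address")
    return net


def to_dotted_decimal(text):
    """The unit converts CIDR netmasks to dotted decimal; this does the same."""
    return parse_subnet(text).with_netmask


def parse_range(text):
    """Parse the three IP Range spellings into an inclusive (first, last) pair."""
    m = _FULL_RANGE.match(text)
    if m:
        first = ipaddress.IPv4Address(m.group(1))
        last = ipaddress.IPv4Address(m.group(2))
    else:
        m = _BRACKET_RANGE.match(text)
        if m:
            prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        else:
            m = _STAR_RANGE.match(text)
            if not m:
                raise ValueError("not a FortiGate IP Range: %r" % text)
            prefix, lo, hi = m.group(1), 0, 255   # '*': every host on that subnet
        if not 0 <= lo <= hi <= 255:
            raise ValueError("bad last-octet range in %r" % text)
        first = ipaddress.IPv4Address("%s.%d" % (prefix, lo))
        last = ipaddress.IPv4Address("%s.%d" % (prefix, hi))
    if first > last:
        raise ValueError("range start is after range end: %r" % text)
    return first, last


class FirewallAddress:
    """One firewall address entry of type Subnet/IP Range or FQDN."""

    def __init__(self, name, value, resolved=()):
        self.name = name
        self.value = value
        if re.fullmatch(r"[\d./]+", value):
            self.kind, self.network = "subnet", parse_subnet(value)
        elif re.fullmatch(r"[\d.\[\]*-]+", value):
            self.kind, self.range = "range", parse_range(value)
        else:
            # FQDN: the unit keeps a record of the addresses the name resolves
            # to; here the caller passes that record in (constructed input).
            self.kind = "fqdn"
            self.resolved = {ipaddress.IPv4Address(a) for a in resolved}

    def matches(self, ip):
        """True when the packet address falls within this firewall address."""
        ip = ipaddress.IPv4Address(ip)
        if self.kind == "subnet":
            return ip in self.network
        if self.kind == "range":
            first, last = self.range
            return first <= ip <= last
        return ip in self.resolved


if __name__ == "__main__":
    lan = FirewallAddress("LAN", "192.168.1.0/24")
    print(to_dotted_decimal("192.168.1.0/24"), lan.matches("192.168.1.77"))
```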
Create New      Add a firewall address. If IPv6 Support is enabled you can select the down arrow in the Create New button and select IPv6 Address, to add an IPv6 firewall address. To enable IPv6 support on the web-based manager, see Settings on page 261.
Name            The name of the firewall address.
Address / FQDN  The IP address and mask, IP address range, or fully qualified domain name.
Interface       The interface, zone, or virtual domain (VDOM) to which you bind the IP address.
IP/Netmask      The list of IPv4 firewall addresses and address ranges.
FQDN            The list of fully qualified domain name firewall addresses.
IPv6            The list of IPv6 firewall addresses.
Delete icon     Select to remove the address. The Delete icon appears only if a firewall policy or address group is not currently using the address.
Edit icon       Select to edit the address.
Configuring addresses
To add a firewall address go to Firewall > Address and select Create New. You can add a static IP address, an IP address range, or a FQDN.
Caution: Be cautious when employing FQDN firewall addresses. Using a fully qualified domain name in a firewall policy, while convenient, does present some security risks, because policy matching then relies on a trusted DNS server. Should the DNS server be compromised, firewall policies requiring domain name resolution may no longer function properly.
If IPv6 Support is enabled, to add an IPv6 firewall address, go to Firewall > Address and select Create New > IPv6 Address.
Tip: You can also add firewall addresses when configuring a firewall policy: Go to Firewall > Policy, select the appropriate policy tab and then Create New. From the Source Address list, select Address > Create New.
Enter a name to identify the firewall address. Addresses, address groups, and virtual IPs must have unique names.
Select the type of address: Subnet/IP Range or FQDN. You can enter either an IP range or an IP address with subnet mask.
Enter the firewall IP address, followed by a forward slash (/), then subnet mask, or enter an IP address range separated by a hyphen. See About firewall addresses on page 395.
Select the interface, zone, or virtual domain (VDOM) link to which you want to bind the IP address. Select Any if you want to bind the IP address with the interface/zone when you create a firewall policy.
IPv6 Address    Enter the firewall IPv6 address, followed by a forward slash (/), then subnet mask. See About IPv6 firewall addresses on page 396.
Create New      Add an address group. If IPv6 Support is enabled you can select the down arrow in the Create New button and select IPv6 Address Group, to add an IPv6 address group. To enable IPv6 support on the web-based manager, see Settings on page 261.
The name of the address group.
The addresses in the address group.
The list of firewall IPv4 address groups.
Delete icon     Select to remove the address group. The Delete icon appears only if the address group is not currently being used by a firewall policy.
Edit icon       Select to edit the address group.
Enter a name to identify the address group. Addresses, address groups, and virtual IPs must have unique names.
The list of all IPv4 or IPv6 firewall addresses. Use the arrows to move selected addresses between the lists of available and member addresses. You cannot add IPv4 and IPv6 firewall addresses to the same address group. If you are adding an IPv4 firewall address group, only the IPv4 addresses and FQDN addresses appear. If you are adding an IPv6 firewall address group, only the IPv6 addresses appear.
Members         The list of addresses included in the address group. Use the arrows to move selected addresses between the lists of available and member addresses.
Firewall Service
Firewall services define one or more protocols and port numbers associated with each service. Firewall policies use service definitions to match session types. You can organize related services into service groups to simplify your firewall policy list.

If you enable virtual domains (VDOMs) on the FortiGate unit, you must configure firewall services separately for each virtual domain. For more information, see Using virtual domains on page 125.

This section describes:
Viewing the predefined service list
Viewing the custom service list
Configuring custom services
Viewing the service group list
Configuring service groups
Name      The name of the predefined service.
Detail    The protocol (TCP, UDP, IP, ICMP) and port number or numbers of the predefined service.

Table 50: Predefined services
Service name  Description  IP Protocol  Port

AFS  Advanced File Security Encrypted File, version 3, of the AFS distributed file system protocol.  TCP, UDP
AH  Authentication Header. AH provides source host authentication and data integrity, but not secrecy. This protocol is used for authentication by IPSec remote gateways set to aggressive mode.
Matches connections using any protocol over IP.  all
America Online Instant Message protocol.  TCP
BGP  Border Gateway Protocol. BGP is an interior/exterior routing protocol.  TCP
CVSPSERVER  Concurrent Versions System Proxy Server. CVSPServer is very good for providing anonymous CVS access to a repository.  TCP
DCE-RPC  Distributed Computing Environment / Remote Procedure Calls. Applications using DCE-RPC can call procedures from another application without having to know on which host the other application is running.  TCP, UDP
DHCP  Dynamic Host Configuration Protocol. DHCP allocates network addresses and delivers configuration parameters from DHCP servers to hosts.  UDP  67, 68
Dynamic Host Configuration Protocol for IPv6.  UDP  546, 547
DNS  Domain Name Service. DNS resolves domain names into IP addresses.  TCP, UDP  53
ESP  Encapsulating Security Payload. ESP is used by manual key and AutoIKE IPSec VPN tunnels for communicating encrypted data. AutoIKE VPN tunnels use ESP after establishing the tunnel by IKE.  IP  50
A network service providing information about users.  TCP  79
FTP  File Transfer Protocol.  TCP  21
FTP GET  File Transfer Protocol. FTP GET sessions transfer remote files from an FTP server to an FTP client computer.  TCP  21
FTP PUT  File Transfer Protocol. FTP PUT sessions transfer local files from an FTP client to an FTP server.  TCP  21
Gopher organizes and displays Internet server contents as a hierarchically structured list of files.  TCP  70
GRE  Generic Routing Encapsulation. GRE allows an arbitrary network protocol to be transmitted over any other arbitrary network protocol, by encapsulating the packets of the protocol within GRE packets.  IP  47
H323  H.323 multimedia protocol. H.323 is a standard approved by the International Telecommunication Union (ITU) defining how audiovisual conferencing data can be transmitted across networks. For more information, see the FortiGate Support for H.323 Technical Note.  TCP 1720, 1503; UDP 1719
HTTP  Hypertext Transfer Protocol. HTTP is used to browse web pages on the World Wide Web.  TCP  80
HTTPS  HTTP with secure socket layer (SSL). HTTPS is used for secure communication with web servers.  TCP  443
ICMP  Internet Control Message Protocol. ICMP allows control messages and error reporting between a host and gateway (Internet).  ICMP  Any
IKE  Internet Key Exchange. IKE obtains authenticated keying material for use with the Internet Security Association and Key Management Protocol (ISAKMP) for IPSEC.  UDP  500, 4500
IMAP  Internet Message Access Protocol. IMAP is used by email clients to retrieve email messages from email servers.  TCP  143
IMAPS  IMAP with SSL. IMAPS is used for secure IMAP communication between email clients and servers. IMAPS is only available on FortiGate units that support SSL content scanning and inspection.  TCP  993
INFO_ADDRESS  ICMP information request messages.
INFO_REQUEST  ICMP address mask request messages.
IRC  Internet Relay Chat. IRC allows users to join chat channels.
Internet-Locator-Service  Internet Locator Service. ILS includes LDAP, User Locator Service, and LDAP over TLS/SSL.
L2TP  Layer 2 Tunneling Protocol. L2TP is a PPP-based tunnel protocol for remote access.
LDAP  Lightweight Directory Access Protocol. LDAP is used to access information directories.
MGCP  Media Gateway Control Protocol. MGCP is used by call agents and media gateways in distributed Voice over IP (VoIP) systems.  UDP
MS-SQL  Microsoft SQL Server is a relational database management system (RDBMS) produced by Microsoft. Its primary query languages are MS-SQL and T-SQL.  TCP  1433, 1434
MYSQL  MySQL is a relational database management system (RDBMS) which runs as a server providing multi-user access to a number of databases.  TCP  3306
NFS  Network File System. NFS allows network users to mount shared files.  TCP, UDP
NNTP  Network News Transport Protocol. NNTP is used to post, distribute, and retrieve Usenet messages.  TCP
NTP  Network Time Protocol. NTP synchronizes a host's time with a time server.  TCP, UDP
NetMeeting  NetMeeting allows users to teleconference using the Internet as the transmission medium.  TCP
ONC-RPC  Open Network Computing Remote Procedure Call. ONC-RPC is a widely deployed remote procedure call system.  TCP 111; UDP 111
OSPF  Open Shortest Path First. OSPF is a common link state routing protocol.  IP  89
PC-Anywhere  PC-Anywhere is a remote control and file transfer protocol.  TCP 5631; UDP 5632
Ping  Ping sends ICMP echo request/replies to test connectivity to other hosts.  ICMP  8
Ping6  Ping6 sends ICMPv6 echo request/replies to network hosts to test IPv6 connectivity to other hosts.  58
POP3  Post Office Protocol v3. POP retrieves email messages.  TCP  110
POP3S  Post Office Protocol v3 with secure socket layer (SSL). POP3S is used for secure retrieval of email messages. POP3S is only available on FortiGate units that support SSL content scanning and inspection.  TCP  995
PPTP  Point-to-Point Tunneling Protocol. PPTP is used to tunnel connections between private network hosts over the Internet. Note: Also requires IP protocol 47.  TCP
QUAKE  Quake multi-player computer game traffic.  UDP
RADIUS  Remote Authentication Dial In User Service. RADIUS is a networking protocol that provides centralized access, authorization and accounting management for people or computers to connect and use a network service.
RAUDIO  RealAudio multimedia traffic.  UDP  7070
RDP  Remote Desktop Protocol is a multi-channel protocol that allows a user to connect to a networked computer.  TCP  3389
REXEC  Rexec traffic allows specified commands to be executed on a remote host running the rexecd service (daemon).  TCP  512
RIP  Routing Information Protocol. RIP is a common distance vector routing protocol. This service matches RIP v1.  UDP  520
RLOGIN  Remote login traffic.  TCP  513
RSH  Remote Shell traffic allows specified commands to be executed on a remote host running the rshd service (daemon).  TCP  514
RTSP  Real Time Streaming Protocol is a protocol for use in streaming media systems which allows a client to remotely control a streaming media server, issuing VCR-like commands such as play and pause, and allowing time-based access to files on a server.  TCP, UDP
SAMBA  Server Message Block. SMB allows clients to use file and print shares from enabled hosts. This is primarily used for Microsoft Windows hosts, but may be used with operating systems running the Samba daemon.  TCP
SCCP  Skinny Client Control Protocol. SCCP is a Cisco proprietary standard for terminal control for use with voice over IP (VoIP).  TCP  2000
SIP  Session Initiation Protocol. SIP allows audiovisual conferencing data to be transmitted across networks. For more information, see the FortiGate SIP Support Technical Note.  UDP  5060
SIP-MSNmessenger  Session Initiation Protocol used by Microsoft Messenger to initiate an interactive, possibly multimedia session.  TCP  1863
SMTP  Simple Mail Transfer Protocol. SMTP is used for sending email messages between email clients and email servers, and between email servers.  TCP  25
SMTPS  SMTP with SSL. Used for sending email messages between email clients and email servers, and between email servers securely. SMTPS is only available on FortiGate units that support SSL content scanning and inspection.  TCP  465
SNMP  Simple Network Management Protocol. SNMP can be used to monitor and manage complex networks.  TCP, UDP
SOCKS  SOCKetS. SOCKS is an Internet protocol that allows client-server applications to transparently use the services of a network firewall.  TCP, UDP
SQUID  A proxy server and web cache daemon that has a wide variety of uses that includes speeding up a web server by caching repeated requests; caching web, DNS and other computer network lookups for a group of people sharing network resources; aiding security by filtering traffic.  TCP
SSH  Secure Shell. SSH allows secure remote management and tunneling.
Syslog service for remote logging.
Talk allows conversations between two or more users.
Matches connections using any TCP port.
Allows plain text remote management.
TFTP  Trivial File Transfer Protocol. TFTP is similar to FTP, but without security features such as authentication.
ICMP timestamp request messages.
A computer network tool used to determine the route taken by packets across an IP network.
Matches connections using any UDP port.
UUCP  Unix to Unix Copy Protocol. UUCP provides simple file copying.  UDP
VDO Live streaming multimedia traffic.  TCP
VNC  Virtual Network Computing. VNC is a graphical desktop sharing system which uses the RFB protocol to remotely control another computer.  TCP
WAIS  Wide Area Information Server. WAIS is an Internet search protocol which may be used in conjunction with Gopher.  TCP  210
WINFRAME  WinFrame provides communications between computers running Windows NT, or Citrix WinFrame/MetaFrame.  TCP  1494
WINS  Windows Internet Name Service is Microsoft's implementation of NetBIOS Name Service (NBNS), a name server and service for NetBIOS computer names.  TCP, UDP
X-WINDOWS  X Window System (also known as X11) can forward the graphical shell from an X Window server to X Window client.  TCP
Create New      Add a custom service.
Service Name    The name of the custom service.
Detail          The protocol and port numbers for each custom service.
Delete icon     Remove the custom service. The Delete icon appears only if the service is not currently being used by a firewall policy.
Edit icon       Edit the custom service.
To add a custom TCP or UDP service
1 Go to Firewall > Service > Custom.
2 Select Create New.
3 Set Protocol Type to TCP/UDP.
4 Complete the fields in the following table and select OK.
Enter a name for the custom service.
Protocol Type     Select TCP/UDP.
Select TCP or UDP as the protocol of the port range being added.
Source Port       Specify the source port number range for the service by entering the low and high port numbers. If the service uses one port number, enter this number in both the Low and High fields. The default values allow the use of any source port.
Destination Port  Specify the destination port number range for the service by entering the low and high port numbers. If the service uses one port number, enter this number in both the Low and High fields.
Add               If your custom service requires more than one port range, select Add to allow more source and destination ranges.
Delete icon       Remove the entry from the list.
To add a custom ICMP service
1 Go to Firewall > Service > Custom.
2 Select Create New.
3 Set Protocol Type to ICMP.
4 Complete the fields in the following table and select OK.
Figure 224: New Custom Service - ICMP
Enter a name for the ICMP custom service.
Protocol Type     Select ICMP.
Enter the ICMP type number for the service.
If required, enter the ICMP code number for the service.
To add a custom IP service
1 Go to Firewall > Service > Custom.
2 Select Create New.
3 Set Protocol Type to IP.

Enter a name for the IP custom service.
Protocol Type     Select IP.
Enter the IP protocol number for the service.
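The three custom service types (TCP/UDP port ranges with an optional source port restriction, ICMP type and code, and a raw IP protocol number) and service groups, modelled and matched against a session, as an added example that is not FortiOS code. The "any source port" default is assumed to be 1 to 65535, and the DNS, Ping and GRE definitions reuse values from the predefined service table above; the Mgmt-Alt service is constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added example (not FortiOS code): model the custom service types the guide
# describes and match a session the way a firewall policy's Service field would.

# IANA protocol numbers used below
ICMP, TCP, UDP, GRE = 1, 6, 17, 47
ANY_PORT = (1, 65535)   # assumption: the default values that allow any source port


@dataclass
class Session:
    """The session fields that service matching looks at."""
    protocol: int
    src_port: int = 0
    dst_port: int = 0
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


@dataclass
class PortEntry:
    """One row of a TCP/UDP custom service: protocol plus source/destination ranges."""
    protocol: int                 # TCP or UDP
    dst: tuple                    # (low, high); a single port is (p, p)
    src: tuple = ANY_PORT

    def __post_init__(self):
        for low, high in (self.src, self.dst):
            if not 1 <= low <= high <= 65535:
                raise ValueError("port range must satisfy 1 <= low <= high <= 65535")

    def matches(self, s: Session) -> bool:
        return (s.protocol == self.protocol
                and self.src[0] <= s.src_port <= self.src[1]
                and self.dst[0] <= s.dst_port <= self.dst[1])


@dataclass
class TcpUdpService:
    name: str
    entries: List[PortEntry]      # "Add" in the GUI appends another entry

    def matches(self, s: Session) -> bool:
        return any(e.matches(s) for e in self.entries)


@dataclass
class IcmpService:
    name: str
    icmp_type: int
    icmp_code: Optional[int] = None   # code left blank in the GUI: any code matches

    def matches(self, s: Session) -> bool:
        return (s.protocol == ICMP and s.icmp_type == self.icmp_type
                and (self.icmp_code is None or s.icmp_code == self.icmp_code))


@dataclass
class IpService:
    name: str
    protocol: int                 # IP protocol number, e.g. 47 for GRE

    def matches(self, s: Session) -> bool:
        return s.protocol == self.protocol


@dataclass
class ServiceGroup:
    name: str
    members: list                 # any service or nested group with matches()

    def matches(self, s: Session) -> bool:
        return any(m.matches(s) for m in self.members)


# Constructed definitions; DNS, PING and GRE values come from the predefined table.
DNS = TcpUdpService("DNS", [PortEntry(TCP, (53, 53)), PortEntry(UDP, (53, 53))])
PING = IcmpService("PING", icmp_type=8)
GRE_SVC = IpService("GRE", GRE)
# A custom TCP service that also restricts the source port range (the guide's
# Source Port Low/High fields); port numbers constructed for this example.
MGMT_ALT = TcpUdpService("Mgmt-Alt", [PortEntry(TCP, (2222, 2222), src=(1024, 65535))])
INFRA = ServiceGroup("Infra-Services", [DNS, PING, GRE_SVC])


def first_match(session: Session, services) -> Optional[str]:
    """Name of the first service whose definition matches the session, else None."""
    for svc in services:
        if svc.matches(session):
            return svc.name
    return None
```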
Create New      Add a service group.
Group Name      The name to identify the service group.
Members         The services added to the service group.
Delete icon     Remove the entry from the list. The Delete icon appears only if the service group is not selected in a firewall policy.
Edit icon       Select to edit the Group Name and Members.
To organize services into a service group, go to Firewall > Service > Group.
Tip: You can also create custom service groups when you configure a firewall policy. Go to Firewall > Policy, select the appropriate policy tab and then Create New. From the Service list, select Service Group > Create New.

Figure 227: Service Group
Enter a name to identify the service group.
Available Services  The list of configured and predefined services available for your group, with custom services at the bottom. Use the arrows to move selected services between this list and Members.
Members             The list of services in the group. Use the arrows to move selected services between this list and Available Services.
Firewall Schedule
Firewall schedules control when policies are in effect. You can create one-time schedules or recurring schedules. One-time schedules are in effect only once for the period of time specified in the schedule. Recurring schedules are in effect repeatedly at specified times of specified days of the week.

If you enable virtual domains (VDOMs) on the FortiGate unit, you must configure firewall schedules separately for each virtual domain. For more information, see Using virtual domains on page 125.

This section describes:
Viewing the recurring schedule list
Configuring recurring schedules
Viewing the one-time schedule list
Configuring one-time schedules
Configuring schedule groups
To view the recurring schedule list, go to Firewall > Schedule > Recurring.
Figure 228: Recurring schedule list
Create New      Add a recurring schedule.
Name            The name of the recurring schedule.
Day             The initials of the days of the week on which the schedule is active.
Start           The start time of the recurring schedule.
Stop            The stop time of the recurring schedule.
Delete icon     Remove the schedule from the list. The Delete icon appears only if the schedule is not being used in a firewall policy.
Edit icon       Edit the schedule.
Enter a name to identify the recurring schedule.
Select the days of the week for the schedule to be active.
Select the start time for the recurring schedule.
Select the stop time for the recurring schedule.

Tip: You can also create recurring schedules when you configure a firewall policy. Go to Firewall > Policy, select the appropriate policy tab and then Create New. From the Schedule list, select Recurring > Create New.
Create New      Add a one-time schedule.
Name            The name of the one-time schedule.
Start           The start date and time for the schedule.
Stop            The stop date and time for the schedule.
Delete icon     Remove the schedule from the list. The Delete icon appears only if the schedule is not being used in a firewall policy.
Edit icon       Edit the schedule.
Enter a name to identify the one-time schedule.
Select the start date and time for the schedule.
Select the stop date and time for the schedule.

Tip: You can also create one-time schedules when you configure a firewall policy. Go to Firewall > Policy, select the appropriate policy tab and then Create New. From the Schedule list, select One-time > Create New.
Enter a name to identify the schedule group.
Available Schedule  The list of recurring and one-time schedules available for your group. Use the arrow buttons to move selected schedules between this list and Members.
Members             The list of schedules in the group. Use the arrows to move selected schedules between this list and Available Schedule.
Traffic Shaping
Traffic shaping, once included in a firewall policy, controls the bandwidth available to, and sets the priority of the traffic processed by, the policy. Traffic shaping makes it possible to control which policies have the highest priority when large amounts of data are moving through the FortiGate unit. For example, the policy for the corporate web server might be given higher priority than the policies for most employees' computers. An employee who needs extra high speed Internet access could have a special outgoing policy set up with higher bandwidth.

Traffic shaping is available for firewall policies whose Action is ACCEPT, IPSEC, or SSLVPN. It is also available for all supported services, including H.323, TCP, UDP, ICMP, and ESP. Guaranteed and maximum bandwidth in combination with queuing ensures that minimum and maximum bandwidth is available for traffic. Traffic shaping cannot increase the total amount of bandwidth available, but you can use it to improve the quality of bandwidth-intensive and sensitive traffic. For more information about firewall policy, see Firewall Policy on page 363.
Note: For more information about traffic shaping you can also see the FortiGate Traffic Shaping Technical Note.
This section describes:
Guaranteed bandwidth and maximum bandwidth
Traffic priority
Traffic shaping considerations
Configuring shared traffic shapers
Configuring Per IP traffic shaping
Accounting and quota enforcement
Once included in a firewall policy, the guaranteed and maximum bandwidth is the total bandwidth available to all traffic controlled by the policy. If multiple users start multiple communication sessions using the same policy, all of these sessions must share the bandwidth available for the policy. However, bandwidth availability is not shared between multiple instances of the same service if these instances are controlled by different policies. For example, you can create one FTP policy to limit the amount of bandwidth available for FTP for one network address and create another FTP policy with a different bandwidth availability for another network address.
Note: If you set both guaranteed bandwidth and maximum bandwidth to 0 (zero), the policy does not allow any traffic.
Traffic priority
When adding a traffic shaper, you can set traffic priority to manage the relative priorities of different types of traffic. Important and latency-sensitive traffic should be assigned a high priority. Less important and less sensitive traffic should be assigned a low priority. The FortiGate unit provides bandwidth to low-priority connections only when bandwidth is not needed for high-priority connections. For example, you can add policies to guarantee bandwidth for voice and e-commerce traffic. Then you can assign a high priority to the policy that controls voice traffic and a medium priority to the policy that controls e-commerce traffic. During a busy time, if both voice and e-commerce traffic are competing for bandwidth, the higher priority voice traffic will be transmitted before the e-commerce traffic.
Note that traffic shaping is effective for normal IP traffic at normal traffic rates. Traffic shaping is not effective during periods when traffic exceeds the capacity of the FortiGate unit. Since packets must be received by the FortiGate unit before they are subject to traffic shaping, if the FortiGate unit cannot process all of the traffic it receives, then dropped packets, delays, and latency are likely to occur. To ensure that traffic shaping is working at its best, make sure that the interface ethernet statistics show no errors, collisions or buffer overruns. If any of these problems do appear, then FortiGate and switch settings may require adjusting. For more information, see the FortiGate Traffic Shaping Technical Note.
Shared Traffic Shaper list
Create New            Select to add a new shared traffic shaper.
Name                  Type a name for this traffic shaper.
Delete icon           Select to remove a traffic shaper.
Edit icon             Select to modify a traffic shaper.
Apply Shaping         Select Per Policy to apply this traffic shaper to a single firewall policy that uses it. Select For all policies using this shaper to apply this traffic shaper to all firewall policies that use it.
Shaping Methods       Configure the traffic shaping methods used by the shared traffic shaper.
Guaranteed Bandwidth  Select a value to ensure there is enough bandwidth available for a high-priority service. Be sure that the sum of all Guaranteed Bandwidth in all firewall policies is significantly less than the bandwidth capacity of the interface.
Maximum Bandwidth     Select to limit bandwidth in order to keep less important services from using bandwidth needed for more important ones. Do not set both Guaranteed Bandwidth and Maximum Bandwidth to 0 (zero), or the firewall policy that the shared traffic shaper is added to will not allow any traffic.
Traffic Priority      Select High, Medium, or Low. Select Traffic Priority so the FortiGate unit manages the relative priorities of different types of traffic. For example, a policy for connecting to a secure web server needed to support e-commerce traffic should be assigned a high traffic priority. Less important services should be assigned a low priority. The firewall provides bandwidth to low-priority connections only when bandwidth is not needed for high-priority connections. Be sure to enable traffic shaping on all firewall policies. If you do not apply any traffic shaping rule to a policy, the policy is set to high priority by default. Distribute firewall policies over all three priority queues.
Quotas and Accounting  See Accounting and quota enforcement on page 420.
Per-IP Traffic Shaper list
Create New            Select to add a new per-IP traffic shaper.
Name                  The name of this per-IP traffic shaper.
Delete icon           Select to remove a per-IP traffic shaper.
Edit icon             Select to modify a per-IP traffic shaper.
Maximum Bandwidth     Enter the maximum allowed bandwidth in Kbps. This limit applies to each IP address. Range 1 to 2 097 000. Enter 0 to disable the bandwidth limit.
See Accounting and quota enforcement on page 420.
Add the IP addresses or IP address ranges that this per-IP traffic shaper applies to.
Delete an IP address/range entry.
Add a single IP address or an address range.
Select to disable accounting and quotas.
Select and enter a traffic quota to be enforced by the traffic shaper. Enter the amount of data in MBytes allowed for the selected time (hour, day, week, or month). If the amount of data transferred during a single session is exceeded in the time, the traffic shaper blocks additional traffic until the time expires. Users attempting to connect through the FortiGate unit while blocked by the traffic quota see one of the traffic control quota replacement messages. See Traffic quota control replacement messages on page 236.
Generate Accounting Log  Enable to monitor and write accounting log messages that record the volume of traffic accepted by the traffic shaper. Select the log period: every Hour, Day, Week, or Month.
Firewall Virtual IP
Virtual IP addresses (VIPs) can be used when configuring firewall policies to translate IP addresses and ports of packets received by a network interface, including a modem interface. When the FortiGate unit receives inbound packets matching a firewall policy whose Destination Address field is a virtual IP, the FortiGate unit applies NAT, replacing the packets' IP addresses with the virtual IP's mapped IP address.

IP pools, similarly to virtual IPs, can be used to configure aspects of NAT; however, IP pools configure dynamic translation of packets' IP addresses based on the Destination Interface/Zone, whereas virtual IPs configure dynamic or static translation of a packet's IP addresses based upon the Source Interface/Zone. To implement the translation configured in the virtual IP or IP pool, you must add it to a NAT firewall policy. For details, see Configuring virtual IPs on page 426.
Note: In Transparent mode from the FortiGate CLI you can configure NAT firewall policies that include Virtual IPs and IP pools. See Adding NAT firewall policies in transparent mode on page 442.
If you enable virtual domains (VDOMs) on the FortiGate unit, firewall virtual IPs are configured separately for each virtual domain. For details, see Using virtual domains on page 125.

This section describes:
How virtual IPs map connections through FortiGate units
Viewing the virtual IP list
Configuring virtual IPs
Virtual IP Groups
Viewing the VIP group list
Configuring VIP groups
Configuring IP pools
Viewing the IP pool list
Configuring IP Pools
Double NAT: combining IP pool with virtual IP
Adding NAT firewall policies in transparent mode
Inbound connections
Virtual IPs can be used in conjunction with firewall policies whose Action is not DENY to apply bidirectional NAT, also known as inbound NAT.
When comparing packets with the firewall policy list to locate a matching policy, if a firewall policy's Destination Address is a virtual IP, the FortiGate unit compares the packet's destination address to the virtual IP's external IP address. If they match, the FortiGate unit applies the virtual IP's inbound NAT mapping, which specifies how the FortiGate unit translates network addresses and/or port numbers of packets from the receiving (external) network interface to the network interface connected to the destination (mapped) IP address or IP address range.

In addition to specifying IP address and port mappings between interfaces, virtual IP configurations can optionally bind an additional IP address or IP address range to the receiving network interface. By binding an additional IP address, you can configure a separate set of mappings that the FortiGate unit can apply to packets whose destination matches that bound IP address, rather than the IP address already configured for the network interface.

Depending on your configuration of the virtual IP, its mapping may involve port address translation (PAT), also known as port forwarding or network address port translation (NAPT), and/or network address translation (NAT) of IP addresses. If you configure NAT in the virtual IP and firewall policy, the NAT behavior varies by your selection of:
static vs. dynamic NAT mapping
the dynamic NAT's load balancing style, if using dynamic NAT mapping
full NAT vs. destination NAT (DNAT)
The following table describes combinations of PAT and/or NAT that are possible when configuring a firewall policy with a virtual IP.
Static NAT: Static, one-to-one NAT mapping: an external IP address is always translated to the same mapped IP address. If using IP address ranges, the external IP address range corresponds to a mapped IP address range containing an equal number of IP addresses, and each IP address in the external range is always translated to the same IP address in the mapped range.
Static NAT with Port Forwarding: Static, one-to-one NAT mapping with port forwarding: an external IP address is always translated to the same mapped IP address, and an external port number is always translated to the same mapped port number. If using IP address ranges, the external IP address range corresponds to a mapped IP address range containing an equal number of IP addresses, and each IP address in the external range is always translated to the same IP address in the mapped range. If using port number ranges, the external port number range corresponds to a mapped port number range containing an equal number of port numbers, and each port number in the external range is always translated to the same port number in the mapped range.
Server Load Balancing: Dynamic, one-to-many NAT mapping: an external IP address is translated to one of the mapped IP addresses, as determined by the selected load balancing algorithm for more even traffic distribution. The external IP address is not always translated to the same mapped IP address. Server load balancing requires that you configure at least one real server, but can use up to eight. Real servers can be configured with health check monitors. Health check monitors can be used to gauge server responsiveness before forwarding packets.
Server Load Balancing with Port Forwarding: Dynamic, one-to-many NAT mapping with port forwarding: an external IP address is translated to one of the mapped IP addresses, as determined by the selected load balancing algorithm for more even traffic distribution. The external IP address is not always translated to the same mapped IP address. Server load balancing requires that you configure at least one real server, but can use up to eight. Real servers can be configured with health check monitors. Health check monitors can be used to gauge server responsiveness before forwarding packets.
Note: If the NAT check box is not selected when building the firewall policy, the resulting policy does not perform full (source and destination) NAT; instead, it performs destination network address translation (DNAT). For inbound traffic, DNAT translates the packets' destination address to the mapped private IP address, but does not translate the source address. The private network is aware of the source's public IP address. For reply traffic, the FortiGate unit translates the packets' private network source IP address to match the destination address of the originating packets, which is maintained in the session table.
A typical example of static NAT is to allow client access from a public network to a web server on a private network that is protected by a FortiGate unit. Reduced to its essence, this example involves only three hosts, as shown in Figure 236: the web server on a private network, the client computer on another network, such as the Internet, and the FortiGate unit connecting the two networks. When a client computer attempts to contact the web server, it uses the virtual IP on the FortiGate unit's external interface. The FortiGate unit receives the packets. The addresses in the packets are translated to private network IP addresses, and the packet is forwarded to the web server on the private network.
Figure 236: A simple static NAT virtual IP example
The packets sent from the client computer have a source IP of 192.168.37.55 and a destination IP of 192.168.37.4. The FortiGate unit receives these packets at its external interface, and matches them to a firewall policy for the virtual IP. The virtual IP settings map 192.168.37.4 to 10.10.10.42, so the FortiGate unit changes the packets' addresses. The source address is changed to 10.10.10.2 and the destination is changed to 10.10.10.42. The FortiGate unit makes a note of this translation in the firewall session table it maintains internally. The packets are then sent on to the web server.
Figure 237: Example of packet address remapping during NAT from client to server
Note that the client computer's address does not appear in the packets the server receives. After the FortiGate unit translates the network addresses, there is no reference to the client computer's IP address, except in its session table. The web server has no indication that another network exists. As far as the server can tell, all packets are sent by the FortiGate unit.
When the web server replies to the client computer, address translation works similarly, but in the opposite direction. The web server sends its response packets with a source IP address of 10.10.10.42 and a destination IP address of 10.10.10.2. The FortiGate unit receives these packets on its internal interface. This time, however, the session table is used to recall the client computer's IP address as the destination address for the address translation. In the reply packets, the source address is changed to 192.168.37.4 and the destination is changed to 192.168.37.55. The packets are then sent on to the client computer. The web server's private IP address does not appear in the packets the client receives. After the FortiGate unit translates the network addresses, there is no reference to the web server's network. The client has no indication that the web server's IP address is not the virtual IP. As far as the client is concerned, the FortiGate unit's virtual IP is the web server.
Figure 238: Example of packet address remapping during NAT from server to client
In the previous example, the NAT check box is selected when configuring the firewall policy. If the NAT check box is not selected when building the firewall policy, the resulting policy does not perform full NAT; instead, it performs destination network address translation (DNAT). For inbound traffic, DNAT translates the packets' destination address to the mapped private IP address, but does not translate the source address. The web server would be aware of the client's IP address. For reply traffic, the FortiGate unit translates the packets' private network source IP address to match the destination address of the originating packets, which is maintained in the session table.
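To make the two behaviours concrete, the following is an added Python model (not FortiGate code) of the static NAT virtual IP walked through in Figures 236 to 238, using the same addresses: it rewrites the inbound packet, records the session, and restores the client address on the reply, once with the NAT check box selected (full NAT) and once without it (DNAT only).

```python
from dataclasses import dataclass

# Constructed values, taken from the guide's static NAT walk-through.
VIP_EXTERNAL = "192.168.37.4"   # virtual IP on the FortiGate external interface
VIP_MAPPED = "10.10.10.42"      # web server on the private network
INTERNAL_IF_IP = "10.10.10.2"   # FortiGate internal interface address
CLIENT = "192.168.37.55"        # client on the public network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class StaticNatVip:
    """Static NAT virtual IP as applied by an ACCEPT firewall policy.

    full_nat=True  models the policy with the NAT check box selected:
                   source and destination are both rewritten.
    full_nat=False models DNAT only: the destination is rewritten and the
                   client's source address is passed through to the server.
    The session table here is keyed on addresses only; a real unit keys
    on the full 5-tuple so many clients can share one translated source.
    """

    def __init__(self, external_ip, mapped_ip, internal_if_ip, full_nat=True):
        self.external_ip = external_ip
        self.mapped_ip = mapped_ip
        self.internal_if_ip = internal_if_ip
        self.full_nat = full_nat
        # (server-side dst, server-side src) -> original client address
        self.sessions = {}

    def inbound(self, pkt):
        """Translate a packet arriving on the external interface, or None
        if its destination is not this virtual IP's external address."""
        if pkt.dst != self.external_ip:
            return None
        new_src = self.internal_if_ip if self.full_nat else pkt.src
        translated = Packet(src=new_src, dst=self.mapped_ip)
        self.sessions[(translated.dst, translated.src)] = pkt.src
        return translated

    def reply(self, pkt):
        """Translate the server's reply using the session table, not the
        policy list; unknown sessions are dropped (None)."""
        original_client = self.sessions.get((pkt.src, pkt.dst))
        if original_client is None:
            return None
        return Packet(src=self.external_ip, dst=original_client)
```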
Outbound connections
Virtual IPs can also affect outbound NAT, even though they are not selected in an outbound firewall policy. If no virtual IPs are configured, FortiGate units apply traditional outbound NAT to connections outbound from private network IP addresses to public network IP addresses. However, if virtual IP configurations exist, FortiGate units use the virtual IPs' inbound NAT mappings in reverse to apply outbound NAT, so that IP address mappings for inbound and outbound traffic are symmetric. For example, if a network interface's IP address is 10.10.10.1, and its bound virtual IP's external IP is 10.10.10.2, mapping inbound traffic to the private network IP address 192.168.2.1, traffic outbound from 192.168.2.1 will be translated to 10.10.10.2, not 10.10.10.1.
Virtual IP, load balance virtual server and load balance real server limitations
The following limitations apply when adding virtual IPs, load balancing virtual servers, and load balancing real servers. Load balancing virtual servers are actually server load balancing virtual IPs. You can add server load balance virtual IPs from the CLI.
Virtual IP External IP Address/Range entries or ranges cannot overlap with each other or with load balancing virtual server Virtual Server IP entries.
A virtual IP Mapped IP Address/Range cannot be 0.0.0.0 or 255.255.255.255.
A real server IP cannot be 0.0.0.0 or 255.255.255.255.
If a static NAT virtual IP External IP Address/Range is 0.0.0.0, the Mapped IP Address/Range must be a single IP address.
If a load balance virtual IP External IP Address/Range is 0.0.0.0, the Mapped IP Address/Range can be an address range.
When port forwarding, the count of mapped port numbers and external port numbers must be the same. The web-based manager does this automatically but the CLI does not.
Virtual IP and virtual server names must be different from firewall address or address group names.
Create New: Select to add a virtual IP.
Name: The name of the virtual IP.
IP: The bound network interface and external IP address or IP address range, separated by a slash (/).
Service Port: The external port number or port number range. This field is empty if the virtual IP does not specify port forwarding.
Map to IP/IP Range: The mapped-to IP address or address range on the destination network.
Map to Port: The mapped-to port number or port number range. This field is empty if the virtual IP does not specify port forwarding.
Delete icon: Remove the virtual IP from the list. The Delete icon only appears if the virtual IP is not selected in a firewall policy.
Edit icon: Edit the virtual IP to change any virtual IP option, including the virtual IP name.
Name: Enter or change the name to identify the virtual IP. To avoid confusion, addresses, address groups, and virtual IPs cannot have the same names.
External Interface: Select the virtual IP external interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network. You can select any FortiGate interface, VLAN subinterface, VPN interface, or modem interface.
Type: VIP type is Static NAT, read only.
External IP Address/Range: Enter the external IP address that you want to map to an address on the destination network. To configure a dynamic virtual IP that accepts connections for any IP address, set the external IP address to 0.0.0.0. For a static NAT dynamic virtual IP you can only add one mapped IP address. For a load balance dynamic virtual IP you can specify a single mapped address or a mapped address range.
Mapped IP Address/Range: Enter the real IP address on the destination network to which the external IP address is mapped. You can also enter an address range to forward packets to multiple IP addresses on the destination network. For a static NAT virtual IP, if you add a mapped IP address range the FortiGate unit calculates the external IP address range and adds the IP address range to the External IP Address/Range field.
Port Forwarding: This option appears only if Type is Static NAT. Select to perform port address translation (PAT).
Protocol: Select the protocol of the forwarded packets. This option appears only if Port Forwarding is enabled.
External Service Port: Enter the external interface port number for which you want to configure port forwarding. This option appears only if Port Forwarding is enabled.
Map to Port: Enter the port number on the destination network to which the external port number is mapped. You can also enter a port number range to forward packets to multiple ports on the destination network. For a virtual IP with static NAT, if you add a map to port range the FortiGate unit calculates the external port number range and adds the port number range to the External Service Port field. This option appears only if Port Forwarding is enabled.
To configure a virtual IP
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Configure the virtual IP by entering the virtual IP address, if any, that will be bound to the network interface, and selecting the mapping type and mapped IP address(es) and/or port(s). For configuration examples of each type, see:
Adding a static NAT virtual IP for a single IP address on page 428
Adding a static NAT virtual IP for an IP address range on page 429
Adding static NAT port forwarding for a single IP address and a single port on page 431
Adding static NAT port forwarding for an IP address range and a port range on page 432
Adding dynamic virtual IPs on page 434
Adding a virtual IP with port translation only on page 435
4 Select OK. The virtual IP appears in the virtual IP list.
5 To implement the virtual IP, select the virtual IP in a firewall policy. For example, to add a firewall policy that maps public network addresses to a private network, you might add an external to internal firewall policy and select the Source Interface/Zone to which a virtual IP is bound, then select the virtual IP in the Destination Address field of the policy. For details, see Configuring firewall policies on page 367.
[Figure (caption not captured) labels: Server IP 10.10.10.42, Internal IP 10.10.10.2, Virtual IP 192.168.37.4, Client IP 192.168.37.55]
To add a static NAT virtual IP for a single IP address
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Use the following procedure to add a virtual IP that allows users on the Internet to connect to a web server on the DMZ network. In our example, the wan1 interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network.
Figure 243: Virtual IP options: static NAT virtual IP for a single IP address
Name: static_NAT
Type: Static NAT
External IP Address/Range: The Internet IP address of the web server. The external IP address is usually a static IP address obtained from your ISP for your web server. This address must be a unique IP address that is not used by another host and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP address must be routed to the selected interface. The virtual IP address and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP address.
Mapped IP Address/Range: The IP address of the server on the internal network. Since there is only one IP address, leave the second field blank.
4 Select OK.
To add a static NAT virtual IP for a single IP address to a firewall policy
Add an external to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the web server IP address, packets pass through the FortiGate unit from the external interface to the dmz1 interface. The virtual IP translates the destination address of these packets from the external IP to the DMZ network IP address of the web server.
1 Go to Firewall > Policy and select Create New.
2 Configure the firewall policy:
Source Interface/Zone: external
Source Address: All (or a more specific address)
Destination Interface/Zone: dmz1
Destination Address: simple_static_nat
Schedule: always
Service: HTTP
Action: ACCEPT
[Figure (caption not captured) labels: clients on the Internet with Source IP 172.168.37.55 to Destination IP 192.168.37.4, Source IP 172.20.37.126 to Destination IP 192.168.37.5, Source IP 172.199.190.25 to Destination IP 192.168.37.6]
To add a static NAT virtual IP for an IP address range
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Use the following procedure to add a virtual IP that allows users on the Internet to connect to three individual web servers on the DMZ network. In this example, the wan1 interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network.
Figure 245: Virtual IP options: static NAT virtual IP with an IP address range
Name: static_NAT_range
External Interface: wan1
Type: Static NAT
External IP Address/Range: The Internet IP address range of the web servers. The external IP addresses are usually static IP addresses obtained from your ISP for your web servers. These addresses must be unique IP addresses that are not used by another host and cannot be the same as the IP addresses of the external interface the virtual IP will be using. However, the external IP addresses must be routed to the selected interface. The virtual IP addresses and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP addresses.
Mapped IP Address/Range: The IP address range of the servers on the internal network. Define the range by entering the first address of the range in the first field and the last address of the range in the second field.
4 Select OK.
To add a static NAT virtual IP with an IP address range to a firewall policy
Add a wan1 to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the server IP addresses, packets pass through the FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the destination addresses of these packets from the wan1 IP to the DMZ network IP addresses of the servers.
1 Go to Firewall > Policy and select Create New.
2 Configure the firewall policy:
Source Interface/Zone: wan1
Source Address: All (or a more specific address)
Destination Interface/Zone: dmz1
Destination Address: static_NAT_range
Schedule: always
Service: HTTP
Action: ACCEPT
Adding static NAT port forwarding for a single IP address and a single port
The IP address 192.168.37.4, port 80 on the Internet is mapped to 10.10.10.42, port 8000 on a private network. Attempts to communicate with 192.168.37.4, port 80 from the Internet are translated and sent to 10.10.10.42, port 8000 by the FortiGate unit. The computers on the Internet are unaware of this translation and see a single computer at 192.168.37.4, port 80 rather than a FortiGate unit with a private network behind it.
Figure 246: Static NAT virtual IP port forwarding for a single IP address and a single port example
[Figure 246 labels: Server IP 10.10.10.42, Internal IP 10.10.10.2, Virtual IP 192.168.37.4, Client IP 192.168.37.55]
To add static NAT virtual IP port forwarding for a single IP address and a single port
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Use the following procedure to add a virtual IP that allows users on the Internet to connect to a web server on the DMZ network. In our example, the wan1 interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network.
Figure 247: Virtual IP options: Static NAT port forwarding virtual IP for a single IP address and a single port
Name: Port_fwd_NAT_VIP
External Interface: wan1
Type: Static NAT
External IP Address/Range: The Internet IP address of the web server. The external IP address is usually a static IP address obtained from your ISP for your web server. This address must be a unique IP address that is not used by another host and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP address must be routed to the selected interface. The virtual IP address and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP address.
Mapped IP Address/Range: The IP address of the server on the internal network. Since there is only one IP address, leave the second field blank.
Port Forwarding: Selected
Protocol: TCP
External Service Port: The port traffic from the Internet will use. For a web server, this will typically be port 80.
Map to Port: The port on which the server expects traffic. Since there is only one port, leave the second field blank.
4 Select OK.
To add static NAT virtual IP port forwarding for a single IP address and a single port to a firewall policy
Add a wan1 to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the web server IP addresses, packets pass through the FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the destination addresses and ports of these packets from the external IP to the DMZ network IP addresses of the web servers.
1 Go to Firewall > Policy and select Create New.
2 Configure the firewall policy:
Source Interface/Zone: wan1
Source Address: All (or a more specific address)
Destination Interface/Zone: dmz1
Destination Address: Port_fwd_NAT_VIP
Schedule: always
Service: HTTP
Action: ACCEPT
Adding static NAT port forwarding for an IP address range and a port range
Ports 80 to 83 of addresses 192.168.37.4 to 192.168.37.7 on the Internet are mapped to ports 8000 to 8003 of addresses 10.10.10.42 to 10.10.10.44 on a private network. Attempts to communicate with 192.168.37.5, port 82 from the Internet, for example, are translated and sent to 10.10.10.43, port 8002 by the FortiGate unit. The computers on the Internet are unaware of this translation and see a single computer at 192.168.37.5 rather than a FortiGate unit with a private network behind it.
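As an added example (not from the guide), the offset arithmetic behind a static NAT virtual IP with an IP address range and a port range, in Python. The ranges are constructed: three external addresses 192.168.37.4 to 192.168.37.6 mapped to 10.10.10.42 to 10.10.10.44 and ports 80 to 83 mapped to 8000 to 8003, so the counts on each side match as the limitations above require; the constructor rejects a mismatched pair the way the web-based manager does, since the CLI does not check it. The reverse mapping shows the symmetric outbound translation described under Outbound connections.

```python
import ipaddress


def _count(first, last):
    """Number of values in an inclusive range; error if the range is reversed."""
    if last < first:
        raise ValueError(f"range end {last} is before its start {first}")
    return int(last) - int(first) + 1


class StaticNatRangeVip:
    """Static NAT virtual IP with an IP address range and a port range.

    Translation is by offset: the n-th external address maps to the n-th
    mapped address, and the n-th external port to the n-th mapped port.
    """

    def __init__(self, ext_ips, mapped_ips, ext_ports=None, mapped_ports=None):
        self.ext_first = ipaddress.IPv4Address(ext_ips[0])
        self.ext_last = ipaddress.IPv4Address(ext_ips[1])
        self.map_first = ipaddress.IPv4Address(mapped_ips[0])
        self.map_last = ipaddress.IPv4Address(mapped_ips[1])
        if _count(self.ext_first, self.ext_last) != _count(self.map_first, self.map_last):
            raise ValueError("external and mapped IP ranges must hold the same number of addresses")
        self.port_forwarding = ext_ports is not None
        if self.port_forwarding:
            self.ext_port_first, self.ext_port_last = ext_ports
            self.map_port_first, self.map_port_last = mapped_ports
            if _count(self.ext_port_first, self.ext_port_last) != _count(
                    self.map_port_first, self.map_port_last):
                raise ValueError("external and mapped port ranges must hold the same number of ports")

    def matches(self, dst_ip, dst_port=None):
        """True if a packet to (dst_ip, dst_port) is handled by this VIP."""
        ip = ipaddress.IPv4Address(dst_ip)
        if not self.ext_first <= ip <= self.ext_last:
            return False
        if self.port_forwarding:
            return self.ext_port_first <= dst_port <= self.ext_port_last
        return True

    def inbound(self, dst_ip, dst_port=None):
        """Translate an external (ip, port) to the mapped (ip, port), or None."""
        if not self.matches(dst_ip, dst_port):
            return None
        offset = int(ipaddress.IPv4Address(dst_ip)) - int(self.ext_first)
        mapped_ip = str(self.map_first + offset)
        if not self.port_forwarding:
            return (mapped_ip, dst_port)
        return (mapped_ip, self.map_port_first + (dst_port - self.ext_port_first))

    def outbound(self, src_ip, src_port=None):
        """Reverse mapping applied to traffic leaving a mapped host, so that
        inbound and outbound translation are symmetric; None if not mapped."""
        ip = ipaddress.IPv4Address(src_ip)
        if not self.map_first <= ip <= self.map_last:
            return None
        offset = int(ip) - int(self.map_first)
        ext_ip = str(self.ext_first + offset)
        if (self.port_forwarding and src_port is not None
                and self.map_port_first <= src_port <= self.map_port_last):
            return (ext_ip, self.ext_port_first + (src_port - self.map_port_first))
        return (ext_ip, src_port)


def ranges_consistent(ext_ips, mapped_ips, ext_ports=None, mapped_ports=None):
    """True if a virtual IP with these ranges would be accepted."""
    try:
        StaticNatRangeVip(ext_ips, mapped_ips, ext_ports, mapped_ports)
    except ValueError:
        return False
    return True
```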
Figure 248: Static NAT virtual IP port forwarding for an IP address range and a port range example
To add static NAT virtual IP port forwarding for an IP address range and a port range
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Use the following procedure to add a virtual IP that allows users on the Internet to connect to a web server on the DMZ network. In this example, the external interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network.
Figure 249: Virtual IP options: Static NAT port forwarding virtual IP for a range of IP addresses and a range of ports
Name: Port_fwd_NAT_VIP_port_range
External Interface: external
Type: Static NAT
External IP Address/Range: The external IP addresses are usually static IP addresses obtained from your ISP. These addresses must be unique, not used by another host, and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP addresses must be routed to the selected interface. The virtual IP addresses and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP addresses.
Mapped IP Address/Range: The IP addresses of the servers on the internal network. Define the range by entering the first address of the range in the first field and the last address of the range in the second field.
Port Forwarding: Selected
Protocol: TCP
External Service Port: The ports that traffic from the Internet will use. For a web server, this will typically be port 80.
Map to Port: The ports on which the server expects traffic. Define the range by entering the first port of the range in the first field and the last port of the range in the second field. If there is only one port, leave the second field blank.
4 Select OK.
To add static NAT virtual IP port forwarding for an IP address range and a port range to a firewall policy
Add an external to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the web server IP addresses, packets pass through the FortiGate unit from the external interface to the dmz1 interface. The virtual IP translates the destination addresses and ports of these packets from the external IP to the DMZ network IP addresses of the web servers.
1 Go to Firewall > Policy and select Create New.
2 Configure the firewall policy:
Source Interface/Zone: external
Source Address: All (or a more specific address)
Destination Interface/Zone: dmz1
Destination Address: Port_fwd_NAT_VIP_port_range
Schedule: always
Service: HTTP
Action: ACCEPT
7 Select Port Forwarding.
8 For Protocol, select TCP.
9 Enter the External Service Port number for which to configure dynamic port forwarding. The external service port number must match the destination port of the packets to be forwarded. For example, if the virtual IP provides PPTP passthrough access from the Internet to a PPTP server, the external service port number should be 1723 (the PPTP port).
10 Enter the Map to Port number to be added to packets when they are forwarded. Enter the same number as the External Service Port if the port is not to be translated.
11 Select OK.
To add a virtual IP with port translation only
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Enter a name for the dynamic virtual IP.
4 Select the virtual IP External Interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network. Select any firewall interface or a VLAN subinterface.
5 Set the External IP Address as the mapped IP address.
6 Enter the Mapped IP Address to which to map the external IP address. For example, the IP address of a PPTP server on an internal network.
7 Select Port Forwarding.
8 For Protocol, select TCP.
9 Enter the External Service Port number for which to configure dynamic port forwarding. The external service port number must match the destination port of the packets to be forwarded. For example, if the virtual IP provides PPTP passthrough access from the Internet to a PPTP server, the external service port number should be 1723 (the PPTP port).
10 Enter the Map to Port number to be added to packets when they are forwarded.
11 Select OK.
To disable arp-reply
In some cases, when you have completed this configuration the FortiGate unit will drop the packets received on the External Interface. To make sure this does not happen, you can log into the FortiGate CLI and use the following procedure to disable ARP replies for the port translation only virtual IP.
1 Log into the FortiGate CLI.
2 Enter the following command, where <vip_name> is the name of the port translation only virtual IP.
    config firewall vip
        edit <vip_name>
            set arp-reply disable
        end
Virtual IP Groups
You can organize multiple virtual IPs into a virtual IP group to simplify your firewall policy list. For example, instead of having five identical policies for five different but related virtual IPs located on the same network interface, you might combine the five virtual IPs into a single virtual IP group, which is used by a single firewall policy. Firewall policies using VIP Groups are matched by comparing both the member VIP IP address(es) and port number(s).
Create New: Select to add a new VIP group. See Configuring VIP groups on page 436.
Group Name: The name of the virtual IP group.
Members: Lists the group members.
Interface: Displays the interface that the VIP group belongs to.
Delete icon: Remove the VIP group from the list. The Delete icon only appears if the VIP group is not being used in a firewall policy.
Edit icon: Edit the VIP group information, including the group name and membership.
Group Name: Enter or modify the group name.
Interface: Select the interface for which you want to create the VIP group. If you are editing the group, the Interface box is grayed out.
Available VIPs / Members: Select the up or down arrow to move virtual IPs between Available VIPs and Members. Members contains virtual IPs that are a part of this virtual IP group.
Configuring IP pools
Use IP pools to add NAT policies that translate source addresses to addresses randomly selected from the IP pool, rather than the IP address assigned to that FortiGate unit interface. In Transparent mode, IP pools are available only from the FortiGate CLI.
An IP pool defines a single IP address or a range of IP addresses. A single IP address in an IP pool becomes a range of one IP address. For example, if you enter an IP pool as 1.1.1.1 the IP pool is actually the address range 1.1.1.1 to 1.1.1.1.
If a FortiGate interface IP address overlaps with one or more IP pool address ranges, the interface responds to ARP requests for all of the IP addresses in the overlapping IP pools. For example, consider a FortiGate unit with the following IP addresses for the port1 and port2 interfaces:
port1 IP address: 1.1.1.1/255.255.255.0 (range is 1.1.1.0-1.1.1.255)
port2 IP address: 2.2.2.2/255.255.255.0 (range is 2.2.2.0-2.2.2.255)
IP_pool_1: 1.1.1.10-1.1.1.20
IP_pool_2: 2.2.2.10-2.2.2.20
IP_pool_3: 2.2.2.30-2.2.2.40
The port1 interface overlap IP range with IP_pool_1 is:
(1.1.1.0-1.1.1.255) & (1.1.1.10-1.1.1.20) = 1.1.1.10-1.1.1.20
The port2 interface overlap IP range with IP_pool_2 is:
(2.2.2.0-2.2.2.255) & (2.2.2.10-2.2.2.20) = 2.2.2.10-2.2.2.20
The port2 interface overlap IP range with IP_pool_3 is:
(2.2.2.0-2.2.2.255) & (2.2.2.30-2.2.2.40) = 2.2.2.30-2.2.2.40
And the result is:
The port1 interface answers ARP requests for 1.1.1.10-1.1.1.20
The port2 interface answers ARP requests for 2.2.2.10-2.2.2.20 and for 2.2.2.30-2.2.2.40
In a firewall policy, select NAT, then select Dynamic IP Pool and choose an IP pool, to translate the source address of packets leaving the FortiGate unit to an address randomly selected from that IP pool.
Scenario 2: The number of source addresses is more than that of IP pool addresses
In this case, the FortiGate unit translates IP addresses using a wrap-around mechanism. If you enable fixedport in such a case, the FortiGate unit preserves the original source port, but conflicts may occur because sessions from different users may end up with the same TCP 5-tuple.
Original address    Change to
192.168.1.1         172.16.30.10
192.168.1.2         172.16.30.11
......              ......
192.168.1.10        172.16.30.19
192.168.1.11        172.16.30.10
192.168.1.12        172.16.30.11
192.168.1.13        172.16.30.12
......              ......
Scenario 3: The number of source addresses is fewer than that of IP pool addresses
In this case, some of the IP pool addresses are used and the rest of them are not used.
Original address            Change to
192.168.1.1                 172.16.30.10
192.168.1.2                 172.16.30.11
192.168.1.3                 172.16.30.12
No more source addresses    172.16.30.13 and other addresses are not used
Create New: Select to add an IP pool.
Name: The name of the IP pool. Select this name in a firewall policy.
Start IP: Defines the start of the IP pool address range.
End IP: Defines the end of the IP pool address range.
Delete icon: Select to remove the entry from the list. The Delete icon only appears if the IP pool is not being used in a firewall policy.
Edit icon: Select to edit the IP pool. You can change the Name, Interface, and IP Range/Subnet.
Configuring IP Pools
To add an IP pool, go to Firewall > Virtual IP > IP Pool.
Figure 253: New Dynamic IP Pool
Name
IP Range/Subnet: Enter the IP address range for the IP pool. The IP range defines the start and end of an address range. The start of the range must be lower than the end of the range. The start and end of the IP range do not have to be on the same subnet as the IP address of the interface to which you are adding the IP pool.
A single IP address is entered normally. For example, 192.168.110.100 is a valid IP pool address. If an IP address range is required, use either of the following formats:
x.x.x.x-x.x.x.x, for example 192.168.110.100-192.168.110.120
x.x.x.[x-x], for example 192.168.110.[100-120]
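The following added Python example (not FortiGate code) ties together the IP pool behaviour described above: it parses the three entry formats just listed, computes which pool addresses an interface answers ARP for using the port1/port2 example under Configuring IP pools, walks the pool with the wrap-around of scenario 2 and the unused tail of scenario 3, and flags the 5-tuple collisions that fixedport can produce. The session list and the 203.0.113.7 destination are constructed sample data.

```python
import ipaddress
import re

# Matches the x.x.x.[x-x] form; group 1 keeps the trailing dot.
_BRACKET = re.compile(r"^(\d+\.\d+\.\d+\.)\[(\d+)-(\d+)\]$")


def parse_ip_pool(spec):
    """Parse an IP pool entry into (first, last) IPv4Address objects.

    Accepts a single address (a range of one), x.x.x.x-x.x.x.x and
    x.x.x.[x-x]. The start of the range must not be above the end.
    """
    spec = spec.strip()
    m = _BRACKET.match(spec)
    if m:
        prefix, lo, hi = m.groups()
        first, last = ipaddress.IPv4Address(prefix + lo), ipaddress.IPv4Address(prefix + hi)
    elif "-" in spec:
        a, b = spec.split("-", 1)
        first, last = ipaddress.IPv4Address(a), ipaddress.IPv4Address(b)
    else:
        first = last = ipaddress.IPv4Address(spec)
    if last < first:
        raise ValueError("start of the range must be lower than the end")
    return first, last


def arp_overlap(interface_addr, pool_spec):
    """Pool addresses that fall inside the interface subnet, as (first, last)
    strings. The interface answers ARP requests for exactly these addresses.
    Returns None when the pool lies entirely outside the subnet."""
    net = ipaddress.IPv4Network(interface_addr, strict=False)
    first, last = parse_ip_pool(pool_spec)
    lo = max(first, net.network_address)
    hi = min(last, net.broadcast_address)
    if hi < lo:
        return None
    return str(lo), str(hi)


def assign_pool_addresses(sources, pool_spec):
    """Walk the pool in order as scenarios 2 and 3 show (the guide's general
    description is random selection): wrap around when there are more
    sources than pool addresses, leave the tail unused when there are fewer.
    Returns {source: translated address}."""
    first, last = parse_ip_pool(pool_spec)
    size = int(last) - int(first) + 1
    return {src: str(first + (i % size)) for i, src in enumerate(sources)}


def fixedport_conflicts(assignment, sessions):
    """With fixedport the source port is kept, so two sources sharing a pool
    address and a source port collide on one translated 5-tuple.
    sessions: list of (src_ip, src_port, dst_ip, dst_port, proto).
    Returns the translated 5-tuples claimed by more than one session."""
    seen = {}
    for src_ip, src_port, dst_ip, dst_port, proto in sessions:
        key = (assignment[src_ip], src_port, dst_ip, dst_port, proto)
        seen.setdefault(key, []).append(src_ip)
    return [key for key, owners in seen.items() if len(owners) > 1]
```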
[Figure (caption not captured) labels: 10.1.2.0/24, Internal 10.1.3.0/16, External, Internet, DMZ 172.16.1.2]
To allow the local users to access the server, you can use fixed port and an IP pool to allow more than one user connection, while using a virtual IP to translate the destination port from 8080 to 80.
To create an IP pool
1 Go to Firewall > Virtual IP > IP Pool.
2 Select Create New.
3 Enter the following information and select OK.
Name pool-1
IP Range/Subnet 10.1.3.1-10.1.3.254
To create a Virtual IP with port translation only
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Enter the following information and select OK.
Name: server-1
External Interface: Internal
Type: Static NAT
External IP Address/Range: 172.16.1.1 (Note: this address is the same as the server address.)
Mapped IP Address/Range: 172.16.1.1
Port Forwarding: Enable
Protocol: TCP
External Service Port: 8080
Map to Port: 80
To create a firewall policy
Add an internal to dmz firewall policy that uses the virtual IP to translate the destination port number and the IP pool to translate the source addresses.
1 Go to Firewall > Policy.
2 Select Create New.
3 Configure the firewall policy:
Source Interface/Zone: internal
Source Address: 10.1.1.0/24
Destination Interface/Zone: dmz
Destination Address: server-1
Schedule: always
Service: HTTP
Action: ACCEPT
NAT: Select
Dynamic IP Pool: Select, and select the pool-1 IP pool.
4 Select OK.
For NAT firewall policies to work in NAT/Route mode you must have two interfaces on two different networks with two different subnet addresses. Then you can create firewall policies to translate source or destination addresses for packets as they are relayed by the FortiGate unit from one interface to the other.

A FortiGate unit operating in Transparent mode normally has only one IP address, the management IP. To support NAT in Transparent mode you can add a second management IP. These two management IPs must be on different subnets. When you add two management IP addresses, all FortiGate unit network interfaces will respond to connections to both of these IP addresses.

In the example shown in Figure 255, all of the PCs on the internal network (subnet address 192.168.1.0/24) are configured with 192.168.1.99 as their default route. One of the management IPs of the FortiGate unit is set to 192.168.1.99. This configuration results in a typical NAT mode firewall. When a PC on the internal network attempts to connect to the Internet, the PC's default route sends packets destined for the Internet to the FortiGate unit internal interface. Similarly, on the DMZ network (subnet address 10.1.1.0/24) all of the PCs have a default route of 10.1.1.99.
The example describes adding an internal to wan1 firewall policy to relay these packets from the internal interface out the wan1 interface to the Internet. Because the wan1 interface does not have an IP address of its own, you must add an IP pool to the wan1 interface that translates the source addresses of the outgoing packets to an IP address on the network connected to the wan1 interface. The example describes adding an IP pool with a single IP address of 10.1.1.201. So all packets sent by a PC on the internal network that are accepted by the internal to wan1 policy leave the wan1 interface with their source address translated to 10.1.1.201. These packets can now travel across the Internet to their destination. Reply packets return to the wan1 interface because they have a destination address of 10.1.1.201. The internal to wan1 NAT policy translates the destination address of these return packets to the IP address of the originating PC and sends them out the internal interface to the originating PC.

Use the following steps to configure NAT in Transparent mode:
   Adding two management IPs
   Adding an IP pool to the wan1 interface
   Adding an internal to wan1 firewall policy

Figure 255 (network diagram): Router on 10.1.1.0/24
To add a source address translation NAT policy in Transparent mode
1 Enter the following command to add two management IPs. The second management IP is the default gateway for the internal network.
   config system settings
       set manageip 10.1.1.99/24 192.168.1.99/24
   end
2 Enter the following command to add an IP pool to the wan1 interface:
   config firewall ippool
       edit nat-out
           set interface "wan1"
           set startip 10.1.1.201
           set endip 10.1.1.201
       end
3 Enter the following command to add an internal to wan1 firewall policy with NAT enabled that also includes an IP pool:
   config firewall policy
       edit 1
           set srcintf "internal"
           set dstintf "wan1"
           set srcaddr "all"
           set dstaddr "all"
           set action accept
           set schedule "always"
           set service "ANY"
           set nat enable
           set ippool enable
           set poolname nat-out
       end
Note: You can add the firewall policy from the web-based manager and then use the CLI to enable NAT and add the IP Pool.
Figure (server load balancing): Internet/Intranet User, FortiGate virtual server, Real Server.
Create New           Select to add virtual servers. For more information, see To create a virtual server on page 447.
Name                 Name of the virtual server.
Type                 The protocol load balanced by the virtual server.
Comments             A description of the virtual server.
Virtual Server IP    The IP address of the virtual server. This is an IP address on the external interface that you want to map to an address on the destination network.
Virtual Server Port  The external port number that you want to map to a port number on the destination network. Sessions with this destination port are load balanced by this virtual server.
Load Balance Method  The load balancing method for this virtual server.
Health Check         The health check monitor selected for this virtual server. For more information, see Health Check on page 450.
Persistence          The type of persistence applied to this virtual server.
Delete icon          Remove the virtual server from the list. The Delete icon only appears if the virtual server is not bound to a real server.
Edit icon            Edit the virtual server to change any virtual server option including the virtual server name.
To create a virtual server 1 Go to Firewall > Load Balance > Virtual Server > Create New.
Figure 258: Creating a virtual server
2 Enter the following information:
   Name    Enter the name for the virtual server. This name is not the hostname for the FortiGate unit.
   Type    Select the protocol to be load balanced by the virtual server. If you select a general protocol such as IP, TCP, or UDP the virtual server load balances all IP, TCP, or UDP sessions. If you select a specific protocol such as HTTP, HTTPS, or SSL you can apply additional server load balancing features such as Persistence and HTTP Multiplexing.
      HTTP: load balance only HTTP sessions with a destination port number that matches the Virtual Server Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced (usually port 80 for HTTP sessions). You can also select HTTP Multiplex, and you can set Persistence to HTTP Cookie to select cookie-based persistence. See the description of the config firewall vip command in the FortiGate CLI Reference for information about advanced HTTP Cookie persistence options.
      HTTPS: load balance only HTTPS sessions with a destination port number that matches the Virtual Server Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced (usually port 443 for HTTPS sessions). You can also select HTTP Multiplex, and you can set Persistence to HTTP Cookie or to SSL Session ID. See the description of the config firewall vip command in the FortiGate CLI Reference for information about advanced HTTP Cookie persistence options and advanced SSL options. HTTPS is available on FortiGate units that support SSL acceleration.
      IP: load balance all sessions accepted by the firewall policy that contains this virtual server.
      SSL: load balance only SSL sessions with a destination port number that matches the Virtual Server Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced. See the description of the config firewall vip command in the FortiGate CLI Reference for information about advanced SSL options.
      TCP: load balance only TCP sessions with a destination port number that matches the Virtual Server Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced.
      UDP: load balance only UDP sessions with a destination port number that matches the Virtual Server Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced.
   Interface            Select the virtual server external interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network.
   Virtual Server IP    The IP address of the virtual server. This is an IP address on the external interface that you want to map to an address on the destination network.
   Virtual Server Port  Enter the external port number that you want to map to a port number on the destination network. Sessions with this destination port are load balanced by this virtual server.
   Load Balance Method  Load balancing methods include:
      Static: The traffic load is spread evenly across all servers; no additional server is required. This load balancing method provides some persistence because all sessions from the same source address always go to the same server. However, the distribution is stateless, so if a real server is added or removed (or goes up or down) the distribution changes and persistence is lost. Separate real servers are not required.
      Round Robin: Directs requests to the next server, and treats all servers as equals regardless of response time or number of connections. Dead or non-responsive servers are avoided. A separate server is required.
      Weighted: Servers with a higher weight value receive a larger percentage of connections. Set the server weight when adding a server.
      First Alive: Always directs requests to the first alive real server. Here "first" refers to the order of the real servers in the virtual server configuration. For example, if you add real servers A, B and C in that order, traffic always goes to A as long as it is alive. If A goes down, traffic goes to B, and if B also goes down, traffic goes to C. When A comes back up, traffic returns to A. Real servers are ordered in the virtual server configuration in the order in which you add them, with the most recently added real server last. To change the order you must delete and re-add real servers as required.
      Least RTT: Directs requests to the server with the least round trip time. The round trip time is determined by a Ping health check monitor and defaults to 0 if no Ping health check monitor is added to the virtual server.
      Least Session: Directs requests to the server that has the least number of current connections. This method works best in environments where the servers or other equipment you are load balancing have similar capabilities.
   Persistence  Configure persistence to make sure that a user is connected to the same server every time they make a request that is part of the same session. When you configure persistence, the FortiGate unit load balances a new session to a real server according to the Load Balance Method. If the session has an HTTP cookie or an SSL session ID, the FortiGate unit sends all subsequent sessions with the same HTTP cookie or SSL session ID to the same real server. You can configure persistence if Type is set to HTTP, HTTPS, or SSL.
      None: no persistence. Sessions are distributed solely according to the Load Balance Method. Setting Load Balance Method to Static (the default) results in behavior equivalent to persistence. See the description of Load Balance Method for more information.
      HTTP Cookie: all HTTP or HTTPS sessions with the same HTTP session cookie are sent to the same real server. HTTP Cookie is available if Type is set to HTTP or HTTPS. See the description of the config firewall vip command in the FortiGate CLI Reference for information about advanced HTTP Cookie persistence options.
      SSL Session ID: all sessions with the same SSL session ID are sent to the same real server. SSL Session ID is available if Type is set to HTTPS or SSL.
      Note: The Static load balancing method provides persistence as long as the number of real servers does not change.
   HTTP Multiplexing  Select to use the FortiGate unit to multiplex multiple client connections into a few connections between the FortiGate unit and the real server. This can improve performance by reducing server overhead associated with establishing multiple connections. The server must be HTTP/1.1 compliant. This option appears only if HTTP or HTTPS is selected for Type.
      Note: Additional HTTP Multiplexing options are available in the CLI. For more information, see the FortiGate CLI Reference.
   Preserve Client IP  Select to preserve the IP address of the client in the X-Forwarded-For HTTP header. This is useful if you want log messages on the real servers to show the client's original IP address. If this option is not selected, the header contains the IP address of the FortiGate unit. This option appears only if HTTP or HTTPS is selected for Type, and is available only if HTTP Multiplexing is selected. Because any client can send its own X-Forwarded-For header, the real servers should trust this header only on connections that arrive from the FortiGate unit.
   SSL Offloading  Select to accelerate clients' SSL connections to the server by using the FortiGate unit to perform SSL operations, then select which segments of the connection receive SSL offloading.
      Client <-> FortiGate: apply hardware accelerated SSL only to the part of the connection between the client and the FortiGate unit. The segment between the FortiGate unit and the server uses clear text communications. This gives the best performance, but cannot be used in failover configurations where the failover path does not have an SSL accelerator. With this option the network between the FortiGate unit and the server carries the decrypted traffic, so that network must be trusted.
      Client <-> FortiGate <-> Server: apply hardware accelerated SSL to both parts of the connection: the segment between the client and the FortiGate unit, and the segment between the FortiGate unit and the server. The segment between the FortiGate unit and the server uses encrypted communications, but the handshakes are abbreviated. Performance is lower than with the other option, but still improved over communications without SSL acceleration, and this option can be used in failover configurations where the failover path does not have an SSL accelerator. If the server is already configured to use SSL, this also enables SSL acceleration without requiring changes to the server's configuration.
      SSL 3.0 and TLS 1.0 are supported (both protocol versions have since been deprecated; see RFC 7568 and RFC 8996). SSL Offloading appears only if HTTPS or SSL is selected for Type, and only on FortiGate models with hardware that supports SSL acceleration.
      Note: Additional SSL Offloading options are available in the CLI. For more information, see the FortiGate CLI Reference.
   Certificate   Select the certificate to use with SSL Offloading. The certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported. This option appears only if HTTPS or SSL is selected for Type, and is available only if SSL Offloading is selected.
   Health Check  Select which health check monitor configuration will be used to determine a server's connectivity status. For information on configuring health check monitors, see Configuring health check monitors on page 451.
   Comments      Any comments or notes about this virtual server.
3 Select OK.
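The Load Balance Method and Persistence descriptions above are easier to reason about with a runnable model. The following is an added example, not FortiGate code and not from this guide: a Python scheduler that implements the six methods over a list of real servers carrying the state the FortiGate unit tracks (alive, weight, RTT, active sessions, Maximum Connections), and a function that counts how many clients the Static method remaps when a real server is removed, which is the persistence loss the note warns about. The hash used for Static (SHA-256 of the source address) and the server and client addresses are this model's assumptions; the FortiGate unit's own hash is not documented here.

```python
import hashlib

# Added example (not FortiGate code): a model of the server load balancing
# methods and of the persistence behaviour of the Static method.


class RealServer:
    def __init__(self, ip, port=80, weight=1, max_conn=0, rtt=0.0):
        self.ip, self.port, self.weight = ip, port, weight
        self.max_conn = max_conn        # 0 = unlimited, as in the GUI
        self.rtt = rtt                  # from a Ping monitor; 0 if none
        self.alive = True               # set by the health check monitor
        self.sessions = 0

    def accepting(self):
        return self.alive and (self.max_conn == 0 or self.sessions < self.max_conn)


class VirtualServer:
    METHODS = ("static", "round-robin", "weighted", "first-alive",
               "least-rtt", "least-session")

    def __init__(self, method, servers):
        assert method in self.METHODS, method
        self.method = method
        self.servers = list(servers)    # order of addition matters for first-alive
        self._rr = 0                    # round-robin / weighted cursor

    def candidates(self):
        """Alive servers that have not reached Maximum Connections."""
        return [s for s in self.servers if s.accepting()]

    def pick(self, client_ip):
        alive = self.candidates()
        if not alive:
            return None
        if self.method == "static":
            # Stateless hash of the source address (assumed SHA-256): the same
            # client lands on the same server until the candidate list changes.
            h = int(hashlib.sha256(client_ip.encode()).hexdigest(), 16)
            return alive[h % len(alive)]
        if self.method == "round-robin":
            s = alive[self._rr % len(alive)]
            self._rr += 1
            return s
        if self.method == "weighted":
            ring = [s for s in alive for _ in range(s.weight)]   # weight = share
            s = ring[self._rr % len(ring)]
            self._rr += 1
            return s
        if self.method == "first-alive":
            return alive[0]
        if self.method == "least-rtt":
            return min(alive, key=lambda s: s.rtt)
        return min(alive, key=lambda s: s.sessions)           # least-session

    def dispatch(self, client_ip):
        """Assign a new session and account for it on the chosen server."""
        s = self.pick(client_ip)
        if s is not None:
            s.sessions += 1
        return s


def static_remapped(clients, servers_before, servers_after):
    """Clients that move to a different server when the real server set changes
    under the Static method: the persistence loss described in the guide."""
    before = VirtualServer("static", servers_before)
    after = VirtualServer("static", servers_after)
    return sum(1 for c in clients if before.pick(c) is not after.pick(c))


if __name__ == "__main__":
    # Constructed real servers and clients.
    a, b, c = RealServer("10.10.10.1"), RealServer("10.10.10.2", weight=2), RealServer("10.10.10.3", weight=3)
    clients = [f"192.0.2.{i}" for i in range(1, 21)]
    print("clients remapped when 10.10.10.3 is removed:",
          static_remapped(clients, [a, b, c], [a, b]))
```

Removing one server from three reassigns roughly two thirds of the clients under a modulo hash, which is why the guide recommends HTTP Cookie or SSL Session ID persistence rather than relying on Static when a session must survive a server change.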
Create New           Select to add real servers. For more information, see To create a real server on page 451.
Virtual server name  Select the blue arrow beside a virtual server name to view the IP addresses of the real servers that are bound to it.
IP Address           The IP address of the real server.
Port                 The port number on the destination network to which the external port number is mapped.
Weight               The weight value of the real server. The higher the weight value, the higher the percentage of connections the server will handle.
Maximum Connections  The limit on the number of active connections directed to a real server. If the maximum number of connections is reached for the real server, the FortiGate unit automatically switches all further connection requests to another server until the connection number drops below the specified limit.
Delete               Remove the real server from the list.
Edit                 Edit the real server to change any real server option.
To create a real server 1 Go to Firewall > Load Balance > Real Server > Create New.
Figure 260: Creating a real server
2 Enter the following information:
   Maximum Connections  Enter the limit on the number of active connections directed to a real server. A range of 1-99999 can be used. If the maximum number of connections is reached for the real server, the FortiGate unit automatically switches all further connection requests to another server until the connection number drops below the specified limit. Setting Maximum Connections to 0 means that the FortiGate unit does not limit the number of connections to the real server.
3 Select OK.
Create New  Select to add a health check monitor configuration. For more information, see To create a health check monitor configuration on page 452.
Name        The name of the health check monitor configuration. The names are grouped by health check monitor type.
Details     The details of the health check monitor configuration, which vary by the type of the health check monitor, and do not include the interval, timeout, or retry, which are settings common to all types. This field is empty if the type of the health check monitor is PING.
Delete      Select to remove the health check monitor configuration. This option appears only if the health check monitor configuration is not currently being used by a virtual server configuration.
Edit        Select to change the health check monitor configuration.
To create a health check monitor configuration
1 Go to Firewall > Load Balance > Health Check Monitor > Create New.
Figure 262: Creating a health check monitor
2 Enter the following information:
   Port
   URL              For HTTP health check monitors, add a URL that the FortiGate unit uses when sending a GET request to check the health of an HTTP server. The URL should match an actual URL on the real HTTP servers. The URL is optional. The URL would not usually include an IP address or domain name. Instead it should start with a / and be followed by the path of an actual web page on the real server. For example, if the IP address of the real server is 10.10.10.1, the URL /test_page.htm causes the FortiGate unit to send an HTTP GET request to http://10.10.10.1/test_page.htm. This option appears only if Type is HTTP.
   Matched Content  For HTTP health check monitors, add a phrase that a real HTTP server should include in its response to the GET request sent by the FortiGate unit to the URL option. If the URL returns a web page, the Matched Content should exactly match some of the text on the web page. You can use the URL and Matched Content options to verify that an HTTP server is actually operating correctly by responding to GET requests with the expected web pages. Matched Content is only required if you add a URL. For example, you can set Matched Content to server test page if the real HTTP server page defined by the URL option contains the phrase server test page. When the FortiGate unit receives the web page in response to the URL GET request, it searches the content of the web page for the Matched Content phrase. This option appears only if Type is HTTP.
   Interval         Enter the number of seconds between each server health check.
   Timeout          Enter the number of seconds which must pass after the server health check to indicate a failed health check.
   Retry            Enter the number of times, if any, a failed health check will be retried before the server is determined to be inaccessible.
3 Select OK.
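The following is an added example, not FortiGate code and not from this guide: a Python model of an HTTP health check monitor with the URL, Matched Content, Interval, Timeout and Retry settings described above, run against constructed responses. It shows the check that Matched Content adds over a plain GET (a server answering 200 with a maintenance page is still marked down) and how Retry delays the down decision. The HTTP request is delegated to a caller-supplied fetch function so the example runs offline; the assumptions that only a 200 response counts as healthy and that one good check restores a server are this model's, not the guide's.

```python
# Added example (not FortiGate code): model of an HTTP health check monitor.


class HealthMonitor:
    def __init__(self, url="", matched_content="", interval=10, timeout=2, retry=3):
        if matched_content and not url:
            raise ValueError("Matched Content needs a URL to request")
        self.url = url                      # e.g. "/index.html"; "" = no GET
        self.matched_content = matched_content
        self.interval = interval            # seconds between checks
        self.timeout = timeout              # seconds before a check fails
        self.retry = retry                  # retries before the server is down

    def probe(self, server_ip, fetch):
        """One health check.  True when the server answers in time with a 200
        page that contains the Matched Content phrase (if one is set)."""
        if not self.url:
            return True                     # no URL configured: nothing to check
        try:
            status, body = fetch(f"http://{server_ip}{self.url}", self.timeout)
        except Exception:                   # timeout, refused, reset: all failures
            return False
        if status != 200:                   # assumption of this model
            return False
        return self.matched_content in body

    def probes_before_down(self):
        """Consecutive failed checks needed to mark a server inaccessible:
        the failed check itself plus `retry` retries."""
        return self.retry + 1


class MonitoredServer:
    def __init__(self, ip):
        self.ip = ip
        self.alive = True
        self.failures = 0                   # consecutive failed checks

    def record(self, ok, monitor):
        if ok:
            self.failures = 0
            self.alive = True               # one good check restores it (assumed)
        else:
            self.failures += 1
            if self.failures >= monitor.probes_before_down():
                self.alive = False


def make_fetcher(responses):
    """Offline stand-in for an HTTP client.  `responses` maps a URL to either a
    (status, body) tuple or an Exception instance to raise (constructed data)."""
    def fetch(url, timeout):
        r = responses.get(url, ConnectionRefusedError(url))
        if isinstance(r, Exception):
            raise r
        return r
    return fetch


def run_cycle(monitor, servers, fetch):
    """One monitoring interval over all real servers; returns {ip: alive}."""
    for s in servers:
        s.record(monitor.probe(s.ip, fetch), monitor)
    return {s.ip: s.alive for s in servers}


if __name__ == "__main__":
    mon = HealthMonitor("/index.html", "Fortinet products", interval=10, timeout=2, retry=3)
    responses = {                           # constructed sample responses
        "http://10.10.10.42/index.html": (200, "<h1>Fortinet products</h1>"),
        "http://10.10.10.43/index.html": (200, "<h1>Site under maintenance</h1>"),
        "http://10.10.10.44/index.html": TimeoutError("no answer within timeout"),
    }
    servers = [MonitoredServer(ip) for ip in ("10.10.10.42", "10.10.10.43", "10.10.10.44")]
    for n in range(1, 6):
        print(f"cycle {n}:", run_cycle(mon, servers, make_fetcher(responses)))
```

With Retry set to 3, a server is still in rotation after three consecutive failures and leaves it on the fourth, so a broken server can receive new sessions for roughly (Retry + 1) x Interval seconds; lower Retry and Interval when that window matters more than the risk of flapping.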
Virtual server addresses  The IP addresses of the existing virtual servers.
Real server addresses     The IP addresses of the existing real servers.
Health status             The health status according to the health check results for each real server. A green arrow means the server is up. A red arrow means the server is down.
Up/down time              Each real server's up and down times.
Active sessions           Each real server's active sessions.
RTT                       The Round Trip Time of each real server. By default, the RTT is <1. This value changes only when ping monitoring is enabled on a real server.
Traffic processed         The traffic processed by each real server.
Stop/start                Select to start or stop real servers. When stopping a server, the FortiGate unit does not accept new sessions but waits for the active sessions to finish.
To add an HTTP health check monitor
In this example, the HTTP health check monitor includes the URL /index.html and the Matched Content Fortinet products.
1 Go to Firewall > Load Balance > Health Check Monitor.
2 Select Create New.
3 Add an HTTP health check monitor that sends GET requests to http://<real_server_IP_address>/index.html and searches the returned web page for the phrase Fortinet products.
4 Select OK.

To add the HTTP virtual server
1 Go to Firewall > Load Balance > Virtual Server.
2 Select Create New.
3 Add an HTTP virtual server that allows users on the Internet to connect to the real servers on the internal network. In this example, the FortiGate wan1 interface is connected to the Internet.
   Name                 Load_Bal_VS1
   Type                 HTTP
   Interface            wan1
   Virtual Server IP    192.168.37.4
                        The public IP address of the web server. The virtual server IP address is usually a static IP address obtained from your ISP for your web server. This address must be a unique IP address that is not used by another host and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP address must be routed to the selected interface. The virtual IP address and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP address.
   Virtual Server Port  80
   Load Balance Method  First Alive
   Persistence          HTTP cookie
   HTTP Multiplexing    Select. The FortiGate unit multiplexes multiple client connections into a few connections between the FortiGate unit and a real HTTP server. This can improve performance by reducing server overhead associated with establishing multiple connections.
   Preserve Client IP   Select. The FortiGate unit preserves the IP address of the client in the X-Forwarded-For HTTP header.
   Health Check         Move the HTTP_health_chk_1 health check monitor to the Selected list.
4 Select OK.

To add the real servers and associate them with the virtual server
1 Go to Firewall > Load Balance > Real Server.
2 Select Create New.
3 Configure three real servers that include the virtual server Load_Bal_VS1. Each real server must include the IP address of a real server on the internal network.
Figure 267: Configuration for the real server at IP address 10.10.10.42
   Weight               Cannot be configured because the virtual server does not include weighted load balancing.
   Maximum Connections  0
                        Setting Maximum Connections to 0 means the FortiGate unit does not limit the number of connections to the real server. Since the virtual server uses First Alive load balancing, you may want to limit the number of connections to each real server to limit the traffic received by each server. In this example, Maximum Connections is initially set to 0 but can be adjusted later if the real servers are getting too much traffic.
To add the virtual server to a firewall policy
Add a wan1 to dmz1 firewall policy that uses the virtual server so that when users on the Internet attempt to connect to the web server's IP address, packets pass through the FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the destination address of these packets from the virtual server IP address to the real server IP addresses.
1 Go to Firewall > Policy.
2 Select Create New.
3 Configure the firewall policy:
Figure 268: Adding a firewall policy for the virtual server
To complete this configuration, all of the steps would be the same as in Configuring a virtual web server with three real web servers on page 454 except for configuring the real servers.

To add the real servers and associate them with the virtual server
Use the following steps to configure the FortiGate unit to port forward HTTP packets to the three real servers on ports 8080, 8081, and 8082.
1 Go to Firewall > Load Balance > Real Server.
2 Select Create New.
3 Configure three real servers that include the virtual server Load_Bal_VS1. Each real server must include the IP address of a real server on the internal network and have a different port number.
Configuration for the first real server:
   Virtual Server       Load_Bal_VS1
   IP                   10.10.10.42
   Port                 8080
   Weight               Cannot be configured because the virtual server does not include weighted load balancing.
   Maximum Connections  0
Configuration for the second real server:
   Virtual Server       Load_Bal_VS1
   IP                   10.10.10.43
   Port                 8081
   Weight               Cannot be configured because the virtual server does not include weighted load balancing.
   Maximum Connections  0
All other virtual server settings are not required or cannot be changed.
4 Select OK.

To add the real servers and associate them with the virtual server
1 Go to Firewall > Load Balance > Real Server.
2 Select Create New.
3 Configure three real servers that include the virtual server All_Load_Balance. Because the Load Balance Method is Weighted, each real server includes a weight. Servers with a greater weight receive a greater proportion of forwarded connections.
Configuration for the first real server:
   Virtual Server       All_Load_Balance
   IP                   10.10.10.1
   Port                 Cannot be configured because the virtual server is an IP server.
   Weight               1
   Maximum Connections  0
                        Setting Maximum Connections to 0 means the FortiGate unit does not limit the number of connections to the real server. You may want to limit the number of connections to each real server to limit the traffic received by each server. In this example, Maximum Connections is initially set to 0 but can be adjusted later if the real servers are getting too much traffic.
To add the virtual server to a firewall policy
Add a port2 to port1 firewall policy that uses the virtual server so that when users on the Internet attempt to connect to the web server's IP address, packets pass through the FortiGate unit from the port2 interface to the port1 interface. The virtual IP translates the destination address of these packets from the virtual server IP address to the real server IP addresses.
1 Go to Firewall > Policy.
2 Select Create New.
3 Configure the firewall policy:
   Source Interface/Zone       port2
   Source Address              all (or a more specific address)
   Destination Interface/Zone  port1
   Destination Address         All_Load_Balance
   Schedule                    always
   Service                     ANY
   Action                      ACCEPT
   NAT                         Select
CLI configuration
Load balancing is configured from the CLI using the config firewall vip command and by setting type to server-load-balance. The default weight is 1 and does not have to be changed for the first real server. Use the following command to add the virtual server and the three weighted real servers.
   config firewall vip
       edit All_Load_Balance
           set type server-load-balance
           set server-type ip
           set extintf port2
           set extip 192.168.20.20
           set ldb-method weighted
           config realservers
               edit 1
                   set ip 10.10.10.1
               next
               edit 2
                   set ip 10.10.10.2
                   set weight 2
               next
               edit 3
                   set ip 10.10.10.3
                   set weight 3
               end
       end
To add the HTTP and HTTPS virtual servers
1 Go to Firewall > Load Balance > Virtual Server.
2 Add the HTTP virtual server that includes HTTP Cookie persistence.
   Name                 HTTP_Load_Balance
   Type                 HTTP
   Interface            port2
   Virtual Server IP    192.168.20.20
   Virtual Server Port  8080
                        In this example the virtual server uses port 8080 for HTTP sessions instead of port 80.
   Load Balance Method  Static
   Persistence          HTTP cookie
3 Select OK.
4 Select Create New.
5 Add the HTTPS virtual server that also includes HTTP Cookie persistence.
   Name                 HTTPS_Load_Balance
   Type                 HTTPS
   Interface            port2
   Virtual Server IP    192.168.20.20
   Virtual Server Port  443
   Load Balance Method  Static
   Persistence          HTTP cookie
6 Select OK.

To add the real servers and associate them with the virtual servers
1 Go to Firewall > Load Balance > Real Server.
2 Select Create New.
3 Configure three real servers for HTTP that include the virtual server HTTP_Load_Balance.
Configuration for the first HTTP real server:
   Virtual Server       HTTP_Load_Balance
   IP                   10.10.10.1
   Port                 80
   Weight               Cannot be configured because the virtual server does not include weighted load balancing.
   Maximum Connections  0
Configuration for the second HTTP real server:
   Virtual Server       HTTP_Load_Balance
   IP                   10.10.10.2
   Port                 80
   Weight               Cannot be configured because the virtual server does not include weighted load balancing.
   Maximum Connections  0
4 Configure three real servers for HTTPS that include the virtual server HTTPS_Load_Balance.
Configuration for the first HTTPS real server:
   Virtual Server       HTTPS_Load_Balance
   IP                   10.10.10.1
   Port                 443
   Weight               Cannot be configured because the virtual server does not include weighted load balancing.
   Maximum Connections  0
To add the virtual servers to firewall policies
Add port2 to port1 firewall policies that use the virtual servers so that when users on the Internet attempt to connect to the web server's IP address, packets pass through the FortiGate unit from the port2 interface to the port1 interface. The virtual IP translates the destination address of these packets from the virtual server IP address to the real server IP addresses.
1 Go to Firewall > Policy.
2 Select Create New.
3 Configure the HTTP firewall policy:
   Source Interface/Zone  port2
   Source Address         all
   Destination Address    HTTP_Load_Balance
   Schedule               always
   Service                HTTP
   Action                 ACCEPT
   NAT                    Select
4 Select other firewall options as required.
5 Select OK.
6 Select Create New.
7 Configure the HTTPS firewall policy:
   Source Interface/Zone  port2
   Source Address         all
   Destination Address    HTTPS_Load_Balance
   Schedule               always
   Service                HTTPS
   Action                 ACCEPT
   NAT                    Select
First, the configuration for the HTTP virtual IP.
   config firewall vip
       edit HTTP_Load_Balance
           set type server-load-balance
           set server-type http
           set extport 8080
           set extintf port2
           set extip 192.168.20.20
           set persistence http-cookie
           set http-cookie-domain .example.org
           config realservers
               edit 1
                   set ip 10.10.10.1
               next
               edit 2
                   set ip 10.10.10.2
               next
               edit 3
                   set ip 10.10.10.3
               end
       end
Second, the configuration for the HTTPS virtual IP. In this configuration you don't have to set extport to 443 because extport is automatically set to 443 when server-type is set to https.
   config firewall vip
       edit HTTPS_Load_Balance
           set type server-load-balance
           set server-type https
           set extport 443
           set extintf port2
           set extip 192.168.20.20
           set persistence http-cookie
           set http-cookie-domain .example.org
           config realservers
               edit 1
                   set ip 10.10.10.1
               next
               edit 2
                   set ip 10.10.10.2
               next
               edit 3
                   set ip 10.10.10.3
               end
       end
You can use protection profiles to configure:
   antivirus protection
   web filtering
   FortiGuard Web Filtering
   email filtering
   IPS
   data leak prevention sensor
   dashboard statistics
   application control
   logging for traffic which violates the protection profile.
(Figure: protection profile list showing the default profiles Scan, Web and Unfiltered.)
Create New   Add a protection profile.
Name         The name of the protection profile.
Delete icon  Delete a protection profile from the list. The Delete icon appears only if the protection profile is not currently selected in a firewall policy or user group.
Edit icon    Modify a protection profile.
Figure 271: FortiGate SSL content scanning and inspection packet flow
Figure 271 shows the following packet flow:
1 The client starts an HTTPS, IMAPS, POP3S or SMTPS session. The encrypted packets are accepted by a firewall policy.
2-3 The SSL decrypt/encrypt process decrypts the SSL session using the session certificate and key.
4 Protection profile content scanning and inspection is applied to the decrypted packets (antivirus, web filtering, spam filtering, DLP, content archiving).
5 The SSL decrypt/encrypt process re-encrypts the packets.
6 The encrypted packets are forwarded by the firewall.
While an SSL session is being set up, the client and server exchange the handshake messages that negotiate the session keys; this handshake, including the server's certificate, is sent before encryption starts. The FortiGate SSL decrypt/encrypt process intercepts the handshake and uses a built-in signing CA certificate named Fortinet_CA_SSLProxy to generate a replacement server certificate and key for the client side of the connection, while completing its own handshake with the server. This signing CA certificate is used only by the SSL decrypt/encrypt process. The SSL decrypt/encrypt process then holds two encrypted SSL sessions, one with the client and one with the server, and uses their keys to decrypt the traffic so that content scanning and inspection can be applied.

Some client programs (for example, web browsers) detect this certificate replacement and display a security warning, because the certificate presented to the client is signed by Fortinet_CA_SSLProxy rather than by a CA the client trusts. The traffic is still encrypted on both segments, but the warning correctly indicates that a certificate substitution has occurred and that the FortiGate unit can read the content. You can stop these warnings by replacing Fortinet_CA_SSLProxy with a signing CA certificate (and its private key) that your clients already trust, for example your organization's internal CA, or by adding the signing CA certificate to the clients' trust stores. The FortiGate unit then generates certificates that chain to a CA the client accepts, so they appear to come from the server rather than from the FortiGate unit. Protect the private key of that signing CA carefully: anyone who holds it can issue certificates for any server name that your clients will accept.
Note: You can add one signing CA certificate for SSL content scanning and inspection. The CA certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported for SSL content scanning and encryption.
You can replace the default signing CA certificate, Fortinet_CA_SSLProxy, with another signing CA certificate. To do this you need the signing CA certificate file, the CA certificate key file, and the CA certificate password. All SSL content scanning and inspection uses the same signing CA certificate. If your FortiGate unit is operating with virtual domains enabled, the same signing CA certificate is used by all virtual domains. To add a signing CA certificate for SSL content scanning and inspection 1 Obtain a copy of the signing CA certificate file, the CA certificate key file, and the password for the CA certificate. 2 Go to System > Certificates > Local Certificates and select Import. 3 Set Type to Certificate. 4 For Certificate file use the Browse button to select the signing CA certificate file. 5 For Key file use the Browse button to select the CA certificate key file. 6 Enter the CA certificate Password.
Figure 272: Importing a signing CA certificate for SSL content scanning and inspection
7 Select OK. The CA certificate is added to the Local Certificates list. In this example the signing CA certificate name is Example_CA. This name comes from the certificate file and key file name. If you want the certificate to have a different name, change these file names.
8 Add the imported signing CA certificate to the SSL content scanning and inspection configuration. Use the following CLI command if the certificate name is Example_CA.

config firewall ssl setting
  set caname Example_CA
end

The Example_CA signing CA certificate will now be used by SSL content scanning and inspection for establishing encrypted SSL sessions.
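The note above limits the signing CA key to 1024 or 2048 bits, and an unsupported key file is easier to catch before the import than after. The following is an added example, not Fortinet code and not part of this guide: it reads the modulus length out of a PEM "RSA PRIVATE KEY" (PKCS#1) file using only the standard library and checks it against that limit. It assumes the key file is an unencrypted PKCS#1 PEM; PKCS#8 ("BEGIN PRIVATE KEY") and encrypted keys are not handled. The make_test_key_pem helper builds a constructed PKCS#1 skeleton with a modulus of a chosen size so the check can be exercised offline; it is not a usable RSA key.

```python
import base64
import re

# Added example, not Fortinet code. Checks the RSA modulus size of a PKCS#1 PEM
# key against the 1024/2048-bit limit the guide states for the SSL content
# scanning signing CA. Assumption: unencrypted "RSA PRIVATE KEY" PEM input.

SUPPORTED_CA_KEY_BITS = (1024, 2048)


def _der_len(n: int) -> bytes:
    """DER length octets, short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value; a leading 0x00 keeps it positive."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def der_sequence(*members: bytes) -> bytes:
    body = b"".join(members)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def pem_to_der(pem: str, label: str) -> bytes:
    m = re.search(r"-----BEGIN %s-----(.*?)-----END %s-----" % (label, label), pem, re.S)
    if not m:
        raise ValueError("no %s block found" % label)
    return base64.b64decode("".join(m.group(1).split()))


def rsa_key_bits(pem: str) -> int:
    """Modulus bit length of a PKCS#1 RSAPrivateKey:
    SEQUENCE { INTEGER version, INTEGER n, INTEGER e, ... }"""
    der = pem_to_der(pem, "RSA PRIVATE KEY")
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _version, pos = _read_tlv(seq, 0)       # skip the version INTEGER
    tag, modulus, _ = _read_tlv(seq, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def ca_key_supported(pem: str) -> bool:
    """True when the key size is one the guide says SSL content scanning accepts."""
    return rsa_key_bits(pem) in SUPPORTED_CA_KEY_BITS


def make_test_key_pem(bits: int) -> str:
    """Constructed PKCS#1 skeleton with a modulus of the requested size.
    Only the structure and the modulus length are real; it is not a valid key."""
    n = (1 << (bits - 1)) | 1
    fields = [0, n, 65537] + [3] * 6     # version, n, e, d, p, q, dp, dq, qinv
    der = der_sequence(*(der_integer(f) for f in fields))
    b64 = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN RSA PRIVATE KEY-----\n%s-----END RSA PRIVATE KEY-----\n" % b64
```

Run ca_key_supported on the contents of the key file you intend to import; a 4096-bit key is reported as unsupported, matching the note above.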
Antivirus
Antivirus quarantine
Web Filtering
FortiGuard Web Filtering options for HTTPS:
  Enable FortiGuard Web Filtering
  Enable FortiGuard Web Filtering Overrides
  Provide details for blocked HTTP 4xx and 5xx errors
  Rate images by URL (blocked images will be replaced with blanks)
  Allow websites when a rating error occurs
  Strict Blocking
  Rate URLs by domain and IP address
Go to Firewall > Protection Profile. Add or edit a protection profile and configure Web Filtering > FortiGuard Web Filtering for HTTPS. For more information, see FortiGuard Web Filtering options on page 483.

Email Filtering: Email filtering options for IMAPS, POP3S, and SMTPS:
  FortiGuard Email Filtering (or Antispam) IP address check, URL check, E-mail checksum check, and Spam submission
  IP address BWL check
  HELO DNS lookup
  E-mail address BWL check
  Return e-mail DNS check
  Banned word check
  Spam Action
  Tag Location
  Tag Format
Go to Firewall > Protection Profile. Add or edit a protection profile and configure Email Filtering for IMAPS, POP3S, and SMTPS. For more information, see Email Filtering options on page 485.

DLP for HTTPS, IMAPS, POP3S, and SMTPS. To apply DLP, follow the steps below:
  Go to UTM > Data Leak Prevention > Rule to add DLP rules. For HTTPS, add an HTTP rule and select HTTPS POST and HTTPS GET. For IMAPS, POP3S, and SMTPS, add an Email rule and select IMAPS, POP3S, and SMTPS. See Adding or configuring DLP rules on page 588.
  Go to UTM > Data Leak Prevention > Sensor and add the DLP rules to a DLP sensor. See Adding or editing a rule or compound rule in a DLP sensor on page 577.
  Go to Firewall > Protection Profile. Add or edit a protection profile and use Data Leak Prevention Sensor to add the DLP sensor to a protection profile.
  Note: In a protection profile, if you set Protocol Recognition > HTTPS Content Filtering Mode to URL Filtering, DLP rules cannot inspect HTTPS. Set this option to Deep Scan.
  Go to Firewall > Policy and add the protection profile to a firewall policy. See Data Leak Prevention Sensor options on page 488.

DLP archiving: DLP archiving for HTTPS, IMAPS, POP3S, and SMTPS. Add DLP Rules for the protocol to be archived. See DLP archiving on page 580.

Displaying DLP meta-information on the system dashboard: DLP archive information on the Log and Archive Statistics widget on the system dashboard for HTTPS, IMAPS, POP3S, and SMTPS. Go to Firewall > Protection Profile. Add or edit a protection profile and open Data Leak Prevention Sensor. For Displaying content meta-information on the system dashboard, select HTTPS, IMAPS, POP3S, and SMTPS as required. These options display meta-information on the Statistics dashboard widget. For more information, see Viewing DLP Archive information on the Statistics widget on page 91.

Archive SPAM email: DLP archiving of email tagged as spam by FortiGate Email Filtering in IMAPS, POP3S, and SMTPS sessions. Archive SPAMed emails to FortiAnalyzer/FortiGuard is available only if you have configured logging to a FortiAnalyzer unit or to the FortiGuard Analysis and Management Service. Go to Firewall > Protection Profile. Add or edit a protection profile and select the Expand Arrow to view Data Leak Prevention Sensor. For Archive SPAMed emails to FortiAnalyzer/FortiGuard, select IMAPS, POP3S, and SMTPS as required. For more information, see Data Leak Prevention Sensor options on page 488 and DLP archiving on page 580.
Profile Name: Enter a name for the protection profile.
Comments: Enter a description of the profile. The maximum length is 63 characters.
Protocol Recognition: See Protocol recognition options on page 475.
Anti-Virus: See Anti-Virus options on page 477.
IPS: See IPS options on page 480.
Web Filtering: See Web Filtering options on page 480.
FortiGuard Web Filtering: See FortiGuard Web Filtering options on page 483.
Email Filtering: See Email Filtering options on page 485.
Data Leak Prevention Sensor: See Data Leak Prevention Sensor options on page 488.
Application Control: See Application Control options on page 489.
Logging: See Logging options on page 489.
Figure 274: Protection profile Protocol Recognition options (SSL content scanning and inspection)
Note: If your FortiGate unit supports SSL content scanning and inspection, you must set HTTPS Content Filtering Mode to Deep Scan before you can configure additional HTTPS content scanning protection profile options.
HTTPS Content Filtering Mode: If your FortiGate unit supports SSL content scanning and inspection, you can select the content filtering mode used for HTTPS traffic. The mode can be:
  URL Filtering: This option limits HTTPS content filtering to URL filtering only. If you select this option the FortiGate unit does not perform SSL content scanning and inspection of HTTPS traffic. Instead the FortiGate unit just applies web filtering to HTTPS URLs. Also, if you select URL Filtering, you cannot select any Anti-Virus options for HTTPS. Under Web Filtering you can select only Web URL Filter and Block invalid URLs for HTTPS. Selecting URL Filtering also limits the FortiGuard Web Filtering options that you can select for HTTPS.
  Deep Scan: Select this option to apply full SSL content scanning and inspection of HTTPS traffic.

The names of the content protocols that you can configure recognition for: HTTP, HTTPS, SMTP, POP3, IMAP, NNTP, and FTP. If your FortiGate unit supports SSL content scanning and inspection the content protocols also include SMTPS, POP3S, and IMAPS.

Monitored Ports: The port numbers that the protection profile monitors for each content protocol. You can select multiple port numbers to monitor for each content protocol. For HTTP, SMTP, POP3, IMAP, NNTP, and FTP you can also select Inspect All Ports to monitor all ports for these content protocols. Monitoring all ports means the protection profile uses protocol recognition techniques to determine the protocol of a communication session independent of the port number that the session uses.

Edit icon: Select Edit for a content protocol to configure how the protection profile monitors traffic for that content protocol. Select one of the following options:
  Inspect All Ports: Select to monitor all ports for the content protocol. This option is available for HTTP, SMTP, POP3, IMAP, NNTP, and FTP.
  Select this option and then enter the port numbers to monitor for the content protocol. You can specify up to 20 ports for each content protocol.
Anti-Virus options
You can apply antivirus options through a protection profile for the HTTP, SMTP, POP3, IMAP, NNTP, and FTP content protocols. If your FortiGate unit includes SSL content inspection and filtering, you can also apply antivirus scanning options through a protection profile for the HTTPS, IMAPS, POP3S, and SMTPS content protocols. For more information, see SSL content scanning and inspection on page 469.
Note: You cannot select Anti-Virus options for HTTPS if under protocol recognition HTTPS Content Filtering Mode is set to URL Filtering. For more information, see Protocol recognition options on page 475.
To configure antivirus options, go to Firewall > Protection Profile. Select Create New to add a protection profile, or the Edit icon beside an existing protection profile. Then select the Expand Arrow beside Anti-Virus, enter the information as described below, and select OK. For more antivirus configuration options, see AntiVirus on page 509.
Figure 276: Protection Profile Anti-Virus options (including SSL content scanning and inspection)
Virus Scan: Select virus scanning for each protocol. Virus Scan includes grayware, as well as heuristic scanning. However, by default neither is enabled. To enable specific grayware, go to UTM > AntiVirus > Grayware. To enable heuristic scanning, see the config antivirus heuristic command in the FortiGate CLI Reference.

Note: When you enable virus scanning, scanning by splice, also called streaming mode, is enabled automatically. When scanning by splice, the FortiGate unit simultaneously scans and streams traffic to the destination, terminating the stream to the destination if a virus is detected. For details on configuring splicing, see the splice option for each protocol in the config firewall profile command in the FortiGate CLI Reference. For details on splicing behavior for each protocol, see the Knowledge Center article FortiGate Proxy Splice and Client Comforting Technical Note.

File Filter: Select to filter files, then under Option, specify a file filter, which can consist of file name patterns and file types. For more information, see File Filter on page 513.

Quarantine: Select for each protocol to quarantine suspect files for later inspection or submission to Fortinet for analysis. This option appears only if the FortiGate unit has a hard drive or a configured FortiAnalyzer unit, and will take effect only if you have first enabled and configured the quarantine. For more information, see File Quarantine on page 516.
Pass Fragmented Emails: Select to allow fragmented email for mail protocols (IMAP, POP3, and SMTP as well as IMAPS, POP3S, and SMTPS if SSL content scanning and inspection is supported). Fragmented email messages cannot be scanned for viruses.

Comfort Clients: Select client comforting for the HTTP, FTP, and HTTPS protocols. See HTTP and FTP client comforting on page 479.

Interval: The time in seconds before client comforting starts sending data after the download has begun, and also the time interval between sending subsequent data.

Amount: The number of bytes sent at each interval.

Select Block or Pass for files and email messages exceeding configured thresholds for each protocol. For email scanning, the oversize threshold refers to the final size of the email, including attachments, after encoding by the email client. Email clients can use a variety of encoding types; some result in larger file sizes than the original attachment. The most common encoding, base64, translates 3 bytes of binary data into 4 bytes of base64 data. As a result, a file may be blocked or logged as oversized even if the attachment is several megabytes smaller than the configured oversize threshold.

Threshold: If the file is larger than the threshold value in megabytes, the file is passed or blocked. The maximum threshold for scanning in memory is 10% of the FortiGate unit's RAM.

If your FortiGate unit supports SSL content scanning and inspection, you can allow HTTPS, IMAPS, POP3S, and SMTPS sessions that include an invalid server certificate. If these options are not selected, HTTPS, IMAPS, POP3S, and SMTPS sessions with invalid server certificates are blocked. Use this feature to validate server certificates.

Select Enabled to quarantine or ban either the IP address of the sender of the virus or the FortiGate interface that received the virus. The sender's IP address or the interface that received the virus is added to the banned users list. For more information about the banned user list, including how to manage the duration of items and how to remove them manually, see NAC quarantine and the Banned User list on page 670.

Method: If a virus is found, select the method used to quarantine the virus sender. You can select Source IP Address to add the sender's source IP address to the banned users list, or you can select Virus's Incoming Interface to add the interface that received the virus to the banned user list.

Expires: Select Indefinite to permanently quarantine virus senders. Only a FortiGate administrator can remove them from the banned users list. Or, configure how long the virus sender remains on the banned user list in minutes, hours, or days. A FortiGate administrator can manually remove a virus sender from the banned user list before the expiry time.

Add signature to outgoing email messages: Create and enable a signature to append to outgoing SMTP email messages. The signature will also be appended to outgoing SMTPS email messages if your FortiGate unit supports SSL content scanning and inspection.

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20091022 http://docs.fortinet.com/ Feedback
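The oversize note above is a common source of confusion: an attachment comfortably under the threshold still trips it once base64 and MIME line wrapping are applied. The following is an added example, not Fortinet code and not part of this guide, that predicts the encoded size of an attachment and compares both the raw and the encoded size with a threshold in megabytes. It assumes the mail client wraps base64 in 76-character lines each ended by a single newline, as Python's base64.encodebytes does (RFC 2045 permits CRLF, which costs one more byte per line), and that 1 MB means 1024 * 1024 bytes; both are assumptions, not something the guide states.

```python
import base64
import math

# Added example, not Fortinet code. Shows why an attachment below the oversize
# threshold can still be oversized after the client base64-encodes it.
# Assumptions: 76-char base64 lines with a 1-byte line ending; 1 MB = 1024*1024.

MB = 1024 * 1024


def base64_wire_size(raw_len: int, line_len: int = 76, eol_len: int = 1) -> int:
    """Predicted size of raw_len bytes after base64 (3 bytes -> 4 chars, padded)
    plus line wrapping."""
    encoded = 4 * math.ceil(raw_len / 3)
    lines = math.ceil(encoded / line_len) if encoded else 0
    return encoded + lines * eol_len


def measured_wire_size(payload: bytes) -> int:
    """Actual size produced by the standard library's wrapped encoder."""
    return len(base64.encodebytes(payload))


def oversize_verdict(attachment_len: int, threshold_mb: int) -> dict:
    """Compare raw and encoded attachment sizes with an oversize threshold in MB.
    The FortiGate compares the encoded (final) size, so encoded_exceeds is the
    one that matters."""
    encoded = base64_wire_size(attachment_len)
    return {
        "raw_mb": attachment_len / MB,
        "encoded_mb": encoded / MB,
        "raw_exceeds": attachment_len > threshold_mb * MB,
        "encoded_exceeds": encoded > threshold_mb * MB,
    }
```

An 8 MB attachment against a 10 MB threshold comes out at roughly 10.8 MB on the wire and is therefore treated as oversized, while the same attachment judged on its raw size would pass.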
FTP and HTTP client comforting steps

The following steps show how client comforting works for an FTP or HTTP download of a 10 Mbyte file with the client comforting interval set to 20 seconds and the client comforting amount set to 512 bytes.

1 The FTP or HTTP client requests the file.
2 The FortiGate unit buffers the file from the server. The connection is slow, so after 20 seconds about one half of the file has been buffered.
3 The FortiGate unit continues buffering the file from the server, and also sends 512 bytes to the client.
4 After 20 more seconds, the FortiGate unit sends the next 512 bytes of the buffered file to the client.
5 When the file has been completely buffered, the client has received the following amount of data: ca * (T/ci) bytes == 512 * (40/20) == 512 * 2 == 1024 bytes, where ca is the client comforting amount, T is the buffering time and ci is the client comforting interval.
6 FTP client: If the file does not contain a virus, the FortiGate unit sends the rest of the file to the client. If the file is infected, the FortiGate unit closes the data connection and sends the FTP Virus replacement message to the client.
  HTTP client: If the file does not contain a virus, the FortiGate unit sends the rest of the file to the client. If the file is infected, the FortiGate unit closes the data connection but cannot send a message to the client.
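The steps above are easier to reason about as a schedule, in particular the point that the comfort bytes leave the unit before the scan verdict exists. The following is an added example, not Fortinet code and not part of this guide: a simulation of the comforting schedule that reproduces the 10 Mbyte, 20 second, 512 byte case and reports what the client holds when the file turns out to be clean or infected. It assumes the unit buffers from the server at a constant rate, that the verdict is available only once the whole file is buffered, and it uses a constructed infected flag in place of a real scan.

```python
# Added example, not Fortinet code: a simulation of the client comforting
# schedule. Assumptions: constant buffering rate from the server, verdict only
# after the whole file is buffered, and "infected" is a constructed flag that
# stands in for the antivirus result.

def comfort_bytes_sent(amount: int, interval: int, buffering_time: int) -> int:
    """The guide's formula ca * (T / ci): bytes trickled out while buffering."""
    return amount * (buffering_time // interval)


def simulate_download(file_size: int, buffer_rate: int, amount: int, interval: int,
                      infected: bool, protocol: str = "HTTP") -> dict:
    """Step through the comforting schedule and report what the client received.
    buffer_rate is in bytes per second; interval in seconds; amount in bytes."""
    if buffer_rate <= 0 or interval <= 0:
        raise ValueError("buffer_rate and interval must be positive")
    buffered = sent = elapsed = 0
    events = []
    while buffered < file_size:
        elapsed += interval
        buffered = min(file_size, buffered + buffer_rate * interval)
        # at every interval a comfort chunk goes out from the not-yet-scanned buffer
        chunk = min(amount, buffered - sent)
        sent += chunk
        events.append((elapsed, "comfort", chunk))
    comfort_bytes = sent
    if infected:
        # the comfort bytes already delivered cannot be recalled
        outcome = ("data connection closed, FTP Virus replacement message sent"
                   if protocol == "FTP" else
                   "data connection closed, no message can be sent to the client")
    else:
        outcome = "rest of the file delivered"
        sent = file_size
    return {
        "buffering_time": elapsed,
        "comfort_bytes": comfort_bytes,
        "client_received": sent,
        "outcome": outcome,
        "events": events,
    }
```

For the guide's case (10 Mbyte file, half buffered after 20 seconds, 512 bytes every 20 seconds) the simulation yields two comfort chunks and 1024 bytes, matching step 5; when the file is infected those 1024 bytes are exactly what the client has already received at the moment the connection is closed, which is the trade-off to keep in mind when choosing the comfort amount.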
IPS options
You can use the IPS options in a protection profile to enable IPS for the protection profile and add an IPS sensor. To add an IPS sensor, go to Firewall > Protection Profile. Select Create New to add a protection profile, or the Edit icon beside an existing protection profile. Then select the Expand Arrow beside IPS, select the check box to enable IPS, select an IPS Sensor, and select OK. For more information on IPS, see Intrusion Protection on page 523.
Figure 277: Protection Profile IPS options
IPS
Select to enable and use the specified IPS sensor. You cannot select denial of service (DoS) sensors through this option. For information on configuring DoS sensors, see DoS sensors on page 537.
Note: Protection profile web filtering also includes FortiGuard Web Filtering. For information about FortiGuard Web Filtering, see FortiGuard Web Filtering options on page 483.
You can configure web filtering for HTTP and HTTPS traffic. If your FortiGate unit supports SSL content scanning and inspection and if you have set HTTPS Content Filtering Mode in the Protocol Recognition part of this protection profile to Deep Scan, you can select the same web filtering options for HTTPS and HTTP. For more information, see SSL content scanning and inspection on page 469 and Protocol recognition options on page 475. Filters defined in the web filtering settings are turned on through a protection profile. To configure web filtering options, go to Firewall > Protection Profile. Select Create New to add a protection profile, or the Edit icon beside an existing protection profile. Then select the Expand Arrow beside Web Filtering, enter the information as described below, and select OK.
Note: If your FortiGate unit does not support SSL content scanning and inspection, or if you have set HTTPS Content Filtering Mode to URL Filtering, you can only select URL filtering and blocking invalid URLs for HTTPS.

Figure 278: Protection Profile Web Filtering options
Select to filter HTTP and HTTPS web pages based on matching the content of the web page with the words or patterns in the selected web content filter list. For more information, see Web content filter on page 544.

Select the web content filter list to add to the protection profile. For more information, see Creating a new web content filter list on page 545.

Threshold: Enter a web content filter threshold. Each entry in the web content filter list added to the protection profile includes a score. When a web page is matched with an entry in the content block list the score is recorded. If a web page matches more than one entry the score for the web page increases. When the total score for a web page equals or exceeds the threshold the page is blocked. The default score for a content block list entry is 10 and the default threshold is 10. This means that by default a web page is blocked by a single match. You can change the scores and threshold so that web pages can only be blocked if there are multiple matches.

Select to block HTTP and HTTPS web pages based on matching the URL of the web page with a URL in the selected URL filter list. For more information, see URL filter on page 547.

Select the URL filter list to add to this protection profile. For more information, see Creating a new URL filter list on page 548.

Select to block downloading parts of a file that have already been downloaded. Enabling this option will prevent the unintentional download of virus files hidden in fragmented files. Note that some types of files, such as PDFs, are fragmented to increase download speed, and that selecting this option can cause download interruptions with these types.

Select to block web sites whose SSL certificate's CN field does not contain a valid domain name. FortiGate units always validate the CN field, regardless of whether this option is enabled. However, if this option is not selected, the following behavior occurs:
  If the request is made directly to the web server, rather than a web server proxy, the FortiGate unit queries for FortiGuard Web Filtering category or class ratings using the IP address only, not the domain name.
  If the request is to a web server proxy, the real IP address of the web server is not known. Therefore, rating queries by either or both the IP address and the domain name are not reliable. In this case, the FortiGate unit does not perform FortiGuard Web Filtering.

Select the action to take with HTTP POST traffic:
  Do not affect HTTP POST traffic.
  Block HTTP POST requests. When the POST request is blocked the FortiGate unit sends a web page to the user's web browser instead of the requested POST page. You can configure the content of this web page by going to System > Config > Replacement Messages and customizing the HTTP > POST message.
  Comfort: Use the comfort amount and interval settings to send comfort bytes to the server in case the client connection is too slow. Select this option to prevent a server timeout when scanning or another filtering tool is turned on.

Safe Search: Enforce the strictest level of the safe search feature of the Google, Yahoo!, and Bing search engines. This feature works by manipulating search URL requests to add code used by the safe search features of the search engines. Enforcing safe searching provides additional protection in environments such as schools or other environments that use web filtering to block sites with inappropriate content. Web Filtering alone may not block offensive content that appears in search results. This offensive content could include offensive text in search results or offensive images in image search results.
  Google: Enforce the strict filtering level of safe search protection for Google searches by adding &safe=on to search URL requests. Strict filtering filters both explicit text and explicit images.
  Yahoo!: Enforce filtering out adult web, video, and image search results from Yahoo! searches by adding &vm=r to search URL requests.
  Bing: Enforce the strict level of safe search protection for Bing searches by adding adlt=strict to search URL requests.

Blocked pages are replaced with a message indicating that the page is not accessible according to the Internet usage policy. To configure replacement messages, go to System > Config > Replacement Messages. For more information on web filter configuration options, see Web Filter on page 541. For details on how web URL filter lists are used with HTTP and HTTPS URLs, see URL formats on page 550.
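The safe search option above works by rewriting search URLs, and the detail that matters for enforcement is that a client-supplied value (for example safe=off) must be replaced rather than merely appended to. The following is an added example, not Fortinet code and not part of this guide, that performs the rewrite with the three parameters the guide lists (safe=on for Google, vm=r for Yahoo!, adlt=strict for Bing). It assumes a search engine is recognised by a host label equal to google, yahoo or bing, and it rewrites every request to such a host; both are simplifications of my own, not the FortiGate unit's matching rule.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Added example, not Fortinet code: safe-search enforcement as a URL rewrite
# using the parameters the guide lists. Assumption: an engine is identified by
# a host label (www.google.co.uk, search.yahoo.com, www.bing.com all match).

SAFE_SEARCH_PARAMS = {
    "google": ("safe", "on"),
    "yahoo": ("vm", "r"),
    "bing": ("adlt", "strict"),
}


def engine_param(host: str):
    """Return the (key, value) to enforce for this host, or None if not a search engine."""
    labels = host.lower().split(".")
    for engine, param in SAFE_SEARCH_PARAMS.items():
        if engine in labels:
            return param
    return None


def enforce_safe_search(url: str) -> str:
    """Rewrite a search URL so the strict safe-search parameter is present,
    overriding any value the client supplied (for example safe=off)."""
    parts = urlsplit(url)
    param = engine_param(parts.hostname or "")
    if param is None:
        return url                      # not a supported engine: leave untouched
    key, value = param
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != key]               # drop the client's own setting of the key
    query.append((key, value))
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))
```

Note that this rewrite can only be applied to HTTPS search traffic when the unit actually sees the URL, that is, with HTTPS Content Filtering Mode set to Deep Scan as described earlier in this section.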
Character sets and Web content filtering, Email filtering banned word, and DLP scanning
The FortiGate unit converts HTTP, HTTPS, and email content to the UTF-8 character set before applying email filtering banned word checking, web filtering and DLP content scanning as specified in the protection profile. For email messages, while parsing the MIME content, the FortiGate unit converts the content to UTF-8 encoding according to the email message charset field before applying Email filtering banned word checking and DLP scanning. For HTTP get pages, the FortiGate unit converts the content to UTF-8 encoding according to the character set specified for the page before applying web content filtering and DLP scanning. For HTTP post pages, because character sets are not always accurately indicated in HTTP posts, you can use the following CLI command to specify up to five character set encodings.

config firewall profile
  edit <profile_name>
    set http-post-lang <charset1> [<charset2> ... <charset5>]
end

The FortiGate unit performs a forced conversion of HTTP post pages to UTF-8 for each specified character set. After each conversion the FortiGate unit applies web content filtering and DLP scanning to the content of the converted page.
Caution: Specifying multiple character sets reduces web filtering and DLP performance.
To view the list of available character sets, enter set http-post-lang ? from within the edit shell for the protection profile. Separate multiple character set names with a space. You can add up to 5 character set names.
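Why the forced conversion matters is easiest to see with a body whose bytes do not match a banned pattern until they are decoded under the right character set. The following is an added example, not Fortinet code and not part of this guide: it decodes a POST body under each configured character set, scans every conversion against a pattern list, and reports which conversion produced the hit. The sample body and the pattern are constructed for the example; the character set names are Python codec names and may differ from the names FortiOS accepts, which you list with set http-post-lang ? as described above. The five-charset limit and the per-conversion scan mirror the text; the decoding with replacement characters is my reading of "forced conversion", not a documented detail.

```python
# Added example, not Fortinet code: forced conversion of a POST body under each
# configured character set, then a scan of every conversion. Assumptions:
# Python codec names stand in for the FortiOS charset names, and undecodable
# bytes are replaced rather than rejected.

MAX_CHARSETS = 5    # the guide allows up to five character sets


def convert_post_body(body: bytes, charsets: list) -> dict:
    """Return {charset: text} with the body decoded under every configured charset."""
    if len(charsets) > MAX_CHARSETS:
        raise ValueError("at most %d character sets may be configured" % MAX_CHARSETS)
    converted = {}
    for cs in charsets:
        try:
            converted[cs] = body.decode(cs, errors="replace")
        except LookupError:
            raise ValueError("unknown character set %r" % cs)
    return converted


def scan_post(body: bytes, charsets: list, patterns: list) -> list:
    """Scan each conversion; return (charset, pattern) pairs for every hit.
    Patterns are Unicode strings, which is what scanning after UTF-8
    normalisation amounts to."""
    hits = []
    for cs, text in convert_post_body(body, charsets).items():
        folded = text.casefold()
        for pattern in patterns:
            if pattern.casefold() in folded:
                hits.append((cs, pattern))
    return hits


# Constructed sample: a form field carrying the Japanese word for "confidential"
# encoded in Shift_JIS; its bytes do not contain the UTF-8 form of the word.
SAMPLE_BODY = b"comment=" + "\u6a5f\u5bc6".encode("shift_jis")
SAMPLE_PATTERNS = ["\u6a5f\u5bc6"]
```

With only utf-8 configured the sample body produces no hit, because the Shift_JIS bytes decode to replacement characters; adding shift_jis to the list finds the word, at the cost the caution above describes, since every configured character set means another pass over the content.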
Enable FortiGuard Web Filtering: Select to enable FortiGuard Web Filtering for this protection profile.

Enable FortiGuard Web Filtering Overrides: Select to enable category overrides. For more information, see FortiGuard Web filtering overrides on page 552 and Configuring administrative override rules on page 553.

Provide details for blocked HTTP 4xx and 5xx errors: Display a replacement message for 400 and 500-series HTTP errors. If the error is allowed through, malicious or objectionable sites can use these common error pages to circumvent web filtering. Only supported for HTTPS if your FortiGate unit supports SSL content scanning and inspection.

Rate images by URL (blocked images will be replaced with blanks): Block images that have been rated by FortiGuard. Blocked images are replaced on the originating web pages with blanks. Rated image file types include GIF, JPEG, PNG, BMP, and TIFF. Only supported for HTTPS if your FortiGate unit supports SSL content scanning and inspection.

Allow websites when a rating error occurs: Allow web pages that return a rating error from the web filtering service.
Strict Blocking: This option is enabled by default. Strict Blocking only has an effect when either a URL fits into a protection profile category and classification or Rate URLs by domain and IP address is enabled. With Rate URLs by domain and IP address enabled, all URLs have two categories and up to two classifications (one set for the domain and one set for the IP address). All URLs belong to at least one category (including the Unrated category) and may also belong to a classification. If you enable Strict Blocking, a site is blocked if it is in at least one blocked category or classification and only allowed if all categories or classifications it falls under are allowed. If you do not enable Strict Blocking, a site is allowed if it belongs to at least one allowed category or classification and only blocked if all categories or classifications it falls under are blocked. For example, suppose that a protection profile blocks Search Engines but allows Image Search, and that the URL images.example.com falls into the General Interest / Search Engines category and the Image Search classification. With Strict Blocking enabled, this URL is blocked because it belongs to the Search Engines category, which is blocked. With Strict Blocking disabled, the URL is allowed because it is classified as Image Search, which the profile allows. It would be blocked only if both the Search Engines category and Image Search classification were blocked.

Rate URLs by domain and IP address: Select to send both the URL and the IP address of the requested site for checking, and thus provide additional security against attempts to bypass the FortiGuard system. However, because IP rating is not updated as quickly as URL rating, some false ratings may occur.

Enable to block HTTP redirects. Many web sites use HTTP redirects legitimately; however, in some cases, redirects may be designed specifically to circumvent web filtering, as the initial web page could have a different rating than the destination web page of the redirect. Not supported for HTTPS.

Category: FortiGuard Web Filtering provides many content categories for filtering web traffic. Categories reflect the subject matter of the content. For each category, select to Allow or Block and, if the category is blocked, whether or not to Allow Override to permit users to override the filter if they successfully authenticate. You can also select to log each traffic occurrence of the category.

Classification: In addition to content categories, FortiGuard Web Filtering provides functional classifications that block whole classes of web sites based upon their functionality, media type, or source, rather than the web site's subject matter. Using classifications, you can block web sites that host cached content or that facilitate image, audio, or video searches, or web sites from spam URLs. Classification is in addition to, and can be configured separately from, the category. For each class, select to Allow or Block and, if the class is blocked, whether or not to Allow Override to permit users to override the filter if they successfully authenticate. You can also select to log each traffic occurrence of the class.
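The Strict Blocking rule above is a small decision function over the set of ratings a URL carries, and the interaction with Rate URLs by domain and IP address is where it pays off against bypass attempts. The following is an added example, not Fortinet code and not part of this guide, that implements both rules and reproduces the images.example.com case from the text. It treats categories and classifications alike, as the rule does, and assumes the profile supplies an allow or block verdict for every rating name, including Unrated.

```python
# Added example, not Fortinet code: the Strict Blocking decision and the effect
# of rating by domain and IP address. Assumption: the profile maps every rating
# name (category or classification) to "allow" or "block".

def url_ratings(domain_ratings, ip_ratings=(), rate_by_domain_and_ip=False):
    """All ratings a URL carries. With Rate URLs by domain and IP address enabled
    the IP address's categories and classifications are added to the domain's."""
    ratings = list(domain_ratings)
    if rate_by_domain_and_ip:
        ratings.extend(ip_ratings)
    return ratings


def fortiguard_decision(ratings, profile, strict=True):
    """Return (verdict, ratings that produced it) for a URL.
    strict:     blocked if at least one rating is blocked, allowed only if all are allowed.
    non-strict: allowed if at least one rating is allowed, blocked only if all are blocked."""
    blocked = [r for r in ratings if profile[r] == "block"]
    allowed = [r for r in ratings if profile[r] == "allow"]
    if strict:
        return ("block", blocked) if blocked else ("allow", allowed)
    return ("allow", allowed) if allowed else ("block", blocked)


# The guide's example profile: Search Engines blocked, Image Search allowed.
EXAMPLE_PROFILE = {"Search Engines": "block", "Image Search": "allow", "Unrated": "allow"}
IMAGES_EXAMPLE_COM = ["Search Engines", "Image Search"]   # category + classification
```

The last two assertions in the test show the bypass case: a domain the service has not rated, served from an address that is rated Search Engines, is blocked only when the IP address rating is consulted as well.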
session. If FortiGuard Antispam does not find a match, the email server sends the email to the recipient. The email checksum filter calculates the checksum of an email message and sends this checksum to the FortiGuard servers to determine if the checksum is in the blacklist. The FortiGate unit then passes or marks/blocks the email message according to the server response. To configure email filtering options, go to Firewall > Protection Profile. Select Create New to add a protection profile, or the Edit icon beside an existing protection profile. Then select the Expand Arrow beside Email Filtering, enter the information as described below, and select OK. You can configure email filtering for IMAP, POP3, and SMTP email. If your FortiGate unit supports SSL content scanning and inspection you can also configure email filtering for IMAPS, POP3S, and SMTPS email. For information about SSL content scanning and inspection, see SSL content scanning and inspection on page 469. For more information about the FortiGuard Antispam service, see FortiGuard Antispam service on page 301 and Configuring the FortiGate unit for FDN and FortiGuard subscription services on page 302. For more email filter configuration options, see Email filtering on page 559. For information about character sets and email filter banned word, see Character sets and Web content filtering, Email filtering banned word, and DLP scanning on page 483.
Note: Some popular email clients cannot filter messages based on the MIME header. For these clients, select to tag email message subject lines instead.

Figure 280: Protection Profile Email Filtering options
Also called FortiGuard Antispam. Select one or more check boxes to enable protocols (IMAP, POP3, SMTP), then apply the options that you need. If your FortiGate unit supports SSL content scanning and inspection you can also enable FortiGuard Antispam for IMAPS, POP3S, and SMTPS.
  IP address check: Select to enable the FortiGuard AntiSpam IP address blacklist.
  URL check: Select to enable the FortiGuard AntiSpam URL blacklist.
  E-mail checksum check: Select to enable the FortiGuard Antispam email message checksum blacklist.
Spam submission
Select to add a spam submission message and a link to the message body of all email messages marked as spam by FortiGuard Antispam. If the receiver considers that the email message is not spam, he or she can use the link in the message to inform FortiGuard Antispam. You can change the content of this message by going to System > Config > Replacement Message and customizing the Spam > Spam submission message. For more information, see Spam replacement messages on page 231. Select to compare the IP address of email message senders to the selected IP address black/white list and, if a match is found, to take the action configured in the list for the IP address. For more information, see IP address and email address black/white lists on page 565. Select the IP address black/white list to add to the protection profile. For more information, see Creating a new IP address list on page 566. Select to look up the source domain name (from the SMTP HELO command) for SMTP email messages.
E-mail address BWL check: Select to compare the email address of message senders to the selected email address black/white list and, if a match is found, to take the action configured in the list for the email address. For more information, see IP address and email address black/white lists on page 565.

E-mail address BWL list: Select the email address black/white list to add to the protection profile. For more information, see Creating a new email address list on page 568.

Return e-mail DNS check: Select to enable checking that the domain specified in the reply-to or from address has an A or MX record.

Banned word check: Select to block email messages based on matching the content of the message with the words or patterns in the selected email filter banned word list. For more information, see Banned word on page 562.

Banned word list: Select the banned word list to add to the protection profile. For more information, see Creating a new banned word list on page 563.

Threshold: Enter an email filter banned word block threshold. Each entry in the banned word list added to the protection profile includes a score. When an email message matches an entry in the banned word list, the score is recorded. If an email message matches more than one entry, the scores are added together. When the total score for an email message equals or exceeds the threshold, the message is tagged as spam. The default score for a banned word list entry is 10 and the default threshold is 10, so by default a single match tags an email message as spam. You can change the scores and threshold so that email messages are only tagged as spam if there are multiple matches.

Spam Action: Select to either tag or discard email that the FortiGate unit determines to be spam. Tagging adds the text in the Tag Format field to the subject line or header of email identified as spam.

Note: When you enable virus scanning for SMTP and SMTPS in the Anti-virus section of the protection profile, scanning by splice, also called streaming mode, is enabled automatically. When scanning by splice, the FortiGate unit simultaneously scans and streams traffic to the destination, terminating the stream to the destination if a virus is detected. For details on configuring splicing, see the splice option for each protocol in the config firewall profile command in the FortiGate CLI Reference. For details on splicing behavior for SMTP, see the Knowledge Center article FortiGate Proxy Splice and Client Comforting Technical Note. When virus scanning is enabled for SMTP, the FortiGate unit can only discard spam email if a virus is detected. Discarding immediately drops the connection. If virus scanning is not enabled, you can choose to either tag or discard SMTP spam.

Tag Location: Select to add the tag to the subject or MIME header of email identified as spam. If you select to add the tag to the subject line, the FortiGate unit converts the entire subject line, including the tag, to UTF-8 format. This improves display for some email clients that cannot properly display subject lines that use more than one encoding. For details on preventing conversion of the subject line to UTF-8, see the System Settings chapter of the FortiGate CLI Reference. To add the tag to the MIME header, you must enable spamhdrcheck in the CLI for each protocol (IMAP, SMTP, and POP3). For more information, see profile in the FortiGate CLI Reference.

Tag Format: Enter a word or phrase with which to tag email identified as spam. When typing a tag, use the same language as the FortiGate unit's current administrator language setting. Tag text using other encodings may not be accepted. For example, when entering a spam tag that uses Japanese characters, first verify that the administrator language setting is Japanese; the FortiGate unit will not accept a spam tag written in Japanese characters while the administrator language setting is English. For details on changing the language setting, see Settings on page 261. Tags must not exceed 64 bytes. The number of characters constituting 64 bytes of data varies by text encoding, which may vary by the FortiGate administrator language setting.
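The scoring rule for the banned word threshold and the Spam Action, as an added example that is not FortiOS code: each matched list entry adds its score, the message is tagged once the total equals or exceeds the threshold, and the tag is checked against the 64-byte limit. The banned word list, scores, tag text and messages are constructed for the example, and measuring the tag in UTF-8 is an assumption about the encoding in use.

```python
"""Banned word scoring and spam tagging as described for the email filter.

Added illustration only, not FortiOS code. The banned word list, scores,
tag and sample messages below are constructed for the example.
"""
import re

# Constructed banned word list as (pattern, score). The FortiGate default
# score for an entry is 10; the two lower scores show multi-match tagging.
BANNED_WORDS = [
    (r"\bfree money\b", 10),
    (r"\bwire transfer\b", 5),
    (r"\bact now\b", 5),
]


def spam_score(message, banned_words=BANNED_WORDS):
    """Sum the score of every list entry whose pattern matches the message."""
    return sum(score for pattern, score in banned_words
               if re.search(pattern, message, re.IGNORECASE))


def is_spam(message, threshold=10, banned_words=BANNED_WORDS):
    """Tag when the total score equals or exceeds the threshold (default 10)."""
    return spam_score(message, banned_words) >= threshold


def valid_tag(tag):
    """Tags must not exceed 64 bytes; the byte count depends on the encoding
    (assumed UTF-8 here), so multi-byte characters hit the limit sooner."""
    return len(tag.encode("utf-8")) <= 64


def apply_spam_action(subject, message, action="tag", tag="[SPAM]", threshold=10):
    """Return (delivered, subject) after applying the Spam Action.

    'tag' prefixes the subject with the Tag Format text; 'discard' drops
    the message. Adding the tag to the MIME header instead is not modelled.
    """
    if not valid_tag(tag):
        raise ValueError("tag exceeds 64 bytes")
    if not is_spam(message, threshold):
        return True, subject
    if action == "discard":
        return False, None
    return True, f"{tag} {subject}"
```

With the defaults a single 10-point match is enough; lowering entry scores to 5 means two different entries must match before the message is tagged.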
To configure DLP sensor options, go to Firewall > Protection Profile. Select Create New to add a protection profile, or the Edit icon beside an existing protection profile. Then select the Expand Arrow beside Data Leak Prevention Sensor. Select a DLP sensor, enter the information as described below, and select OK. For information about DLP, see Data Leak Prevention on page 575. For information about character sets and DLP scanning, see Character sets and Web content filtering, Email filtering banned word, and DLP scanning on page 483.
Figure 281: Data Leak Prevention Sensor options
Figure 282: Data Leak Prevention Sensor options (SSL content scanning inspection and FortiAnalyzer unit configured)
Data Leak Prevention Sensor: Select the check box and then specify the DLP sensor to add to the protection profile. For more information, see Adding and configuring a DLP sensor on page 577.

Display DLP metainformation on the system dashboard: For each protocol, select whether or not to display DLP archiving data in the dashboard Log and Archive Statistics widget. You can select HTTP, HTTPS, FTP, IMAP, POP3, and SMTP. If your FortiGate unit supports SSL content scanning and inspection you can also select IMAPS, POP3S, and SMTPS. For more information about the Log and Archive Statistics widget, see Log and Archive Statistics on page 77.

Archive SPAMed emails to FortiAnalyzer/FortiGuard: For each email protocol, select to archive email messages identified as spam by FortiGate Email filtering or by FortiGuard Antispam. You must configure the FortiGate unit to log to a FortiAnalyzer unit or enable the FortiGuard Analysis and Management Service. For more information, see Configuring spam email message archiving on page 585.

Application Control: Select the check box and then specify the application control black/white list to add to the protection profile. For more information, see Creating a new application control black/white list on page 597.
Logging options
You can enable logging options in a protection profile to write log messages when the options that you have enabled in this protection profile perform an action. For example, if you enable antivirus protection, you could also enable the antivirus protection profile logging options to write an antivirus log message every time a virus is detected by this protection profile. To record these log messages you must first configure how the FortiGate unit stores log messages. See Configuring how a FortiGate unit stores logs on page 704. For information about viewing log messages, see Accessing and viewing log messages on page 714. You can also view and customize reports based on these log messages. See Viewing Executive Summary reports from SQL logs on page 724 and Viewing FortiAnalyzer reports on page 724. To configure Logging options, go to Firewall > Protection Profile. Select Create New to add a protection profile, or the Edit icon beside an existing protection profile. Then select the Expand Arrow beside Logging, select logging options, and select OK.
Antivirus: If antivirus settings are enabled for this protection profile, select the following options to record Antivirus Log messages.
  Viruses: Record a log message when this protection profile detects a virus.
  Blocked Files: Record a log message when antivirus file filtering enabled in this protection profile blocks a file.
  Oversized Files / E-mails: Record a log message when this protection profile encounters an oversized file or email. Oversized files and emails cannot be scanned for viruses.

Web Filtering: If Web Filtering settings are enabled for this protection profile, select the following options to record Web Filter Log messages.
  Content Block: Record a log message when this protection profile matches the content of a web page with the web content filter added to this protection profile. The log message records whether the web page was blocked or exempted.
  URL Filter: Record a log message when this protection profile matches the URL of a web page with the web URL filter added to this protection profile. The log message records whether the web page was blocked, exempted, or allowed.
  Invalid Domain Name Warnings: Record a log message when this protection profile detects an invalid domain name. A domain name is considered invalid if the name fails a reverse DNS lookup.

FortiGuard Web Filtering: If FortiGuard Web Filtering settings are enabled for this protection profile, select the following option to record Web Filter Log messages.
  Rating Errors (HTTP only): Record a log message when FortiGuard Web Filtering configured in this protection profile encounters a rating error.

Email Filtering: If Email Filtering settings are enabled for this protection profile, select the following option to record Email Filter Log messages.
  Log Spam: Record a log message when the email filtering configured in this profile determines that an email message is spam.

IPS: If Intrusion Protection is enabled for this protection profile, select the following option to record Attack Log messages.
  Log Intrusions: Record a log message when this protection profile encounters a session that the IPS Sensor added to this protection profile determines is an attack or intrusion. The log message records the IPS signature that detected the attack or intrusion.

Application Control: If Application Control is enabled for this protection profile, select the following option to record Application Control Log messages.
  Log Application Control: Record a log message when the Application Control list added to this protection profile detects an application. The log message records the application detected and the action taken by application control.

Data Leak Prevention Sensor: If Data Leak Prevention is enabled for this protection profile, select the following option to record DLP Log messages.
  Log DLP: Record a log message when the data leak prevention sensor added to this protection profile matches the content of a session.
SIP support

The Session Initiation Protocol (SIP) is a signaling protocol used for establishing and conducting multiuser calls over TCP/IP networks using any media. Due to the complexity of the call setup, not every firewall can handle SIP calls correctly, even if the firewall is stateful. The FortiGate unit has a pre-defined SIP firewall service that tracks and scans SIP calls and makes adjustments, to both the firewall state and call data, to ensure a seamless call is established through the FortiGate unit regardless of its operation mode, NAT/route or transparent. FortiGate units support SIP RFC 3261. You can use protection profiles to control the SIP protocol and SIP call activity. A statistical summary of SIP protocol activity is also available for managing SIP use.

This section includes some information about VoIP and SIP. It also describes how FortiOS SIP support works and how to configure the key SIP features. For more configuration information, see the FortiGate CLI Reference.

The FortiGate unit supports the following SIP features:
stateful SIP tracking
RTP pinholing
request control
rate limiting
event logging
communication archiving
NAT IP preservation
client connection control
register response acceptance
Application Level Gateway (ALG) control
SIP stateful HA
IPv6 support

This section describes:
VoIP and SIP
The FortiGate unit and VoIP security
How SIP support works
Configuring SIP
In proxy mode (shown in Figure 285), SIP clients send requests to the proxy server. The proxy server either handles the requests or forwards them to other SIP servers. Proxy servers can insulate and hide SIP users by proxying the signaling messages. To the other users on the VoIP network, the signaling invitations look as if they come from the SIP proxy server.
Figure 285: SIP in proxy mode
[Figure: SIP Client A (a@example.com) and SIP Client B (b@example.com) connected across an IP Network, with an RTP Session between them and a SIP Proxy Server. Call flow steps shown: 2. Client A dials Client B and a request is sent to the SIP proxy server. 3. Proxy server looks up phone number or URL of destination client (Client B) and sends invite to Client B.]
When the SIP server operates in redirect mode (shown in Figure 286), the SIP client sends its signaling request to a SIP server, which then looks up the destination address. The SIP server returns the destination address to the originator of the call, who uses it to signal the destination SIP client.
Figure 286: SIP in redirect mode
[Figure: SIP Client A (a@example.com) and SIP Client B (b@example.com) connected across an IP Network, with an RTP Session between them and a SIP Redirect Server. Call flow steps shown: 2. Client A dials Client B and request is sent to SIP redirect server. 3. Redirect server looks up phone number or URL of destination client (Client B) and sends address back to the caller (Client A).]
SIP NAT
The FortiGate unit supports network address translation (NAT) of SIP because the FortiGate ALG can modify the SIP headers correctly. This section uses scenarios to explain the FortiGate SIP NAT support.
[Two figures, both titled "SIP service provider has a SIP server and a separate RTP server": the first shows 217.233.122.132, the Internet and 10.72.0.57; Figure 288 adds the VIP 10.72.0.60.]
In the scenario shown in Figure 288, the SIP phone connects to a VIP (10.72.0.60). The FortiGate SIP ALG translates the SIP contact header to 217.10.79.9. The FortiGate ALG will open the Real-time Transport Protocol (RTP) pinholes and manage NAT. The FortiGate unit also supports a variation of this scenario in which the RTP server hides its real address.
Figure 289: SIP destination NAT-RTP server hidden
[Figure labels: 192.168.200.99; 219.29.81.21; RTP Server; 10.0.0.60; 217.233.90.60; Internet; SIP Server.]
In this scenario, shown in Figure 289, a SIP phone connects to the Internet. The VoIP service provider only publishes a single public IP (a VIP). The SIP phone connects to the FortiGate unit (217.233.90.60) and the FortiGate unit then translates the SIP contact header to the SIP server (10.0.0.60). The SIP server changes the SIP/SDP connection information (which tells the SIP phone which RTP IP it should contact) also to 217.233.90.60.
[Figure 290 (caption not recovered). Labels: RTP Server; 10.0.0.60; Internet; SIP Server SIP: 217.233.90.60.]
In this scenario, shown in Figure 290, assume there is a SIP server and a separate media gateway. The SIP server is configured so that the SIP phone (219.29.81.20) will connect to 217.233.90.60. The media gateway (RTP server: 219.29.81.10) will connect to 217.233.90.65. What happens is as follows:
1 The SIP phone connects to the SIP VIP. The FortiGate ALG translates the SIP contact header to the SIP server: 219.29.81.20 > 217.233.90.60 (> 10.0.0.60).
2 The SIP server carries out RTP to 217.233.90.65.
3 The FortiGate ALG opens pinholes, assuming that it knows the ports to be opened.
4 RTP is sent to the RTP-VIP (217.233.90.65). The FortiGate ALG translates the SIP contact header to 192.168.0.21.
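Why the SIP ALG has to rewrite signaling rather than just track ports, as an added example that is not FortiOS code: the addresses a firewall must act on are carried inside the SIP Request-URI, the Contact header and the SDP body. The simplified ALG below applies the VIP-to-server mapping from these scenarios (217.233.90.60 to 10.0.0.60 on the way in, and back on the way out) and derives the RTP pinhole from the SDP c= and m= lines. Both messages are constructed; a real ALG handles many more headers than are modelled here.

```python
"""Minimal SIP application level gateway behaviour for the destination NAT
scenario: rewrite the addresses embedded in SIP signaling and derive the RTP
pinhole from the SDP. Added illustration, not FortiOS code. The messages and
the VIP-to-server mapping are constructed from the addresses in the scenario.
"""
import re

# Constructed mapping from the Figure 290 scenario: public SIP VIP -> SIP server.
INBOUND_MAP = {"217.233.90.60": "10.0.0.60"}
# Reverse mapping for replies leaving the server towards the Internet.
OUTBOUND_MAP = {"10.0.0.60": "217.233.90.60"}

# Constructed INVITE from the SIP phone (219.29.81.20) to the SIP VIP.
SAMPLE_INVITE = (
    "INVITE sip:b@217.233.90.60 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 219.29.81.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:a@example.com>;tag=1928301774\r\n"
    "To: <sip:b@example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:a@219.29.81.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=a 2890844526 2890844526 IN IP4 219.29.81.20\r\n"
    "s=-\r\n"
    "c=IN IP4 219.29.81.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

# Constructed 200 OK from the SIP server; its Contact and SDP carry the
# private address, which must not appear on the Internet side.
SAMPLE_OK = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 219.29.81.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:a@example.com>;tag=1928301774\r\n"
    "To: <sip:b@example.com>;tag=a6c85cf\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:b@10.0.0.60:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=b 1 1 IN IP4 10.0.0.60\r\n"
    "s=-\r\n"
    "c=IN IP4 10.0.0.60\r\n"
    "t=0 0\r\n"
    "m=audio 3456 RTP/AVP 0\r\n"
)


def _map_addresses(line, nat_map):
    """Replace whole IPv4 literals found in nat_map, leaving other octets alone."""
    for old, new in nat_map.items():
        line = re.sub(r"(?<![\d.])" + re.escape(old) + r"(?![\d.])", new, line)
    return line


def alg_translate(message, nat_map):
    """Rewrite the Request-URI, Contact header and SDP o=/c= lines.

    Returns (translated_message, pinholes); pinholes is the list of
    (address, port) pairs from the translated SDP c= and m= lines, which is
    what the firewall must open for the RTP stream the signaling negotiated.
    """
    head, sep, body = message.partition("\r\n\r\n")
    new_head = []
    for i, line in enumerate(head.split("\r\n")):
        # Request-URI is on the first line of a request; Contact is a header.
        if i == 0 or line.lower().startswith("contact:"):
            line = _map_addresses(line, nat_map)
        new_head.append(line)

    media_addr = None
    ports = []
    new_body = []
    for line in body.split("\r\n"):
        if line.startswith(("o=", "c=")):
            line = _map_addresses(line, nat_map)
        if line.startswith("c=IN IP4 "):
            media_addr = line.split()[2]
        m = re.match(r"m=\w+ (\d+) ", line)
        if m:
            ports.append(int(m.group(1)))
        new_body.append(line)

    pinholes = [(media_addr, port) for port in ports] if media_addr else []
    return "\r\n".join(new_head) + sep + "\r\n".join(new_body), pinholes
```

The pinhole list is the point of the exercise: without parsing the SDP, the firewall has no way to know that UDP port 49170 on the phone, or 3456 on the server side, must be opened for this one call and closed when it ends.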
You need to configure the FortiOS SIP support in the following order:
1 Create a firewall protection profile that enables SIP (see Enabling SIP support and setting rate limiting from the web-based manager on page 498). Once the profile is included in a policy, the ALG will parse the SIP traffic and open the RTP ports for each specific VoIP call. When creating a protection profile, you configure SIP features using the web-based manager and CLI. You then apply the profile to a firewall policy. You can apply a profile to multiple policies.
2 Create a firewall policy that allows SIP and includes a SIP-enabled protection profile. Specifically, select the SIP or ANY pre-defined service for the policy. When the FortiGate unit receives a SIP packet, it checks the packet against the firewall policies. If the packet matches a policy, the FortiGate firewall inspects and processes the packet according to the SIP profile applied to the policy. For more information about firewall policies, see Firewall Policy on page 363.
3 Configure advanced SIP features as required (see Configuring SIP on page 498).
Configuring SIP
You can enable SIP support, set two rate limits, enable SIP logging, and view SIP statistics using the web-based manager. You can do this plus configure many other SIP support features from the CLI. This section describes the following SIP configuration options:
Enabling SIP support and setting rate limiting from the web-based manager
Enabling SIP support from the CLI
More about rate limiting
Enabling SIP logging
Enabling advanced SIP features in an application list
Turning on SIP tracking
Managing RTP pinholing
Blocking SIP requests
Archiving SIP communication
Preserving NAT IP
Controlling SIP client connections
Accepting SIP register responses
Controlling how SIP handles contact header NAT
Opening and closing SIP register and non-register pinholes
Support for RFC 2543-compliant branch parameters
Enabling SIP support and setting rate limiting from the web-based manager
To enable SIP support you need to:
enable SIP in an application control list
select this application control list in a protection profile
add this protection profile to a firewall policy that accepts SIP traffic.
From the web-based manager, you can also configure some SIP rate limiting settings. Rate limiting for SIP also limits SIMPLE traffic. SIP rate limiting is useful for protecting a SIP server within a company. Most SIP servers do not have integrated controls and it is very easy to flood SIP servers with INVITE or REGISTER requests. Enabling SIP in an application control list actually enables the SIP application level gateway (SIP ALG) for sessions accepted by a firewall policy that includes the SIP application.
Tip: The SIP and SCCP application control list entries are used only for enabling the SIP or SCCP application level gateways (ALGs). They are not like any other application control list entry. For example, you cannot use the SIP and SCCP application control list entries to block SIP or SCCP traffic. From the CLI, SIP is application number 12 and SCCP is application number 13.

Tip: The SIP.TCP and SIP.UDP application control list entries are normal application control list entries and are not involved with the SIP ALG. You can use the SIP.TCP or SIP.UDP application control list entries to block SIP sessions.
To enable SIP and set REGISTER and INVITE rate limiting from the web-based manager
1 Go to UTM > Application Control.
2 If you want to enable SIP for an existing application control list, select the Edit icon for an application control list. Otherwise, select Create New to add a new application control list.
3 Then, select Create New in the list to add a new application to the list.
4 Set Application to SIP. You can optionally set Category to voip to make the SIP application easier to find.
5 Optionally configure REGISTER and INVITE limiting. For example:
  Set Limit REGISTER request to 100.
  Set Limit INVITE request to 100.
Figure 291: Example SIP Application control configuration
6 Select OK.
7 Go to Firewall > Profile and add the application control list to a protection profile.
8 Go to Firewall > Policy and add the protection profile to a firewall policy that accepts SIP sessions.
For more information about application control, see Application Control on page 595.
You can use rate limiting of these VoIP protocols to protect the FortiGate unit and your network from SIP and SCCP Denial of Service (DoS) attacks. Rate limiting protects against SIP DoS attacks by limiting the number of SIP REGISTER and INVITE requests that the FortiGate unit receives per second. Rate limiting protects against SCCP DoS attacks by limiting the number of SCCP call setup messages that the FortiGate unit receives per minute. When VoIP rate limiting is enabled, if the FortiGate unit receives more messages per second (or minute) than the configured rate, the extra messages are dropped. If you are experiencing denial of service attacks from traffic using these VoIP protocols, you can enable VoIP rate limiting and limit the rates for your network. Limit the rates depending on the amount of SIP and SCCP traffic that you expect the FortiGate unit to be handling. You can adjust the settings if some calls are lost or if the amount of SIP or SCCP traffic is affecting FortiGate unit performance. From the CLI you can configure additional SIP, SCCP, as well as SIMPLE extensions. For more information, see the description of the config sip, config sccp, and config simple subcommands of the application command in the FortiGate CLI Reference. You can also block SIMPLE sessions by enabling block login for the SIMPLE application. For more information, see Application Control on page 595.
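The rate limiting behaviour just described, as an added illustration that is not FortiOS code: a per-method cap over a time window, with requests beyond the cap dropped. The sliding one-second window and the request trace are this example's own constructions; the limits of 100 per second follow the web-based manager example above, and the window parameter is how the per-minute SCCP case would be modelled.

```python
"""SIP REGISTER/INVITE rate limiting as described above: requests over the
configured per-second rate are dropped. Added illustration, not FortiOS
code; the sliding one-second window is this example's choice, and the
request trace at the bottom is constructed.
"""
from collections import deque


class VoipRateLimiter:
    """Cap how many requests of each limited method are accepted per window.

    window=1.0 models the per-second SIP limits; window=60.0 would model
    the per-minute SCCP call setup limit described for SCCP.
    """

    def __init__(self, limits, window=1.0):
        self.limits = dict(limits)          # e.g. {"REGISTER": 100, "INVITE": 100}
        self.window = window
        self.history = {m: deque() for m in self.limits}
        self.dropped = {m: 0 for m in self.limits}

    def accept(self, method, now):
        """Return True if the request is admitted, False if it is dropped."""
        if method not in self.limits:
            return True                     # unlimited methods always pass
        recent = self.history[method]
        while recent and now - recent[0] >= self.window:
            recent.popleft()                # forget requests outside the window
        if len(recent) >= self.limits[method]:
            self.dropped[method] += 1
            return False
        recent.append(now)
        return True


def run_trace(limiter, trace):
    """Feed (timestamp, method) pairs through the limiter; return accepted counts per method."""
    accepted = {}
    for ts, method in trace:
        if limiter.accept(method, ts):
            accepted[method] = accepted.get(method, 0) + 1
    return accepted


# Constructed flood: 150 REGISTERs in half a second, 10 INVITEs, one OPTIONS,
# then a single REGISTER after the window has moved on.
FLOOD = ([(i * 0.003, "REGISTER") for i in range(150)]
         + [(0.5 + i * 0.01, "INVITE") for i in range(10)]
         + [(0.6, "OPTIONS"), (1.5, "REGISTER")])


def demo():
    """Limits of 100 per second for each method, as in the web-based manager example."""
    limiter = VoipRateLimiter({"REGISTER": 100, "INVITE": 100})
    accepted = run_trace(limiter, FLOOD)
    return accepted, limiter.dropped
```

Only the method being flooded is affected: the INVITEs and the OPTIONS request in the trace are all admitted while the excess REGISTERs are dropped, and the REGISTER that arrives once the window has moved on is accepted again.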
To enable SIP logging from the CLI
1 Enter the following command to add an application control list called App_list_SIP, enable SIP support and enable SIP logging. You can also optionally enable logging of SIP violations. Logging is enabled by default, but you can use the following command to verify that logging is enabled and to also enable logging SIP violations.
    config application list
        edit App_list_SIP
            config entries
                edit 1
                    set category voip
                    set application SIP
                    set log enable
                    set sip-log-violations enable
                end
            end
2 Enter the following command to add App_list_SIP to a protection profile called SIP_Profile and enable application control logging for the protection profile.
    config firewall profile
        edit SIP_Profile
            set application-list-status enable
            set application-list App_list_SIP
            config log
                set log-app-ctrl enable
            end
        end
Table 51: Application control list advanced SIP features

SIP CLI option: Description
block-options {enable | disable}: Enable to block SIP OPTIONS requests.
block-prack {enable | disable}: Enable to block SIP PRACK requests.
block-publish {enable | disable}: Enable to block SIP PUBLISH requests.
block-refer {enable | disable}: Enable to block SIP REFER requests.
block-register {enable | disable}: Enable to block SIP REGISTER requests.
block-subscribe {enable | disable}: Enable to block SIP SUBSCRIBE requests.
block-unknown {enable | disable}: Enable to block unrecognized SIP requests.
block-update {enable | disable}: Enable to block SIP UPDATE requests.
call-keepalive <minutes_int>: Enter the number of minutes the FortiGate unit continues tracking SIP calls with no RTP.
max-dialogs <calls_int>: Enter the maximum number of concurrent SIP dialogs.
max-line-length <length_int>: Enter the maximum SIP header line length. The value must be between 78 and 4096. The default is 998 characters. Enable block-long-lines to enforce this limit.
open-contact-pinhole {disable | enable}: Open or close SIP pinholes for SIP non-REGISTER requests (usually INVITE requests). By default open-contact-pinhole is enabled and the FortiGate unit opens pinholes for non-REGISTER requests. Set to disable to prevent the FortiGate unit from opening these pinholes.
open-register-pinhole {disable | enable}: Open or close SIP pinholes for SIP REGISTER requests. By default open-register-pinhole is enabled and the FortiGate unit opens pinholes for REGISTER requests. Set to disable to prevent the FortiGate unit from opening these pinholes.
reg-diff-port {enable | disable}: Enable to accept SIP REGISTER responses even if the source port is different from the destination port in the register request.
rfc2543-branch {enable | disable}: Enable to support RFC 2543-compliant SIP calls involving branch commands that are missing or that are valid for RFC 2543 but invalid for RFC 3261. RFC 3261 is the most recent SIP RFC. RFC 3261 obsoletes RFC 2543.
rtp {enable | disable}: Enable to allow RTP traffic.
strict-register {enable | disable}: Enable to allow only the SIP registrar to connect.
From the CLI, type the following commands:
    config application list
        edit <list_name>
            config entries
                edit 1
                    set category voip
                    set application SIP
                    set call-keepalive <integer>
                end
            end
Preserving NAT IP
In NAT operation mode, you can preserve the original source IP address in the SDP i line. This allows the SIP server to parse this IP for billing purposes. From the CLI, type the following commands:
    config application list
        edit <list_name>
            config entries
                edit 1
                    set category voip
                    set application SIP
                    set nat-trace enable
                end
            end
In addition, you can overwrite or append the SDP i line:
    config application list
        edit <list_name>
            config entries
                edit 1
                    set category voip
                    set application SIP
                    set preserve-override {enable | disable}
                end
            end
where selecting enable removes the original source IP address from the SDP i line and disable appends the address.
From the CLI, type the following commands:
    config application list
        edit <list_name>
            config entries
                edit 1
                    set category voip
                    set application SIP
                    set reg-diff-port enable
                end
            end
If contact-fixup is disabled, the FortiGate ALG must be able to identify the external network. To identify the external network, you must use the config system interface command to set the external keyword to enable for the interface that is connected to the external network. From the CLI, type the following commands:
    config application list
        edit <list_name>
            config entries
                edit 1
                    set category voip
                    set application SIP
                    set contact-fixup {enable | disable}
                end
            end
Usually you would want to open these pinholes. Keeping them closed may prevent SIP from functioning properly through the FortiGate unit. They can be disabled, however, for interconnect scenarios (where all SIP traffic is between proxies and traveling over a single session). In some cases these settings can also be disabled in access scenarios if it is known that all users will be registering regularly so that their contact information can be learned from the register request. You might want to prevent pinholes from being opened to avoid creating a pinhole for every register or non-register request. Each pinhole uses additional system memory, which can affect system performance if there are hundreds or thousands of users, and requires refreshing, which can take a relatively long time if there are thousands of active calls. To stop the FortiGate unit from opening register and non-register pinholes:
    config application list
        edit <list_name>
            config entries
                edit 1
                    set category voip
                    set application SIP
                    set open-register-pinhole disable
                    set open-contact-pinhole disable
                end
            end
You can selectively enable SIP block options to block SIP messages that you consider a security risk or that are not required for your implementation. For example, enter the following command to block SIP OPTIONS and PUBLISH messages:
    config application list
        edit <list_name>
            config entries
                edit 1
                    set category voip
                    set application SIP
                    set block-options enable
                    set block-publish enable
                end
            end
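The block options from Table 51 applied to requests in code, as an added illustration that is not FortiOS code: the policy keys mirror the CLI option names on the page, including block-unknown and the max-line-length limit that block-long-lines enforces. The list of known methods comes from RFC 3261 and its common extensions, and the sample requests are constructed.

```python
"""Request filtering with the block-* and line-length options from Table 51.
Added illustration, not FortiOS code; the policy dict keys mirror the CLI
option names on the page, and the sample requests are constructed.
"""

# Methods defined by RFC 3261 and its common extensions.
KNOWN_METHODS = {
    "INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS", "PRACK",
    "SUBSCRIBE", "NOTIFY", "PUBLISH", "INFO", "REFER", "MESSAGE", "UPDATE",
}

# Methods for which Table 51 lists a block-<method> option.
BLOCKABLE = {"OPTIONS", "PRACK", "PUBLISH", "REFER", "REGISTER", "SUBSCRIBE", "UPDATE"}

DEFAULT_POLICY = {
    "block-unknown": False,
    "block-long-lines": False,
    "max-line-length": 998,       # default from the table; valid range 78-4096
}


def make_policy(overrides=None):
    """Build a policy dict from the defaults plus CLI-style option overrides."""
    policy = dict(DEFAULT_POLICY)
    policy.update(overrides or {})
    if not 78 <= policy["max-line-length"] <= 4096:
        raise ValueError("max-line-length must be between 78 and 4096")
    return policy


def sip_request_decision(message, policy):
    """Return ('pass' | 'block', reason) for one SIP request."""
    head = message.split("\r\n\r\n", 1)[0]
    header_lines = head.split("\r\n")
    # Line-length limit applies to header lines and is enforced only when
    # block-long-lines is enabled, as the table describes.
    if policy.get("block-long-lines"):
        longest = max(len(line) for line in header_lines)
        if longest > policy["max-line-length"]:
            return "block", f"header line of {longest} bytes exceeds max-line-length"
    method = header_lines[0].split(" ", 1)[0]
    if method not in KNOWN_METHODS:
        if policy.get("block-unknown"):
            return "block", f"unknown request {method}"
        return "pass", f"unknown request {method} allowed"
    if method in BLOCKABLE and policy.get(f"block-{method.lower()}"):
        return "block", f"{method} blocked by block-{method.lower()}"
    return "pass", method


def request(method, extra_header=""):
    """Constructed minimal request (request line plus headers) for the demonstrations."""
    return (f"{method} sip:b@example.com SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK1\r\n"
            "From: <sip:a@example.com>;tag=1\r\n"
            "To: <sip:b@example.com>\r\n"
            "Call-ID: c1\r\n"
            f"CSeq: 1 {method}\r\n"
            + extra_header + "\r\n")
```

Note that raising max-line-length alone changes nothing until block-long-lines is also enabled, and that an unrecognized method passes unless block-unknown is set; both mirror the defaults in the table.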
AntiVirus
This section describes how to configure the antivirus options associated with firewall protection profiles. From a protection profile you can configure the FortiGate unit to apply antivirus protection to HTTP, FTP, IMAP, POP3, SMTP, IM, and NNTP sessions. If your FortiGate unit supports SSL content scanning and inspection you can also configure antivirus protection for HTTPS, IMAPS, POP3S, and SMTPS sessions. For more information, see SSL content scanning and inspection on page 469. This section provides an introduction to antivirus settings. For more information see the FortiGate UTM User Guide. If you enable virtual domains (VDOMs) on the FortiGate unit, UTM > Antivirus options are configured separately for each virtual domain. For details, see Using virtual domains on page 125.

This section describes:
Order of operations
Antivirus tasks
Antivirus settings and controls
File Filter
File Quarantine
Selecting the virus database
Antivirus CLI configuration
Order of operations
Antivirus scanning includes various modules and engines that perform separate tasks. The FortiGate unit performs antivirus processing in the following order:
1 File size
2 File pattern
3 File type
4 Virus scan
5 Grayware
6 Heuristics
If a file fails any of the tasks of the antivirus scan, no further scans are performed. For example, if the file fakefile.EXE is recognized as a blocked pattern, the FortiGate unit will send the end user a replacement message and the file will be deleted or quarantined. The virus scan, grayware, heuristics, and file type scans will not be performed, as the file has already been determined to be a threat and has been dealt with.
Note: File filter includes file pattern and file type scans which are applied at different stages in the antivirus process.
Antivirus tasks
The antivirus tasks work in sequence to efficiently scan incoming files and offer your network unparalleled antivirus protection. The first four tasks have specific functions; the fifth, heuristics, covers any new, previously unknown virus threats. To ensure that your system is providing the most protection available, all virus definitions and signatures are updated regularly through the FortiGuard antivirus services. The tasks will be discussed in the order that they are applied, followed by FortiGuard antivirus.
File size
This task checks if files and email messages exceed configured thresholds. It is enabled by setting the Oversized File/Email option under Firewall > Protection Profile > Antivirus to Pass. For more information, see Anti-Virus options on page 477.
File pattern
Once a file is accepted, the FortiGate unit applies the file pattern recognition filter. The FortiGate unit will check the file against the file pattern setting you have configured. If the file is a blocked pattern, .EXE for example, then it is stopped and a replacement message is sent to the end user. No other levels of protections are applied. If the file is not a blocked pattern the next level of protection is applied.
File type
Once a file passes the heuristic scan, the FortiGate unit applies the file type recognition filter. The FortiGate unit will check the file against the file type setting you have configured. If the file is a blocked type, then it is stopped and a replacement message is sent to the end user. No other levels of protections are applied. If the file is not a blocked type, the next level of protection is applied.
Virus scan
If the file passes the file pattern scan, it will have a virus scan applied to it. The virus definitions are kept up to date through the Fortinet Distribution Network. The list is updated on a regular basis so you do not have to wait for a firmware upgrade. For more information on updating virus definitions, see FortiGuard antivirus on page 511.
Grayware
Once past the virus scan, the incoming file will be checked for grayware. Grayware checking can be turned on and off as required. Grayware signatures are kept up to date because they are included in the antivirus definitions. For more information, see Selecting the virus database on page 519.
Heuristics
After an incoming file has passed the grayware scan, it is subjected to the heuristics scan. The FortiGate heuristic antivirus engine, if enabled, performs tests on the file to detect virus-like behavior or known virus indicators. In this way, heuristic scanning may detect new viruses, but may also produce some false positive results.
Note: Heuristics is configurable only through the CLI. See the FortiGate CLI Reference.
FortiGuard antivirus
FortiGuard antivirus services are an excellent resource and include automatic updates of virus and IPS (attack) engines and definitions, as well as the local spam DNSBL, through the FortiGuard Distribution Network (FDN). The FortiGuard Center also provides the FortiGuard antivirus virus and attack encyclopedia and the FortiGuard Bulletin. Visit the Fortinet Knowledge Center for details and a link to the FortiGuard Center. The connection between the FortiGate unit and FortiGuard Center is configured in System > Maintenance > FortiGuard. See Configuring the FortiGate unit for FDN and FortiGuard subscription services on page 302 for more information.
UTM > AntiVirus > File Filter: Configure file patterns and types to block or allow files. Patterns and types can also be individually enabled or disabled.
UTM > AntiVirus > Quarantine: Configure file patterns to upload automatically to Fortinet for analysis, and configure quarantine options in AntiVirus.
File Filter
Configure the FortiGate file filter to block files by:
File pattern: Files can be blocked by name, extension, or any other pattern. File pattern blocking provides the flexibility to block potentially harmful content. File pattern entries are not case sensitive. For example, adding *.exe to the file pattern list also blocks any files ending in .EXE. In addition to the built-in patterns, you can specify more file patterns to block. For details, see Configuring the file filter list on page 516.
File type: Files can be blocked by type, without relying on the file name to indicate what type of files they are. When blocking by file type, the FortiGate unit analyzes the file and determines the file type regardless of the file name. For details about supported file types, see Built-in patterns and supported file types on page 513.
For standard operation, you can choose to disable file filter in the protection profile, and enable it temporarily to block specific threats as they occur. The FortiGate unit can take either of these actions toward files that match a configured file pattern or type:
Allow: the file is allowed to pass.
Block: the file is blocked and a replacement message is sent to the user.
If both file filter and virus scan are enabled, the FortiGate unit blocks files that match the enabled file filter and does not scan these files for viruses.
The FortiGate unit also writes a message to the virus log and sends an alert email message if configured to do so. Files are compared to the enabled file patterns and then the file types from top to bottom. If a file does not match any specified patterns or types, it is passed along to antivirus scanning (if enabled). In effect, files are passed if not explicitly blocked. Using the allow action, this behavior can be reversed with all files being blocked unless explicitly passed. Simply enter all the file patterns or types to be passed with the allow attribute. At the end of the list, add an all-inclusive wildcard (*.*) with a block action. Allowed files continue to antivirus scanning (if enabled) while files not matching any allowed patterns are blocked by the wildcard at the end.
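The evaluation order just described, as an added illustration that is not FortiOS code: enabled pattern entries are checked first, then enabled type entries, top to bottom; the first match decides, and a file that matches nothing passes on to antivirus scanning. The two lists and the file names are constructed; the reversed allow-list with the *.* wildcard at the end follows the text above.

```python
"""File filter list evaluation as described above: enabled pattern entries,
then enabled type entries, top to bottom; the first match decides, and a
file matching nothing passes on to antivirus scanning. Added illustration,
not FortiOS code; the lists and file names are constructed.
"""
import fnmatch

# Entry: (kind, value, action, enabled). kind is "pattern" or "type".
DEFAULT_BLOCK_LIST = [
    ("pattern", "*.exe", "block", True),
    ("pattern", "*.bat", "block", True),
    ("type", "elf", "block", True),
    ("pattern", "*.scr", "block", False),   # disabled entries are skipped
]

# Reversed logic: only explicitly allowed patterns pass; everything else
# that matches the wildcard at the end of the list is blocked.
ALLOW_LIST = [
    ("pattern", "*.pdf", "allow", True),
    ("pattern", "*.txt", "allow", True),
    ("pattern", "*.*", "block", True),
]


def evaluate_file_filter(filename, file_type, entries):
    """Return (result, matched_entry).

    result is "block", "allow" (explicitly allowed, continues to antivirus
    scanning) or "pass" (no match, also continues to antivirus scanning).
    Patterns are matched case-insensitively, as the guide describes; file_type
    stands for the type the unit determines from the file content.
    """
    ordered = ([e for e in entries if e[0] == "pattern"]
               + [e for e in entries if e[0] == "type"])
    for entry in ordered:
        kind, value, action, enabled = entry
        if not enabled:
            continue
        if kind == "pattern" and fnmatch.fnmatchcase(filename.lower(), value.lower()):
            return action, entry
        if kind == "type" and file_type == value:
            return action, entry
    return "pass", None


def scanned_for_viruses(result):
    """Blocked files are not scanned for viruses; allowed and unmatched files are."""
    return result != "block"
```

One caveat from this glob implementation: the *.* wildcard only matches names containing a dot, so a bare name such as README is not caught by the trailing block entry and passes through to scanning; confirm the unit's own matching behaviour before relying on the wildcard for names without an extension.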
The FortiGate unit can take actions against the following file types:
513
File Filter
AntiVirus
Table 53: Supported file types
activemime, arj, aspack, base64, bat, binhex, bzip, bzip2, cab, class, cod, elf, exe, fsg, gzip, hlp, hta, html, jad, javascript, lzh, mime, msc, msoffice, petite, prc, rar, sis, tar, upx, uue, zip, unknown, ignored
Note: The unknown type is any file type that is not listed in the table. The ignored type is the traffic the FortiGate unit typically does not scan. This includes primarily streaming audio and video.
Create New: Select Create New to add a new file filter list to the catalog.
Name: The available file filter lists.
# Entries: The number of file patterns or file types in each file filter list.
Profiles: The protection profiles each file filter list has been applied to.
DLP Rule: The DLP rules in which each filter is used.
Comments: An optional description of each file filter list.
Delete icon: Select to remove the file filter list from the catalog. The delete icon is only available if the file filter list is not selected in any protection profiles.
Edit icon: Select to edit the file filter.
File filter lists are selected in protection profiles. For more information, see Anti-Virus options on page 477.
Name: Enter the name of the new list.
Comments: Enter a comment to describe the list, if required.
The file filter list has the following icons and features:
Name: File filter list name. To change the name, edit the text in the name field and select OK.
Comment: Optional comment. To add or edit the comment, enter text in the comment field and select OK.
OK: If you make changes to the list name or comments, select OK to save the changes.
Create New: Select Create New to add a new file pattern or type to the file filter list.
Filter: The current list of file patterns and types.
Action: Files matching the file patterns and types can be set to Block or Allow. For information about actions, see File Filter on page 513.
Enable: Clear the checkbox to disable the file pattern or type.
Delete icon: Select to remove the file pattern or type from the list.
Edit icon: Select to edit the file pattern/type and action.
Move To icon: Select to move the file pattern or type to any position in the list.
To add a file pattern or type, go to UTM > AntiVirus > File Filter. Select the Edit icon for a file filter catalog. Select Create New.
Filter Type: Select File Name Pattern or File Type.
Pattern: Enter the file pattern. The file pattern can be an exact file name or can include wildcards. The file pattern can be 80 characters long.
File Type: Select a file type from the list. For information about supported file types, see Built-in patterns and supported file types on page 513.
Action: Select an action from the drop-down list: Block or Allow. For more information about actions, see File Filter on page 513.
Enable: Select to enable the pattern.
File Quarantine
FortiGate units with a local disk can quarantine blocked and infected files. View the file name and status information about the file in the Quarantined Files list. Submit specific files and add file patterns to the AutoSubmit list so they will automatically be uploaded to Fortinet for analysis.
FortiGate units can also quarantine blocked and infected files to a FortiAnalyzer unit. Files stored on the FortiAnalyzer unit can also be viewed from the Quarantined Files list. To configure quarantine to a FortiAnalyzer unit, go to Log & Report > Log Config > Log Setting.
To configure and enable file quarantine
1 Go to UTM > AntiVirus > Config to configure the quarantine service and destination. For details, see Configuring quarantine options on page 518.
2 Go to Firewall > Protection Profile > Antivirus to enable quarantine for the required protocols in the protection profiles. For details, see Configuring a protection profile on page 474. You can configure a protection profile to quarantine blocked and infected files from HTTP, FTP, IMAP, POP3, SMTP, IM, and NNTP traffic. If your FortiGate unit supports SSL content scanning and inspection, you can also quarantine blocked and infected files from HTTPS, IMAPS, POP3S, and SMTPS traffic. To enable HTTPS quarantine you must set HTTPS Content Filtering Mode to Deep Scan in the Protocol Recognition part of the protection profile. For more information, see SSL content scanning and inspection on page 469.
3 Go to Firewall > Policy and add the protection profile to a firewall policy.
Enter the file pattern or file name to be uploaded automatically to Fortinet.
Select to enable the file pattern.
Note: To enable automatic uploading of the configured file patterns, go to UTM > AntiVirus > Quarantine, select Enable AutoSubmit, and select Use File Pattern.
Figure 300: Quarantine Configuration (SSL content scanning and inspection and quarantine to disk)
Quarantine Infected Files: Select the protocols from which to quarantine infected files identified by antivirus scanning.
Quarantine Suspicious Files: Select the protocols from which to quarantine suspicious files identified by heuristic scanning.
Quarantine Blocked Files: Select the protocols from which to quarantine blocked files identified by antivirus file filtering. The Quarantine Blocked Files option is not available for IM and HTTPS because a file name is blocked before downloading and cannot be quarantined.
Age Limit: The time limit in hours for which to keep files in quarantine. The age limit is used to formulate the value in the TTL column of the quarantined files list. When the limit is reached, the TTL column displays EXP. and the file is deleted (although the entry in the quarantined files list is maintained). Entering an age limit of 0 (zero) means files are stored on disk indefinitely, depending on the low disk space action.
Max Filesize to Quarantine: The maximum size of quarantined files in MB. Setting the maximum file size too large may affect performance.
Low Disk Space: Select the action to take when the local disk is full: overwrite the oldest file or drop the newest file.
Quarantine to FortiAnalyzer: Select to enable storage of blocked and quarantined files on a FortiAnalyzer unit. See Log&Report on page 703 for more information about configuring a FortiAnalyzer unit.
Enable AutoSubmit: Enables the automatic submission feature. Select one or both of the options below.
Use File Pattern: Enables the automatic upload of files matching the file patterns in the AutoSubmit list.
Use File Status: Enables the automatic upload of quarantined files based on their status. Select either Heuristics or Block Pattern.
Apply: Select to save the configuration.
Usually the FortiGuard AV definitions are updated automatically from the FortiGuard Distribution Network (FDN). Go to System > Maintenance > FortiGuard to configure automatic antivirus definition updates from the FDN. You can also update the antivirus definitions manually from the system dashboard (go to System > Status).
Use optimize antivirus in conjunction with antivirus failopen to ensure maximum efficiency and safeguard against system crashes if the system does become overloaded because of high traffic.
The heuristic engine is disabled by default. You need to enable it to pass suspected files to the recipient and send a copy to the file quarantine. Once enabled in the CLI, heuristic scanning is enabled in a protection profile when Virus Scan is enabled. Use the heuristic command to change the heuristic scanning mode.
Intrusion Protection
The FortiGate Intrusion Protection system combines signature and anomaly detection and prevention with low latency and excellent reliability. With Intrusion Protection, you can create multiple IPS sensors, each containing a complete configuration based on signatures. Then, you can apply any IPS sensor to each protection profile. You can also create DoS sensors to examine traffic for anomaly-based attacks. This section describes how to configure the FortiGate Intrusion Protection settings. For more information about Intrusion Protection, see the FortiGate UTM User Guide. If you enable virtual domains (VDOMs) on the FortiGate unit, intrusion protection is configured separately for each virtual domain. For details, see Using virtual domains on page 125.
This section describes:
About intrusion protection
Signatures
Custom signatures
Protocol decoders
IPS sensors
DoS sensors
Intrusion protection CLI configuration
Using Intrusion Protection, you can configure the FortiGate unit to check for and automatically download updated attack definition files containing the latest signatures, or download the updated attack definition file manually. Alternately, you can configure the FortiGate unit to allow push updates of the latest attack definition files as soon as they are available from the FortiGuard Distribution Network. You can also create custom attack signatures for the FortiGate unit to use in addition to an extensive list of predefined attack signatures. Whenever the Intrusion Protection system detects or prevents an attack, it generates an attack log message. You can configure the FortiGate unit to add the message to the attack log and send an alert email to administrators, as well as schedule how often it should send this alert email. You can also reduce the number of log messages and alerts by disabling signatures for attacks that will not affect your network. For example, you do not need to enable signatures to detect web attacks when there is no web server to protect. You can also use the packet logging feature to analyze packets for false positive detection. For more information about FortiGate logging and alert email, see Log&Report on page 703.
Signatures
The FortiGate Intrusion Protection system can use signatures once you have grouped the required signatures in an IPS sensor, and then selected the IPS sensor in the protection profile. If required, you can override the default settings of the signatures specified in an IPS sensor. The FortiGate unit provides a number of pre-built IPS sensors, but you should check their settings before using them, to ensure they meet your network requirements.
By using only the signatures you require, you can improve system performance and reduce the number of log messages and alert email messages the IPS sensor generates. For example, if the FortiGate unit is not protecting a web server, do not include any web server signatures.
Note: Some default protection profiles include IPS Sensors that use all the available signatures. By using these default settings, you may be slowing down the overall performance of the FortiGate unit. By creating IPS sensors with only the signatures your network requires, you can ensure maximum performance as well as maximum protection.
To view the predefined signature list, go to UTM > Intrusion Protection > Predefined. You can also use filters and column settings to display the signatures you want to view. For more information, see Using display filters on page 526.
Figure 302: Predefined signature list
By default, the signatures are sorted by name. To sort the table by another column, select the header of the column to sort by.
Current Page: The current page number of list items that are displayed. Select the left and right arrows to display the first, previous, next or last page of signatures.
Column Settings: Select to customize the signature information displayed in the table. You can also readjust the column order. For more information, see Using column settings to control the columns displayed on page 61 and Web-based manager icons on page 63.
If you have applied filtering to the predefined signature list display, select this option to clear all filters and display all the signatures.
Edit the column filters to filter or sort the predefined signature list according to the criteria you specify. For more information, see Adding filters to web-based manager lists on page 57.
The name of the signature. Each name is also a link to the description of the signature in the FortiGuard Center Vulnerability Encyclopedia.
The severity rating of the signature. The severity levels, from lowest to highest, are Information, Low, Medium, High, and Critical.
The target of the signature: servers, clients, or both.
The protocol the signature applies to.
The operating system the signature applies to.
The applications the signature applies to.
The default status of the signature. A green circle indicates the signature is enabled. A gray circle indicates the signature is not enabled.
The default action for the signature: Pass allows the traffic to continue without any modification. Drop prevents the traffic with detected signatures from reaching its destination. If Logging is enabled, the action appears in the status field of the log message generated by the signature.
A unique numeric identifier for the signature.
The default logging behavior of the signature. A green circle indicates logging is enabled. A gray circle indicates logging is disabled.
A functional group that is assigned to that signature. This group is only for reference and cannot be used to define filters.
The default packet log status of the signature. A green circle indicates that the packet log is enabled. A gray circle indicates that the packet log is not enabled.
The revision level of the signature. If the signature is updated, the revision number will be incremented.
Tip: To determine what effect IPS protection would have on your network traffic, you can enable the required signatures, set the action to pass, and enable logging. Traffic will not be interrupted, but you will be able to examine in detail which signatures were detected.
Custom signatures
Custom signatures provide the power and flexibility to customize the FortiGate Intrusion Protection system for diverse network environments. The FortiGate predefined signatures represent common attacks. If you use an unusual or specialized application or an uncommon platform, you can add custom signatures based on the security alerts released by the application and platform vendors. You can also create custom signatures to help you block P2P protocols. After creation, you need to specify custom signatures in IPS sensors created to scan traffic. For more information about creating IPS sensors, see Adding an IPS sensor on page 530. For more information about custom signatures, see the FortiGate UTM User Guide.
Note: If virtual domains are enabled on the FortiGate unit, the Intrusion Protection settings are configured separately in each VDOM. All sensors and custom signatures will appear only in the VDOM in which they were created.
Create New: Select to create a new custom signature.
Name: The custom signature name.
Signature: The signature syntax.
Note: Custom signatures must be added to a signature override in an IPS filter to have any effect. Creating a custom signature is a necessary step, but a custom signature does not affect traffic simply by being created.
Name: Enter a name for the custom signature.
Signature: Enter the custom signature, using the appropriate syntax. For more information, see the FortiGate UTM User Guide.
Protocol decoders
The FortiGate Intrusion Protection system uses protocol decoders to identify the abnormal traffic patterns that do not meet the protocol requirements and standards. For example, the HTTP decoder monitors traffic to identify any HTTP packets that do not meet the HTTP protocol standards.
Protocols: The protocol decoder name.
Ports: The port number or numbers that the decoder monitors.
IPS sensors
You can group signatures into IPS sensors for easy selection in protection profiles. You can define signatures for specific types of traffic in separate IPS sensors, and then select those sensors in profiles designed to handle that type of traffic. For example, you can specify all of the web-server related signatures in an IPS sensor, and the sensor can then be used by a protection profile in a policy that controls all of the traffic to and from a web server protected by the FortiGate unit. The FortiGuard Service periodically updates the pre-defined signatures, with signatures added to counter new threats. Because the signatures included in filters are defined by specifying signature attributes, new signatures matching existing filter specifications will automatically be included in those filters. For example, if you have a filter that includes all signatures for the Windows operating system, your filter will automatically incorporate new Windows signatures as they are added.
Create New: Add a new IPS sensor. For more information, see Adding an IPS sensor on page 530.
Name: The name of each IPS sensor.
Comments: An optional description of the IPS sensor.
Delete and Edit icons: Delete or edit an IPS sensor.
Five default IPS sensors are provided with the default configuration.
all_default: Includes all signatures. The sensor is set to use the default enable status and action of each signature.
all_default_pass: Includes all signatures. The sensor is set to use the default enable status of each signature, but the action is set to pass.
protect_client: Includes only the signatures designed to detect attacks against clients and uses the default enable status and action of each signature.
protect_email_server: Includes only the signatures designed to detect attacks against servers and the SMTP, POP3, or IMAP protocols and uses the default enable status and action of each signature.
protect_http_server: Includes only the signatures designed to detect attacks against servers and the HTTP protocol and uses the default enable status and action of each signature.
Name: Enter the name of the new IPS sensor.
Comment: Enter an optional comment to display in the IPS sensor list.
Figure 308: Edit IPS sensor
IPS sensor attributes:
Name: The name of the IPS sensor. You can change it at any time.
Comments: An optional comment describing the IPS sensor. You can change it at any time.
OK: Select to save changes to Name or Comments.
IPS sensor filters:
Add Filter: Add a new filter to the end of the filter list. For more information, see Configuring filters on page 532.
#: Current position of each filter in the list.
Name: The name of the filter.
Signature attributes: Signature attributes specify the type of network traffic the signature applies to.
Severity: The severity of the included signatures.
Target: The type of system targeted by the attack. The targets are client and server.
Protocol: The protocols to which the signatures apply. Examples include HTTP, POP3, H323, and DNS.
OS: The operating systems to which the signatures apply.
Application: The applications to which the signatures apply.
Enable: The status of the signatures included in the filter. The signatures can be set to enabled, disabled, or default. The default setting uses the default status of each individual signature as displayed in the signature list.
Logging: The logging status of the signatures included in the filter. Logging can be set to enabled, disabled, or default. The default setting uses the default status of each individual signature as displayed in the signature list.
Action: The action of the signatures included in the filter. The action can be set to pass all, block all, reset all, or default. The default setting uses the action of each individual signature as displayed in the signature list.
The number of signatures included in the filter. Overrides are not included in this total.
Delete icon: Delete the filter.
Edit icon: Edit the filter.
Insert icon: Create a new filter and insert it above the current filter.
Move To icon: After selecting this icon, enter the destination position in the window that appears, and select OK.
View Rules icon: Open a window listing all of the signatures included in the filter.
IPS sensor overrides:
Add Pre-defined Override: Select to create an override based on a pre-defined signature.
Add Custom Override: Select to create an override based on a custom signature.
#: Current position of each override in the list.
Name: The name of the signature.
Enable: The status of the override. A green circle indicates the override is enabled. A gray circle indicates the override is not enabled.
Logging: The logging status of the override. A green circle indicates logging is enabled. A gray circle indicates logging is not enabled.
Action: The action set for the override. The action can be set to pass, block, or reset.
Delete and Edit icons: Delete or edit the filter.
Configuring filters
To configure a filter, go to UTM > Intrusion Protection > IPS Sensor. Select the Edit icon of the IPS sensor containing the filter you want to edit. When the sensor window opens, select the Edit icon of the filter you want to change, or select Add Filter to create a new filter. Enter the information as described below and select OK.
Figure 309: Edit IPS Filter
Name: Enter or change the name of the IPS filter.
Severity: Select All, or select Specify and then choose one or more severity ratings. Severity defines the relative importance of each signature. Signatures rated critical detect the most dangerous attacks while those rated as info pose a much smaller threat.
Target: Select All, or select Specify and then choose the type of system targeted by the attack. The choices are server or client.
OS: Select All, or select Specify and then select one or more operating systems that are vulnerable to the attack. Signatures with an OS attribute of All affect all operating systems. These signatures will be automatically included in any filter regardless of whether a single, multiple, or all operating systems are specified.
Protocol: Select All, or select Specify to list what network protocols are used by the attack. Use the Right Arrow to move the ones you want to include in the filter from the Available to the Selected list, or the Left Arrow to remove previously selected protocols from the filter.
Application: Select All, or select Specify to list the applications or application suites vulnerable to the attack. Use the Right Arrow to move the ones you want to include in the filter from the Available to the Selected list, or the Left Arrow to remove previously selected applications from the filter.
Select to enable NAC quarantine for this filter. For more information about NAC quarantine, see NAC quarantine and the Banned User list on page 670. The FortiGate unit deals with the attack according to the IPS sensor or DoS sensor configuration regardless of this setting.
Method: Select Attacker's IP Address to block all traffic sent from the attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected. Select Attacker and Victim IP Addresses to block all traffic sent from the attacker IP address to the target (victim) IP address. Traffic from the attacker IP address to addresses other than the victim IP address is allowed. The attacker and target IP addresses are added to the banned user list as one entry. Select Attack's Incoming Interface to block all traffic from connecting to the FortiGate interface that received the attack. The interface is added to the banned user list.
Expires: You can select whether the attacker is banned indefinitely or for a specified number of days, hours, or minutes.
Configure whether the filter overrides the following signature settings or accepts the settings in the signatures.
Enable: Select from the options to specify what the FortiGate unit will do with the signatures included in the filter: enable all, disable all, or enable or disable each according to the individual default values shown in the signature list.
Logging: Select from the options to specify whether the FortiGate unit will create log entries for the signatures included in the filter: enable all, disable all, or enable or disable logging for each according to the individual default values shown in the signature list.
Action: Select from the options to specify what the FortiGate unit will do with traffic containing a signature match: pass all, block all, reset all, or block or pass traffic according to the individual default values shown in the signature list.
The signatures included in the filter are only those matching every attribute specified. When created, a new filter has every attribute set to all which causes every signature to be included in the filter. If the severity is changed to high, and the target is changed to server, the filter includes only signatures checking for high priority attacks targeted at servers.
Use an override to add an individual signature that is not included in any filter to an IPS sensor. This is the only way to add custom signatures to IPS sensors.
When a pre-defined signature is specified in an override, the default status and action attributes have no effect. These settings must be explicitly set when creating the override.
Note: Before an override can affect network traffic, you must add it to a filter, and you must select the sensor in a protection profile applied to a policy. An override does not have the ability to affect network traffic until these steps are taken.
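The filter matching rule (every attribute must match, All includes everything, and OS=All signatures are included whatever OS is specified) and the override rule (explicit settings, and the only route for a custom signature) as an added example that is not part of the original guide or of Fortinet's code. The signature catalog is constructed, and two points the page does not state are assumptions marked in the code: an override takes precedence over filters, and the first filter in list order that includes a signature applies.

```python
from dataclasses import dataclass
from typing import Optional, Set, Union

# Hypothetical model of IPS sensor filters and overrides, written for this page.
# Attribute names, the All/Specify semantics and the enable, logging and action
# choices follow the text; filter precedence is an assumption (see evaluate).

ALL = "all"                       # attribute left at All, or a signature whose OS is All
Selection = Union[str, Set[str]]  # ALL, or the set of values chosen under Specify

@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    severity: str         # information, low, medium, high, critical
    target: str           # client or server
    protocol: str
    os: str               # may be ALL
    application: str
    enabled: bool         # default enable status from the signature list
    logging: bool         # default logging behaviour
    action: str           # default action: "pass" or "drop"
    custom: bool = False  # custom signatures never match a filter

@dataclass
class Filter:
    name: str
    severity: Selection = ALL
    target: Selection = ALL
    protocol: Selection = ALL
    os: Selection = ALL
    application: Selection = ALL
    enable: str = "default"   # "enable", "disable" or "default"
    logging: str = "default"  # "enable", "disable" or "default"
    action: str = "default"   # "pass", "block", "reset" or "default"

@dataclass(frozen=True)
class Override:
    signature: str  # signature name; the only way a custom signature enters a sensor
    enabled: bool   # set explicitly: the signature defaults have no effect here
    logging: bool
    action: str     # "pass", "block" or "reset"

def _match(selected: Selection, value: str, all_value_matches: bool = False) -> bool:
    if selected == ALL:
        return True
    if all_value_matches and value == ALL:
        return True  # OS=All signatures are included whatever OS is specified
    return value in selected

def filter_includes(f: Filter, s: Signature) -> bool:
    """A signature is in a filter only when every attribute matches."""
    return (not s.custom
            and _match(f.severity, s.severity)
            and _match(f.target, s.target)
            and _match(f.protocol, s.protocol)
            and _match(f.os, s.os, all_value_matches=True)
            and _match(f.application, s.application))

def filter_count(f: Filter, catalog) -> int:
    """The count shown for a filter: matching signatures, overrides excluded."""
    return sum(1 for s in catalog if filter_includes(f, s))

def evaluate(filters, overrides, s: Signature) -> Optional[dict]:
    """Effective enabled/logging/action for one signature in a sensor, or None.

    Assumptions: an override for the signature wins over any filter, and the
    first filter in list order that includes the signature applies.
    """
    for o in overrides:
        if o.signature == s.name:
            return {"enabled": o.enabled, "logging": o.logging,
                    "action": o.action, "source": "override"}
    for f in filters:
        if filter_includes(f, s):
            return {
                "enabled": s.enabled if f.enable == "default" else f.enable == "enable",
                "logging": s.logging if f.logging == "default" else f.logging == "enable",
                "action": s.action if f.action == "default" else f.action,
                "source": f.name,
            }
    return None

# Constructed sample catalog; these are not real FortiGuard signatures.
CATALOG = [
    Signature(1, "HTTP.Server.Sample.Overflow", "high", "server", "HTTP", "Linux", "Apache", True, True, "drop"),
    Signature(2, "HTTP.Client.Sample.Script", "medium", "client", "HTTP", "Windows", "Browser", True, False, "drop"),
    Signature(3, "DNS.Server.Sample.Query", "high", "server", "DNS", ALL, ALL, False, True, "pass"),
    Signature(4, "Custom.P2P.Sample", "low", "client", "TCP", ALL, ALL, True, False, "drop", custom=True),
]
WEB_SERVER_FILTER = Filter("web_servers", severity={"high", "critical"}, target={"server"}, protocol={"HTTP"})
LINUX_FILTER = Filter("high_linux", severity={"high"}, os={"Linux"}, action="block")
P2P_OVERRIDE = Override("Custom.P2P.Sample", enabled=True, logging=True, action="block")
```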
To edit a pre-defined or custom override, go to UTM > Intrusion Protection > IPS Sensor and select the Edit icon of the IPS sensor containing the override you want to edit. When the sensor window opens, select the Edit icon of the override you want to change.
Figure 310: Configure IPS override
Select the browse icon to view the list of available signatures. From this list, select a signature the override will apply to and then select OK.
Enable: Select to enable the signature override.
Action: Select Pass, Block or Reset. When the override is enabled, the action determines what the FortiGate unit will do with traffic containing the specified signature.
Logging: Select to enable creation of a log entry if the signature is discovered in network traffic.
Packet Log: Select to save packets that trigger the override to the FortiGate hard drive for later examination.
Select to enable NAC quarantine for this override. For more information about NAC quarantine, see NAC quarantine and the Banned User list on page 670. The FortiGate unit deals with the attack according to the IPS sensor or DoS sensor configuration regardless of this setting.
Method: Select Attacker's IP Address to block all traffic sent from the attacker's IP address. The attacker's IP address is also added to the banned user list. The target address is not affected. Select Attacker and Victim IP Addresses to block all traffic sent from the attacker IP address to the target (victim) IP address. Traffic from the attacker IP address to addresses other than the victim IP address is allowed. The attacker and target IP addresses are added to the banned user list as one entry. Select Attack's Incoming Interface to block all traffic from connecting to the FortiGate interface that received the attack. The interface is added to the banned user list.
Expires: You can select whether the attacker is banned indefinitely or for a specified number of days, hours, or minutes.
Exempt IP: Enter IP addresses to exclude from the override. The override will then apply to all IP addresses except those defined as exempt. The exempt IP addresses are defined in pairs, with a source and destination, and traffic moving from the source to the destination is exempt from the override.
Source: The exempt source IP address. Enter 0.0.0.0/0 to include all source IP addresses.
Destination: The exempt destination IP address. Enter 0.0.0.0/0 to include all destination IP addresses.
Packet logging
Packet logging is a way you can debug custom signatures or how any signature is functioning in your network environment. If a signature is selected in a custom override, and packet logging is enabled, the FortiGate unit will save any network packet triggering the signature to memory, the internal hard drive (if so equipped), a FortiAnalyzer, or the FortiGuard Analysis and Management Service. These saved packets can be later viewed and saved in PCAP format for closer examination.
Note: Setting packet-log-history to a value larger than 1 can affect the maximum performance of the FortiGate unit because network traffic must be buffered. The performance penalty depends on the model, the setting, and the traffic load.
To enable packet logging for a signature
1 Create either a pre-defined override or a custom override in an IPS sensor. For more information, see Configuring pre-defined and custom overrides on page 533.
2 Enable Packet Log in the override.
3 Select the IPS sensor in the protection profile applied to the firewall policy that allows the network traffic the FortiGate unit will examine for the signature.
5 Select the packet to view the packet in binary and ASCII. Each table row represents a captured packet.
6 Select Save to save the packet data in a PCAP formatted file. PCAP files can be opened and examined in network analysis software such as Wireshark.
DoS sensors
The FortiGate IPS uses a traffic anomaly detection feature to identify network traffic that does not fit known or common traffic patterns and behavior. For example, one type of flooding is the denial of service (DoS) attack that occurs when an attacking system starts an abnormally large number of sessions with a target system. The large number of sessions slows down or disables the target system so legitimate users can no longer use it. This type of attack gives the DoS sensor its name, although it is capable of detecting and protecting against a number of anomaly attacks. You can enable or disable logging for each traffic anomaly, and configure the detection threshold and action to take when the detection threshold is exceeded. You can create multiple DoS sensors. Each sensor consists of 12 anomaly types that you can configure. When a sensor detects an anomaly, it applies the configured action. One sensor can be selected for use in each DoS policy, allowing you to configure the anomaly thresholds separately for each interface. Multiple sensors allow great granularity in detecting anomalies because each sensor can be configured for the specific needs of the interface it is attached to by the DoS policy. The traffic anomaly detection list can be updated only when the FortiGate firmware image is upgraded.
Note: If virtual domains are enabled on the FortiGate unit, the Intrusion Protection settings must be configured separately in each VDOM. All sensors and custom signatures will appear only in the VDOM in which they were created.
Create New: Add a new DoS sensor to the bottom of the list.
Name: The DoS sensor name.
Comments: An optional description of the DoS sensor.
Delete icon: Delete the DoS sensor.
Edit icon: Edit the following information: Action, Severity, and Threshold.
To configure DoS sensors, go to UTM > Intrusion Protection > DoS Sensor. Select the Edit icon of an existing DoS sensor, or select Create New to create a new DoS sensor.
Note: You can configure NAC quarantine for DoS sensors from the FortiGate CLI. For more information, see Configuring NAC quarantine on page 671.
Table 54: The twelve individually configurable anomalies (Continued)
Anomaly | Description
tcp_src_session | If the number of concurrent TCP connections from one source IP address exceeds the configured threshold value, the action is executed.
tcp_dst_session | If the number of concurrent TCP connections to one destination IP address exceeds the configured threshold value, the action is executed.
udp_flood | If the UDP traffic to one destination IP address exceeds the configured threshold value, the action is executed. The threshold is expressed in packets per second.
udp_scan | If the number of UDP sessions originating from one source IP address exceeds the configured threshold value, the action is executed. The threshold is expressed in packets per second.
udp_src_session | If the number of concurrent UDP connections from one source IP address exceeds the configured threshold value, the action is executed.
udp_dst_session | If the number of concurrent UDP connections to one destination IP address exceeds the configured threshold value, the action is executed.
icmp_flood | If the number of ICMP packets sent to one destination IP address exceeds the configured threshold value, the action is executed. The threshold is expressed in packets per second.
icmp_sweep | If the number of ICMP packets originating from one source IP address exceeds the configured threshold value, the action is executed. The threshold is expressed in packets per second.
icmp_src_session | If the number of concurrent ICMP connections from one source IP address exceeds the configured threshold value, the action is executed.
icmp_dst_session | If the number of concurrent ICMP connections to one destination IP address exceeds the configured threshold value, the action is executed.
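Table 54 uses two kinds of threshold: a rate in packets per second, and a count of concurrent sessions keyed by source or destination address. The following is an added example, not code from the guide or from FortiOS, that evaluates four of the anomalies over constructed packet records with constructed thresholds; how the FortiGate unit itself counts sessions is not described here and the model is a simplification.

```python
from collections import defaultdict

# Constructed packet records (not captured traffic): (second, protocol, src, dst, session_id)
PACKETS = [
    (0, "udp", "198.51.100.7", "192.0.2.10", 101),
    (0, "udp", "198.51.100.7", "192.0.2.10", 102),
    (0, "udp", "198.51.100.8", "192.0.2.10", 103),
    (0, "udp", "198.51.100.8", "192.0.2.10", 104),
    (0, "udp", "198.51.100.9", "192.0.2.10", 105),
    (0, "udp", "198.51.100.9", "192.0.2.10", 106),
    (0, "tcp", "203.0.113.4", "192.0.2.20", 201),
    (0, "tcp", "203.0.113.4", "192.0.2.21", 202),
    (1, "tcp", "203.0.113.4", "192.0.2.22", 203),
    (1, "tcp", "203.0.113.4", "192.0.2.23", 204),
    (1, "icmp", "203.0.113.9", "192.0.2.30", 301),
    (1, "udp", "203.0.113.9", "192.0.2.31", 302),
]

# Constructed thresholds for this example; on a real sensor each anomaly has its own setting.
THRESHOLDS = {
    "udp_flood": 5,           # packets per second to one destination
    "icmp_flood": 5,          # packets per second to one destination
    "tcp_src_session": 3,     # concurrent TCP sessions from one source
    "udp_dst_session": 3,     # concurrent UDP sessions to one destination
}

SRC, DST = 2, 3   # record columns holding the source and destination address

def peak_rate(packets, protocol, column):
    """Highest packets-per-second count seen for each address in the given column."""
    per_second = defaultdict(int)
    for record in packets:
        if record[1] == protocol:
            per_second[(record[column], record[0])] += 1
    peak = defaultdict(int)
    for (address, _second), count in per_second.items():
        peak[address] = max(peak[address], count)
    return dict(peak)

def concurrent_sessions(packets, protocol, column):
    """Distinct sessions per address; the sample assumes every session is still open."""
    sessions = defaultdict(set)
    for record in packets:
        if record[1] == protocol:
            sessions[record[column]].add(record[4])
    return {address: len(ids) for address, ids in sessions.items()}

def evaluate(packets, thresholds):
    """Return {anomaly: {address: observed value}} for each address over its threshold."""
    observed = {
        "udp_flood": peak_rate(packets, "udp", DST),
        "icmp_flood": peak_rate(packets, "icmp", DST),
        "tcp_src_session": concurrent_sessions(packets, "tcp", SRC),
        "udp_dst_session": concurrent_sessions(packets, "udp", DST),
    }
    hits = {}
    for anomaly, per_address in observed.items():
        # "exceeds" in Table 54: strictly greater than the threshold
        over = {a: n for a, n in per_address.items() if n > thresholds[anomaly]}
        if over:
            hits[anomaly] = over
    return hits

if __name__ == "__main__":
    for anomaly, over in evaluate(PACKETS, THRESHOLDS).items():
        print(anomaly, over)
```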
Web Filter
This chapter describes how to configure FortiGate web filtering for HTTP traffic. If your FortiGate unit supports SSL content scanning and inspection, you can also configure web filtering for HTTPS traffic. For information about SSL content scanning and inspection, see SSL content scanning and inspection on page 469. If your FortiGate unit does not support HTTPS content scanning and inspection, you can configure URL filtering for HTTPS traffic.

The three main sections of the web filtering function, the Web Content Filter, the URL Filter, and the FortiGuard Web Filter, interact with each other to provide maximum control and protection for Internet users. This section provides an introduction to configuring web filtering. For more information, see the FortiGate UTM User Guide.

If you enable virtual domains (VDOMs) on the FortiGate unit, web filtering is configured separately for each virtual domain. For details, see Using virtual domains on page 125.

This section describes:
Order of web filtering
How web filtering works
Web filter controls
Web content filter
URL filter
FortiGuard Web Filtering
FortiGuard Web filtering overrides
Category block CLI configuration
FortiGuard Web Filtering reports
FortiGuard Web Filter is described in detail in FortiGuard Web Filtering options on page 483. Rating corrections, as well as suggested ratings for new pages, can be submitted on the FortiGuard Center web page. Visit the Fortinet Knowledge Center for details and a link to the FortiGuard Center. The following tables compare web filtering options in protection profiles and the web filter menu.
Table 55: Web filter and Protection Profile protocol recognition configuration
Protection Profile web filtering option | Description | Web Filter setting
HTTPS Content Filtering Mode | On FortiGate units that support SSL content scanning and inspection, you can select URL filtering to apply only URL filtering and FortiGuard URL filtering to encrypted HTTPS traffic, or you can select Deep Scan to decrypt HTTPS traffic and apply all web filtering and FortiGuard web filtering options to HTTPS traffic. | n/a

Table 56: Web filter and Protection Profile web content filter configuration
Protection Profile web filtering option | Description | Web Filter setting
Web Content Filter | Enable or disable web page filtering based on the web content filter list for HTTP or HTTPS traffic. | UTM > Web Filter > Web Content Filter: add words and patterns to block or exempt web pages containing those words or patterns.

Table 57: Web filter and Protection Profile web URL filtering configuration
Protection Profile web filtering option | Description | Web Filter setting
Web URL Filter | Enable or disable web page filtering for HTTP traffic based on the URL filter list. | UTM > Web Filter > URL Filter: add URLs and URL patterns to exempt or block web pages from specific sources.

Table 58: Web filter and Protection Profile web script filtering and download configuration
Protection Profile web filtering option | Description | Web Filter setting
Web script filtering | Enable or disable blocking scripts from web pages for HTTP traffic. | n/a
Web resume Download Block | Enable to block downloading the remainder of a file that has already been partially downloaded. Enabling this option prevents the unintentional download of virus files, but can cause download interruptions. | n/a
Table 59: Web filter and Protection Profile FortiGuard web filtering configuration
Protection Profile web filtering options:
Enable FortiGuard Web Filtering (HTTP only).
Enable FortiGuard Web Filtering Overrides (HTTP only).
Provide details for blocked HTTP 4xx and 5xx errors (HTTP only).
Rate images by URL (Blocked images will be replaced with blanks) (HTTP only).
Allow web sites when a rating error occurs (HTTP only).
Strict Blocking (HTTP only).
Category / Action: The FortiGuard Web Filtering service provides many categories by which to filter web traffic. Set the action to take on web pages for each category. Choose from allow, block, log, or allow override. Local Categories can be configured to best suit local requirements.
Classification / Action: When selected, users can access web sites that provide content cache, and provide searches for image, audio, and video files. Choose from allow, block, log, or allow override.
Web Filter settings:
UTM > Web Filter > Local Categories and UTM > Web Filter > Local Ratings
UTM > Web Filter > Overrides
To access protection profile web filter options
1 Go to Firewall > Protection Profile.
2 Select Edit or Create New.
3 Select Web Filtering or Web Category Filtering.
Note: If virtual domains are enabled on the FortiGate unit, web filtering features are configured globally. To access these features, select Global Configuration on the main menu.
For each pattern you can select Block or Exempt. Block blocks access to a web page that matches the pattern. Exempt allows access to the web page even if other entries in the list would block access to the page.
Create New | Select to add a new web content filter list to the catalog.
Name | The available web content filter lists.
# Entries | The number of content patterns in each web content filter list.
Profiles | The protection profiles each web content filter list has been applied to.
Comment | Optional description of each web content filter list. The comment text must be less than 63 characters long. Otherwise, it will be truncated.
Delete icon | Select to remove the web content filter list from the catalog. The delete icon is only available if the web content filter list is not selected in any protection profiles.
Edit icon | Select to edit the web content filter list, list name, or list comment.
Select web content filter lists in protection profiles. For more information, see Web Filtering options on page 480.
Name | Enter the name of the new list.
Comment | Enter a comment to describe the list, if required.
Note: Enable UTM > Web Filtering > Web Content Filter in a firewall Protection Profile to activate the content filter settings.
The web content filter list has the following icons and features:
Name | Web content filter list name. To change the name, edit text in the name field and select OK.
Comment | Optional comment. To add or edit a comment, enter text in the comment field and select OK.
Create New | Select to add a pattern to the web content filter list.
Previous Page icon | Select to view the previous page.
Next Page icon | Select to view the next page.
Remove All Entries icon | Select to clear the table.
Check Box | Select the check box to enable all the patterns in the list. Clear the check box to disable all of the patterns in the list. Use the check box for individual patterns to enable or disable them.
Pattern | The current list of patterns.
Pattern Type | The pattern type used in the pattern list entry. Pattern type can be wildcard or regular expression. See Using wildcards and Perl regular expressions on page 571.
Language | The character set to which the pattern belongs: Simplified Chinese, Traditional Chinese, Cyrillic, French, Japanese, Korean, Spanish, Thai, or Western.
Action | Action can be block or exempt.
Score | A numerical weighting applied to the pattern. The score values of all the matching patterns appearing on a page are added, and if the total is greater than the threshold value set in the protection profile, the page is blocked.
Delete icon | Select to delete an entry from the list.
Edit icon | Select to edit the following information: Banned Word, Pattern Type, Language, and Enable.
Action | Select one of: Block: If the pattern matches, the Score is added to the total for the web page. The page is blocked if the total score of the web page exceeds the web content block threshold defined in the protection profile. Exempt: If the pattern matches, the web page will not be blocked even if there are matching Block entries.
Pattern | Enter the content pattern. Web content patterns can be one word or a text string up to 80 characters long. For a single word, the FortiGate unit checks all web pages for that word. For a phrase, the FortiGate unit checks all web pages for any word in the phrase. For a phrase in quotation marks, the FortiGate unit checks all web pages for the entire phrase.
Pattern Type | Select a pattern type from the dropdown list: Wildcard or Regular Expression.
Language | The character set to which the pattern belongs: Simplified Chinese, Traditional Chinese, Cyrillic, French, Japanese, Korean, Spanish, Thai, or Western.
Score | Enter a score for the pattern. When you add a web content list to a protection profile you configure a web content filter threshold for the protection profile. When a web page is matched with an entry in the content block list, the score is recorded. If a web page matches more than one entry the score for the web page increases. When the total score for a web page equals or exceeds the threshold, the page is blocked. The default score for a content list entry is 10 and the default threshold is 10. This means that by default a web page is blocked by a single match. You can change the scores and threshold so that web pages are blocked only if there are multiple matches. For more information, see Web Filtering options on page 480.
Enable | Select to enable the entry.
URL filter
Allow or block access to specific URLs by adding them to the URL filter list. Add patterns using text and regular expressions (or wildcard characters) to allow or block URLs. The FortiGate unit allows or blocks web pages matching any specified URLs or patterns and displays a replacement message instead.
Note: Enable Web filtering > Web URL Filter in a firewall Protection Profile to activate the URL filter settings.
Note: URL blocking does not block access to other services that users can access with a web browser. For example, URL blocking does not block access to ftp://ftp.example.com. Instead, use firewall policies to deny FTP connections.
The URL filter list catalogue has the following icons and features:
Create New | Select to add a new URL filter list to the catalog.
Name | The available URL filter lists.
# Entries | The number of URL patterns in each URL filter list.
Profiles | The protection profiles each URL filter list has been applied to.
Comment | Optional description of each URL filter list.
Delete icon | Select to remove the URL filter list from the catalog. The delete icon is only available if the URL filter list is not selected in any protection profiles.
Edit icon | Select to edit the URL filter list, list name, or list comment.
Select URL filter lists in protection profiles. For more information, see Web Filtering options on page 480.
Name | Enter the name of the new list.
Comment | Enter a comment to describe the list, if required.
To view the URL filter list go to UTM > Web Filter > URL Filter. Select the Edit icon of the URL filter list you want to view.
Figure 321: URL filter list
The URL filter list has the following icons and features:
Name | URL filter list name. To change the name, edit text in the name field and select OK.
Comment | Optional comment. To add or edit a comment, enter text in the comment field and select OK.
Create New | Select to add a URL to the URL block list.
Previous Page icon | Select to view the previous page.
Next Page icon | Select to view the next page.
Clear All URL Filters icon | Select to clear the table.
URL | The current list of blocked/exempt URLs. Select the check box to enable all the URLs in the list.
Type | The type of URL: Simple or Regex (regular expression).
Action | The action taken when the URL matches: Allow, Block, or Exempt. An allow match exits the URL filter list and checks the other web filters. An exempt match stops all further checking including AV scanning. A block match blocks the URL and no further checking will be done.
Delete icon | Select to remove an entry from the list.
Edit icon | Select to edit the following information: URL, Type, Action, and Enable.
Move To icon | Select to open the Move URL Filter dialog box.
To add a URL to the URL filter list go to UTM > Web Filter > URL Filter. Select Create New or edit an existing list.
Figure 322: New URL Filter
URL | Enter the URL. Do not include http://. For details about URL formats, see URL formats on page 550.
Type | Select a type from the dropdown list: Simple or Regex (regular expression).
Action | Select an action from the dropdown list: Allow, Block, or Exempt. An allow match exits the URL filter list and checks the other web filters. An exempt match stops all further checking including AV scanning. A block match blocks the URL and no further checking will be done.
Enable | Select to enable the URL.
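The list is walked top to bottom and the first enabled match decides, which is why the position of an entry (and the Move To dialog) matters. The following is an added example, not code from the guide or from FortiOS, that models the Simple and Regex types and the three actions with their effect on further checking; treating a Simple entry as a case-insensitive prefix of host and path is this example's own simplification.

```python
import re
from dataclasses import dataclass

@dataclass
class UrlEntry:
    url: str               # stored without http://, as the New URL Filter dialog requires
    type: str              # "Simple" or "Regex"
    action: str            # "Allow", "Block" or "Exempt"
    enabled: bool = True

def normalize(request_url):
    """Drop the scheme so a requested URL can be compared with list entries."""
    return re.sub(r"^https?://", "", request_url, flags=re.IGNORECASE)

def matches(entry, url):
    """Regex entries use regular-expression search; Simple entries match the stored
    text as a case-insensitive prefix of host and path (this example's simplification)."""
    if entry.type == "Regex":
        return re.search(entry.url, url) is not None
    return url.lower().startswith(entry.url.lower())

# What happens after a match: (verdict, run the other web filters, run AV scanning)
OUTCOME = {
    "Allow": ("allow", True, True),      # exits the URL filter list; other web filters still apply
    "Exempt": ("allow", False, False),   # stops all further checking, including AV scanning
    "Block": ("block", False, False),    # blocked; no further checking
}

def evaluate(url_filter_list, request_url):
    """Walk the list top to bottom and return the outcome of the first enabled match."""
    url = normalize(request_url)
    for entry in url_filter_list:
        if entry.enabled and matches(entry, url):
            return OUTCOME[entry.action]
    return ("allow", True, True)         # no match: the remaining web filters decide

def move_before(url_filter_list, url, reference_url):
    """Model the Move URL Filter dialog: place the entry for url just before reference_url."""
    moving = [e for e in url_filter_list if e.url == url]
    rest = [e for e in url_filter_list if e.url != url]
    index = next(i for i, e in enumerate(rest) if e.url == reference_url)
    return rest[:index] + moving + rest[index:]

# Constructed list. The broad Block regex comes first, so the Exempt entry below it never fires.
URL_FILTER_LIST = [
    UrlEntry(r"(^|\.)example\.net(/|$)", "Regex", "Block"),     # any host under example.net
    UrlEntry("updates.example.net", "Simple", "Exempt"),        # meant to skip AV scanning
    UrlEntry(r"\.example\.com/downloads/", "Regex", "Allow"),   # allowed but still AV scanned
    UrlEntry("old.example.com", "Simple", "Block", enabled=False),
]

if __name__ == "__main__":
    print(evaluate(URL_FILTER_LIST, "http://updates.example.net/patch.exe"))
    fixed = move_before(URL_FILTER_LIST, "updates.example.net", r"(^|\.)example\.net(/|$)")
    print(evaluate(fixed, "http://updates.example.net/patch.exe"))
```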
URL formats
When adding a URL to the URL filter list (see Configuring the URL filter list on page 550), follow these rules:
URL of this website to the URL filter list with an action set to exempt so the FortiGate unit does not virus scan files downloaded from this URL.
Note: Enable Web Filtering > Web URL Filter > HTTP or HTTPS in a firewall Protection Profile to activate the web URL filter settings for HTTP and/or HTTPS traffic.
Move to (URL) | Select the location in the list to place the URL. Enter the URL before or after which the new URL is to be located in the list.
Type | Select Directory or Domain.
URL | Enter the URL or the domain name of the website.
Scope | Select one of the following: User, User Group, IP, or Profile. Depending on the option selected, a different option appears below Scope.
User | Enter the name of the user selected in Scope.
User Group | Select a user group from the dropdown list. User groups must be configured before FortiGuard Web Filtering configuration. For more information, see User Group on page 658.
Off-site URLs | This option defines whether the override web page will display the images and other contents from the blocked offsite URLs. For example, all FortiGuard categories are blocked, and you want to visit a site whose images are served from a different domain. You can create a directory override for the site and view the page. If the offsite feature was set to deny, all the images on the page will appear broken because they come from a different domain for which the existing override rule does not apply. If you set the offsite feature to allow, the images on the page will then show up. Only users that apply under the scope for the page override can see the images from the temporary overrides. The users will not be able to view any pages on the sites where the images come from (unless the pages are served from the same directory as the images themselves) without creating a new override rule.
Override End Time | Specify when the override rule will end.
To create an override for categories, go to UTM > Web Filter > Override.
Figure 326: New Override Rule - Categories
Type | Select Categories.
Categories | Select the categories to which the override applies. A category group or a subcategory can be selected. Local categories are also displayed.
Classifications | Select the classifications to which the override applies. When selected, users can access web sites that provide content cache, and provide searches for image, audio, and video files.
Scope | Select one of the following: User, User Group, IP, or Profile. Depending on the option selected, a different option appears below Scope.
User | Enter the name of the user selected in Scope.
User Group | Select a user group from the dropdown list.
IP | Enter the IP address of the computer initiating the override.
Profile | Select a protection profile from the dropdown list.
Off-site URLs | Select Allow or Block. See the previous table for details about off-site URLs.
Override End Time | Specify when the override rule will end.
Name | Enter the name of the category, then select Add.
Delete icon | Select to remove the entry from the list.
The local ratings list has the following icons and features:
Create New | Select to add a rating to the list.
Search | Enter search criteria to filter the list.
1 - 3 of 3 | The total number of local ratings in the list.
Next Page icon | Select to view the next page.
Remove All Entries icon | Select to clear the table.
URL | The rated URL. Select the green arrow to sort the list by URL.
Category Rating / Classification Rating | The category or classification in which the URL has been placed. If the URL is rated in more than one category or classification, trailing dots appear. Select the gray funnel to open the Category Filter dialog box. When the list has been filtered, the funnel changes to green.
Delete icon | Select to remove the entry from the list.
Edit icon | Select to edit the following information: URL, Category Rating, and Classification Rating.
Clear Filter | Select to remove all filters.
Category Name | Select the blue arrow to expand the category.
Enable Filter | Select to enable the filter for the category or the individual sub-category.
Classification Name | The classifications that can be filtered.
Enable Filter | Select to enable the classification filter.
URL | Enter the URL to be rated.
Category Name | Select the blue arrow to expand the category.
Enable Filter | Select to enable the filter for the category or the individual sub-category.
Classification Name | The classifications that can be filtered.
Enable Filter | Select to enable the classification filter.
Generate a text and pie chart format report on FortiGuard Web Filtering for any protection profile. The FortiGate unit maintains statistics for allowed, blocked, and monitored web pages for each category. View reports for a range of hours or days, or view a complete report of all activity. To create a web filter report go to UTM > Web Filter > Reports.
Get Report
See also
Creating local categories
Viewing the local ratings list
Configuring local ratings
FortiGuard Web filtering overrides
Configuring administrative override rules
Configuring FortiGuard Web Filtering
FortiGuard Web Filtering
Email filtering
This chapter describes how to configure FortiGate email filtering for IMAP, POP3, and SMTP email. If your FortiGate unit supports SSL content scanning and inspection, you can also configure email filtering for IMAPS, POP3S, and SMTPS email traffic. For information about SSL content scanning and inspection, see SSL content scanning and inspection on page 469.

If you enable virtual domains (VDOMs) on the FortiGate unit, email filtering is configured separately for each virtual domain. For details, see Using virtual domains on page 125.

This section provides an introduction to configuring email filtering. For more information, see the FortiGate UTM User Guide.

This section describes:
FortiGuard Email Filtering (also called the FortiGuard Antispam Service)
Banned word
IP address and email address black/white lists
Advanced Email Filter configuration
Using wildcards and Perl regular expressions
If the action in the filter is Mark as Clear, the email is exempt from any remaining filters. If the action in the filter is Mark as Reject, the email session is dropped. Rejected SMTP or SMTPS email messages are substituted with a configurable replacement message.
Table 60: Email filtering and Protection Profile email filtering configuration (Continued)
Protection Profile Email filtering option | Description | Email Filter setting
DNSBL & ORDBL check | Enable or disable checking email traffic against configured DNS Blackhole List (DNSBL) and Open Relay Database List (ORDBL) servers (SMTP and SMTPS). | Command line only. Add or remove DNSBL and ORDBL servers to and from the list. You can configure the action to take as spam or reject for email identified as spam from each server (SMTP and SMTPS). DNSBL and ORDBL configuration can only be changed using the command line interface. For more information, see the FortiGate CLI Reference.
HELO DNS lookup | Enable or disable checking the source domain name against the registered IP address in the Domain Name Server. If the source domain name does not match the IP address, the email is marked as spam and the action selected in the protection profile is taken. | n/a
E-mail address BWL check | Enable or disable checking incoming email addresses against the configured email filter email address list. | Add to and edit email addresses in the list, with the option of using wildcards and regular expressions. You can configure the action as spam or clear for each email address. You can place an email address anywhere in the list. The filter checks each email address in sequence.
Return e-mail DNS check | Enable or disable checking the incoming email return address domain against the registered IP address in the Domain Name Server. If the return address domain name does not match the IP address, the email is marked as spam and the action selected in the protection profile is taken. | n/a
MIME headers check | Enable or disable checking source MIME headers against the configured email filter MIME header list. | Command line only. Add to and edit MIME headers, with the option of using wildcards and regular expressions. You can configure the action for each MIME header as spam or clear.
Banned word check | Enable or disable checking source email against the configured email filter banned word list. | UTM > Email Filter > Banned Word: add to and edit banned words in the list, with the option of using wildcards and regular expressions. You can configure the language and whether to search the email body, subject, or both. You can configure the action to take as spam or clear for each word.
Spam Action | The action to take on email identified as spam. POP3 and IMAP messages are tagged. Choose Tagged or Discard for SMTP or SMTPS messages. You can append a custom word or phrase to the subject or MIME header of tagged email. You can choose to log any spam action in the event log. For IMAP, spam email may be tagged only after the user downloads the entire message by opening the email, since some IMAP email clients initially download only the envelope portion of the email message. For details, see Email Filtering options on page 485. | n/a
Tag location | Affix the tag to the subject or MIME header of the email identified as spam. | n/a
Tag format | Enter a word or phrase (tag) to affix to email identified as spam. | n/a
Add event into the system log | Enable or disable logging of spam actions to the event log. | n/a
Banned word
Control spam by blocking email messages containing specific words or patterns. You can add words, phrases, wildcards and Perl regular expressions to match content in email messages. For information about wildcards and Perl regular expressions, see Using wildcards and Perl regular expressions on page 571.
Note: Perl regular expression patterns are case sensitive for banned words. To make a word or phrase case insensitive, use the regular expression /i. For example, /bad language/i will block all instances of bad language regardless of case. Wildcard patterns are not case sensitive.
Create New | Add a new list to the catalog. For more information, see Creating a new banned word list on page 563.
Name | The available Email Filter banned word lists.
# Entries | The number of entries in each banned word list.
Profiles | The protection profiles each banned word list has been applied to.
Comments | Optional description of each banned word list.
Delete icon | Remove the banned word list from the catalog. The delete icon is available only if the banned word list is not selected in any protection profiles.
Edit icon | Modify the banned word list, list name, or list comment.
To use the banned word list, select banned word lists in protection profiles. For more information, see Email Filtering options on page 485.
Name | Enter the name of the new list.
Comments | Enter a comment to describe the list, if required.
Name | Banned word list name. To change the name, edit text in the name field and select OK.
Comments | Optional comment. To add or edit a comment, enter text in the comment field and select OK.
Create New | Select to add a word or phrase to the banned word list.
Current Page | The current page number of list items that are displayed. Select the left and right arrows to display the first, previous, next or last page of the banned word list.
Remove All Entries icon | Delete all table entries.
Pattern | The list of banned words. Select the check box to enable all the banned words in the list.
Pattern Type | The pattern type used in the banned word list entry. Choose from wildcard or regular expression. For more information, see Using wildcards and Perl regular expressions on page 571.
Language | The character set to which the banned word belongs.
Where | The location where the FortiGate unit searches for the banned word: Subject, Body, or All.
Score | A numerical weighting applied to the banned word. The score values of all the matching words appearing in an email message are added, and if the total is greater than the Banned word check value set in the protection profile, the email is processed according to whether the spam action is set to Discard or Tagged in the protection profile. The score for a banned word is counted once even if the word appears multiple times in the email. For more information, see Configuring a protection profile on page 474.
Where | Select where the FortiGate unit should search for the banned word: Subject, Body, or All.
Score | Enter a score for the pattern. Each entry in the banned word list added to the protection profile includes a score. When an email message is matched with an entry in the banned word list, the score is recorded. If an email message matches more than one entry, the score for the email message increases. When the total score for an email message equals or exceeds the threshold, the message is considered spam and handled according to the spam action configured in the protection profile. The default score for a banned word list entry is 10 and the default threshold is 10. This means that by default an email message is considered spam by a single match. You can change the scores and threshold so email messages are only tagged as spam if there are multiple matches. For more information, see Email Filtering options on page 485.
Enable | Select to enable scanning for the banned word.
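The scoring described here for the banned word list and, in the Web Filter chapter, for the web content filter list follows the same rule: matching entries' scores are added, each counted once, and the threshold decides. The following is an added example, not code from the guide or from FortiOS, that models both lists with constructed entries and messages: the single-word, unquoted-phrase and quoted-phrase matching rules of the Pattern field, the Where field, the Exempt action (web content filter list only) and the default score and threshold of 10.

```python
import re
from dataclasses import dataclass

@dataclass
class Entry:
    pattern: str
    score: int = 10                  # the default score stated above
    action: str = "Block"            # web content filter list only: "Block" or "Exempt"
    where: str = "All"               # banned word list only: "Subject", "Body" or "All"
    pattern_type: str = "Wildcard"   # "Wildcard" or "Regular Expression"

def compile_entry(entry):
    """Turn one list entry into a compiled regex that implements the matching rules."""
    p = entry.pattern
    if entry.pattern_type == "Regular Expression":
        return re.compile(p)        # regex entries are case sensitive (see the Note above)
    if len(p) > 1 and p[0] == p[-1] == '"':
        words = [p[1:-1]]           # quoted phrase: the whole phrase must appear
    else:
        words = p.split()           # one word, or any word of an unquoted phrase
    # Wildcard entries are not case sensitive; * stands for any run of characters.
    alternatives = "|".join(re.escape(w).replace(r"\*", r"\S*") for w in words)
    return re.compile(r"(?<!\w)(?:%s)(?!\w)" % alternatives, re.IGNORECASE)

def score_text(entries, subject, body, threshold=10):
    """Add up the scores of matching entries (each counted once) and decide.

    Returns (total, verdict); verdict is "exempt", "block" or "pass". For email,
    "block" means the spam action (Tagged or Discard) applies and "pass" means the
    message is delivered unchanged.
    """
    fields = {"Subject": subject, "Body": body, "All": subject + "\n" + body}
    total, exempt = 0, False
    for entry in entries:
        if compile_entry(entry).search(fields[entry.where]):
            if entry.action == "Exempt":
                exempt = True          # one Exempt match overrides every Block match
            else:
                total += entry.score   # counted once however often the word occurs
    if exempt:
        return total, "exempt"
    # Per the Score descriptions: blocked (or spam) when the total equals or exceeds the threshold
    return total, ("block" if total >= threshold else "pass")

# Constructed banned word list; two entries score below the default threshold of 10
BANNED_WORDS = [
    Entry('"free money"', score=5),                       # whole phrase only
    Entry("lottery winner", score=5),                     # "lottery" or "winner" anywhere
    Entry("casin*", score=10, where="Subject"),           # wildcard, subject line only
    Entry("VIAGRA", pattern_type="Regular Expression"),   # case sensitive regex entry
]

# Constructed web content filter list: the same scoring plus an Exempt entry
WEB_CONTENT = BANNED_WORDS[:2] + [
    Entry("Corporate Newsletter", action="Exempt", pattern_type="Regular Expression"),
]

if __name__ == "__main__":
    print(score_text(BANNED_WORDS, "You are our lottery winner", "Claim your free money today"))
    print(score_text(WEB_CONTENT, "", "Corporate Newsletter: lottery results and free money tips"))
```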
4 Select OK.
Create New | Add a new IP address list to the catalog.
Name | The names of the available IP address lists.
# Entries | The number of entries in each IP address list.
Profiles | The protection profiles each IP address list has been applied to.
Comments | Optional description of each IP address list.
Delete icon | Remove the IP address list from the catalog. The delete icon is available only if the IP address list is not selected in any protection profiles.
Edit icon | Edit the IP address list, list name, or list comment.
Name | Enter the name of the new list.
Comments | Enter a comment to describe the list, if required.
Name | IP address list name. To change the name, edit text in the name field and select OK.
Comments | Optional comment. To add or edit a comment, enter text in the comments field and select OK.
Create New | Add an IP address to the IP address list.
Current Page | The current page number of list items that are displayed. Select the left and right arrows to display the first, previous, next or last page of the IP address list.
Remove All Entries icon | Delete all table entries.
IP address/Mask | The list of IP addresses.
Action | The action to take on email from the configured IP address. Actions are: Spam to apply the configured spam action, Clear to bypass this and remaining email filters, or Reject (SMTP or SMTPS) to drop the session. If an IP address is set to Reject but mail is delivered from that IP address using POP3 or IMAP, the email messages are marked as spam.
Delete | Remove the address from the list.
Edit | Edit address information.
Move To | Select to move the entry to a different position in the list. The firewall policy executes the list from top to bottom. For example, if you have IP address 192.168.100.1 listed as spam and 192.168.100.2 listed as clear, you must put 192.168.100.1 above 192.168.100.2 for 192.168.100.1 to take effect.
Adding an IP address
After creating an IP address list, you can add IP addresses to the list. Enter an IP address or an IP address and mask pair in one of the following formats:
x.x.x.x, for example, 192.168.69.100
x.x.x.x/x.x.x.x, for example, 192.168.69.100/255.255.255.0
x.x.x.x/x, for example, 192.168.69.100/24
To add an IP address go to UTM > Email Filter > IP Address. Select Edit for the IP address list name to which you want to add an IP address. Then select Create New.
Figure 338: Adding an IP address
IP Address/Mask | Enter the IP address or the IP address/mask pair.
Action | Select: Mark as Spam to apply the spam action configured in the protection profile, Mark as Clear to bypass this and remaining email filters, or Mark as Reject (SMTP or SMTPS) to drop the session.
Enable | Select to enable the address.
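The IP address list is checked top to bottom, so a single-host entry placed below a range that contains it never takes effect until it is moved above the range. The following is an added example, not code from the guide or from FortiOS, that parses the three address formats listed above with Python's ipaddress module, applies the Spam, Clear and Reject actions including the POP3/IMAP case described for Reject, and models the Move To control; the list contents are constructed.

```python
import ipaddress

def parse_entry(text):
    """Accept the three formats listed above: x.x.x.x, x.x.x.x/x.x.x.x or x.x.x.x/x."""
    # strict=False accepts host bits in the address part, e.g. 192.168.69.100/24
    return ipaddress.ip_network(text, strict=False)

def lookup(ip_list, sender_ip, protocol):
    """Return the effective action of the first enabled entry that contains sender_ip.

    Reject only drops SMTP/SMTPS sessions; mail from a Reject address that arrives
    over POP3 or IMAP is marked as spam instead, as the Action row above states.
    None means no entry matched and the remaining email filters decide.
    """
    address = ipaddress.ip_address(sender_ip)
    for entry_text, action, enabled in ip_list:
        if enabled and address in parse_entry(entry_text):
            if action == "Reject" and protocol not in ("SMTP", "SMTPS"):
                return "Spam"
            return action
    return None

def move_before(ip_list, entry_text, reference_text):
    """Model the Move To control: place entry_text immediately above reference_text."""
    moving = [e for e in ip_list if e[0] == entry_text]
    rest = [e for e in ip_list if e[0] != entry_text]
    index = next(i for i, e in enumerate(rest) if e[0] == reference_text)
    return rest[:index] + moving + rest[index:]

# Constructed list: (IP address/mask, action, enabled). The /24 Clear entry sits above the
# single-host Spam entry it contains, so the Spam entry is shadowed until it is moved up.
IP_LIST = [
    ("192.168.100.0/255.255.255.0", "Clear", True),   # internal relays, netmask form
    ("192.168.100.1", "Spam", True),                  # one misbehaving host in that range
    ("203.0.113.0/24", "Reject", True),               # prefix form
    ("198.51.100.7", "Spam", False),                  # disabled entry, never matches
]

if __name__ == "__main__":
    print(lookup(IP_LIST, "192.168.100.1", "SMTP"))                      # Clear (shadowed)
    fixed = move_before(IP_LIST, "192.168.100.1", "192.168.100.0/255.255.255.0")
    print(lookup(fixed, "192.168.100.1", "SMTP"))                        # Spam
    print(lookup(IP_LIST, "203.0.113.9", "SMTP"), lookup(IP_LIST, "203.0.113.9", "POP3"))
```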
Create New | Create a new address list.
Name | The name of the email address list.
# Entries | The number of entries in each email address list.
Profiles | The protection profiles each email address list has been applied to.
Comments | Optional description of each email address list.
Delete icon | Remove the email address list from the catalog. The delete icon is only available if the email address list is not selected in any protection profiles.
Edit icon | Edit the email address list, list name, or list comment.
You enable email filter addresses in protection profiles. For more information, see Email Filtering options on page 485.
Name | Enter the name of the new list.
Comment | Enter a comment to describe the list, if required.
Name | The email address list name. To change the name, edit text in the name field and select OK.
Comments | Optional comment. To add or edit a comment, enter text in the comment field and select OK.
Create New | Add a new email address to the email address list.
Current Page | The current page number of list items that are displayed. Select the left and right arrows to display the first, previous, next or last page of the email address list.
Remove All Entries icon | Delete all table entries.
Email address | The list of email addresses.
Pattern Type | The pattern type used in the email address entry.
Action | The action to take on email from the configured address. Actions are: Spam to apply the spam action configured in the protection profile, or Clear to let the email message bypass this and remaining email filters.
Delete | Remove the email address from the list.
Edit | Edit the address information.
Move To | Move the entry to a different position in the list. The email address scan executes the list from top to bottom. For example, if you have abc@example.com listed as clear and *@example.com as spam, you must put abc@example.com above *@example.com for abc@example.com to take effect.
Email address | Enter the email address.
Pattern Type | Select a pattern type: Wildcard or Regular Expression. For more information, see Using wildcards and Perl regular expressions on page 571.
Action | Select: Mark as Spam to apply the spam action configured in the protection profile, or Mark as Clear to bypass this and remaining email filters.
Enable | Select to enable the email address for spam checking.
The first part of the MIME header is called the header or header key. The second part is called the value. Spammers often insert comments into header values or leave them blank. These malformed headers can fool some spam and virus filters. Use the MIME headers list to mark email from certain bulk mail programs or with certain types of content that are common in spam messages. Mark the email as spam or clear for each header configured.
To match a special character such as '.' and '*', use the escape character \. For example, to match fortinet.com, the regular expression should be:
fortinet\.com
In Perl regular expressions, * means match the character before it 0 or more times, not any character 0 or more times. For example:
forti*.com matches fortiiii.com but does not match fortinet.com
To match any character 0 or more times, use .* where . means any character and the * means 0 or more times. For example, the wildcard match pattern forti*.com should therefore be:
fort.*\.com
FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20091022 http://docs.fortinet.com/ Feedback
Word boundary
In Perl regular expressions, the pattern does not have an implicit word boundary. For example, the regular expression test not only matches the word test but also any word that contains test such as atest, mytest, testimony, atestb. The notation \b specifies the word boundary. To match exactly the word test, the expression should be \btest\b.
Case sensitivity
Regular expression pattern matching is case sensitive in the web filter and the email filter. To make a word or phrase case insensitive, use the regular expression option /i. For example, /bad language/i will block all instances of bad language, regardless of case.
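The escaping, '*', word-boundary and case-sensitivity behaviours described in this section, exercised as an added example (this is not code from the FortiGate guide). It uses Python's re module, whose syntax matches Perl's for every construct shown; the /i and /x options become re.IGNORECASE and re.VERBOSE, and the sample strings are constructed for the example.

```python
import re

# Added example, not from the FortiGate guide: the Perl regular expression
# behaviours described above (escaping, '*', word boundaries, /i and /x),
# exercised with Python's re module, which uses the same syntax for
# everything shown here.

def matches(pattern, text, flags=0):
    """True if pattern is found anywhere in text (a Perl-style unanchored search)."""
    return re.search(pattern, text, flags) is not None

def escape_demo():
    # An unescaped '.' matches any character; '\.' matches only a literal dot.
    return {
        "escaped_matches_dot": matches(r"fortinet\.com", "fortinet.com"),
        "unescaped_matches_any_char": matches(r"fortinet.com", "fortinetXcom"),
        "escaped_rejects_other_char": matches(r"fortinet\.com", "fortinetXcom"),
    }

def star_demo():
    # '*' repeats only the atom before it: 'forti*' is 'fort' plus zero or more 'i'.
    return {
        "forti_star_matches_fortiiii": matches(r"forti*.com", "fortiiii.com"),
        "forti_star_matches_fortinet": matches(r"forti*.com", "fortinet.com"),
        "dot_star_matches_fortinet": matches(r"fort.*\.com", "fortinet.com"),
    }

def word_boundary_demo():
    # Without \b, 'test' also matches inside longer words.
    words = ["test", "atest", "mytest", "testimony", "atestb"]
    return {
        "plain": [w for w in words if matches(r"test", w)],
        "bounded": [w for w in words if matches(r"\btest\b", w)],
    }

def case_demo():
    # Matching is case sensitive unless the /i option (re.IGNORECASE) is used.
    return {
        "sensitive": matches(r"bad language", "BAD Language"),
        "insensitive": matches(r"bad language", "BAD Language", re.IGNORECASE),
    }

def verbose_demo():
    # /x (re.VERBOSE) ignores unescaped white space, so a pattern can be split up.
    pattern = r"""
        fortinet      # the host name
        \.            # a literal dot
        com           # the top-level domain
    """
    return matches(pattern, "www.fortinet.com", re.VERBOSE)

if __name__ == "__main__":
    for demo in (escape_demo, star_demo, word_boundary_demo, case_demo, verbose_demo):
        print(demo.__name__, demo())
```

Running the block prints each check; the star_demo result is the one that most often surprises people writing FortiGate patterns, because a wildcard-style forti*.com silently fails to match fortinet.com when entered as a regular expression.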
Table 61: Perl regular expression formats (Continued)
\x   Tells the regular expression parser to ignore white space that is neither preceded by a backslash character nor within a character class. Use this to break up a regular expression into (slightly) more readable parts.
/x   Used to add regular expressions within other text. If the first character in a pattern is forward slash '/', the '/' is treated as the delimiter. The pattern must contain a second '/'. The pattern between the slashes is taken as a regular expression, and anything after the second '/' is parsed as a list of regular expression options ('i', 'x', etc.). An error occurs if the second '/' is missing.
In regular expressions, leading and trailing space is treated as part of the regular expression.
Figure 344: MMS Duplicate Message
DLP Sensors
DLP sensors are simply collections of DLP rules and DLP compound rules. The DLP sensor also includes settings such as action, archive, and severity for each rule or compound rule. Once a DLP sensor is configured, it can be specified in a protection profile. Any traffic handled by the policy in which the protection profile is specified will enforce the DLP sensor configuration.
Create New: Select to create a new DLP sensor.
Name: The DLP sensor name.
Comment: The optional description of the DLP sensor.
Protection Profiles: The names of the protection profiles that the DLP sensor has been added to.
Delete and Edit icons: Delete or edit the DLP sensor.
Note: DLP prevents duplicate action. Even if more than one rule in a sensor matches some content, DLP will not create more than one DLP archive entry, quarantine item, or ban entry from the same content.
Content_Archive: DLP archive all email (POP3, IMAP, and SMTP), FTP, HTTP, and IM traffic. For each rule in the sensor, Archive is set to Full. No blocking or quarantine is performed. See DLP archiving on page 580. You can add the All-Session-Control rule to also archive session control content. If you have a FortiGate unit that supports SSL content scanning and inspection, you can edit the All-Email rule to archive POP3S, IMAPS, and SMTPS traffic. You can also edit the All-HTTP rule to archive HTTPS traffic.
Content_Summary: DLP summary archive all email (POP3, IMAP, and SMTP), FTP, HTTP, and IM traffic. For each rule in the sensor, Archive is set to Summary Only. No blocking or quarantine is performed. See DLP archiving on page 580. You can add the All-Session-Control rule to also archive session control content. If you have a FortiGate unit that supports SSL content scanning and inspection, you can edit the All-Email rule to archive POP3S, IMAPS, and SMTPS traffic. You can also edit the All-HTTP rule to archive HTTPS traffic.
Credit-Card: The number formats used by American Express, Visa, and Mastercard credit cards are detected in HTTP and email traffic. As provided, the sensor is configured not to archive matching traffic and an action of None is set. Configure the action and archive options as required.
Large-File: Files larger than 5MB will be detected if attached to email messages or if sent using HTTP or FTP. As provided, the sensor is configured not to archive matching traffic and an action of None is set. Configure the action and archive options as required.
SSN-Sensor: The number formats used by U.S. Social Security and Canadian Social Insurance numbers are detected in email and HTTP traffic. As provided, the sensor is configured not to archive matching traffic and an action of None is set. Configure the action and archive options as required.
Name: The DLP sensor name.
Comment: The optional description of the DLP sensor.
Create New: Select Create New to add a new rule or compound rule to the sensor.
Enable: You can disable a rule or compound rule by clearing this check box. The item will be listed as part of the sensor, but it will not be used.
Rule name: The names of the rules and compound rules included in the sensor.
Action: The action configured for each rule. If the selected action is None, no action will be listed. Although archiving is enabled independent of the action, the Archive designation appears with the selected action. For example, if you select the Block action and set Archive to Full for a rule, the action displayed in the sensor rule list is Block, Archive.
Description: The optional description of the rule or compound rule.
Delete and Edit icons: Delete or edit a rule or compound rule.
To edit a rule or compound rule already included in a sensor, go to UTM > Data Leak Prevention > Sensor and select the Edit icon of the sensor to be configured. Select the edit icon of the rule or compound rule to edit. Change the settings for the rule or compound rule.
Figure 347: Adding a DLP rule to a DLP sensor
Action: Select the action to be taken against traffic matching the configured DLP rule or DLP compound rule. The actions are:
None prevents the DLP rule from taking any action on network traffic. Other matching rules in the same sensor and other sensors may still operate on matching traffic.
Block prevents the traffic matching the rule from being delivered. The matching message or download is replaced with the Data leak prevention replacement message.
Exempt prevents any DLP sensors from taking action on matching traffic. This action overrides any other action from any matching sensors.
Ban: if the user is authenticated, blocks all traffic to or from the user using the protocol that triggered the rule, and the user is added to the Banned User list. If the user is not authenticated, all traffic of the protocol that triggered the rule from the user's IP address will be blocked. If the banned user is using HTTP, FTP, NNTP (or HTTPS if the FortiGate unit supports SSL content scanning and inspection), the FortiGate unit displays the Banned by data leak prevention replacement message for the protocol. If the user is using IM, the IM and P2P Banned by data leak prevention message replaces the banned IM message and this message is forwarded to the recipient. If the user is using IMAP, POP3, SMTP (or IMAPS, POP3S, SMTPS if your FortiGate unit supports SSL content scanning and inspection), the Mail Banned by data leak prevention message replaces the banned email message and this message is forwarded to the recipient. These replacement messages also replace all subsequent communication attempts until the user is removed from the banned user list.
Ban Sender blocks email or IM traffic from the sender of matching email or IM messages and adds the sender to the Banned User list. This action is available only for email and IM protocols. For email, the sender is determined by the From: address in the email header. For IM, all members of an IM session are senders, and the senders are determined by finding the IM user IDs in the session. Similar to Ban, the IM or Mail Banned by data leak prevention message replaces the banned message and this message is forwarded to the recipient. These replacement messages also replace all subsequent communication attempts until the user is removed from the banned user list.
Quarantine IP address blocks access through the FortiGate unit for any IP address that sends traffic matching a sensor with this action. The IP address is added to the Banned User list. The FortiGate unit displays the NAC Quarantine DLP Message replacement message for all connection attempts from this IP address until the IP address is removed from the banned user list.
Quarantine Interface blocks access to the network for all users connecting to the interface that received traffic matching a sensor with this action. The FortiGate unit displays the NAC Quarantine DLP Message replacement message for all connection attempts to the interface until the interface is removed from the banned user list.
Ban, Ban Sender, Quarantine IP, and Quarantine Interface provide functionality similar to NAC quarantine. However, these DLP options cause DLP to block users and IP addresses at the application layer, while NAC quarantine blocks IP addresses and interfaces at the network layer. For more information, see NAC quarantine and the Banned User list on page 670. For more information about configuring DLP replacement messages, see Replacement messages on page 225.
If you have configured DLP to block IP addresses and the FortiGate unit receives sessions that have passed through a NAT device, all traffic from that NAT device could be blocked, not just individual users. You can avoid this problem by implementing authentication or, where possible, by selecting Ban Sender.
Archive: Configure DLP archiving for the rule. Archive is available for Email, FTP, HTTP, IM, and Session Control rules and compound rules. The options are: Disable, do not archive. Full, perform full DLP archiving. Summary Only, perform summary DLP archiving. See DLP archiving on page 580.
Severity: Enter the severity of the content that the rule or compound rule is a match for. Use the severity to indicate the seriousness of the problems that would result from the content passing through the FortiGate unit. For example, if the DLP rule finds high-security content the severity could be 5. On the other hand, if the DLP rule finds any content the severity should be 1. DLP adds the severity to the severity field of the log message generated when the rule or compound rule matches content. The higher the number, the greater the severity.
Expires: When the action is set to Ban, Ban Sender, or Quarantine IP address, you can specify how long the ban will last. Select Indefinite for a ban ending only if the offender is manually removed from the banned user list, or select After and enter the required number of minutes, hours or days the ban will last. When the specified duration expires, the offender is automatically removed from the banned user list.
Member type: Select Rule or Compound Rule. The rules of the selected type will be displayed in the table below, which lists the names of all available rules or compound rules.
Description: The optional description entered for each rule or compound rule.
DLP archiving
You can use DLP archiving to collect and view historical logs that have been archived to a FortiAnalyzer unit or the FortiGuard Analysis and Management service. DLP archiving is available for FortiAnalyzer when you add a FortiAnalyzer unit to the FortiGate configuration (see Remote logging to a FortiAnalyzer unit on page 704). The FortiGuard Analysis and Management server becomes available when you subscribe to the FortiGuard Analysis and Management Service (see the FortiGuard Analysis and Management Service Administration Guide).
You can configure full DLP archiving and summary DLP archiving. Full DLP archiving includes all content; for example, full email DLP archiving includes complete email messages and attachments. Summary DLP archiving includes just the metadata about the content; for example, email message summary records include only the email header.
You can archive Email, FTP, HTTP, IM, MMS, and session control content:
Email content includes IMAP, POP3, and SMTP sessions. Email content can also include email messages tagged as spam by FortiGate Email filtering. If your FortiGate unit supports SSL content scanning and inspection, Email content can also include IMAPS, POP3S, and SMTPS sessions.
HTTP content includes HTTP sessions. If your FortiGate unit supports SSL content scanning and inspection, HTTP content can also include HTTPS sessions. For more information about SSL content scanning and inspection, see SSL content scanning and inspection on page 469.
IM content includes AIM, ICQ, MSN, and Yahoo! sessions.
Session control content includes SIP, SIMPLE and SCCP sessions. Only summary DLP archiving is available for SIP and SCCP. Full and summary DLP archiving is available for SIMPLE.
You add DLP sensors to archive Email, Web, FTP, IM, and session control content. Archiving of spam email messages is configured in protection profiles.
Note: Enabling full DLP archiving reduces the amount of system memory available for virus scanning. Because of these memory constraints, Fortinet recommends against using full DLP archiving if antivirus scanning is also configured, especially on FortiGate units with low system memory.
To DLP archive all email messages
This procedure describes how to add the All-Email DLP rule to a DLP sensor and, in the sensor, to configure the rule for full DLP archiving.
1 Go to UTM > Data Leak Prevention > Sensor and add a sensor.
2 Add rules to the sensor for whatever requirements you may have for the sensor.
3 Add the All-Email DLP rule to the sensor and set Archive to Full.
4 Go to Firewall > Policy > Protection Profile and add a new protection profile or edit an existing one.
5 Select the Data Leak Prevention Sensor expand arrow.
6 Select Data Leak Prevention Sensor and select the sensor from the list.
7 Add the protection profile to a firewall policy that accepts email traffic.
The sensor will now match and archive all email messages processed by the firewall policy.
To DLP archive HTTP and HTTPS (web) sessions
This procedure describes how to configure DLP archiving for HTTP and HTTPS sessions. You can use similar procedures to configure DLP archiving for other protocols. This procedure is valid for FortiGate units that support SSL content scanning and inspection. It describes editing the All-HTTP DLP rule to enable HTTPS POST and HTTPS GET, confirming that the Content_Archive DLP sensor contains the All-HTTP rule, and then adding the Content_Archive DLP sensor to a protection profile.
1 Go to UTM > Data Leak Prevention > Rule and edit the All-HTTP rule.
2 Select HTTPS POST and HTTPS GET.
Figure 349: Selecting HTTPS POST and HTTPS GET in the All-HTTPS DLP rule
3 Verify that Rule is set to Always so that the rule matches all HTTP and HTTPS post and get sessions.
4 Select OK to save the changes to the rule.
5 Go to UTM > Data Leak Prevention > Sensor and edit the Content_Archive sensor.
Figure 350: The Content_Archive DLP sensor
6 Verify that the Content_Archive sensor includes the All-HTTP rule.
7 Edit the All-HTTP rule in the sensor and verify that Archive is set to Full.
8 Go to Firewall > Policy > Protection Profile and add a new protection profile or edit an existing one.
9 Select the Data Leak Prevention Sensor expand arrow.
10 Select Data Leak Prevention Sensor and select the Content_Archive sensor from the list.
Figure 352: Adding the Content_Archive DLP sensor to a protection profile
11 Add the protection profile to a firewall policy that accepts HTTP and HTTPS traffic.
To DLP archive all email messages that contain the string confidential
This procedure describes how to add a DLP rule that finds the string confidential in the body of POP3, IMAP, and SMTP email messages. To archive all email messages that contain this string, you must add the DLP rule to a DLP sensor and configure the sensor for full DLP archiving.
1 Go to UTM > Data Leak Prevention > Rule and add a rule to find the string confidential in POP3, SMTP, and IMAP email messages.
Figure 353: DLP rule to find the string confidential in the body of email messages
2 Go to UTM > Data Leak Prevention > Sensor and add a new sensor.
3 Edit the sensor and select Create New to add a rule to the sensor.
4 Configure the rule as follows:
Action: None
Archive: Full
Severity: 1 (Lowest)
Member type: Rule
Email_confidential: Select
5 Go to Firewall > Policy > Protection Profile and add a new protection profile or edit an existing one.
6 Select the Data Leak Prevention Sensor expand arrow.
7 Select Data Leak Prevention Sensor and select the new sensor from the list.
8 Add the protection profile to a firewall policy that accepts email traffic.
Note: Infected files are clearly indicated in the DLP Archive Email message list.
DLP Rules
DLP rules are the core element of the data leak prevention feature. These rules define the data to be protected so the FortiGate unit can recognize it. For example, an included rule uses a regular expression to describe a Social Security number:
([0-6]\d{2}|7([0-6]\d|7[0-2]))[ \-]?\d{2}[ \-]\d{4}
Rather than having to list every possible Social Security number, this regular expression describes the structure of a Social Security number. The pattern is easily recognizable by the FortiGate unit. For more information about regular expressions, see Using wildcards and Perl regular expressions on page 571.
DLP rules can be combined into compound rules, and they can be included in sensors. If rules are specified directly in a sensor, traffic matching any single rule will trigger the configured action. If the rules are first combined into a compound rule and then specified in a sensor, every rule in the compound rule must match the traffic to trigger the configured action. Individual rules in a sensor are linked with an implicit OR condition, while rules within a compound rule are linked with an implicit AND condition.
Create New: Select Create New to add a new rule.
Name: The rule name.
Comments: The optional description of the rule.
Compound Rules: If the rule is included in any compound rules, the compound rule names are listed here.
DLP Sensors: If the rule is used in any sensors, the sensor names are listed here.
Delete and Edit icons: Delete or edit a rule. If a rule is used in a compound rule or a sensor, the delete icon will not be available. Remove the rule from the compound rule or sensor and then delete it.
Caution: Before use, examine the rules closely to ensure you understand how they will affect the traffic on your network.
All-Email, All-FTP, All-HTTP, All-IM, All-NNTP, All-Session-Control: These rules will detect all traffic of the specified type.
Email-AmEx, Email-Canada-SIN, Email-US-SSN, Email-Visa-Mastercard: These four rules detect American Express numbers, Canadian Social Insurance Numbers, U.S. Social Security Numbers, or Visa and Mastercard numbers within the message bodies of SMTP, POP3, and IMAP email traffic.
HTTP-AmEx, HTTP-Canada-SIN, HTTP-US-SSN, HTTP-Visa-Mastercard: These four rules detect American Express numbers, Canadian Social Insurance Numbers, U.S. Social Security Numbers, or Visa and Mastercard numbers within the POST command in HTTP traffic. The HTTP POST is used to send information to a web server. As written, these rules are designed to detect data the user is sending to web servers. They do not detect data retrieved with the HTTP GET command, which is used to retrieve web pages.
These rules prevent DLP from matching email or HTTP pages that contain the string WebEx.
This rule detects files larger than 5MB attached to SMTP, POP3, and IMAP email messages.
This rule detects files larger than 5MB sent using the FTP PUT protocol. Files received using FTP GET are not examined.
This rule detects files larger than 5MB sent using the HTTP POST protocol. Files received using HTTP GET are not examined.
Protocol: Select the type of content traffic that the DLP rule will apply to. The available rule options vary depending on the protocol that you select. You can select the following protocols: Email, HTTP, FTP, NNTP, Instant Messaging and Session Control.
AIM, ICQ, MSN, Yahoo!: When you select the Instant Messaging protocol, you can configure the rule to apply to file transfers using any or all of the supported IM protocols (AIM, ICQ, MSN, and Yahoo!). Only file transfers using the IM protocols are subject to DLP rules. IM messages are not scanned.
HTTP POST, HTTP GET: When you select the HTTP protocol, you can configure the rule to apply to HTTP post or HTTP get traffic or both.
HTTPS POST, HTTPS GET: When you select the HTTP protocol, if your FortiGate unit supports SSL content scanning and inspection, you can also configure the HTTP rule to apply to HTTPS get or HTTPS post sessions or both. For more information about SSL content scanning and inspection, see Configuring SSL content scanning and inspection on page 472. To scan these encrypted traffic types, you must set HTTPS Content Filtering Mode to Deep Scan (Decrypt on SSL Traffic) in the Protocol Recognition section of the protection profile. If URL Filtering is selected, the DLP sensors will not scan HTTPS content.
FTP PUT, FTP GET: When you select the FTP protocol, you can configure the rule to apply to FTP put or FTP get sessions or both.
SMTP, IMAP, POP3: When you select the Email protocol, you can configure the rule to apply to any or all of the supported email protocols (SMTP, IMAP, and POP3).
SMTPS, IMAPS, POP3S: When you select the Email protocol, if your FortiGate unit supports SSL content scanning and inspection, you can also configure the rule to apply to SMTPS, IMAPS, POP3S or any combination of these protocols. For more information about SSL content scanning and inspection, see Configuring SSL content scanning and inspection on page 472.
SIP, SIMPLE, SCCP: When you select the Session Control protocol, you can configure the rule to apply to any or all of the supported session control protocols (SIP, SIMPLE, and SCCP). The only rule option for the session control protocols is Always. This option matches all session control traffic and is used for session control DLP archiving.
You can select file options for any protocol to configure how the DLP rule handles archive files, MS-Word files, and PDF files found in content traffic. File options appear when you select the File Type rule option.
File Options
Scan archive contents: When selected, files within archives are extracted and scanned in the same way as files that are not archived.
Scan archive files whole: When selected, archives are scanned as a whole. The files within the archive are not extracted and scanned individually.
Scan MS-Word text: When selected, the text contents of MS Word DOC documents are extracted and scanned for a match. All metadata and binary information is ignored. Note: Office 2007/2008 DOCX files are not recognized as MS-Word by the DLP scanner. To scan the contents of DOCX files, select the Scan archive contents option.
When selected, MS Word DOC files are scanned whole. All binary and metadata information is included. If you are scanning for text entered in a DOC file, use the Scan MS-Word text option instead: binary formatting codes and file information may appear within the text, causing text matches to fail. Note: Office 2007/2008 DOCX files are not recognized as MS-Word by the DLP scanner. To scan the contents of DOCX files, select the Scan archive contents option.
Scan PDF text: When selected, the text contents of PDF documents are extracted and scanned for a match. All metadata and binary information is ignored.
When selected, PDF files are scanned whole. All binary and metadata information is included. If you are scanning for text in PDF files, use the Scan PDF Text option instead: binary formatting codes and file information may appear within the text, causing text matches to fail.
Rule settings
Use the Rule settings to configure the content that the DLP rule matches. The available settings are:
Match any content. This option is available for all protocols.
Check the attachment file size. This option is available for Email.
Search email messages for file types or file patterns as specified in the selected file filter. This option is available for Email.
Search for traffic from the specified authenticated user.
Search for the specified binary string in network traffic.
Search for the specified string in the message or page body. This option is available for Email, HTTP, and NNTP.
Search for the specified CGI parameters in any web page with CGI code. This option is available for HTTP.
Search the contents of cookies for the specified text. This option is available for HTTP.
Check whether the file is or is not encrypted. Encrypted files are archives and MS Word files protected with passwords. Because they are password protected, the FortiGate unit cannot scan the contents of encrypted files.
Search for the specified text in transferred text files. This option is available in FTP, IM, and NNTP.
Search for the specified file patterns and file types. The patterns and types are configured in file filter lists, and a list is selected in the DLP rule. For more information about file filter lists, see File Filter on page 513. This option is available for FTP, HTTP, IM, and NNTP.
Search for the specified host name when contacting an HTTP server.
Search for the specified string in HTTP headers.
Search for the specified string in the message recipient email address. This option is available for Email.
Search for the specified string in the message sender user ID or email address. This option is available for Email and IM. For email, the sender is determined by the From: address in the email header. For IM, all members of an IM session are senders, and the senders are determined by finding the IM user IDs in the session.
Search for the server's IP address in a specified address range. This option is available for FTP and NNTP.
Search for the specified string in the message subject. This option is available for Email.
Check the total size of the information transfer. In the case of email traffic, for example, the transfer size includes the message header, body, and any encoded attachment.
Search for the specified URL in HTTP traffic.
Search for traffic from any user in the specified user group.
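The File Options note that DOCX files are only reachable through Scan archive contents follows from the DOCX format itself: a .docx is a ZIP archive whose text sits in word/document.xml. The following added example (not code from the FortiGate guide, and only a model of the scanner's three modes) builds a constructed DOCX-style ZIP in memory and scans it first as one opaque file, then member by member, then by text runs only; the document text and the "confidential" pattern are constructed for the example.

```python
import io
import re
import zipfile

# Added example, not from the FortiGate guide: a .docx file is a ZIP archive
# with the document text inside word/document.xml, which is why the note above
# says DOCX files must be scanned with Scan archive contents. Scanning the
# file as one opaque blob ("Scan archive files whole") sees only compressed
# bytes; extracting the members first finds the text. The document here is
# constructed in memory for the example and is not a real Word file.

def build_docx(paragraphs):
    """Build a minimal, constructed .docx-style ZIP containing the given paragraphs."""
    body = "".join(f"<w:p><w:r><w:t>{p}</w:t></w:r></w:p>" for p in paragraphs)
    xml = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
           f"<w:body>{body}</w:body></w:document>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder part, not a valid one
        zf.writestr("word/document.xml", xml)
    return buf.getvalue()

def scan_whole(blob, pattern):
    """Model of 'Scan archive files whole': search the raw bytes of the file."""
    return re.search(pattern.encode(), blob) is not None

def scan_archive_contents(blob, pattern):
    """Model of 'Scan archive contents': extract every member and search each one.
    Returns the name of the first member that matches, or None."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if re.search(pattern.encode(), zf.read(name)):
                return name
    return None

def extract_word_text(blob):
    """Model of 'Scan MS-Word text' applied to a DOCX: keep only the text runs."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        xml = zf.read("word/document.xml").decode()
    return " ".join(re.findall(r"<w:t>(.*?)</w:t>", xml))

def compare():
    """Scan a constructed DOCX for the word 'confidential' in all three ways."""
    blob = build_docx([
        "Quarterly payroll report, internal use only.",
        "This document is CONFIDENTIAL and must not leave the company.",
        "Quarterly payroll report, internal use only.",
    ])
    pattern = r"(?i)confidential"   # case-insensitive, as with the /i option
    return {
        "whole": scan_whole(blob, pattern),
        "contents": scan_archive_contents(blob, pattern),
        "text": extract_word_text(blob),
    }

if __name__ == "__main__":
    print(compare())
```

The whole-file scan comes back empty because DEFLATE encodes the text, so a body-string rule paired with Scan archive files whole would let this document through; the member-by-member scan locates the string in word/document.xml.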
Rule operators:
matches/does not match: This operator specifies whether the FortiGate unit is searching for the presence of the specified string or for its absence. Matches: the rule will be triggered if the specified string is found in network traffic. Does not match: the rule will be triggered if the specified string is not found in network traffic.
Select the encoding used for text files and messages.
Select the means by which patterns are defined. For more information about wildcards and regular expressions, see Using wildcards and Perl regular expressions on page 571.
is/is not: This operator specifies whether the rule is triggered when a condition is true or not true. Is: the rule will be triggered if the condition is true. Is not: the rule will be triggered if the condition is not true. For example, if a rule specifies that a file type is found within a specified file type list, all matching files will trigger the rule. Conversely, if the rule specifies that a file type is not found in a file type list, only the file types not in the list would trigger the rule.
==/>=/<=/!=: These operators allow you to compare the size of a transfer or attached file to an entered value. == is equal to the entered value. >= is greater than or equal to the entered value. <= is less than or equal to the entered value. != is not equal to the entered value.
When the sensor is used, either rule could be activated if its configured condition is true. If only one condition is true, only the corresponding rule would be activated. Depending on the contents of the SMTP traffic, neither, either, or both could be activated. If you remove these rules from the sensor, add them to a compound rule, and add the compound rule to the sensor, the conditions in both rules have to be present in network traffic to activate the compound rule. If only one condition is present, the message passes without any rule or compound rule being activated. By combining the individually configurable attributes of multiple rules, compound rules allow you to specify far more detailed and specific conditions to trigger an action.
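A small model of the rule composition just described and of the rule operators table, as an added example that is not code from the FortiGate guide: rules placed directly in a sensor are evaluated with an implicit OR, rules inside a compound rule with an implicit AND, and the operators matches/does not match and ==, >=, <=, != are applied to constructed SMTP messages. The Social Security number pattern is the one quoted at the start of the DLP Rules section; the message contents, sizes and rule names are constructed for the example.

```python
import re

# Added example, not from the FortiGate guide: a small model of how DLP rules
# combine. Rules placed directly in a sensor are joined by an implicit OR (any
# match triggers the action); rules inside a compound rule are joined by an
# implicit AND (all must match). Rule operators follow the table above:
# matches/does not match, and ==, >=, <=, != for sizes. The SSN pattern is the
# one quoted in the DLP Rules section; the messages are constructed test data.

# Social Security number pattern as quoted in the guide.
SSN_PATTERN = r"([0-6]\d{2}|7([0-6]\d|7[0-2]))[ \-]?\d{2}[ \-]\d{4}"

SIZE_OPS = {
    "==": lambda a, b: a == b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "!=": lambda a, b: a != b,
}

def body_rule(pattern, negate=False):
    """Rule: message body matches (or, with negate=True, does not match) pattern."""
    def rule(msg):
        found = re.search(pattern, msg["body"]) is not None
        return found != negate          # 'does not match' inverts the result
    return rule

def subject_rule(pattern):
    """Rule: message subject matches pattern, case-insensitively (the /i option)."""
    return lambda msg: re.search(pattern, msg["subject"], re.IGNORECASE) is not None

def size_rule(op, value):
    """Rule: compare the total transfer size with the entered value."""
    return lambda msg: SIZE_OPS[op](msg["size"], value)

def compound_rule(*rules):
    """Compound rule: implicit AND, every member rule must match."""
    return lambda msg: all(rule(msg) for rule in rules)

def sensor(*rules):
    """Sensor: implicit OR, any matching rule triggers the configured action."""
    return lambda msg: any(rule(msg) for rule in rules)

# Constructed SMTP messages; sizes are made-up byte counts.
MESSAGES = {
    "ssn_only":   {"subject": "Payroll", "body": "Employee SSN 123-45-6789", "size": 2_000},
    "large_only": {"subject": "Photos", "body": "see attached", "size": 6_000_000},
    "both":       {"subject": "Confidential export", "body": "SSN 219 09 9999 attached", "size": 6_000_000},
    "neither":    {"subject": "Lunch", "body": "noon?", "size": 500},
}

has_ssn = body_rule(SSN_PATTERN)
is_large = size_rule(">=", 5 * 1024 * 1024)        # 5MB, as in the Large-File sensor

def evaluate():
    """Per message: (OR sensor fires, AND compound rule fires, subject+SSN compound fires)."""
    or_sensor = sensor(has_ssn, is_large)
    and_sensor = sensor(compound_rule(has_ssn, is_large))
    subject_and_ssn = sensor(compound_rule(subject_rule("confidential"), has_ssn))
    return {name: (or_sensor(m), and_sensor(m), subject_and_ssn(m))
            for name, m in MESSAGES.items()}

def does_not_match_demo():
    """'does not match': names of messages whose body carries no SSN."""
    no_ssn = body_rule(SSN_PATTERN, negate=True)
    return [name for name, m in MESSAGES.items() if no_ssn(m)]

def ssn_pattern_check():
    """Which constructed strings the guide's SSN pattern accepts."""
    samples = ["123-45-6789", "12345-6789", "772 12 3456", "800-45-6789", "123456789"]
    return [s for s in samples if re.search(SSN_PATTERN, s)]

if __name__ == "__main__":
    print(evaluate())
    print(does_not_match_demo())
    print(ssn_pattern_check())
```

The evaluate() result shows the difference the text describes: with the two rules directly in the sensor, a message carrying only an SSN or only a large transfer already triggers the action; once they are wrapped in a compound rule, only the message that has both does. ssn_pattern_check() also shows why the guide's pattern needs no list of numbers: area numbers above 772 and digit runs without a separator before the last group are rejected by the structure alone.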
Create New: Select Create New to add a new compound rule.
Name: The compound rule name.
Comments: The optional description of the compound rule.
DLP sensors: If the compound rule is used in any sensors, the sensor names are listed here.
Delete and Edit icons: Delete or edit a compound rule. If a compound rule is used in a sensor, the delete icon will not be available. Remove the compound rule from the sensor and then delete it.
Protocol: Select the type of content traffic that the DLP compound rule applies to. The rules that you can add to the compound rule vary depending on the protocol that you select. You can select the following protocols: Email, HTTP, FTP, NNTP, and Instant Messaging.
AIM, ICQ, MSN, Yahoo!: When you select the Instant Messaging protocol, you can select the supported IM protocols for which to add rules. Only the rules that include all of the selected protocols can be added to the compound rule.
HTTP POST, HTTP GET: When you select the HTTP protocol, you can configure the compound rule to apply to HTTP post or HTTP get sessions or both. Only the rules that include all of the selected options can be added to the compound rule.
HTTPS POST, HTTPS GET: When you select the HTTP protocol, if your FortiGate unit supports SSL content scanning and inspection, you can configure the compound rule to apply to HTTPS post or HTTPS get sessions or both. Only the rules that include all of the selected options can be added to the compound rule. For more information about SSL content scanning and inspection, see Configuring SSL content scanning and inspection on page 472. To scan these encrypted traffic types, you must set HTTPS Content Filtering Mode to Deep Scan (Decrypt on SSL Traffic) in the Protocol Recognition section of the protection profile. If URL Filtering is selected, the DLP sensors will not scan HTTPS content.
FTP PUT, FTP GET: When you select the FTP protocol, you can configure the compound rule to apply to FTP put or FTP get sessions or both. Only the rules that include all of the selected options can be added to the compound rule.
SMTP, IMAP, POP3: When you select the Email protocol, you can select the supported email protocols for which to add rules. Only the rules that include all of the selected protocols can be added to the compound rule.
SMTPS, IMAPS, POP3S: When you select the Email protocol, if your FortiGate unit supports SSL content scanning and inspection, you can also select the SMTPS, IMAPS, POP3S protocols. Only the rules that include all of the selected protocols can be added to the compound rule. For more information about SSL content scanning and inspection, see Configuring SSL content scanning and inspection on page 472.
Rules: Select the rules to include in the compound rule. Only the rules that include all of the selected protocols can be added to the compound rule. Use the add rule and delete rule icons to add and remove rules from the compound rule. Select the add rule icon and then select a rule from the list.
Application Control
This section describes how to configure the application control options associated with firewall protection profiles. If you enable virtual domains (VDOMs) on the FortiGate unit, the application control configuration of each VDOM is entirely separate. For example, application black/white lists created in one VDOM will not be visible in other VDOMs. For details, see Using virtual domains on page 125.
This section provides an introduction to configuring application control. For more information see the FortiGate UTM User Guide.
This section describes:
What is application control?
FortiGuard application control database
Viewing the application control black/white lists
Creating a new application control black/white list
Configuring an application control black/white list
Adding or configuring an application control black/white list entry
Application control statistics
To see the complete list of applications supported by FortiGuard Application Control go to the FortiGuard Application Control List. This web page lists all of the supported applications. You can select any application name to see details about the application.
Figure 359: ISIS.Over.IPv4 application page
Create New: Select Create New to add a new application control black/white list.
Name: The available application control black/white lists.
The number of application rules in each application control black/white list.
The protection profile each application control black/white list has been applied to. If the black/white list has not been applied to a protection profile, this field will be blank.
Comments: An optional description of each application control black/white list.
Delete icon: Select to remove the application control black/white list. The delete icon is only available if the application control black/white list is not selected in any protection profiles.
Edit icon: Select to edit the application control black/white list.
Name: Enter the name of the application control black/white list.
Comments: Optionally, enter a comment or description.
Name: The name of the application control black/white list.
Comments: Enter or edit a comment about the black/white list. The comment is optional.
Black List (Allow all undefined applications) / White List (Block all undefined applications): Each application control list can behave either as a black list or as a white list. This setting determines how the FortiGate unit will treat traffic from applications not appearing on the list. Select Black List to allow application traffic from the applications not appearing on the application black/white list. Select White List to block application traffic from the applications not appearing on the application black/white list. In both cases, the applications specified in the list will be handled according to the action configured in each entry.
Enable logging for undefined applications: Select whether the FortiGate unit will log the traffic of the applications not appearing on the application black/white list.
Create New: Select to create a new application entry.
ID: A unique number used primarily when re-ordering application entries.
Category: The category indicates the scope of the applications included in the application entry if Application is set to all. For example, if Application is all and Category is toolbar, then all the toolbar applications are included in the application entry even though they are not specified individually. If Application is a single application, the value in Category has no effect on the operation of the application entry.
Application: The FortiGate unit will examine network traffic for the listed application. If Application is all, every application in the selected category is included.
Action: If the FortiGate unit detects traffic from the specified application, the selected action will be taken.
Enable Logging: If traffic from the specified application is detected, the FortiGate unit will log the occurrence and the action taken.
Delete icon: Select to delete the application entry.
Edit icon: Select to edit the application entry.
Insert Application Before icon: Select to create a new application entry above the entry in which you selected the icon.
Move To icon: Select to move the application entry to a different position in the black/white list.
Figure 363: The application control black/white list entry for FTP
Category: The applications are categorized by type. If you want to choose an IM application, for example, select the im category, and the application black/white list will show only the im applications. The Category selection can also be used to specify an entire category of applications. To select all IM applications, for example, select the im category and select all as the application. This specifies all the IM applications with a single application control black/white list entry.
Application: The FortiGate unit will examine network traffic for the listed application. If Application is all, every application in the selected category is included.
Action: If the FortiGate unit detects traffic from the specified application, the selected action will be taken.
Session TTL: The application's session TTL. If this option is not enabled, the TTL defaults to the setting of the config system session-ttl CLI command.
Enable Logging: When enabled, the FortiGate unit will log the occurrence and the action taken when traffic from the specified application is detected.

In addition to these options, some IM applications and VoIP protocols have additional options:
IM options
Block Login: Select to prevent users from logging in to the selected IM system.
Block File Transfers: Select to prevent the sending and receiving of files using the selected IM system.
Block Audio: Select to prevent audio communication using the selected IM system.
Inspect Non-standard Port: Select to allow the FortiGate unit to examine non-standard ports for the IM client traffic.
Display content meta-information on the system dashboard: Select to include meta-information detected for the IM system on the FortiGate unit dashboard.

VoIP options
Limit Call Setup: Enter the maximum number of calls each client can set up per minute.
Limit REGISTER request: Enter the maximum number of register requests per second allowed for the firewall policy.
Limit INVITE request: Enter the maximum number of invite requests per second allowed for the firewall policy.
Enable Logging of Violations: Select to enable logging of violations.
Other options
Command: Some traffic types include a command option. Specify a command that appears in the traffic that you want to block or pass. For example, enter GET as a command in the FTP.Command application to have the FortiGate unit examine FTP traffic for the GET command. Multiple commands can be entered.
Method: A method option is available for the HTTP, RTSP, and SIP protocols. Specify a method that appears in the traffic that you want to block or pass. For example, enter POST as a method in the HTTP.Method application to have the FortiGate unit examine HTTP traffic for the POST method. Multiple methods can be entered.
Program Number: Enter the program number appearing in Sun Remote Procedure Calls (RPC) that you want to block or pass. Multiple program numbers can be entered.
UUID: Enter the UUID appearing in Microsoft Remote Procedure Calls (MSRPC) that you want to block or pass. Multiple UUIDs can be entered.
Select the automatic refresh interval for statistics. Set the interval from none to 30 seconds. Click to refresh the page with the latest statistics. Click to reset the statistics to zero.
Users: For each IM protocol, the following user information is listed: Current Users, (Users) Since Last Reset, (Users) Blocked.
Chat: For each IM protocol, the following chat information is listed: Total Chat Sessions, Server-based Chat (Sessions), Group Chat (Sessions), Direct/Private Chat (Sessions).
Messages: For each IM protocol, the following message information is listed: Total Messages, Sent, Received.
File Transfers: For each IM protocol, the following file transfer information is listed: (Files transferred) Since Last Reset, (Files) Sent, (Files) Received, (Files) Blocked.
Voice Chat: For each IM protocol, the following voice chat information is listed: (Voice chats) Since Last Reset, (Voice chats) Blocked.
P2P Usage: For each P2P protocol, the following usage information is listed: Total Bytes (transferred), Average Bandwidth. If the action for a P2P application is set to pass, the statistics will display the total usage of the P2P application. Applications set to Block will not affect the statistics. Note that the same application can have different actions set in different application control black/white lists. In this case, the traffic handled by the black/white lists with the Pass action will be reflected in the statistics. The traffic handled by the black/white lists with the Block action will not be reflected.
VoIP Usage: For the SIP and SCCP protocols, the following information is listed: Currently Active Sessions (phones connected, etc.), Total Calls (since last reset), Calls Failed/Dropped, Calls Succeeded.
IPSec VPN
This section provides information about Internet Protocol Security (IPSec) VPN configuration options available through the web-based manager. FortiGate units support both policy-based (tunnel-mode) and route-based (interface mode) VPNs.
Note: For information about how to configure an IPSec VPN, see the FortiGate IPSec VPN User Guide.
If you enable virtual domains (VDOMs) on the FortiGate unit, VPN IPSec is configured separately for each virtual domain. For details, see Using virtual domains on page 125.

This section describes:
Overview of IPSec VPN configuration
Policy-based versus route-based VPNs
Auto Key
Manual Key
Internet browsing configuration
Concentrator
Monitoring VPNs
3 Create a firewall policy to permit communication between your private network and the VPN. For a policy-based VPN, the firewall policy action is IPSEC. For an interface-based VPN, the firewall policy action is ACCEPT. See Configuring firewall policies on page 367.
FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20091022 http://docs.fortinet.com/ Feedback
For more information about configuring IPSec VPNs, see the FortiGate IPSec VPN User Guide.
Policy-based VPN: Requires a firewall policy with IPSEC action that specifies the VPN tunnel. One policy controls connections in both directions.
Route-based VPN: Requires only a simple firewall policy with ACCEPT action. A separate policy is required for connections in each direction.
You create a policy-based VPN by defining an IPSEC firewall policy between two network interfaces and associating it with the VPN tunnel (phase 1 or manual key) configuration. You need only one firewall policy, even if either end of the VPN can initiate a connection. You create a route-based VPN by enabling IPSec interface mode when you create the VPN phase 1 or manual key configuration. This creates a virtual IPSec interface that is bound to the local interface you selected. You then define an ACCEPT firewall policy to permit traffic to flow between the virtual IPSec interface and another network interface. If either end of the VPN can initiate the connection, you need two firewall policies, one for each direction. Virtual IPSec interface bindings are shown on the network interfaces page. (Go to System > Network > Interface.) The names of all tunnels bound to physical, aggregate, VLAN, inter-VDOM link or wireless interfaces are displayed under their associated interface names in the Name column. For more information, see Configuring interfaces on page 145. As with other interfaces, you can include a virtual IPSec interface in a zone.
Hub-and-spoke configurations
To function as the hub of a hub-and-spoke VPN, the FortiGate unit provides a concentrator function. This is available only for policy-based VPNs, but you can create the equivalent function for a route-based VPN in any of the following ways:
- Define a firewall policy between each pair of IPSec interfaces that you want to concentrate. This can be time-consuming to maintain if you have many site-to-site connections, since the number of policies required increases rapidly as the number of spokes increases.
- Put all the IPSec interfaces into a zone and then define a single zone-to-zone policy.
- Put all the IPSec interfaces in a zone and enable intra-zone traffic. There must be more than one IPSec interface in the zone.
For more information and an example, see the FortiGate IPSec VPN User Guide.
Redundant configurations
Route-based VPNs help to simplify the implementation of VPN tunnel redundancy. You can configure several routes for the same IP traffic with different route metrics. You can also configure the exchange of dynamic (RIP, OSPF, or BGP) routing information through VPN tunnels. If the primary VPN connection fails or the priority of a route changes through dynamic routing, an alternative route will be selected to forward traffic through the redundant connection. A simple way to provide failover redundancy is to create a backup IPSec interface. You can do this in the CLI. For more information, including an example configuration, see the monitor-phase1 keyword for the vpn ipsec phase1-interface command in the FortiGate CLI Reference.
Routing
Optionally, through the CLI, you can define a specific default route for a virtual IPSec interface. For more information, see the default-gw keyword for the vpn ipsec phase1-interface command in the FortiGate CLI Reference.
Auto Key
You can configure two VPN peers (or a FortiGate dialup server and a VPN client) to generate unique Internet Key Exchange (IKE) keys automatically during the IPSec phase 1 and phase 2 exchanges. When you define phase 2 parameters, you can choose any set of phase 1 parameters to set up a secure connection for the tunnel and authenticate the remote peer. Auto Key configuration applies to both tunnel-mode and interface-mode VPNs. To configure an Auto Key VPN, go to VPN > IPSEC > Auto Key (IKE).
Figure 365: Auto Key list
Create Phase 1: Create a new phase 1 tunnel configuration. For more information, see Creating a new phase 1 configuration on page 606.
Create Phase 2: Create a new phase 2 configuration. For more information, see Creating a new phase 2 configuration on page 611.
Phase 1: The names of existing phase 1 tunnel configurations.
Phase 2: The names of existing phase 2 configurations.
Interface Binding: The names of the local interfaces to which IPSec tunnels are bound. These can be physical, aggregate, VLAN, inter-VDOM link or wireless interfaces.
Delete and Edit icons: Delete or edit a phase 1 or phase 2 configuration.
To define basic IPSec phase 1 parameters, go to VPN > IPSEC > Auto Key (IKE) and select Create Phase 1. For information about how to choose the correct phase 1 settings for your particular situation, see the FortiGate IPSec VPN User Guide.
Figure 366: New Phase 1
Name: Type a name to represent the phase 1 definition. The maximum name length is 15 characters for an interface mode VPN, 35 characters for a policy-based VPN. If Remote Gateway is Dialup User, the maximum name length is further reduced depending on the number of dialup tunnels that can be established: by 2 for up to 9 tunnels, by 3 for up to 99 tunnels, by 4 for up to 999 tunnels, and so on. For a tunnel mode VPN, the name should reflect where the remote connection originates. For a route-based tunnel, the FortiGate unit also uses the name for the virtual IPSec interface that it creates automatically.
Remote Gateway: Select the category of the remote connection:
  Static IP Address: If the remote peer has a static IP address.
  Dialup User: If one or more FortiClient or FortiGate dialup clients with dynamic IP addresses will connect to the FortiGate unit.
  Dynamic DNS: If a remote peer that has a domain name and subscribes to a dynamic DNS service will connect to the FortiGate unit.
If you selected Static IP Address, type the IP address of the remote peer.
If you selected Dynamic DNS, type the domain name of the remote peer.
Local Interface: This option is available in NAT/Route mode only. Select the name of the interface through which remote peers or dialup clients connect to the FortiGate unit. By default, the local VPN gateway IP address is the IP address of the interface that you selected. Optionally, you can specify a unique IP address for the VPN gateway in the Advanced settings. For more information, see Local Gateway IP on page 609.
Mode: Select Main or Aggressive. In Main mode, the phase 1 parameters are exchanged in multiple rounds with encrypted authentication information. In Aggressive mode, the phase 1 parameters are exchanged in a single message with authentication information that is not encrypted. When the remote VPN peer has a dynamic IP address and is authenticated by a pre-shared key, you must select Aggressive mode if there is more than one dialup phase 1 configuration for the interface IP address. When the remote VPN peer has a dynamic IP address and is authenticated by a certificate, you must select Aggressive mode if there is more than one phase 1 configuration for the interface IP address and these phase 1 configurations use different proposals. Peer Options settings may require a particular mode. See Peer Options, below.
Authentication Method: Select Preshared Key or RSA Signature.
Pre-shared Key: If you selected Pre-shared Key, type the pre-shared key that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during phase 1 negotiations. You must define the same value at the remote peer or client. The key must contain at least 6 printable characters and should be known only by network administrators. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters.
Certificate Name: If you selected RSA Signature, select the name of the server certificate that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during phase 1 negotiations. For information about obtaining and loading the required server certificate, see the FortiGate Certificate Management User Guide.
Peer Options: One or more of the following options are available to authenticate VPN peers or clients, depending on the Remote Gateway and Authentication Method settings.
  Accept the local ID of any remote VPN peer or client. The FortiGate unit does not check identifiers (local IDs). You can set Mode to Aggressive or Main. You can use this option with RSA Signature authentication, but for highest security you should configure a PKI user/group for the peer and set Peer Options to Accept this peer certificate only.
  This option is available only if the remote peer has a dynamic IP address. Enter the identifier that is used to authenticate the remote peer. This identifier must match the identifier that the remote peer's administrator has configured. If the remote peer is a FortiGate unit, the identifier is specified in the Local ID field of the phase 1 configuration. If the remote peer is a FortiClient dialup client, the identifier is specified in the Local ID field, accessed by selecting Config in the Policy section of the VPN connection's Advanced Settings.
  Accept peer ID in dialup group: Authenticate multiple FortiGate or FortiClient dialup clients that use unique identifiers and unique pre-shared keys (or unique pre-shared group keys only) through the same VPN tunnel. You must create a dialup user group for authentication purposes. (For more information, see User Group on page 658.) Select the group from the list next to the Accept peer ID in dialup group option. For more information about configuring FortiGate dialup clients, see the FortiGate IPSec VPN User Guide. For more information about configuring FortiClient dialup clients, see the Authenticating FortiClient Dialup Clients Technical Note. You must set Mode to Aggressive when the dialup clients use unique identifiers and unique pre-shared keys. If the dialup clients use unique pre-shared keys only, you can set Mode to Main if there is only one dialup phase 1 configuration for this interface IP address.
  Accept this peer certificate only: This option is available when Authentication Method is set to RSA Signature. Authenticate remote peers or dialup clients that use a security certificate. Select the certificate from the list next to the option. You must add peer certificates to the FortiGate configuration before you can select them here. For more information, see PKI on page 656.
  This option is available when Authentication Method is set to RSA Signature and Remote Gateway is set to Dialup User. Use a certificate group to authenticate dialup clients that have dynamic IP addresses and use unique certificates. Select the name of the peer group from the list. You must first create the group through the config user peergrp CLI command before you can select it. For more information, see the user chapter of the FortiGate CLI Reference. Members of the peer group must be certificates added by using the config user peer CLI command. You can also add peer certificates using the web-based manager. For more information, see PKI on page 656.
Advanced: Define advanced phase 1 parameters. For more information, see Defining phase 1 advanced settings on page 608.
Enable IPSec Interface Mode: This is available in NAT/Route mode only. Create a virtual interface for the local end of the VPN tunnel. Select this option to create a route-based VPN; clear it to create a policy-based VPN.
IKE Version: Select the version of IKE to use: 1 or 2. The default is 1. This is available only if IPsec Interface Mode is enabled. For more information about IKE v2, refer to RFC 4306. IKE v2 is not available if Mode is Aggressive. When IKE Version is 2, Mode and XAUTH are not available.
IPv6 Version: Select if you want to use IPv6 addresses for the remote gateway and interface IP addresses. This is available only when Enable IPSec Interface Mode is enabled and IPv6 Support is enabled in the administrative settings.
Local Gateway IP: If you selected Enable IPSec Interface Mode, specify an IP address for the local end of the VPN tunnel. Select one of the following:
  Main Interface IP: The FortiGate unit obtains the IP address of the interface from the network interface settings. For more information, see Configuring interfaces on page 145.
  Specify: You can specify a secondary address of the interface selected in the phase 1 Local Interface field. For more information, see Local Interface on page 607.
You cannot configure Interface mode in a Transparent mode VDOM.
P1 Proposal: Select the encryption and authentication algorithms used to generate keys for protecting negotiations. Use the Add and Delete icons to add or delete encryption and authentication algorithm combinations as required. Select a minimum of one and a maximum of three combinations. The remote peer or client must be configured to use at least one of the proposals that you define.
Encryption: Select one of the following symmetric-key algorithms:
  DES: Data Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
  3DES: Triple-DES, in which plain text is encrypted three times by three keys.
  AES128: a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 128-bit key.
  AES192: a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 192-bit key.
  AES256: a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 256-bit key.
Authentication: Select either of the following message digests to check the authenticity of messages during phase 1 negotiations:
  MD5: Message Digest 5, the hash algorithm developed by RSA Data Security.
  SHA1: Secure Hash Algorithm 1, which produces a 160-bit message digest.
To specify a third combination, use the Add button beside the fields for the second combination.
DH Group: Select one or more Diffie-Hellman groups from DH group 1, 2, 5 and 14. At least one of the DH Group settings on the remote peer or client must match one of the selections on the FortiGate unit.
Keylife: Type the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The keylife can be from 120 to 172 800 seconds.
Local ID: If the FortiGate unit will act as a VPN client and you are using peer IDs for authentication purposes, enter the identifier that the FortiGate unit will supply to the VPN server during the phase 1 exchange. If the FortiGate unit will act as a VPN client and you are using security certificates for authentication, select the distinguished name (DN) of the local server certificate that the FortiGate unit will use for authentication purposes. If the FortiGate unit is a dialup client and will not be sharing a tunnel with other dialup clients (that is, the tunnel will be dedicated to this FortiGate dialup client), set Mode to Aggressive.
XAuth: This option supports the authentication of dialup clients. It is available for IKE v1 only.
  Disable: Select if you do not use XAuth.
  Enable as Client: If the FortiGate unit is a dialup client, type the user name and password that the FortiGate unit will need to authenticate itself to the remote XAuth server.
  Enable as Server: This is available only if Remote Gateway is set to Dialup User. Dialup clients authenticate as members of a dialup user group. You must first create a user group for the dialup clients that need access to the network behind the FortiGate unit. For more information, see Configuring a user group on page 661. You must also configure the FortiGate unit to forward authentication requests to an external RADIUS or LDAP authentication server. For information about these topics, see Configuring a RADIUS server on page 648 or Configuring an LDAP server on page 650. Select a Server Type setting to determine the type of encryption method to use between the FortiGate unit, the XAuth client and the external authentication server, and then select the user group from the User Group list.
Nat-traversal: Select the check box if a NAT device exists between the local FortiGate unit and the VPN peer or client. The local FortiGate unit and the VPN peer or client must have the same NAT traversal setting (both selected or both cleared) to connect reliably.
Keepalive Frequency: If you enabled NAT-traversal, enter a keepalive frequency setting. The value represents an interval ranging from 10 to 900 seconds.
Dead Peer Detection: Select this check box to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required. You can use this option to receive notification whenever a tunnel goes up or down, or to keep the tunnel connection open when no traffic is being generated inside the tunnel. (For example, in scenarios where a dialup client or dynamic DNS peer connects from an IP address that changes periodically, traffic may be suspended while the IP address changes.) With Dead Peer Detection selected, you can use the config vpn ipsec phase1 (tunnel mode) or config vpn ipsec phase1-interface (interface mode) CLI command to optionally specify a retry count and a retry interval. For more information, see the FortiGate CLI Reference.
Name: Type a name to identify the phase 2 configuration.
Phase 1: Select the phase 1 tunnel configuration. For more information, see Creating a new phase 1 configuration on page 606. The phase 1 configuration describes how remote VPN peers or clients will be authenticated on this tunnel, and how the connection to the remote peer or client will be secured.
Advanced: Define advanced phase 2 parameters. For more information, see Defining phase 2 advanced settings on page 611.
P2 Proposal: Select the encryption and authentication algorithms that will be proposed to the remote VPN peer. You can specify up to three proposals. To establish a VPN connection, at least one of the proposals that you specify must match the configuration on the remote peer. Initially there are two proposals. Add and Delete icons are next to the second Authentication field. To specify only one proposal, select Delete to remove the second proposal. To specify a third proposal, select Add. It is invalid to set both Encryption and Authentication to NULL.
Encryption: Select one of the following symmetric-key algorithms:
  NULL: Do not use an encryption algorithm.
  DES: Data Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
  3DES: Triple-DES, in which plain text is encrypted three times by three keys.
  AES128: a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 128-bit key.
  AES192: a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 192-bit key.
  AES256: a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 256-bit key.
Authentication: Select one of the following message digests to check the authenticity of messages during an encrypted session:
  NULL: Do not use a message digest.
  MD5: Message Digest 5, the hash algorithm developed by RSA Data Security.
  SHA1: Secure Hash Algorithm 1, which produces a 160-bit message digest.
  SHA256: Secure Hash Algorithm 2, which produces a 256-bit message digest.
Enable replay detection: Optionally enable or disable replay detection. Replay attacks occur when an unauthorized party intercepts a series of IPSec packets and replays them back into the tunnel.
Enable perfect forward secrecy (PFS): Enable or disable PFS. Perfect forward secrecy (PFS) improves security by forcing a new Diffie-Hellman exchange whenever keylife expires.
DH Group: Select one Diffie-Hellman group (1, 2, 5 or 14). This must match the DH Group that the remote peer or dialup client uses.
Keylife: Select the method for determining when the phase 2 key expires: Seconds, KBytes, or Both. If you select Both, the key expires when either the time has passed or the number of KB has been processed. The range is from 120 to 172 800 seconds, or from 5120 to 2 147 483 648 KB.
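The matching rules stated for the P1 Proposal and P2 Proposal settings (one to three encryption/authentication pairs, at least one common to both peers, a shared DH group, no NULL/NULL pair) can be modelled directly. The following Python is an added example, not FortiGate code; it assumes the peers agree on the first local proposal the remote also offers, that phase 1 needs at least one common DH group, and that a phase 2 with PFS needs the same single DH group on both ends. The weak_choices review helper is likewise an addition.

```python
# Added example: model of the phase 1 / phase 2 proposal matching rules the
# guide states. Not FortiGate code; see the lead-in for assumptions.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Algorithm names as they appear in the web-based manager.
P1_ENCRYPTION = {"DES", "3DES", "AES128", "AES192", "AES256"}
P1_AUTHENTICATION = {"MD5", "SHA1"}
P2_ENCRYPTION = P1_ENCRYPTION | {"NULL"}
P2_AUTHENTICATION = P1_AUTHENTICATION | {"NULL", "SHA256"}
DH_GROUPS = {1, 2, 5, 14}

Proposal = Tuple[str, str]  # (encryption, authentication)


def proposal_errors(proposals: List[Proposal], phase: int) -> List[str]:
    """Apply the guide's constraints: one to three proposals, algorithm names
    valid for the phase, and never NULL encryption with NULL authentication."""
    enc_names = P1_ENCRYPTION if phase == 1 else P2_ENCRYPTION
    auth_names = P1_AUTHENTICATION if phase == 1 else P2_AUTHENTICATION
    errors = []
    if not 1 <= len(proposals) <= 3:
        errors.append("between one and three proposals are required")
    for enc, auth in proposals:
        if enc not in enc_names or auth not in auth_names:
            errors.append(f"{enc}/{auth} is not valid for phase {phase}")
        if enc == "NULL" and auth == "NULL":
            errors.append("encryption and authentication cannot both be NULL")
    return errors


@dataclass
class Phase1:
    proposals: List[Proposal]
    dh_groups: Set[int]  # one or more of DH groups 1, 2, 5 and 14


@dataclass
class Phase2:
    proposals: List[Proposal]
    pfs: bool = False
    dh_group: Optional[int] = None  # exactly one group when PFS is enabled


def _first_common(local: List[Proposal], remote: List[Proposal]) -> Optional[Proposal]:
    """Local preference order decides which common proposal is chosen."""
    remote_set = set(remote)
    for prop in local:
        if prop in remote_set:
            return prop
    return None


def negotiate_phase1(local: Phase1, remote: Phase1) -> Optional[Proposal]:
    """Agreed phase 1 proposal, or None when the peers cannot agree."""
    for side in (local, remote):
        errs = proposal_errors(side.proposals, 1)
        if not side.dh_groups or not side.dh_groups <= DH_GROUPS:
            errs.append("select one or more of DH groups 1, 2, 5 and 14")
        if errs:
            raise ValueError("; ".join(errs))
    # At least one selected DH group must be common to both peers.
    if not local.dh_groups & remote.dh_groups:
        return None
    return _first_common(local.proposals, remote.proposals)


def negotiate_phase2(local: Phase2, remote: Phase2) -> Optional[Proposal]:
    """Agreed phase 2 proposal, or None when proposals or PFS do not line up."""
    for side in (local, remote):
        errs = proposal_errors(side.proposals, 2)
        if side.pfs and side.dh_group not in DH_GROUPS:
            errs.append("PFS needs exactly one DH group from 1, 2, 5 or 14")
        if errs:
            raise ValueError("; ".join(errs))
    # PFS forces a fresh Diffie-Hellman exchange at every rekey; the single
    # group is not negotiated from a list and must be identical on both ends.
    if local.pfs != remote.pfs or (local.pfs and local.dh_group != remote.dh_group):
        return None
    return _first_common(local.proposals, remote.proposals)


def weak_choices(proposals: List[Proposal], dh_groups: Set[int]) -> List[str]:
    """Flag choices a reviewer would question: DES or NULL encryption, MD5
    authentication, and the small DH groups 1 and 2 (all still selectable)."""
    notes = []
    for enc, auth in proposals:
        if enc in ("DES", "NULL"):
            notes.append(f"{enc} encryption offers little or no confidentiality")
        if auth == "MD5":
            notes.append("MD5 authentication is deprecated")
    for group in sorted(dh_groups & {1, 2}):
        notes.append(f"DH group {group} is too small for long-term keys")
    return notes
```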
Autokey Keep Alive: Select the check box if you want the tunnel to remain active when no data is being processed.
DHCP-IPSec: Provide IP addresses dynamically to VPN clients. This is available for phase 2 configurations associated with a dialup phase 1 configuration. You also need to configure a DHCP server or relay on the private network interface. You must configure the DHCP parameters separately. For more information, see System DHCP on page 199. If you configure the DHCP server to assign IP addresses based on RADIUS user group attributes, you must also set the Phase 1 Peer Options to Accept peer ID in dialup group and select the appropriate user group. See Creating a new phase 1 configuration on page 606. If the FortiGate unit acts as a dialup server and you manually assigned FortiClient dialup clients VIP addresses that match the network behind the dialup server, selecting the check box will cause the FortiGate unit to act as a proxy for the dialup clients.
Note: You can configure settings so that VPN users can browse the Internet through the FortiGate unit. For more information, see Internet browsing configuration on page 616.
Optionally specify the source and destination IP addresses to be used as selectors for IKE negotiations. If the FortiGate unit is a dialup server, you should keep the default value 0.0.0.0/0 unless you need to circumvent problems caused by ambiguous IP addresses between one or more of the private networks making up the VPN. You can specify a single host IP address, an IP address range, or a network address. You may optionally specify source and destination port numbers and a protocol number. If you are editing an existing phase 2 configuration, the Source address and Destination address fields are unavailable if the tunnel has been configured to use firewall addresses as selectors. This option exists only in the CLI. For more information, see the dst-addr-type, dst-name, src-addr-type and src-name keywords for the vpn ipsec phase2 command in the FortiGate CLI Reference.
Source address: If the FortiGate unit is a dialup server, type the source IP address that corresponds to the local senders or network behind the local VPN peer (for example, 172.16.5.0/24 or 172.16.5.0/255.255.255.0 for a subnet, 172.16.5.1/32 or 172.16.5.1/255.255.255.255 for a server or host, or 192.168.10.[80-100] or 192.168.10.80-192.168.10.100 for an address range). A value of 0.0.0.0/0 means all IP addresses behind the local VPN peer. If the FortiGate unit is a dialup client, the source address must refer to the private network behind the FortiGate dialup client.
Source port: Type the port number that the local VPN peer uses to transport traffic related to the specified service (protocol number). The range is from 0 to 65535. To specify all ports, type 0.
Destination address: Type the destination IP address that corresponds to the recipients or network behind the remote VPN peer (for example, 192.168.20.0/24 for a subnet, 172.16.5.1/32 for a server or host, or 192.168.10.[80-100] for an address range). A value of 0.0.0.0/0 means all IP addresses behind the remote VPN peer.
Destination port: Type the port number that the remote VPN peer uses to transport traffic related to the specified service (protocol number). The range is from 0 to 65535. To specify all ports, type 0.
Protocol: Type the IP protocol number of the service. The range is from 0 to 255. To specify all services, type 0.
613
Manual Key
If required, you can manually define cryptographic keys for establishing an IPSec VPN tunnel. You would define manual keys in situations where:
- You require prior knowledge of the encryption or authentication key (that is, one of the VPN peers requires a specific IPSec encryption or authentication key).
- You need to disable encryption and authentication.
In both cases, you do not specify IPSec phase 1 and phase 2 parameters; you define manual keys by going to VPN > IPSEC > Manual Key instead.
Note: You should use manual keys only if it is unavoidable. There are potential difficulties in keeping keys confidential and in propagating changed keys to remote VPN peers securely.
For general information about how to configure an IPSec VPN, see the FortiGate IPSec VPN User Guide.
Figure 370: Manual Key list

Create New: Create a new manual key configuration. See Creating a new manual key configuration on page 614.
Tunnel Name: The names of existing manual key configurations.
Remote Gateway: The IP addresses of remote peers or dialup clients.
Encryption Algorithm: The names of the encryption algorithms specified in the manual key configurations.
Authentication Algorithm: The names of the authentication algorithms specified in the manual key configurations.
Delete and Edit icons: Delete or edit a manual key configuration.
Creating a new manual key configuration

To specify manual keys for creating a tunnel, go to VPN > IPSEC > Manual Key and select Create New.

Figure 371: New Manual Key

Name: Type a name for the VPN tunnel. The maximum name length is 15 characters for an interface mode VPN, 35 characters for a policy-based VPN.
Local SPI: Type a hexadecimal number (up to 8 characters, 0-9, a-f) that represents the SA that handles outbound traffic on the local FortiGate unit. The valid range is from 0x100 to 0xffffffff. This value must match the Remote SPI value in the manual key configuration at the remote peer.
Remote SPI: Type a hexadecimal number (up to 8 characters, 0-9, a-f) that represents the SA that handles inbound traffic on the local FortiGate unit. The valid range is from 0x100 to 0xffffffff. This value must match the Local SPI value in the manual key configuration at the remote peer.
Remote Gateway: Type the IP address of the public interface to the remote peer. The address identifies the recipient of ESP datagrams. This option is available in NAT/Route mode only.
Local Interface: Select the name of the interface to which the IPSec tunnel will be bound. The FortiGate unit obtains the IP address of the interface from the network interface settings. For more information, see Configuring interfaces on page 145.
Encryption Algorithm: Select one of the following symmetric-key encryption algorithms:
    DES: Data Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
    3DES: Triple-DES, in which plain text is encrypted three times by three keys.
    AES128: a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 128-bit key.
    AES192: a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 192-bit key.
    AES256: a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 256-bit key.
    Note: The algorithms for encryption and authentication cannot both be NULL.
Encryption Key: Enter an encryption key appropriate to the encryption algorithm:
    for DES, type a 16-character hexadecimal number (0-9, a-f).
    for 3DES, type a 48-character hexadecimal number (0-9, a-f) separated into three segments of 16 characters.
    for AES128, type a 32-character hexadecimal number (0-9, a-f) separated into two segments of 16 characters.
    for AES192, type a 48-character hexadecimal number (0-9, a-f) separated into three segments of 16 characters.
    for AES256, type a 64-character hexadecimal number (0-9, a-f) separated into four segments of 16 characters.
Authentication Algorithm: Select one of the following message digests:
    MD5: Message Digest 5 algorithm, which produces a 128-bit message digest.
    SHA1: Secure Hash Algorithm 1, which produces a 160-bit message digest.
    SHA256: Secure Hash Algorithm 2, which produces a 256-bit message digest.
    Note: The algorithms for encryption and authentication cannot both be NULL.
Authentication Key: Enter an authentication key appropriate to the authentication algorithm:
    for MD5, type a 32-character hexadecimal number separated into two segments of 16 characters.
    for SHA1, type a 40-character hexadecimal number separated into two segments of 16 characters and a third segment of 8 characters.
    for SHA256, type a 64-character hexadecimal number separated into four segments of 16 characters.
    Digits can be 0 to 9, and a to f.
IPSec Interface Mode: Create a virtual interface for the local end of the VPN tunnel. Select this check box to create a route-based VPN, clear it to create a policy-based VPN. This is available only in NAT/Route mode.
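The table above fixes the SPI range, the per-algorithm key lengths and the rule that encryption and authentication cannot both be NULL. The following Python is an added example (not FortiGate code) that checks a manual key definition against those rules and cross-checks the Local/Remote SPI values of two peers; its dict field names, and its acceptance of an optional 0x prefix and of key segments joined by spaces or hyphens, are assumptions.

```python
"""Check manual key tunnel definitions against the New Manual Key table.
Added example, not FortiGate code: the dict keys (name, local_spi,
encryption_key, ...) are this example's own names, and keys may be given as
one hex string or as the GUI's 16-character segments joined by spaces or
hyphens, with an optional 0x prefix on SPIs (assumptions)."""
import re

HEX_RE = re.compile(r"^[0-9a-f]+$")

# Hex characters required per algorithm (Encryption Key / Authentication Key
# rows). NULL disables that function and takes no key at all.
ENC_KEY_HEX_LEN = {"NULL": 0, "DES": 16, "3DES": 48,
                   "AES128": 32, "AES192": 48, "AES256": 64}
AUTH_KEY_HEX_LEN = {"NULL": 0, "MD5": 32, "SHA1": 40, "SHA256": 64}
SPI_MIN, SPI_MAX = 0x100, 0xFFFFFFFF
# Tunnel name limit depends on IPSec Interface Mode (route- vs policy-based).
NAME_MAX = {"interface": 15, "policy": 35}


def _hex_digits(value):
    """Lower-case and strip segment separators and any 0x prefix."""
    v = re.sub(r"[\s-]", "", str(value)).lower()
    return v[2:] if v.startswith("0x") else v


def check_spi(label, value):
    """Problems with one SPI: up to 8 hex characters in 0x100..0xffffffff."""
    v = _hex_digits(value)
    if not 1 <= len(v) <= 8 or not HEX_RE.match(v):
        return [f"{label}: must be 1 to 8 hexadecimal characters (0-9, a-f)"]
    if not SPI_MIN <= int(v, 16) <= SPI_MAX:
        return [f"{label}: 0x{v} is outside the valid range 0x100 to 0xffffffff"]
    return []


def check_key(label, algorithm, key, table):
    """Problems with a key for `algorithm`: hex digits only, exact length."""
    if algorithm not in table:
        return [f"{label}: unsupported algorithm {algorithm!r}"]
    v = _hex_digits(key)
    expected = table[algorithm]
    if expected == 0:
        return [f"{label}: {algorithm} takes no key"] if v else []
    if not v or not HEX_RE.match(v):
        return [f"{label}: key must contain only 0-9 and a-f"]
    if len(v) != expected:
        return [f"{label}: {algorithm} needs {expected} hex characters, got {len(v)}"]
    return []


def validate_manual_key(cfg):
    """All rule violations in one manual key configuration ([] means valid)."""
    problems = []
    mode = "interface" if cfg.get("interface_mode") else "policy"
    if not 1 <= len(cfg["name"]) <= NAME_MAX[mode]:
        problems.append(f"name: must be 1 to {NAME_MAX[mode]} characters "
                        f"for a {mode}-based VPN")
    problems += check_spi("local_spi", cfg["local_spi"])
    problems += check_spi("remote_spi", cfg["remote_spi"])
    if cfg["encryption"] == "NULL" and cfg["authentication"] == "NULL":
        problems.append("encryption and authentication cannot both be NULL")
    problems += check_key("encryption_key", cfg["encryption"],
                          cfg.get("encryption_key", ""), ENC_KEY_HEX_LEN)
    problems += check_key("authentication_key", cfg["authentication"],
                          cfg.get("authentication_key", ""), AUTH_KEY_HEX_LEN)
    return problems


def check_peer_pair(local, remote):
    """Cross-check both ends: each side's Local SPI must equal the other
    side's Remote SPI, and algorithms and keys must be identical."""
    problems = []
    if _hex_digits(local["local_spi"]) != _hex_digits(remote["remote_spi"]):
        problems.append("Local SPI here does not match Remote SPI at the peer")
    if _hex_digits(local["remote_spi"]) != _hex_digits(remote["local_spi"]):
        problems.append("Remote SPI here does not match Local SPI at the peer")
    for field in ("encryption", "authentication"):
        if local[field] != remote[field]:
            problems.append(f"{field} algorithm differs between the peers")
    for field in ("encryption_key", "authentication_key"):
        if _hex_digits(local.get(field, "")) != _hex_digits(remote.get(field, "")):
            problems.append(f"{field} differs between the peers")
    return problems


# Constructed sample data: a matching pair of peers and one broken definition.
SITE_A = {
    "name": "hq-to-branch", "interface_mode": True,
    "local_spi": "0x1000", "remote_spi": "0x2000",
    "encryption": "AES128",
    "encryption_key": "0123456789abcdef fedcba9876543210",
    "authentication": "SHA1",
    "authentication_key": "0123456789abcdef 0123456789abcdef 01234567",
}
SITE_B = dict(SITE_A, name="branch-to-hq", local_spi="0x2000", remote_spi="0x1000")
BROKEN = dict(SITE_A, name="x" * 20, local_spi="0xff", encryption="NULL",
              encryption_key="", authentication="NULL", authentication_key="")

if __name__ == "__main__":
    print("site A:", validate_manual_key(SITE_A) or "ok")
    print("broken:", validate_manual_key(BROKEN))
    print("pair:  ", check_peer_pair(SITE_A, SITE_B) or "ok")
```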
3 Configure other settings as required.
4 Select OK.

Internet browsing configuration

To configure a route-based VPN
1 Go to Firewall > Policy.
2 Select Create New and enter the following information.

Source Interface/Zone: Select the IPSec interface.
Source Address: Select All.
Destination Interface/Zone: Select the FortiGate unit public interface.
Destination Address: Select All.
Action
NAT

Concentrator
In a hub-and-spoke configuration, policy-based VPN connections to a number of remote peers radiate from a single, central FortiGate unit. Site-to-site connections between the remote peers do not exist; however, you can establish VPN tunnels between any two of the remote peers through the FortiGate unit hub.

In a hub-and-spoke network, all VPN tunnels terminate at the hub. The peers that connect to the hub are known as spokes. The hub functions as a concentrator on the network, managing all VPN connections between the spokes. VPN traffic passes from one tunnel to the other through the hub.

You define a concentrator to include spokes in the hub-and-spoke configuration. To define a concentrator, go to VPN > IPSEC > Concentrator. For detailed information and step-by-step procedures about how to set up a hub-and-spoke configuration, see the FortiGate IPSec VPN User Guide.
Figure 372: Concentrator list

Create New: Define a new concentrator for an IPSec hub-and-spoke configuration. For more information, see Defining concentrator options on page 617.
Concentrator Name: The names of existing IPSec VPN concentrators.
Members: The tunnels that are associated with the concentrators.
Delete and Edit icons: Delete or edit a concentrator.

Defining concentrator options

Concentrator Name: Type a name for the concentrator.
Available Tunnels: A list of defined IPSec VPN tunnels. Select a tunnel from the list and then select the right arrow. Repeat these steps until all of the tunnels associated with the spokes are included in the concentrator.
Members: A list of tunnels that are members of the concentrator. To remove a tunnel from the concentrator, select the tunnel and select the left arrow.
Monitoring VPNs
You can use the IPSec monitor to view activity on IPSec VPN tunnels and start or stop those tunnels. The display provides a list of addresses, proxy IDs, and timeout information for all active tunnels, including tunnel mode and route-based (interface mode) tunnels. You can use filters to control the information displayed in the list. For more information, see Adding filters to web-based manager lists on page 57. To view active tunnels, go to VPN > IPSec > Monitor.
Figure 374: IPSec Monitor list

All / Dialup / Static IP or Dynamic DNS: Select the types of VPN to display.
Column Settings: Customize the table view. You can select the columns to hide or display and specify the column displaying order in the table. For more information, see Using column settings to control the columns displayed on page 61 and Web-based manager icons on page 63.
Current Page: The current page number of list items that are displayed. Select the left and right arrows to display the first, previous, next or last page of monitored VPNs.
Filter icons: Edit the column filters to filter or sort the IPSec monitor list according to the criteria you specify. For more information, see Adding filters to web-based manager lists on page 57.
Clear All Filters: Select to clear any column display filters you might have applied.
Name: The name of the phase 1 configuration for the VPN.
Remote Gateway: The public IP address of the remote host device, or if a NAT device exists in front of the remote host, the public IP address of the NAT device.
Remote Port: The UDP port of the remote host device, or if a NAT device exists in front of the remote host, the UDP port of the NAT device. Zero (0) indicates that any port can be used.
Proxy ID Source: The IP addresses of the hosts, servers, or private networks behind the FortiGate unit. The page may display a network range if the source address in the firewall encryption policy was expressed as a range of IP addresses.
Proxy ID Destination: When a FortiClient dialup client establishes a tunnel: if VIP addresses are not used, the Proxy ID Destination field displays the public IP address of the remote host Network Interface Card (NIC); if VIP addresses were configured (manually or through FortiGate DHCP relay), the Proxy ID Destination field displays either the VIP address belonging to the FortiClient dialup client, or the subnet address from which VIP addresses were assigned. When a FortiGate dialup client establishes a tunnel, the Proxy ID Destination field displays the IP address of the remote private network.
Status: A green arrow means the tunnel is currently processing traffic. Select to bring down the tunnel. A red arrow means the tunnel is not processing traffic. Select to bring up the tunnel.
For Dialup VPNs, the list provides status information about the VPN tunnels established by dialup clients, including their IP addresses. The number of tunnels shown in the list can change as dialup clients connect and disconnect. For Static IP or dynamic DNS VPNs, the list provides status and IP addressing information about VPN tunnels, active or not, to remote peers that have static IP addresses or domain names. You can also start and stop individual tunnels from the list.
PPTP VPN
FortiGate units support PPTP to tunnel PPP traffic between two VPN peers. Windows or Linux PPTP clients can establish a PPTP tunnel with a FortiGate unit that has been configured to act as a PPTP server. As an alternative, you can configure the FortiGate unit to forward PPTP packets to a PPTP server on the network behind the FortiGate unit. PPTP VPN is available only in NAT/Route mode. The current maximum number of PPTP sessions is 254.

If you enable virtual domains (VDOMs) on the FortiGate unit, you need to configure VPN PPTP separately for each virtual domain. For more information, see Using virtual domains on page 125.

When you intend to use the FortiGate unit as a PPTP gateway, you can select a PPTP client IP from a local address range or use the server defined in the PPTP user group. You select which method to use for IP address retrieval and, in the case of the user group server, provide the IP address and the user group.

This section explains how to specify a range of IP addresses for PPTP clients or configure the PPTP client-side IP address to be used in the tunnel setup. For information about how to perform other related PPTP VPN setup tasks, see the FortiGate PPTP VPN User Guide.
Note: The PPTP feature is disabled by default in the FortiGate web-based manager. You configure the PPTP tunnel configuration by creating a customized FortiGate screen.
This section describes:
- PPTP configuration using FortiGate web-based manager
- PPTP configuration using CLI commands
PPTP configuration using FortiGate web-based manager

For information about creating customized screens in the FortiGate web-based manager, see Customizable web-based manager on page 268.

PPTP requires two IP addresses, one for each end of the tunnel. The PPTP address range is the range of addresses reserved for remote PPTP clients. When the remote PPTP client establishes a connection, the FortiGate unit assigns an IP address from the reserved range of IP addresses to the client PPTP interface or retrieves the assigned IP address from the PPTP user group. If you use the PPTP user group, you must also define the FortiGate end of the tunnel by entering the IP address of the unit in Local IP (web-based manager) or local-ip (CLI). The PPTP client uses the assigned IP address as its source address for the duration of the connection.

To enable PPTP and specify the PPTP address range or specify the IP address for the peer's remote IP on the PPTP client side, go to the customized screen in the web-based manager, select the required options, and then select Apply.
Note: The start and end IPs in the PPTP address range must be in the same 24-bit subnet, e.g. 192.168.1.1 - 192.168.1.254.
Figure 376: Edit PPTP range options, showing both Range and User Group

Enable PPTP: Enable PPTP. You must add a user group before you can select the option. See User Group on page 658.
Range / User Group: Select how PPTP users are assigned an IP address.
    Range: Users' IP addresses are assigned from the range of IP addresses configured by Starting IP and Ending IP.
    User Group: Users' IP addresses are assigned by the user group used to authenticate the user. Select the user group. See Dynamically assigning VPN client IP addresses from a user group on page 665.
Starting IP: Type the starting address in the range of reserved IP addresses.
Ending IP: Type the ending address in the range of reserved IP addresses.
Local IP: Type the IP address to be used for the peer's remote IP on the PPTP client side.
User Group: Select the PPTP user group from the list.
Disable PPTP: Select to disable PPTP support.
PPTP configuration using CLI commands

Syntax

    config vpn pptp
        set eip <address_ipv4>
        set ip-mode {range | usrgrp}
        set local-ip <address_localip>
        set sip <address_ipv4>
        set status {disable | enable}
        set usrgrp <group_name>
    end

Variables

eip <address_ipv4>: The ending address of the PPTP address range. Default: 0.0.0.0
ip-mode {range | usrgrp}: Select one of:
    range: Assign user IP addresses from the IP address range configured by sip and eip.
    usrgrp: Retrieve the IP address from the user group used to authenticate the user. Select the user group in usrgrp.
    Default: range
local-ip <address_localip>: Enter the IP address to be used for the peer's remote IP on the PPTP client side. Default: 0.0.0.0
sip <address_ipv4>: The starting address of the PPTP address range. Default: 0.0.0.0
status {disable | enable}: Enable or disable PPTP VPN.
usrgrp <group_name>: This keyword is available when ip-mode is set to usrgrp. Enter the name of the user group for authenticating PPTP clients. The user group must be added to the FortiGate configuration before it can be specified here. Default: Null
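As an added example (not FortiGate code), the following Python parses a config vpn pptp block written in the syntax above and checks it against the rules this section states: both ends of a range must lie in the same 24-bit subnet, the range cannot exceed the 254-session maximum, and usrgrp mode needs a user group and a local-ip. The checks are this example's reading of the text and the sample blocks are constructed.

```python
"""Parse a `config vpn pptp` block in the syntax shown above and check it
against the rules stated on this page: both ends of a range in one 24-bit
subnet, at most 254 sessions, and a user group plus local-ip when ip-mode is
usrgrp. Added example, not FortiGate code; the checks are this example's
reading of the text and the sample blocks are constructed."""
import ipaddress

KEYWORDS = {"eip", "ip-mode", "local-ip", "sip", "status", "usrgrp"}
# Defaults from the Variables table; status has no default listed there.
DEFAULTS = {"eip": "0.0.0.0", "ip-mode": "range", "local-ip": "0.0.0.0",
            "sip": "0.0.0.0", "usrgrp": None}
MAX_SESSIONS = 254


def parse_pptp_block(text):
    """Return {keyword: value} for one `config vpn pptp ... end` block,
    starting from the documented defaults; unknown lines are rejected."""
    settings = dict(DEFAULTS)
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "config vpn pptp":
            inside = True
        elif line == "end" and inside:
            inside = False
        elif inside and line.startswith("set "):
            parts = line.split(None, 2)
            if len(parts) != 3 or parts[1] not in KEYWORDS:
                raise ValueError(f"unsupported line: {line}")
            settings[parts[1]] = parts[2].strip('"')
        else:
            raise ValueError(f"unexpected line: {line}")
    if inside:
        raise ValueError("block not closed with 'end'")
    return settings


def check_pptp(settings):
    """All rule violations found in a parsed block ([] means consistent)."""
    problems = []
    if settings.get("status") not in ("enable", "disable"):
        problems.append("status: must be set to enable or disable")
    mode = settings["ip-mode"]
    if mode == "range":
        try:
            sip = ipaddress.IPv4Address(settings["sip"])
            eip = ipaddress.IPv4Address(settings["eip"])
        except ValueError as exc:
            return problems + [f"sip/eip: {exc}"]
        if settings["sip"] == "0.0.0.0" or settings["eip"] == "0.0.0.0":
            problems.append("sip and eip must both be set when ip-mode is range")
        elif sip > eip:
            problems.append("sip must not be greater than eip")
        elif (int(sip) >> 8) != (int(eip) >> 8):
            problems.append("sip and eip must lie in the same 24-bit subnet")
        elif int(eip) - int(sip) + 1 > MAX_SESSIONS:
            problems.append(f"range holds more than {MAX_SESSIONS} addresses, "
                            "the PPTP session maximum")
    elif mode == "usrgrp":
        if not settings.get("usrgrp"):
            problems.append("usrgrp: a user group is required when ip-mode is usrgrp")
        if settings["local-ip"] == "0.0.0.0":
            problems.append("local-ip: the FortiGate end of the tunnel must be set "
                            "when addresses come from the user group")
    else:
        problems.append(f"ip-mode: unknown value {mode!r}")
    return problems


# Constructed sample blocks, not taken from a real unit.
RANGE_OK = """
config vpn pptp
    set status enable
    set ip-mode range
    set sip 192.168.1.1
    set eip 192.168.1.254
end
"""
RANGE_SPLIT = RANGE_OK.replace("192.168.1.254", "192.168.2.254")
USRGRP_OK = """
config vpn pptp
    set status enable
    set ip-mode usrgrp
    set usrgrp "pptp_users"
    set local-ip 192.168.1.1
end
"""
USRGRP_INCOMPLETE = "config vpn pptp\nset status enable\nset ip-mode usrgrp\nend"

if __name__ == "__main__":
    for name in ("RANGE_OK", "RANGE_SPLIT", "USRGRP_OK", "USRGRP_INCOMPLETE"):
        print(name, check_pptp(parse_pptp_block(globals()[name])) or "ok")
```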
SSL VPN
An SSL VPN (Secure Sockets Layer virtual private network) is a form of VPN that can be used with a standard Web browser. SSL VPN does not require the installation of specialized client software on end users' computers, and is ideal for applications including web-based email, business and government directories, file sharing, remote backup, remote system management, and consumer-level electronic commerce. The two modes of SSL VPN operation (supported in NAT/Route mode only) are:
- web-only mode, for thin remote clients equipped with a web browser only.
- tunnel mode, for remote computers that run a variety of client and server applications.
When the FortiGate unit provides services in web-only mode, a secure connection between the remote client and the FortiGate unit is established through the SSL VPN security in the FortiGate unit and the SSL security in the web browser. After the connection has been established, the FortiGate unit provides access to selected services and network resources through a web portal. The FortiGate SSL VPN web portal has a widget-based layout with customizable themes. Each widget is displayed in a 1- or 2-column format with the ability to modify settings, minimize the widget window, or other functions depending on the type of content within the widget.

When users have complete administrative rights over their computers and use a variety of applications, tunnel mode allows remote clients to access the local internal network as if they were connected to the network directly.

This section provides information about the features of SSL VPN available for configuration in the web-based manager. Only FortiGate units that run in NAT/Route mode support the SSL VPN feature. If you enable virtual domains (VDOMs) on the FortiGate unit, VPN SSL is configured separately for each virtual domain. For details, see Using virtual domains on page 125.
Note: For detailed instructions about how to configure web-only mode or tunnel-mode operation, see the FortiGate SSL VPN User Guide.
This section describes:
- ssl.root
- Configuring SSL VPN
- SSL VPN web portal
- Configuring web portal layout
- Configuring the virtual desktop
- Virtual Desktop Application Control
- Host Check list
- SSL VPN monitor list
ssl.root
The FortiGate unit has a virtual SSL VPN interface called ssl.<vdomname>. For the root VDOM this interface is called ssl.root, and it appears in the firewall policy interface lists and static route interface lists. You can use the ssl.root interface to allow access to additional networks and facilitate a connected user's ability to browse the Internet through the FortiGate unit.

SSL VPN tunnel-mode access requires the following firewall policies:
- External > Internal, with the action set to SSL, with an SSL user group
- ssl.root > Internal, with the action set to Accept
- Internal > ssl.root, with the action set to Accept

Access also requires a new static route: Destination network - <ssl tunnel mode assigned range>, interface ssl.root.

If you are configuring Internet access through an SSL VPN tunnel, you must add the following configuration:
- ssl.root > External, with the action set to Accept, NAT enabled.

Configuring SSL VPN

To enable SSL VPN connections and configure SSL VPN settings, go to VPN > SSL > Config and select Enable SSL-VPN. When you have completed configuring the settings, select Apply.
Figure 377: SSL-VPN Settings
Enable SSL-VPN: Select to enable SSL VPN connections.
Tunnel IP Range: Select Edit to select the range or subnet firewall addresses that represent IP address ranges reserved for tunnel-mode SSL VPN clients. If the appropriate addresses do not exist, go to Firewall > Address to create them. You cannot add the all firewall address or a FQDN firewall address. You also cannot add an address group that includes the all firewall address or a FQDN address.
Server Certificate: Select the signed server certificate to use for authentication purposes. If you leave the default setting (Self-Signed), the FortiGate unit offers its factory installed (self-signed) certificate from Fortinet to remote clients when they connect.
Require Client Certificate: If you want to enable the use of group certificates for authenticating remote clients, select the check box. Afterward, when the remote client initiates a connection, the FortiGate unit prompts the client for its client-side certificate as part of the authentication process.
Encryption Key Algorithm: Select the algorithm for creating a secure SSL connection between the remote client web browser and the FortiGate unit.
    Default - RC4(128 bits) and higher: If the web browser on the remote client can match a cipher suite greater than or equal to 128 bits, select this option.
    High - AES(128/256 bits) and 3DES: If the web browser on the remote client can match a high level of SSL encryption, select this option to enable cipher suites that use more than 128 bits to encrypt data.
    Low - RC4(64 bits), DES and higher: If you are not sure which level of SSL encryption the remote client web browser supports, select this option to enable a cipher suite greater than or equal to 64 bits.
Idle Timeout: Type the period of time (in seconds) to control how long the connection can remain idle before the system forces the user to log in again. The range is from 10 to 28800 seconds. You can also set the value to 0 to have no idle connection timeout. This setting applies to the SSL VPN session. The interface does not time out when web application sessions or tunnels are up.
Advanced (DNS and WINS Servers)
    DNS Server #1, DNS Server #2: Enter up to two DNS Servers to be provided for the use of clients.
    WINS Server #1, WINS Server #2: Enter up to two WINS Servers to be provided for the use of clients.
Apply: Select to save and apply settings.
SSL VPN web portal

- Configuring web portal layout
- Session Information widget
- Bookmarks widget
- Connection Tool widget
- Tunnel Mode widget
To use a default SSL VPN web portal configuration, select the Edit icon next to the web portal in the Portal list. The SSL VPN web portal that you select will open.
Figure 378: Default web portals Edit button
- Name of the web portal configuration.
- Select the abbreviated name of the server applications or network services clients can use.
- Enter the caption that appears at the top of the web portal home page.
- Select the color scheme for the web portal home page from the list.
- Select the one- or two-column page format for the web portal home page.

OK/Cancel: Select OK to save the configuration, or Cancel to exit the configuration window without saving any changes. If you select OK, the main portal configuration window appears.
Configuring the virtual desktop

To enable virtual desktop
1 Go to VPN > SSL > Portal and select the Edit icon for the web portal.
2 Select the Settings button.
3 Select the Virtual Desktop tab.
4 Select Enable Virtual Desktop.

Figure 380: Configuring Virtual Desktop

Allow network share access: Enable to allow the user to copy files between the virtual desktop and network drives.
Allow printing: Enable to allow the user to use printers from the virtual desktop.
Quit the virtual desktop and logout session when browser is closed: By default, the virtual desktop remains in effect even if the user closes the browser. Enable to automatically close the virtual desktop and log out if the user closes the browser.
Application Control List: Optionally, select an application control list. This controls which applications the user can run on the virtual desktop. See Virtual Desktop Application Control.

5 Select OK.
OK: Select to save the configuration. If you select OK, you exit the SSL VPN web portal configuration window.
Cancel: Select to exit the configuration window without saving any changes.
Apply: Select to apply any changes made in the web portal configuration. If you select Apply, you will not leave the portal configuration window.
Settings: Select to edit the General or Advanced settings for the SSL VPN web portal. See SSL VPN web portal on page 627.
Help: Indicates the location of the SSL VPN web portal online help icon. You cannot change or move this icon. Active when the SSL VPN web portal is activated by a user.
Log out: Indicates the location of the SSL VPN web portal log out icon. You cannot change or move this icon. Active when the SSL VPN web portal is activated by a user.
Add Widget list: Select to add a widget to the SSL VPN web portal configuration.
Session Information: Displays the login name of the user, the amount of time the user has been logged in, and the inbound and outbound traffic of HTTP and HTTPS.
Bookmarks: Displays configured bookmarks, and allows for the addition of new bookmarks and editing of existing bookmarks.
Connection Tool: Enter the URL or IP address for a connection tool application/server (selected when configuring the Connection Tool). You can also check connectivity to a host or server on the network behind the FortiGate unit by selecting the Type Ping.
Tunnel Mode: Displays tunnel information and actions in user mode. The administrator can configure a split-tunneling option.

Session Information widget

Edit: Select to edit the information in the widget.
Remove widget: Select to close the widget and remove it from the web portal home page.
OK: Select to save the Session Information configuration.
Cancel: Select to exit the Session Information widget without saving any changes.
Name: Enter a customized name for the Session Information widget.
Bookmarks widget
Bookmarks are used as links to specific resources on the network. When a bookmark is selected from a bookmark list, a pop-up window appears with the requested web page. Telnet, VNC, and RDP all pop up a window that requires a browser plug-in. FTP and Samba replace the bookmarks page with an HTML file-browser.

A web bookmark can include login credentials to automatically log the SSL VPN user into the web site. This means that once the user logs into the SSL VPN, he or she does not have to enter any more credentials to visit preconfigured web sites. When the administrator configures bookmarks, the web site credentials must be the same as the user's SSL VPN credentials. Users configuring their own bookmarks can specify alternative credentials for the web site.

To configure the Bookmarks widget
1 Open the web portal.
2 If the Bookmarks widget is missing, add it by selecting Bookmarks from the Add Widget list in the top right corner of the web portal window.
3 Select the Edit icon in the Bookmarks widget title bar.
4 Optionally, you can change the Name of the Bookmarks widget.
5 Select the Applications check boxes for the types of bookmarks that you want to support.
6 Select OK.

To add or edit bookmarks
1 Open the web portal.
2 In the Bookmarks widget, do one of the following:
- To add a bookmark, select Add.
- To edit an existing bookmark, select the Edit button and then select the bookmark.
3 Enter or edit the following information:
Name: Enter a name for the bookmark.
Type: Select the type of application to which the bookmark links. For example, select HTTP/HTTPS for a web site. Only the application types that you configured for this widget are in the list. You can select Edit in the widget title bar to enable additional application types. See To configure the Bookmarks widget.
Location: Enter the destination of the bookmark. For HTTP, enter the URL or just the hostname. For HTTPS, enter the URL. For RDP, VNC, Telnet or SSH, enter the hostname. For FTP or SMB, enter the hostname or //<hostname>/<path>.
Description: Optionally, enter a descriptive tooltip for the bookmark.
SSO: A Single Sign-On (SSO) bookmark automatically enters the login credentials for the bookmark destination. Select one of:
    Disabled: This is not an SSO bookmark.
    Automatic: Use the user's SSL VPN credentials for login.
    Static: Use the login credentials defined below.
Field Name: Enter a required login page field name, User Name for example.
Value: Enter the value to enter in the field identified by Field Name. If you are an administrator configuring a bookmark for users: enter %usrname% to represent the user's SSL VPN user name, and enter %passwd% to represent the user's SSL VPN password.
Add: Enter another Field Name / Value pair, for the password, for example. A new set of Field Name / Value fields is added. Fill them in.
4 Select OK.
5 If there is a Done button, you can select another bookmark to edit or select Done to leave the edit mode.
6 Select Apply at the top of the web portal page to save the changes that you made.
Figure 383: Using the Bookmarks widget to add a bookmark

Figure 384: Using the Bookmarks widget to edit a bookmark
To delete bookmarks
1 Open the web portal.
2 In the Bookmarks widget, select the Edit button.
3 Select the X to the right of the bookmark that you want to delete.
4 Select Done.
Connection Tool widget

To configure the Connection Tool widget
3 In the Connection Tool widget, select the Edit icon in the widget title bar.
4 Enter the following information:

Name: Optionally, enter a customized name for the Connection Tool widget.
Applications: Select the types of server applications or network services that will be available to users through the Connection Tool widget.
Type: Select the server/application that the FortiGate unit will use to establish a connection.

5 Select OK.

To use the Connection Tool widget
1 Open the web portal.
2 In the Connection Tool widget, from the Type list select the type of network service you want to use. The available types of network service depend on the widget configuration. See To configure the Connection Tool widget.
3 In the Host field, enter the URL, host name, or IP address as appropriate.
4 Select Go.
Tunnel Mode widget

User Group
IP Pools
Split tunneling

The remaining items in the widget are available to the user during an SSL VPN session.
FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20091022 http://docs.fortinet.com/ Feedback
To use the tunnel mode widget
When logged into the portal as an SSL VPN user:
1 View any of the following information:
- Link status: The state of the SSL VPN tunnel. Up: an SSL VPN tunnel with the FortiGate unit has been established. Down: there is no tunnel connection.
- The number of bytes of data transmitted from the client to the FortiGate unit since the tunnel was established.
- The number of bytes of data received by the client from the FortiGate unit since the tunnel was established.
- Detailed information about the tunnel connection, for example, Fortinet SSL VPN client connected to server.
Virtual Desktop Application Control

Create New: Add a new virtual desktop application control list.
Name: The names of the virtual desktop application control lists.
Action: The action configured for each virtual desktop application control list: Block the applications on this list and allow all others, or Allow the applications on this list and block all others.
Edit icon: Select Edit beside an existing application control list to modify it.
Delete icon: Delete an application control list.
Make a copy of an application control list. Make a copy and then modify it to create a new application control list.

Add: Add an application to the application control list.
Name: Enter the name of the application to be added to the application control list. This can be any name and does not have to match the official name of the application.
MD5 Signatures: Enter one or more known MD5 signatures for the application executable file. You can use a third-party utility to calculate MD5 signatures or hashes for any file. You can enter multiple signatures to match multiple versions of the application.
Host Check list

Host check list and software entries

Create New: Add a new application to the host check list.
Name: The name of the applications added to the host check list. The name does not need to match the actual application name.
Type: The type of host check application. Can be AV for antivirus or FW for firewall.
Version: The version of the host check application.
Edit icon: Select Edit beside an existing host check application to modify it.
Delete icon: Delete a host check application.
GUID: Enter the globally unique identifier (GUID) for the host check application. The GUID is usually in the form xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, where each x is a hexadecimal digit. Windows uses GUIDs to identify applications in the Windows Registry. If you do not know the GUID, add alternative checks for the application. The host check software is considered found only if all checks succeed.
Type: Select how to check for the application:
  File: Look for a file. This could be the application's executable file or any other file that would confirm the presence of the application. In File/Path, enter the full path to the file. Where applicable, you can use environment variables enclosed in percent (%) marks. For example, %ProgramFiles%\Fortinet\FortiClient\FortiClient.exe.
  Process: Look for the application as a running process. In Process, enter the application's executable file name.
  Registry: Search for a Windows Registry entry. In Registry, enter a registry item, for example HKLM\SOFTWARE\Fortinet\FortiClient\Misc.
Action: Select one of:
  Require: If the item is found, the client meets the check item condition.
  Deny: If the item is found, the client is considered to not meet the check item condition. Use this option if it is necessary to prevent use of a particular security product.
MD5 Signatures: If Type is File or Process, enter one or more known MD5 signatures for the application executable file. You can use a third-party utility to calculate MD5 signatures or hashes for any file. You can enter multiple signatures to match multiple versions of the application.
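The following is an added example, not Fortinet code, showing how the host check rules above combine: every item must succeed, Require and Deny invert the meaning of "found", and for File and Process checks the executable must hash to one of the configured MD5 signatures. The host snapshot, the file contents, the hashes and the banned-product path are constructed test data standing in for what the client would inspect locally.

```python
"""Added example (not Fortinet code): evaluating SSL VPN host check items the
way the guide describes them. Every item must succeed, Require and Deny
invert the meaning of "found", and MD5 signatures (File and Process checks)
must match one of the configured hashes. The host snapshot is constructed
test data standing in for what the client would inspect locally."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class CheckItem:
    kind: str                                   # "file", "process" or "registry"
    target: str                                 # File/Path, Process name or Registry item
    action: str = "require"                     # "require" or "deny"
    md5_signatures: List[str] = field(default_factory=list)


@dataclass
class HostSnapshot:
    files: Dict[str, bytes]                     # full path -> file contents
    processes: Dict[str, bytes]                 # executable name -> image contents
    registry: List[str]                         # registry items present
    env: Dict[str, str]                         # variables for %VAR% expansion


def expand_env(path: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references such as %ProgramFiles%."""
    for name, value in env.items():
        path = path.replace(f"%{name}%", value)
    return path


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def item_found(item: CheckItem, host: HostSnapshot) -> bool:
    """True if the configured item is present (and, where signatures are
    configured, the executable hashes to one of them)."""
    if item.kind == "registry":
        wanted = item.target.lower()
        return any(r.lower() == wanted for r in host.registry)
    if item.kind == "file":
        table = {p.lower(): data for p, data in host.files.items()}
        blob = table.get(expand_env(item.target, host.env).lower())
    elif item.kind == "process":
        table = {n.lower(): data for n, data in host.processes.items()}
        blob = table.get(item.target.lower())
    else:
        raise ValueError(f"unknown check kind: {item.kind!r}")
    if blob is None:
        return False
    if item.md5_signatures:                     # any listed version is acceptable
        return md5_hex(blob) in {s.lower() for s in item.md5_signatures}
    return True


def item_passes(item: CheckItem, host: HostSnapshot) -> bool:
    found = item_found(item, host)
    return found if item.action == "require" else not found


def host_check(items: List[CheckItem], host: HostSnapshot) -> bool:
    """The host check software is considered found only if all checks succeed."""
    return all(item_passes(i, host) for i in items)


# Constructed sample data: two "versions" of an executable and their hashes.
IMAGE_V1 = b"constructed FortiClient image, version 1"
IMAGE_V2 = b"constructed FortiClient image, version 2"
KNOWN_MD5 = [md5_hex(IMAGE_V1), md5_hex(IMAGE_V2)]
FCT_PATH = r"C:\Program Files\Fortinet\FortiClient\FortiClient.exe"
BANNED_PATH = r"C:\Program Files\ExampleVendor\banned.exe"   # hypothetical product

CHECKS = [
    CheckItem("file", r"%ProgramFiles%\Fortinet\FortiClient\FortiClient.exe", "require", KNOWN_MD5),
    CheckItem("process", "FortiClient.exe", "require", KNOWN_MD5),
    CheckItem("registry", r"HKLM\SOFTWARE\Fortinet\FortiClient\Misc"),
    CheckItem("file", BANNED_PATH, "deny"),     # Deny: presence fails the check
]

COMPLIANT = HostSnapshot(
    files={FCT_PATH: IMAGE_V2},
    processes={"forticlient.exe": IMAGE_V2},
    registry=[r"HKLM\SOFTWARE\Fortinet\FortiClient\Misc"],
    env={"ProgramFiles": r"C:\Program Files"},
)


def evaluate_scenarios() -> Dict[str, bool]:
    """Run the same checks against a compliant host and two non-compliant ones."""
    tampered = HostSnapshot(files={FCT_PATH: b"constructed modified image"},
                            processes={"forticlient.exe": b"constructed modified image"},
                            registry=COMPLIANT.registry, env=COMPLIANT.env)
    banned = HostSnapshot(files={**COMPLIANT.files, BANNED_PATH: b"x"},
                          processes=COMPLIANT.processes,
                          registry=COMPLIANT.registry, env=COMPLIANT.env)
    return {
        "compliant": host_check(CHECKS, COMPLIANT),
        "unknown_binary_hash": host_check(CHECKS, tampered),
        "denied_product_present": host_check(CHECKS, banned),
    }
```

The second scenario is the reason the signature list exists: a file that sits at the expected path but does not hash to a known version is treated as not found, so a modified or unexpected build fails the check even though the path and process name are right.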
No.: The connection identifiers.
User: The user names of all connected remote users.
Source IP: The IP addresses of the host devices connected to the FortiGate unit.
Begin Time: The starting time of each connection.
Description: For an SSL VPN tunnel subsession, the client's assigned tunnel IP address is shown.
Action: Select action to apply to current SSL VPN tunnel session or subsession.
Delete icon: Delete the current session or subsession.
User
This section explains how to set up user accounts, user groups, and external authentication servers. You can use these components of user authentication to control access to network resources.
If you enable virtual domains (VDOMs) on the FortiGate unit, user authentication is configured separately for each virtual domain. For details, see Using virtual domains on page 125.
This section describes:
- Getting started - User authentication
- Local user accounts
- Remote
- RADIUS
- LDAP
- TACACS+
- PKI
- Directory Service
- User Group
- Options
- Monitor
- NAC quarantine and the Banned User list
You can configure your FortiGate unit to authenticate system administrators with your FortiGate unit, using RADIUS, LDAP and TACACS+ servers and with certificate-based authentication using PKI. For more information, see System Admin on page 241. You can change the authentication timeout value or select the protocol supported for Firewall authentication. For more information, see Options on page 667. You can view lists of currently authenticated users, authenticated IM users, and banned users. For more information, see Monitor on page 668. For each network resource that requires authentication, you specify which user groups are permitted access to the network. There are three types of user groups: Firewall, Directory Service, and SSL VPN. For more information, see Firewall user groups on page 659, Directory Service user groups on page 660, and SSL VPN user groups on page 660.
Type: The authentication type to use for this user. The authentication types are Local (user and password stored on FortiGate unit), LDAP, RADIUS, and TACACS+ (user and password matches a user account stored on the authentication server).
Delete icon: Delete the user. The delete icon is not available if the user belongs to a user group.
Edit icon: Edit the user account.
Note: Deleting the user name deletes the authentication configured for the user.
To add a Local user, go to User > Local, select Create New, and enter or select the following:
Figure 390: Local user
User Name: A name that identifies the user.
Disable: Select to prevent this user from authenticating.
Password: Select to authenticate this user using a password stored on the FortiGate unit and then enter the password. The password should be at least six characters.
LDAP: Select to authenticate this user using a password stored on an LDAP server. Select the LDAP server from the list. You can select only an LDAP server that has been added to the FortiGate LDAP configuration. For more information, see LDAP on page 649.
RADIUS: Select to authenticate this user using a password stored on a RADIUS server. Select the RADIUS server from the list. You can select only a RADIUS server that has been added to the FortiGate RADIUS configuration. For more information, see RADIUS on page 647.
TACACS+: Select to authenticate this user using a password stored on a TACACS+ server. Select the TACACS+ server from the list. You can select only a TACACS+ server that has been added to the FortiGate TACACS+ configuration. For more information, see TACACS+ on page 652.
Create New: Add a new user to the list.
Protocol (filter): Filter the list by selecting a protocol: AIM, ICQ, MSN, Yahoo, or All.
Policy (filter): Filter the list by selecting a policy: Allow, Block, or All.
Protocol: The protocol associated with the user.
Username: The name selected by the user when registering with an IM protocol. The same user name can be used for multiple IM protocols. Each user name/protocol pair appears separately in the list.
Policy: The policy applied to the user when attempting to use the protocol: Block or Deny.
Edit icon: Change the following user information: Protocol, Username, and Policy.
Delete icon: Permanently remove users from the User List.
To add an IM user, go to User > Local > IM, select Create New, and enter or select the following:
Figure 392: Edit User dialog
Protocol: Select a protocol from the dropdown list: AIM, ICQ, MSN, or Yahoo!.
Username: Enter a name for the user.
Policy: Select a policy from the dropdown list: Allow or Block.
The IM user monitor list displays information about instant messaging users who are currently connected. For more information, see IM user monitor list on page 669.
If you want to block a protocol that is older than the ones listed above, use the CLI command:
config imp2p old-version
For more information, see the FortiGate CLI Reference.
Remote
Remote authentication is generally used to ensure that employees working offsite can remotely access their corporate network with appropriate security measures in place.
In general terms, authentication is the process of attempting to verify the (digital) identity of the sender of a communication such as a login request. The sender may be someone using a computer, the computer itself, or a computer program. Since a computer system should be used only by those who are authorized to do so, there must be a measure in place to detect and exclude any unauthorized access.
On a FortiGate unit, you can control access to network resources by defining lists of authorized users, called user groups. To use a particular resource, such as a network or VPN tunnel, the user must:
- belong to one of the user groups that is allowed access
- correctly enter a user name and password to prove his or her identity, if asked to do so.
RADIUS
Remote Authentication and Dial-in User Service (RADIUS) servers provide authentication, authorization, and accounting functions. FortiGate units use the authentication function of the RADIUS server. To use the RADIUS server for authentication, you must configure the server before you configure the FortiGate users or user groups that will need it.
If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the FortiGate unit sends the user's credentials to the RADIUS server for authentication. If the RADIUS server can authenticate the user, the user is successfully authenticated with the FortiGate unit. If the RADIUS server cannot authenticate the user, the FortiGate unit refuses the connection.
You can override the default authentication scheme by selecting a specific authentication protocol or changing the default port for RADIUS traffic.
Note: The default port for RADIUS traffic is 1812. If your RADIUS server is using port 1645, use the CLI to change the default RADIUS port. For more information, see the config system global command in the FortiGate CLI Reference.
To view the list of RADIUS servers, go to User > Remote > RADIUS.
Figure 393: Example RADIUS server list
Create New: Add a new RADIUS server. The maximum number is 10.
Name: Name that identifies the RADIUS server on the FortiGate unit.
Server Name/IP: Domain name or IP address of the RADIUS server.
Delete icon: Delete a RADIUS server configuration. You cannot delete a RADIUS server that has been added to a user group.
Edit icon: Edit a RADIUS server configuration.
The RADIUS server can use several different authentication protocols during the authentication process:
- MS-CHAP-V2 is the Microsoft challenge-handshake authentication protocol v2
- MS-CHAP is the Microsoft challenge-handshake authentication protocol v1
- CHAP (challenge-handshake authentication protocol) provides the same functionality as PAP, but does not send the password and other user information over the network to a security server
- PAP (password authentication protocol) is used to authenticate PPP connections. PAP transmits passwords and other user information in clear text (unencrypted).
If you have not selected a protocol, the default protocol configuration uses PAP, MSCHAPv2, and CHAP, in that order.
To add a new RADIUS server, go to User > Remote > RADIUS, select Create New, and enter or select the following:
Figure 394: RADIUS server configuration
Name: Enter the name that is used to identify the RADIUS server on the FortiGate unit.
Primary Server Name/IP: Enter the domain name or IP address of the primary RADIUS server.
Primary Server Secret: Enter the RADIUS server secret key for the primary RADIUS server. The primary server secret key should be a maximum of 16 characters in length.
Secondary Server Name/IP: Enter the domain name or IP address of the secondary RADIUS server, if you have one.
Secondary Server Secret: Enter the RADIUS server secret key for the secondary RADIUS server. The secondary server secret key should be a maximum of 16 characters in length.
Authentication Scheme: Select Use Default Authentication Scheme to authenticate with the default method. The default authentication scheme uses PAP, MSCHAP-V2, and CHAP, in that order. Select Specify Authentication Protocol to override the default authentication method, and choose the protocol from the list: MSCHAP-V2, MS-CHAP, CHAP, or PAP, depending on what your RADIUS server needs.
NAS IP address and Called Station ID: Enter the NAS IP address and Called Station ID (for more information about RADIUS Attribute 31, see RFC 2548 Microsoft Vendor-specific RADIUS Attributes). If you do not enter an IP address, the IP address that the FortiGate interface uses to communicate with the RADIUS server will be applied.
Include in every User Group: Select to have the RADIUS server automatically included in all user groups.
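To make the PAP versus CHAP distinction in the protocol list above concrete, here is an added example that is not Fortinet code and not part of this guide. It simulates both ends of each exchange in-process: PAP sends the password itself, while CHAP (RFC 1994) answers a one-time challenge with MD5(Identifier || Secret || Challenge), so a capture of the client-to-NAS leg reveals nothing reusable. The user name, password and credential store are constructed sample data; MS-CHAP variants are not modelled.

```python
"""Added example (not Fortinet code): what the PAP and CHAP options in the RADIUS
Authentication Scheme mean on the wire. PAP sends the password itself; CHAP
(RFC 1994) sends MD5(Identifier || Secret || Challenge) against a one-time
challenge. Both ends are simulated in-process with constructed credentials."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed credential store on the authenticating side. CHAP requires the
# server to hold the cleartext (or reversibly stored) password.
USER_DB: Dict[str, str] = {"alice": "constructed-example-password"}


# --- PAP ------------------------------------------------------------------
def pap_request(username: str, password: str) -> Dict[str, str]:
    """Client -> server: the password travels as-is (cleartext)."""
    return {"user": username, "password": password}


def pap_verify(msg: Dict[str, str]) -> bool:
    stored = USER_DB.get(msg["user"])
    return stored is not None and hmac.compare_digest(stored, msg["password"])


# --- CHAP -----------------------------------------------------------------
def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


class ChapAuthenticator:
    """Server side: remembers the outstanding challenge per user and accepts a
    response only for that challenge, so a captured response is single-use."""

    def __init__(self) -> None:
        self._outstanding: Dict[str, Tuple[int, bytes]] = {}

    def challenge(self, username: str) -> Tuple[int, bytes]:
        ident, chal = os.urandom(1)[0], os.urandom(16)
        self._outstanding[username] = (ident, chal)
        return ident, chal

    def verify(self, username: str, ident: int, response: bytes) -> bool:
        stored = USER_DB.get(username)
        pending: Optional[Tuple[int, bytes]] = self._outstanding.pop(username, None)
        if stored is None or pending is None or pending[0] != ident:
            return False
        expected = chap_response(ident, stored, pending[1])
        return hmac.compare_digest(expected, response)


def chap_login(server: ChapAuthenticator, username: str, password: str) -> Dict[str, object]:
    """Client side of one exchange; returns the message as it appears on the wire."""
    ident, chal = server.challenge(username)
    return {"user": username, "id": ident, "response": chap_response(ident, password, chal)}


def run_exchanges() -> Dict[str, bool]:
    """Compare what a passive observer of the client/NAS leg learns from each capture."""
    results: Dict[str, bool] = {}
    pap_msg = pap_request("alice", USER_DB["alice"])
    results["pap_accepts"] = pap_verify(pap_msg)
    results["pap_capture_reveals_password"] = pap_msg["password"] == USER_DB["alice"]
    results["pap_capture_reusable"] = pap_verify(pap_msg)        # same message still works

    server = ChapAuthenticator()
    chap_msg = chap_login(server, "alice", USER_DB["alice"])
    results["chap_accepts"] = server.verify("alice", chap_msg["id"], chap_msg["response"])
    results["chap_capture_reveals_password"] = any(v == USER_DB["alice"] for v in chap_msg.values())
    server.challenge("alice")                                    # next login: fresh challenge
    results["chap_capture_reusable"] = server.verify("alice", chap_msg["id"], chap_msg["response"])

    other = ChapAuthenticator()
    wrong = chap_login(other, "alice", "wrong-password")
    results["chap_rejects_wrong_password"] = not other.verify("alice", wrong["id"], wrong["response"])
    return results
```

Note that the RADIUS leg between the FortiGate unit and the RADIUS server is a separate matter: there the shared secret (the Primary/Secondary Server Secret above) protects the User-Password attribute, which is why the guide limits the secret length rather than the protocol choice.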
LDAP
Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain authentication data that may include departments, people, groups of people, passwords, email addresses, and printers. LDAP consists of a data-representation scheme, a set of defined operations, and a request/response network.
If you have configured LDAP support and require a user to authenticate using an LDAP server, the FortiGate unit contacts the LDAP server for authentication. To authenticate with the FortiGate unit, the user enters a user name and password. The FortiGate unit sends this user name and password to the LDAP server. If the LDAP server can authenticate the user, the FortiGate unit successfully authenticates the user. If the LDAP server cannot authenticate the user, the FortiGate unit refuses the connection.
The FortiGate unit supports LDAP protocol functionality defined in RFC 2251: Lightweight Directory Access Protocol v3, for looking up and validating user names and passwords. FortiGate LDAP supports all LDAP servers compliant with LDAP v3. In addition, FortiGate LDAP supports LDAP over SSL/TLS. To configure SSL/TLS authentication, refer to the FortiGate CLI Reference.
FortiGate LDAP support does not extend to proprietary functionality, such as notification of password expiration, that is available from some LDAP servers. Nor does the FortiGate LDAP supply information to the user about why authentication failed.
To view the list of LDAP servers, go to User > Remote > LDAP.
Create New: Add a new LDAP server. The maximum number is 10.
Name: The name that identifies the LDAP server on the FortiGate unit.
Server Port: The TCP port used to communicate with the LDAP server.
Server Name/IP: The domain name or IP address of the LDAP server.
Common Name Identifier: The common name identifier for the LDAP server. Most LDAP servers use cn. However, some servers use other common name identifiers such as uid.
Distinguished Name: The distinguished name used to look up entries on the LDAP server. The distinguished name reflects the hierarchy of LDAP database object classes above the common name identifier.
Delete icon: Delete the LDAP server configuration.
Edit icon: Edit the LDAP server configuration.
You can use simple authentication if the user records all fall under one dn. If the users are under more than one dn, use the anonymous or regular type, which can search the entire LDAP database for the required user name. If your LDAP server requires authentication to perform searches, use the regular type and provide values for user name and password.
To add an LDAP server, go to User > Remote > LDAP and select Create New. Enter the information below and select OK.
Name: Enter the name that identifies the LDAP server on the FortiGate unit.
Server Name/IP: Enter the domain name or IP address of the LDAP server.
Server Port: Enter the TCP port used to communicate with the LDAP server. By default, LDAP uses port 389. If you use a secure LDAP server, the default port changes when you select Secure Connection.
Common Name Identifier: Enter the common name identifier for the LDAP server. The maximum number of characters is 20.
Distinguished Name: Enter the base distinguished name for the server using the correct X.500 or LDAP format. The FortiGate unit passes this distinguished name unchanged to the server. The maximum number of characters is 512.
Query icon: View the LDAP server Distinguished Name Query tree for the LDAP server that you are configuring so that you can cross-reference to the Distinguished Name. For more information, see Using Query.
Bind Type: Select the type of binding for LDAP authentication.
  Regular: Connect to the LDAP server directly with user name/password, then receive accept or reject based on search of given values.
  Anonymous: Connect as an anonymous user on the LDAP server, then retrieve the user name/password and compare them to given values.
  Simple: Connect directly to the LDAP server with user name/password authentication.
Filter: Enter the filter to use for group searching. Available if Bind Type is Regular or Anonymous.
User DN: Enter the Distinguished name of the user to be authenticated. Available if Bind Type is Regular.
Password: Enter the password of the user to be authenticated. Available if Bind Type is Regular.
Secure Connection: Select to use a secure LDAP server connection for authentication.
Protocol: Select a secure LDAP protocol to use for authentication. Depending on your selection, the value in Server Port will change to the default port for the selected protocol. Available only if Secure Connection is selected.
  LDAPS: port 636
  STARTTLS: port 389
Certificate: Select a certificate to use for authentication from the list. The certificate list comes from CA certificates at System > Certificates > CA Certificates.
Using Query
The LDAP Distinguished Name Query list displays the LDAP Server IP address, and all the distinguished names associated with the Common Name Identifier for the LDAP server. The tree helps you to determine the appropriate entry for the DN field. To see the distinguished name associated with the Common Name identifier, select the Expand Arrow beside the CN identifier and then select the DN from the list. The DN you select is displayed in the Distinguished Name field. Select OK to save your selection in the Distinguished Name field of the LDAP Server configuration. To see the users within the LDAP Server user group for the selected Distinguished Name, select the Expand arrow beside the Distinguished Name in the LDAP Distinguished Name Query tree.
Figure 397: Example LDAP server Distinguished Name Query tree
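The following added example (not Fortinet code, and not from this guide) plays the three Bind Type options against a small in-memory directory so the difference described earlier is visible: Simple composes "<Common Name Identifier>=<user>,<Distinguished Name>" and binds with it, so it only succeeds when every user sits directly under the base DN; Anonymous and Regular search the subtree first (Regular after binding with the User DN and Password fields) and then bind as the DN they found. The directory contents, OUs, service account and passwords are constructed sample data, and the bind/search calls are simulations rather than a real LDAP client.

```python
"""Added example (not Fortinet code): the Simple, Anonymous and Regular bind
types from the LDAP server configuration, played against a small in-memory
directory so it runs offline. All DNs, OUs and passwords are constructed."""
from typing import Dict, List, Optional, Tuple

# Constructed directory: DN -> attributes. Users live under two different OUs.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "cn=alice,ou=engineering,dc=example,dc=com": {"cn": "alice", "userPassword": "alice-pass"},
    "cn=bob,ou=sales,dc=example,dc=com": {"cn": "bob", "userPassword": "bob-pass"},
    "cn=fgt-bind,ou=service,dc=example,dc=com": {"cn": "fgt-bind", "userPassword": "svc-pass"},
}
CN_IDENTIFIER = "cn"                 # Common Name Identifier; some servers use uid
ANONYMOUS_SEARCH_ALLOWED = True      # constructed server policy


def _under(dn: str, base: str) -> bool:
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def ldap_bind(dn: Optional[str], password: Optional[str]) -> bool:
    """Simulated bind. dn=None is an anonymous bind."""
    if dn is None:
        return True
    entry = DIRECTORY.get(dn.lower())
    return entry is not None and entry["userPassword"] == password


def ldap_search(base_dn: str, attr: str, value: str, authenticated: bool) -> List[str]:
    """Simulated subtree search for attr=value under base_dn; returns matching DNs."""
    if not authenticated and not ANONYMOUS_SEARCH_ALLOWED:
        return []
    return [dn for dn, e in DIRECTORY.items() if _under(dn, base_dn) and e.get(attr) == value]


def simple_bind_auth(user: str, pw: str, base_dn: str) -> Tuple[bool, str]:
    """Simple: no search, the user's DN is composed from the two fields."""
    dn = f"{CN_IDENTIFIER}={user},{base_dn}"
    return ldap_bind(dn, pw), dn


def anonymous_bind_auth(user: str, pw: str, base_dn: str) -> Tuple[bool, str]:
    """Anonymous: anonymous bind, subtree search, then bind as the found DN."""
    if not ldap_bind(None, None):
        return False, ""
    hits = ldap_search(base_dn, CN_IDENTIFIER, user, authenticated=False)
    if len(hits) != 1:                       # none or ambiguous: reject
        return False, ""
    return ldap_bind(hits[0], pw), hits[0]


def regular_bind_auth(user: str, pw: str, base_dn: str, svc_dn: str, svc_pw: str) -> Tuple[bool, str]:
    """Regular: bind with the configured User DN/Password, search, then bind as the user."""
    if not ldap_bind(svc_dn, svc_pw):
        return False, ""
    hits = ldap_search(base_dn, CN_IDENTIFIER, user, authenticated=True)
    if len(hits) != 1:
        return False, ""
    return ldap_bind(hits[0], pw), hits[0]


def run_cases() -> Dict[str, bool]:
    root = "dc=example,dc=com"
    eng = "ou=engineering,dc=example,dc=com"
    svc = ("cn=fgt-bind,ou=service,dc=example,dc=com", "svc-pass")
    return {
        # composed DN cn=alice,dc=example,dc=com does not exist: Simple fails
        "simple_root_dn_alice": simple_bind_auth("alice", "alice-pass", root)[0],
        "simple_eng_dn_alice": simple_bind_auth("alice", "alice-pass", eng)[0],
        # bob is under ou=sales, so an engineering base DN cannot reach him
        "simple_eng_dn_bob": simple_bind_auth("bob", "bob-pass", eng)[0],
        "anonymous_root_dn_bob": anonymous_bind_auth("bob", "bob-pass", root)[0],
        "regular_root_dn_bob": regular_bind_auth("bob", "bob-pass", root, *svc)[0],
        "regular_wrong_password": regular_bind_auth("bob", "nope", root, *svc)[0],
        "regular_bad_service_account": regular_bind_auth("bob", "bob-pass", root, svc[0], "bad")[0],
    }
```

The rejection on an ambiguous search result (more than one entry matching the Common Name Identifier) is a deliberate choice in this simulation: binding as "whichever entry came first" would let two differently privileged accounts with the same cn be confused for one another.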
TACACS+
In recent years, remote network access has shifted from terminal access to LAN access. Users connect to their corporate network (using notebooks or home PCs) with computers that use complete network connections and have the same level of access to the corporate network resources as if they were physically in the office. These connections are made through a remote access server. As remote access technology has evolved, the need for network access security has become increasingly important.
Terminal Access Controller Access-Control System (TACACS+) is a remote authentication protocol that provides access control for routers, network access servers, and other networked computing devices via one or more centralized servers. TACACS+ allows a client to accept a user name and password and send a query to a TACACS+ authentication server. The server host determines whether to accept or deny the request and sends a response back that allows or denies network access to the user. The default TCP port for a TACACS+ server is 49.
To view the list of TACACS+ servers, go to User > Remote > TACACS+.
Create New: Add a new TACACS+ server. The maximum number is 10.
Server Name/IP: The server domain name or IP address of the TACACS+ server.
Authentication Type: The supported authentication method. TACACS+ authentication methods include: Auto, ASCII, PAP, CHAP, and MSCHAP.
Delete icon: Delete this TACACS+ server.
Edit icon: Edit this TACACS+ server.
Name: Enter the name of the TACACS+ server.
Server Name/IP: Enter the server domain name or IP address of the TACACS+ server.
Server Key: Enter the key to access the TACACS+ server. The server key should be a maximum of 16 characters in length.
Authentication Type: Select the authentication type to use for the TACACS+ server. Selection includes: Auto, ASCII, PAP, CHAP, and MSCHAP. Auto authenticates using PAP, MSCHAP, and CHAP (in that order).
Directory Service
Windows Active Directory (AD) and Novell eDirectory provide central authentication services by storing information about network resources across a domain (a logical group of computers running versions of an operating system) in a central directory database. Each person who uses computers within a domain receives his or her own unique account/user name. This account can be assigned access to resources within the domain. In a domain, the directory resides on computers that are configured as domain controllers. A domain controller is a server that manages all security-related features that affect the user/domain interactions, security centralization, and administrative functions.
FortiGate units use firewall policies to control access to resources based on user groups configured in the policies. Each FortiGate user group is associated with one or more Directory Service user groups. When a user logs in to the Windows or Novell domain, a Fortinet Server Authentication Extension (FSAE) sends the FortiGate unit the user's IP address and the names of the Directory Service user groups to which the user belongs.
The FSAE has two components that you must install on your network:
- The domain controller (DC) agent must be installed on every domain controller to monitor user logins and send information about them to the collector agent.
- The collector agent must be installed on at least one domain controller to send the information received from the DC agents to the FortiGate unit.
The FortiGate unit uses this information to maintain a copy of the domain controller user group database. Because the domain controller authenticates users, the FortiGate unit does not perform authentication. It recognizes group members by their IP address. You must install the Fortinet Server Authentication Extensions (FSAE) on the network and configure the FortiGate unit to retrieve information from the Directory Service server. For more information about FSAE, see the Fortinet Server Authentication Extension Administration Guide. To view the list of Directory Service servers, go to User > Directory Service.
Figure 400: Example Directory Service server list
Create New: Add a new Directory Service server.
Expand Arrow (Directory Service server): Select the Expand arrow beside the server/domain/group name to display Directory Service domain and group information.
Name: The name defined for the Directory Service server.
AD Server Domain: The domain name imported from the Directory Service server.
Groups: The group names imported from the Directory Service server.
FSAE Collector IP: The IP addresses and TCP ports of up to five FSAE collector agents that send Directory Service server login information to the FortiGate unit.
Delete icon: Delete this Directory Service server.
Edit icon: Edit this Directory Service server.
User/Group: Add a user or group to the list. You must know the distinguished name for the user or group. Select users and groups to add to the list.
You can enter information for up to five collector agents. To add a new Directory Service server, go to User > Directory Service, select Create New, and enter or select the following:
Name: Enter the name of the Directory Service server. This name appears in the list of Directory Service servers when you create user groups.
FSAE Collector IP/Name: Enter the IP address or name of the Directory Service server where this collector agent is installed. The maximum number of characters is 63.
Port: Enter the TCP port used for Directory Service. This must be the same as the FortiGate listening port specified in the FSAE collector agent configuration.
Password: Enter the password for the collector agent. This is required only if you configured your FSAE collector agent to require authenticated access.
LDAP Server: Select the check box and select an LDAP server to access the Directory Service.
PKI
Public Key Infrastructure (PKI) authentication utilizes a certificate authentication library that takes a list of peers, peer groups, and/or user groups and returns authentication successful or denied notifications. Users only need a valid certificate for successful authentication; no user name or password are necessary. Firewall and SSL VPN are the only user groups that can use PKI authentication.
For more information about certificate authentication, see the FortiGate Certificate Management User Guide. For information about the detailed PKI configuration settings available only through the CLI, see the FortiGate CLI Reference.
To view the list of PKI users, go to User > PKI.
Figure 402: Example PKI User list
Name: The name of the PKI user.
Subject: The text string that appears in the subject field of the certificate of the authenticating user.
CA: The CA certificate that is used to authenticate this user.
Delete icon: Delete this PKI user. The delete icon is not available if the peer user belongs to a user group. Remove it from the user group first.
Edit icon: Edit this PKI user.
You can add or modify other configuration settings for PKI authentication. For more information, see the FortiGate CLI Reference.
Caution: If you use the CLI to create a peer user, Fortinet recommends that you enter a value for either subject or ca. If you do not do so, and then open the user record in the web-based manager, you will be prompted to enter a subject or ca value before you can continue.
To create a peer user for PKI authentication, go to User > PKI, select Create New, and enter the following:
Figure 403: PKI user
Name: Enter the name of the PKI user.
Subject: Enter the text string that appears in the subject field of the certificate of the authenticating user. This field is optional.
CA: Enter the CA certificate that must be used to authenticate this user. This field is optional.
Two-factor authentication
Require two-factor authentication
Password: Require this PKI user to authenticate by password in addition to
Note: You must enter a value for at least one of Subject or CA.
You can configure peer user groups only through the CLI. For more information, see the FortiGate CLI Reference.
User Group
A user group is a list of user identities. An identity can be:
- a local user account (user name and password) stored on the FortiGate unit
- a local user account with a password stored on a RADIUS, LDAP, or TACACS+ server
- a RADIUS, LDAP, or TACACS+ server (all identities on the server can authenticate)
- a user or user group defined on a Directory Service server.
Each user group belongs to one of three types: Firewall, Directory Service or SSL VPN. For information about each type, see Firewall user groups on page 659, Directory Service user groups on page 660, and SSL VPN user groups on page 660. For information on configuring each type of user group, see Configuring a user group on page 661.
In most cases, the FortiGate unit authenticates users by requesting each user name and password. The FortiGate unit checks local user accounts first. If the unit does not find a match, it checks the RADIUS, LDAP, or TACACS+ servers that belong to the user group. Authentication succeeds when the FortiGate unit finds a matching user name and password.
For a Directory Service user group, the Directory Service server authenticates users when they log in to the network. The FortiGate unit receives the user's name and IP address from the FSAE collector agent. For more information about FSAE, see the Fortinet Server Authentication Extension Administration Guide.
You can configure user groups to provide authenticated access to:
- Firewall policies that require authentication. See Adding authentication to firewall policies on page 372. You can choose the user groups that are allowed to authenticate with these policies.
- SSL VPNs on the FortiGate unit. See Configuring SSL VPN identity-based firewall policies on page 376.
- IPSec VPN Phase 1 configurations for dialup users. See Creating a new phase 1 configuration on page 606. Only users in the selected user group can authenticate to use the VPN tunnel.
- XAuth for IPSec VPN Phase 1 configurations. See XAUTH in Defining phase 1 advanced settings on page 608. Only users in the selected user group can be authenticated using XAuth.
- FortiGate PPTP configuration. See PPTP configuration using FortiGate web-based manager on page 621. Only users in the selected user group can use PPTP.
- FortiGate L2TP configuration. You can configure this only by using the config vpn l2tp CLI command. See the FortiGate CLI Reference. Only users in the selected user group can use L2TP.
- Administrator login with RADIUS authentication. See Configuring RADIUS authentication for administrators on page 247. Only administrators with an account on the RADIUS server can log in.
- FortiGuard Web Filtering override groups. See FortiGuard Web Filtering on page 552. When FortiGuard Web Filtering blocks a web page, authorized users can authenticate to access the web page or to allow members of another group to access it.
For each resource that requires authentication, you specify which user groups are permitted access. You need to determine the number and membership of user groups appropriate to your authentication needs.
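The lookup order described above (local user accounts first, then the RADIUS, LDAP and TACACS+ servers that are members of the group) is shown in the following added example. It is not Fortinet code and not from this guide; the remote servers are constructed in-memory stand-ins with sample account tables, and the group membership, user names and passwords are made up. The order in which a group's member servers are tried is assumed to be their listed order.

```python
"""Added example (not Fortinet code): the lookup order the guide gives for a
Firewall user group. Local user accounts are checked first; only if no local
match is found are the RADIUS, LDAP and TACACS+ servers that belong to the
group consulted, in listed order (an assumption). Servers are constructed
in-memory stand-ins; a real deployment queries them over the network."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union


@dataclass
class RemoteServer:
    name: str
    kind: str                         # "RADIUS", "LDAP" or "TACACS+"
    accounts: Dict[str, str]          # constructed user -> password table

    def verify(self, user: str, pw: str) -> bool:
        stored = self.accounts.get(user)
        return stored is not None and hmac.compare_digest(stored, pw)


@dataclass
class LocalUser:
    name: str
    password: Optional[str] = None            # Local type: password stored on the unit
    server: Optional[RemoteServer] = None     # LDAP/RADIUS/TACACS+ type: password on server


@dataclass
class UserGroup:
    name: str
    members: List[Union[LocalUser, RemoteServer]] = field(default_factory=list)


def authenticate(group: UserGroup, user: str, pw: str) -> Tuple[bool, str]:
    """Return (accepted, where the matching user name and password were found)."""
    # 1. Local user accounts first.
    for m in group.members:
        if isinstance(m, LocalUser) and m.name == user:
            if m.password is not None and hmac.compare_digest(m.password, pw):
                return True, f"local:{m.name}"
            if m.server is not None and m.server.verify(user, pw):
                return True, f"local:{m.name}@{m.server.name}"
    # 2. No local match: each server that is a member of the group, in order.
    for m in group.members:
        if isinstance(m, RemoteServer) and m.verify(user, pw):
            return True, f"{m.kind}:{m.name}"
    return False, "no match"


# Constructed server contents and group membership.
LDAP1 = RemoteServer("ldap1", "LDAP", {"bob": "bob-pass", "dave": "dave-pass"})
RADIUS1 = RemoteServer("radius1", "RADIUS", {"carol": "carol-pass"})
GROUP = UserGroup("remote_staff", [
    LocalUser("alice", password="alice-pass"),    # password on the unit
    LocalUser("bob", server=LDAP1),               # local account, password on LDAP
    RADIUS1,                                      # whole server as a member
    LDAP1,
])


def run_cases() -> Dict[str, Tuple[bool, str]]:
    return {
        "local_password": authenticate(GROUP, "alice", "alice-pass"),
        "local_user_server_password": authenticate(GROUP, "bob", "bob-pass"),
        "server_member_only": authenticate(GROUP, "carol", "carol-pass"),
        "server_member_second": authenticate(GROUP, "dave", "dave-pass"),
        "wrong_password": authenticate(GROUP, "alice", "wrong"),
        "unknown_user": authenticate(GROUP, "mallory", "x"),
    }
```

A practical consequence worth noticing in the "server_member_only" case: adding a whole server to a group admits every account on that server (as the identity list above says), so the server's own account scope, not the FortiGate group, decides who can reach the resource.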
Firewall user groups
For more information, see Creating a new phase 1 configuration on page 606. For information about configuring a Firewall user group, see Configuring a user group on page 661.
You can also use a firewall user group to provide override privileges for FortiGuard web filtering. For more information, see Configuring FortiGuard Web filtering override options on page 664. For detailed information about FortiGuard Web Filter, including the override feature, see FortiGuard Web Filtering on page 552.
Directory Service user groups
A Directory Service user group provides access to a firewall policy that requires Directory Service type authentication and lists the user group as one of the allowed groups. The members of the user group are Directory Service users or groups that you select from a list that the FortiGate unit receives from the Directory Service servers that you have configured. See Directory Service on page 654.
Note: A Directory Service user group cannot have SSL VPN access.
You can also use a Directory Service user group to provide override privileges for FortiGuard web filtering. For more information, see Configuring FortiGuard Web filtering override options on page 664. For detailed information about FortiGuard Web Filter, including the override feature, see FortiGuard Web Filtering on page 552. For information on configuring user groups, see Configuring a user group on page 661.
SSL VPN user groups
For information on configuring user groups, see Configuring a user group on page 661. For information on configuring SSL VPN user group options, see Configuring SSL VPN identity-based firewall policies on page 376.
Create New: Add a new user group.
Group Name: The name of the user group. User group names are listed by type of user group: Firewall, Directory Service and SSL VPN. For more information, see Firewall user groups on page 659, Directory Service user groups on page 660, and SSL VPN user groups on page 660.
Members: The Local users, RADIUS servers, LDAP servers, TACACS+ servers, Directory Service users/user groups or PKI users found in the user group.
Delete icon: Delete the user group. You cannot delete a user group that is included in a firewall policy, a dialup user phase 1 configuration, or a PPTP or L2TP configuration.
Edit icon: Edit the membership and options of the group.
Note: You cannot add local users to a group that is used to authenticate administrators.
Name: Enter the name of the user group.
Type: Select the user group type.
  Firewall: Select this group in any firewall policy that requires Firewall authentication. See Adding authentication to firewall policies on page 372 and Configuring FortiGuard Web filtering override options on page 664.
  Directory Service: Select this group in any firewall policy that requires Directory Service authentication. See Adding authentication to firewall policies on page 372.
  SSL VPN: Select this group in any firewall policy with Action set to SSL VPN. Not available in Transparent mode. See Configuring SSL VPN identity-based firewall policies on page 376.
Portal: Select the SSL VPN web portal configuration to use with the User Group. For more information, see SSL VPN web portal on page 627.
Available*: The list of Local users, RADIUS servers, LDAP servers, TACACS+ servers, Directory Service users/user groups, or PKI users that can be added to the user group. To add a member to this list, select the name and then select the Right Arrow.
* Available Members if user group type is Directory Service.
Members: The list of Local users, RADIUS servers, LDAP servers, TACACS+ servers, Directory Service users/user groups, or PKI users that belong to the user group. To remove a member, select the name and then select the Left Arrow.
FortiGuard Web Filtering Override: Available only if Type is Firewall or Directory Service. Configure Web Filtering override capabilities for this group. See Configuring FortiGuard Web filtering override options on page 664.
Allow to create FortiGuard Web Filtering overrides: Select to allow members of this group to request an override on the FortiGuard Web Filtering Block page. The firewall protection profile governing the connection must have FortiGuard overrides enabled. The protection profile may have more than one user group as an override group. Members of an override group can authenticate on the FortiGuard Web Filter Block Override page to access the blocked site. For more information, see FortiGuard Web Filtering on page 552.
Override Scope: The override can apply to just the user who requested the override, or include others. Select one of the following from the list:
  User: Only the user.
  User Group: The user group to which the user belongs.
  IP: Any user at the user's IP address.
  Profile: Any user with the specified protection profile of the user group.
  Ask: Authenticating user, who chooses the override scope.
Override Type: Select from the list to allow access to:
  Directory: Only the lowest level directory in the URL.
  Domain: The entire website domain.
  Categories: The FortiGuard category.
  Ask: Authenticating user, who chooses the override type.
Off-site URLs: Select one of the following from the list to set permissions for users linking to sites off the blocked site:
  Allow: User can follow links to other sites.
  Deny: User can follow links only to destinations as defined by Override Type.
  Ask: Authenticating user, who chooses whether to allow use of off-site links.
Override Time: Select to set the duration of the override:
  Constant: Select to set the duration of override in days, hours, minutes.
  Ask: Authenticating user, who determines the duration of override. The duration set is the maximum.
Protection Profiles: One protection profile can have several user groups with override permissions. Verification of the user group occurs once the user name and password are entered. The overrides can still be enabled or not enabled on a profile-wide basis regardless of the user groups that have permissions to override the profile.
  Available: The list of defined protection profiles applied to user groups that have override privileges.
Figure 409: Using RADIUS records to assign IP addresses for SSL VPN Tunnel Mode
5 Go to User > User Group and create a new user group or edit an SSL VPN user group.
6 Set Type to SSL VPN.
7 Select the name of the Portal that contains the tunnel mode widget.
8 Add the RADIUS server that assigns IP addresses to the Members list and save the SSL VPN user group.
9 Go to Firewall > Policy and select Create New.
10 Set Action to SSL VPN.
11 Add an identity based policy and add the SSL VPN user group containing the RADIUS server and the portal to the Selected User Groups list.
12 Configure the remaining firewall policy settings as required.
To dynamically assign IP addresses for dialup IPSec VPN
To use a RADIUS server to assign IP addresses for dialup IPSec VPN users you configure an IPSec DHCP server for your IPSec VPN configuration and configure advanced settings to set IP Assignment Mode to User-group defined method. You must also add the RADIUS server to a firewall user group. Then in the phase 1 configuration of the dialup VPN you configure advanced settings to set XAUTH to server mode and select the firewall user group that you added the RADIUS server to.
1 Go to System > DHCP and add or edit the IPSec DHCP server used by the IPSec VPN configuration.
2 Select Advanced and set IP Assignment Mode to User-group defined method and save the changes to the DHCP server.
3 Go to User > User Group and create a new user group or edit a Firewall user group.
4 Set Type to Firewall.
5 Add the RADIUS server that assigns IP addresses to the Members list and save the Firewall user group.
6 Go to VPN > IPSec and create or edit a User Phase 1 with Remote Gateway set to Dialup User.
7 Select Advanced.
8 Set XAUTH to Enable as Server.
9 Set User Group to the firewall user group containing the RADIUS server.
10 Configure the remaining IPSec VPN settings as required.
To dynamically assign IP addresses for PPTP VPN users
For PPTP VPN you can use a RADIUS server to assign IP addresses for PPTP users by adding the RADIUS server that can assign IP addresses to a firewall user group. Then configure PPTP VPN to use this user group.
1 Go to User > User Group and create a new user group or edit a firewall user group.
2 Set Type to Firewall.
3 Add the RADIUS server that assigns IP addresses to the Members list and save the Firewall user group.
4 Connect to the FortiGate CLI and enter the following command to enable PPTP, configure assigning IP addresses with a user group, and add the user group containing the RADIUS server to the PPTP VPN configuration.
  config vpn pptp
    set status enable
    set ip-mode usrgrp
    set usrgrp <user_group>
    set sip <address>
    set eip <address>
  end
Options
You can define setting options for user authentication, including authentication timeout, supported protocols, and authentication certificates. Authentication timeout controls how long an authenticated firewall connection can be idle before the user must authenticate again. When user authentication is enabled on a firewall policy, the authentication challenge is normally issued for any of the four protocols (depending on the connection protocol):
HTTP (can also be set to redirect to HTTPS)
HTTPS
FTP
Telnet
The selections made in the Protocol Support list of the Authentication Settings screen control which protocols support the authentication challenge. Users must connect with a supported protocol first so they can subsequently connect with other protocols. If HTTPS is selected as a method of protocol support, it allows the user to authenticate with a customized Local certificate. When you enable user authentication on a firewall policy, the firewall policy user will be challenged to authenticate. For user ID and password authentication, users must provide their user names and passwords. For certificate authentication (HTTPS or HTTP redirected to HTTPS only), you can install customized certificates on the FortiGate unit and the users can also have customized certificates installed on their browsers. Otherwise, users will see a warning message and have to accept a default FortiGate certificate.
Note: When you use certificate authentication, if you do not specify any certificate when you create the firewall policy, the global settings will be used. If you specify a certificate, the per-policy setting will overwrite the global setting. For information about how to use certificate authentication, see FortiGate Certificate Management User Guide.
Authentication Timeout: Enter a length of time in minutes, from 1 to 480. Authentication Timeout controls how long an authenticated firewall connection can be idle before the user must authenticate again. The default value is 30.
Protocol Support: Select the protocols to challenge during firewall user authentication.
Certificate: If using HTTPS protocol support, select the Local certificate to use for authentication. Available only if HTTPS protocol support is selected.
Apply: Apply selections for user Authentication Settings.
Monitor
You can go to User > Monitor to view lists of currently authenticated users, authenticated IM users, and banned users. For each authenticated user, the list includes the user name, user group, how long the user has been authenticated (Duration), how long until the user's session times out (Time left), and the method of authentication used. The list of IM users includes the source IP address, protocol, and last time the protocol was used. The Banned User list includes users configured by administrators in addition to those quarantined based on AV, IPS, or DLP rules. The following lists are available:
Firewall user monitor list
IM user monitor list
NAC quarantine and the Banned User list
Refresh
Current Page
De-authenticate All: Stop authenticated sessions for all users in the Firewall user monitor list. User(s) must re-authenticate with the firewall to resume their communication sessions.
Filter icons: Edit the column filters to filter or sort the firewall user monitor list according to the criteria you specify. For more information, see Adding filters to web-based manager lists on page 57.
User Name: The user names of all connected remote users.
User Group: The user group that the remote user is part of.
Duration: Length of time since the user was authenticated.
Time left: Length of time remaining until the user session times out. Only available if the authentication time of the session will be automatically extended (authentication keepalive is enabled). If authentication keepalive is not enabled, the value in Time left will be N/A. For more information, see the FortiGate CLI Reference.
Source IP: The user's source IP address.
The amount of traffic through the FortiGate unit generated by the user.
Method: Authentication method used for the user by the FortiGate unit (authentication methods can be FSAE, firewall authentication, or NTLM).
Protocol: Filter the list by selecting the protocol for which to display current users: AIM, ICQ, MSN, or Yahoo. All current users can also be displayed.
#: The position number of the IM user in the list.
Protocol: The protocol being used.
User Name: The name selected by the user when registering with an IM protocol. The same user name can be used for multiple IM protocols. Each user name/protocol pair appears separately in the list.
Source IP: The address from which the user initiated the IM session.
Block: Select to add the user name to the permanent black list. Each user name/protocol pair must be explicitly blocked by the administrator.
Last Login: The last time the current user used the protocol.
NAC quarantine adds blocked IP addresses or interfaces to the Banned User list. To view the Banned User list, go to User > Monitor > Banned User. When you configure NAC quarantine settings, you can specify how long to block the IP addresses or interfaces. FortiGate administrators can manually enable access again by removing IP addresses or interfaces from the Banned User list. Removing an IP address from the Banned User list means the user can start accessing network services through the FortiGate unit again. Removing an interface from the list means the interface can resume normal receiving and processing of communication sessions. For more information, see The Banned User list on page 672.
SMTP email message, you can configure DLP to block all SMTP email from a sender identified in the From: field of the email messages, without blocking the user from web browsing. DLP will also add the sender's name to the Banned User list. For more information about using actions in DLP sensors, see Adding or editing a rule or compound rule in a DLP sensor on page 577.
  config ips DoS
    edit QDoS_sensor
      config anomaly
        edit udp_dst_session
          set quarantine attacker
          set quarantine-expiry 30
        next
        edit icmp_flood
          set quarantine both
      end
    end
For more information, see the FortiGate CLI Reference.
To view the Banned User list, go to User > Monitor > Banned User.
Figure 413: Banned User list
Current Page: The current page number of list items that are displayed. Select the left and right arrows to display the first, previous, next or last page of banned users or IP addresses.
Delete: Remove all users and IP addresses from the Banned User list.
#: The position number of the user or IP address in the list.
Protocol: The protocol that was used by the user or IP address added to the Banned User list.
Cause or rule: The FortiGate function that caused the user or IP address to be added to the Banned User list. Cause or rule can be IPS, Antivirus, or Data Leak Prevention.
Created: The date and time the user or IP address was added to the Banned User list.
Expires: The date and time the user or IP address will be automatically removed from the Banned User list. If Expires is Indefinite you must manually remove the user or host from the list.
Delete icon: Delete the selected user or IP address from the Banned User list.
Edit Delete
Protocol Peer Mode SSL Secure Tunnel Delete icon Edit icon
Insert WAN Optimization Rule Before icon: Add a new rule above the corresponding rule (the New rule screen appears).
Move To icon: Move the corresponding rule before or after another rule in the list. See Moving a rule to a different position in the rule list on page 677.
To move a rule in the WAN optimization rule list
1 Go to WAN Opt & Cache > Rule.
2 In the rule list, note the ID of a rule that is before or after your intended destination.
3 In the row corresponding to the rule that you want to move, select the Move To icon.
4 Select Before or After, and enter the ID of the rule that is before or after your intended destination. This specifies the rule's new position in the WAN optimization rule list.
5 Select OK.
Mode: Select Full Optimization to add a rule that can apply all WAN optimization features. Select Web Cache Only to add a rule that just applies web caching. If you select Web Cache Only, you can configure the source and destination address and port for the rule. You can also select Transparent Mode and Enable SSL.
Source: Enter an IP address, followed by a forward slash (/), then subnet mask, or enter an IP address range separated by a hyphen. See About WAN optimization addresses on page 679. Only packets whose source address header contains an IP address matching this IP address or address range will be accepted by and subject to this rule. For a passive rule, the server (passive) source address range should be compatible with the source addresses of the matching client (active) rule. To match one passive rule with many active rules, the passive rule source address range should include the source addresses of all of the active rules.
Destination: Enter an IP address, followed by a forward slash (/), then subnet mask, or enter an IP address range separated by a hyphen. See About WAN optimization addresses on page 679. Only a packet whose destination address header contains an IP address matching this IP address or address range will be accepted by and subject to this rule. Tip: For a Web Cache Only rule, if you set Destination to 0.0.0.0, the rule caches web pages on the Internet or any network. For a passive rule, the server (passive) destination address range should be compatible with the destination addresses of the matching client (active) rule. To match one passive rule with many active rules, the passive rule destination address range should include the destination addresses of all of the active rules.
Port: Enter a single port number or port number range. Only packets whose destination port number matches this port number or port number range will be accepted by and subject to this rule. For a passive rule, the server (passive) port range should be compatible with the port range of the matching client (active) rule. To match one passive rule with many active rules, the passive rule port range should include the port ranges of all of the active rules.
Auto-Detect: Available only if Mode is set to Full Optimization. Specify whether the rule is an Active (client) rule, a Passive (server) rule or if auto-detect is Off. If auto-detect is off the rule is a peer-to-peer rule. For an Active (client) rule, you must select all of the WAN optimization features to be applied by the rule. You can select the protocol to optimize, transparent mode, byte caching, SSL offloading, secure tunneling, and an authentication group. A Passive (server) rule uses the settings in the active rule on the client FortiGate unit to apply WAN optimization settings. You can also select web caching for a passive rule. If Auto-Detect is Off, the rule must include all required WAN optimization features and you must select a Peer for the rule. Select this option to configure peer-to-peer WAN optimization where this rule can start a WAN optimization tunnel with this peer only.
Protocol: Available only if Mode is set to Full Optimization, and Auto-Detect is set to Off or Active. Select CIFS, FTP, HTTP, or MAPI to apply protocol optimization for one of these protocols. For information about protocol optimization, see the FortiGate WAN Optimization, Web Cache, and Web Proxy User Guide. Select TCP if the WAN optimization tunnel accepts sessions that use more than one protocol or that do not use the CIFS, FTP, HTTP, or MAPI protocol.
Peer: Available only if Mode is set to Full Optimization, and Auto-Detect is set to Off. Select the peer host ID of the peer that this peer-to-peer WAN optimization rule will start a WAN optimization tunnel with. You can also select [Create New ...] to add a new peer.
Enable Web Cache: Available only if Mode is set to Full Optimization, and Auto-Detect is set to Off or Passive. If Auto-Detect is set to Off, then Protocol must be set to HTTP. Select to apply WAN optimization web caching to the sessions accepted by this rule. For more information, see the FortiGate WAN Optimization, Web Cache, and Web Proxy User Guide.
Transparent Mode: Servers receiving packets after WAN optimization see different source addresses depending on whether or not you select Transparent Mode. You can select this option if Auto-Detect is set to Active or Off. You can also select it for Web Cache Only rules. Select this option to keep the original source address of the packets when they are sent to servers. The servers appear to receive traffic directly from clients. The server network should be configured to route traffic with client source IP addresses from the server side FortiGate unit to the server and back to the server side FortiGate unit. If this option is not selected, the server side FortiGate unit changes the source address of the packets received by servers to the address of the server side FortiGate unit interface that sends the packets to the servers. So servers appear to receive packets from the server side FortiGate unit. Routing on the server network is usually simpler in this case because client addresses are not involved, but the server sees all traffic as coming from the server side FortiGate unit and not from individual clients.
Byte caching: Available only if Mode is set to Full Optimization, and Auto-Detect is set to Off or Active. Select to apply WAN optimization byte caching to the sessions accepted by this rule. For more information, see the FortiGate WAN Optimization, Web Cache, and Web Proxy User Guide.
Enable SSL: Available only if Auto-Detect is set to Active or Off. Select to apply SSL offloading for HTTPS traffic. You can use SSL offloading to offload SSL encryption and decryption from one or more HTTP servers to the FortiGate unit. If you enable this option, you must configure the rule to accept SSL-encrypted traffic, for example, by configuring the rule to accept HTTPS traffic by setting Port to 443. If you enable SSL offloading, you must also use the CLI command config wanopt ssl-server to add an SSL server for each HTTP server that you want to offload SSL encryption/decryption for. For more information, see the FortiGate WAN Optimization, Web Cache, and Web Proxy User Guide.
Enable Secure Tunnel: Available only if Mode is set to Full Optimization, and Auto-Detect is set to Active or Off. If you select Enable Secure Tunnel, the WAN optimization tunnel is encrypted using SSL encryption. You must also add an authentication group to the rule. For more information, see the FortiGate WAN Optimization, Web Cache, and Web Proxy User Guide.
Authentication Group: Available only if Mode is set to Full Optimization, and Auto-Detect is set to Active or Off. Select this option and select an authentication group from the list if you want groups of FortiGate units to authenticate with each other before starting the WAN optimization tunnel. You must also select an authentication group if you select Enable Secure Tunnel. You must add identical authentication groups to both of the FortiGate units that will participate in the WAN optimization tunnel started by the rule. For more information, see Configuring authentication groups on page 681.
The netmask corresponds to the subnet class of the address being added, and can be represented in either dotted decimal or CIDR format. The FortiGate unit automatically converts CIDR formatted netmasks to dotted decimal format. Example formats:
FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20091022 http://docs.fortinet.com/ Feedback
netmask for a single computer: 255.255.255.255, or /32
netmask for a class A subnet: 255.0.0.0, or /8
netmask for a class B subnet: 255.255.0.0, or /16
netmask for a class C subnet: 255.255.255.0, or /24
netmask including all IP addresses: 0.0.0.0
x.x.x.x/x.x.x.x, such as 192.168.1.0/255.255.255.0
x.x.x.x/x, such as 192.168.1.0/24
Note: An IP address 0.0.0.0 with netmask 255.255.255.255 is not a valid source or destination address.
When representing hosts by an IP range, the range indicates hosts with continuous IP addresses in a subnet, such as 192.168.1.[2-10], or 192.168.1.* to indicate the complete range of hosts on that subnet. Valid IP range formats include:
x.x.x.x-x.x.x.x, such as 192.168.110.100-192.168.110.120
x.x.x.[x-x], such as 192.168.110.[100-120]
x.x.x.*, such as 192.168.110.*
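The address formats listed above, worked through as an added example that is not FortiOS code: a parser that normalizes every accepted Source/Destination form into an inclusive IPv4 range, rejects the 0.0.0.0/255.255.255.255 case from the note, and checks the guidance that a passive rule's range must cover its matching active rules. The function names and the treatment of a bare 0.0.0.0 as "any network" (taken from the Destination tip) are assumptions.

```python
import ipaddress
import re

# Added example (not FortiOS code): normalize the WAN optimization address
# formats described above into an inclusive (first, last) IPv4Address pair.

_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
_PREFIX = rf"({_OCTET}\.{_OCTET}\.{_OCTET})"
# x.x.x.[a-b]  ->  a range in the last octet
_BRACKET_RE = re.compile(rf"^{_PREFIX}\.\[([0-9]{{1,3}})-([0-9]{{1,3}})\]$")
# x.x.x.*      ->  all 256 hosts of that /24
_STAR_RE = re.compile(rf"^{_PREFIX}\.\*$")

ANY = (ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("255.255.255.255"))


def parse_wanopt_address(text):
    """Return (first, last) for one address or range spec; raise ValueError if invalid."""
    text = text.strip()
    m = _STAR_RE.match(text)
    if m:
        net = ipaddress.IPv4Network(m.group(1) + ".0/24")
        return net.network_address, net.broadcast_address
    m = _BRACKET_RE.match(text)
    if m:
        lo, hi = int(m.group(2)), int(m.group(3))
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad bracket range in {text!r}")
        return (ipaddress.IPv4Address(f"{m.group(1)}.{lo}"),
                ipaddress.IPv4Address(f"{m.group(1)}.{hi}"))
    if "-" in text:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
        if last < first:
            raise ValueError(f"range end precedes start in {text!r}")
        return first, last
    if "/" in text:
        addr, mask = (p.strip() for p in text.split("/", 1))
        # ipaddress accepts both /24 and /255.255.255.0 as the netmask, and
        # strict=False lets a host address such as 192.168.1.77/24 stand for its subnet
        net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        if net.prefixlen == 32 and int(net.network_address) == 0:
            # the note above: 0.0.0.0 with netmask 255.255.255.255 is not valid
            raise ValueError("0.0.0.0 with netmask 255.255.255.255 is not a valid address")
        return net.network_address, net.broadcast_address
    host = ipaddress.IPv4Address(text)
    if int(host) == 0:
        return ANY  # assumption: a bare 0.0.0.0 means any network, as in the Destination tip
    return host, host


def address_matches(spec, ip):
    """True if packet address ip falls inside the rule address spec."""
    first, last = parse_wanopt_address(spec)
    return first <= ipaddress.IPv4Address(ip) <= last


def passive_covers_active(passive_spec, *active_specs):
    """The guidance above: a passive (server) rule range must include the ranges
    of every active (client) rule it is meant to match."""
    p_first, p_last = parse_wanopt_address(passive_spec)
    for spec in active_specs:
        a_first, a_last = parse_wanopt_address(spec)
        if a_first < p_first or a_last > p_last:
            return False
    return True
```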
Viewing basic information
Create New: Add a new peer.
Local Host ID: Enter the local host ID of this FortiGate unit and select Apply. If you add this FortiGate unit as a peer to another FortiGate unit, use this ID as its peer host ID.
Apply: Save a change to the Local Host ID to the FortiGate configuration.
Create New: Select to add a new peer.
Edit: Select Edit beside an existing peer to modify it.
Delete: Delete a peer.
Peer Host ID: The peer host ID of the peer FortiGate unit. This is the local host ID added to the peer FortiGate unit.
IP Address: The IP address of the FortiGate unit. Usually this is the IP address of the FortiGate interface connected to the WAN.
Viewing basic information
Create New: Add a new authentication group.
Name: The name of the authentication group.
Authentication Method: The method used to authenticate the tunnels: certificate (plus certificate name) or pre-shared key.
Peer(s): The host IDs of the peers added to the authentication group. When you add the authentication group to a WAN optimization rule, only these FortiGate units can authenticate to use this WAN optimization rule. Peer(s) can be any peer, a peer added to the FortiGate unit peer list (defined peers), or a selected peer.
Adding or modifying an authentication group
Create New: Select to add a new authentication group.
Edit icon: Select Edit beside an existing authentication group to modify it.
Delete icon: Select to delete an authentication group.
Name: Add or change the name of the authentication group. Select this name when adding the authentication group to a rule. Other FortiGate units that participate in WAN optimization tunnels with this FortiGate unit must have an authentication group with the same name.
Authentication Method: Select the authentication method to use. Select Certificate if you want to use a certificate to authenticate and encrypt WAN optimization tunnels. Select Pre-shared key if you want to use a pre-shared key or password to authenticate and encrypt WAN optimization tunnels.
Certificate (list): Available only when Authentication Method is Certificate. Select a local certificate that has been added to this FortiGate unit. Other FortiGate units that participate in WAN optimization tunnels with this FortiGate unit must have an authentication group with the same name and certificate. Go to System > Certificates > Local Certificates to add a local certificate to a FortiGate unit.
Password: Available only when Authentication Method is Pre-shared key. Add the password (or pre-shared key) used by the authentication group. Other FortiGate units that participate in WAN optimization tunnels with this FortiGate unit must have an authentication group with the same name and password. The key must contain at least 6 printable characters and should be known only by network administrators. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters.
Peer Acceptance: One or more of the following options are available to authenticate WAN optimization peers:
  Accept Any Peer: Authenticate with any peer. Use this setting if you do not know the peer host IDs or IP addresses of the peers that will use this authentication group. This setting is most often used for WAN optimization with the FortiClient application.
  Accept Defined Peers: Authenticate with any peer in the FortiGate unit peer list.
  Specify Peer: Authenticate with the selected peer only. Select this option and then select the peer to add to this authentication group.
Monitor chart: Reduction Rate (LAN, WAN)
Period: Select a time frame to show bandwidth optimization. You can select: Last 10 Minutes, Last 1 Hour, Last 1 Day, Last 1 Week, Last 1 Month.
Protocol: Select All to display bandwidth optimization for all applications. Select an individual protocol to display bandwidth optimization for that individual protocol.
Chart Type: Select to display bandwidth optimization with a line chart or a column chart.
Always revalidate: Select to always revalidate requested cached object with content on the server before serving it to the client.
Maximum cache object size: Set the maximum object size to cache. The default size is 512000 KB. This object size determines the maximum object size to store in the web cache. Objects retrieved that are larger than the maximum size are still delivered to the client but are not stored in the web cache.
Negative Response Duration: Set how long in minutes to cache negative responses. The default is 0, meaning negative responses are not cached. The content server might send a client error code (4xx HTTP response) or a server error code (5xx HTTP response) as a response to some requests. If the web cache is configured to cache these negative responses, it returns that response in subsequent requests for that page or image for the specified number of minutes.
Fresh Factor: Set the fresh factor as a percentage. The default is 100, and the range is 1 to 100. For cached objects that do not have an expiry time, the web cache periodically checks the server to see if the objects have expired. The higher the fresh factor the less often the checks occur. For example, if you set the Max TTL value and Default TTL at 7200 minutes (5 days) and set the Fresh Factor at 20, the web cache will check the cached objects 5 times before they expire, but if you set the Fresh Factor at 100, the web cache will check once.
Max TTL: The maximum amount of time (Time to Live) an object can stay in the web cache without the cache checking to see if it has expired on the server. The default is 7200 minutes (120 hours or 5 days).
Min TTL: The minimum amount of time an object can stay in the web cache before the web cache checks to see if it has expired on the server. The default is 5 minutes.
Default TTL: The default expiry time for objects that do not have an expiry time set by the web server. The default expiry time is 1440 minutes (24 hours).
Explicit proxy: Indicates whether the explicit proxy has been enabled for the FortiGate unit. See Configuring the explicit web proxy on page 182.
Web cache for explicit proxy: Select to enable using the WAN optimization web cache to cache for the explicit proxy.
If-modified-since: By default, if the time specified by the if-modified-since (IMS) header in the client's conditional request is greater than the last modified time of the object in the cache, it is a strong indication that the copy in the cache is stale. If so, HTTP does a conditional GET to the Overlay Caching Scheme (OCS), based on the last modified time of the cached object. Enable ignoring If-modified-since to override this behavior.
HTTP 1.1 Conditionals: HTTP 1.1 provides additional controls to the client over the behavior of caches toward stale objects. Depending on various cache-control headers, the FortiGate unit can be forced to consult the OCS before serving the object from the cache. For more information about the behavior of cache-control header values, see RFC 2616.
Pragma-no-cache: Typically, if a client sends an HTTP GET request with a pragma no-cache (PNC) or cache-control no-cache header, a cache must consult the OCS before serving the content. This means that the FortiGate unit always refetches the entire object from the OCS, even if the cached copy of the object is fresh. Because of this behavior, PNC requests can degrade performance and increase server-side bandwidth utilization. However, if ignore Pragma-no-cache is enabled, then the PNC header from the client request is ignored. The FortiGate unit treats the request as if the PNC header is not present at all.
IE Reload: Some versions of Internet Explorer issue an Accept: */* header instead of a Pragma: no-cache header when you select Refresh. When an Accept header has only the */* value, the FortiGate unit treats it as a PNC header if it is a type-N object. When ignore IE Reload is enabled, the FortiGate unit ignores the PNC interpretation of the Accept: */* header.
Cache expired objects: Applies only to type-1 objects. When this option is selected, expired type-1 objects are cached (if all other conditions make the object cacheable).
Revalidate Pragma-no-cache: The pragma-no-cache (PNC) header in a client's request can affect the efficiency of the FortiGate unit's bandwidth. If you do not want to completely ignore PNC in client requests (which you can do by selecting to ignore Pragma-no-cache, above), you can nonetheless lower the impact on the bandwidth by selecting Revalidate Pragma-no-cache. When this option is selected, a client's non-conditional PNC-GET request results in a conditional GET request sent to the OCS if the object is already in the cache. This gives the OCS a chance to return the 304 Not Modified response, which consumes less server-side bandwidth, because the OCS has not been forced to otherwise return full content. By default, Revalidate Pragma-no-cache is disabled and is not affected by changes in the top-level profile. When the Substitute Get for PNC configuration is enabled, the revalidate PNC configuration has no effect. Most download managers make byte-range requests with a PNC header. To serve such requests from the cache, you should also configure byte-range support when you configure the Revalidate Pragma-no-cache option.
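The web cache settings (Fresh Factor, Max/Min/Default TTL, negative responses, object size) and the Ignore and Revalidate options above, modelled as an added example that is not FortiOS code. Field names follow the web-based manager labels; the freshness arithmetic is an assumption chosen to reproduce the Fresh Factor worked example, and If-modified-since values are simplified to integer minute timestamps rather than HTTP dates.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not FortiOS code): which of three actions the web cache takes
# for a client GET, under the options described above.

SERVE = "serve-from-cache"
CONDITIONAL_GET = "conditional-get-to-ocs"   # gives the OCS a chance to answer 304 Not Modified
FULL_FETCH = "full-fetch-from-ocs"


@dataclass
class CacheSettings:
    max_object_size_kb: int = 512000
    negative_response_duration: int = 0   # minutes; 0 = 4xx/5xx responses not cached
    fresh_factor: int = 100               # percent, 1..100
    max_ttl: int = 7200                   # minutes (120 hours)
    min_ttl: int = 5
    default_ttl: int = 1440               # minutes, for objects with no server expiry
    always_revalidate: bool = False
    ignore_ims: bool = False
    ignore_pnc: bool = False
    ignore_ie_reload: bool = False
    revalidate_pnc: bool = False


@dataclass
class CachedObject:
    age: int                    # minutes since stored or last checked against the OCS
    last_modified: int          # minute timestamp reported by the origin server (assumption)
    expires_in: Optional[int]   # minutes of life the server granted, None if it set none
    type_n: bool = False        # "type-N" object, relevant to the IE Reload rule


def revalidation_interval(obj, s):
    """Minutes an object may be served before the cache checks the OCS again."""
    if obj.expires_in is None:
        # no expiry: Default TTL scaled by Fresh Factor, so 20% checks five times as often
        ttl = s.default_ttl * s.fresh_factor // 100
    else:
        ttl = obj.expires_in
    return max(s.min_ttl, min(s.max_ttl, ttl))


def checks_before_expiry(s):
    """Number of OCS checks over one Default TTL lifetime (the guide's Fresh Factor example)."""
    probe = CachedObject(age=0, last_modified=0, expires_in=None)
    return max(1, s.default_ttl // revalidation_interval(probe, s))


def should_store(status, size_kb, s):
    """Whether a response may enter the cache; it is delivered to the client either way."""
    if size_kb > s.max_object_size_kb:
        return False
    if status >= 400:                      # negative response (4xx or 5xx)
        return s.negative_response_duration > 0
    return True


def decide(headers, obj, s):
    """headers: dict of request headers; obj: CachedObject, or None if not cached."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if obj is None:
        return FULL_FETCH
    pnc = (h.get("pragma", "").lower() == "no-cache"
           or "no-cache" in h.get("cache-control", "").lower())
    if not pnc and h.get("accept") == "*/*" and obj.type_n and not s.ignore_ie_reload:
        pnc = True                         # IE Reload: a bare Accept: */* counts as PNC
    if pnc and not s.ignore_pnc:
        # PNC normally forces a complete refetch; Revalidate Pragma-no-cache turns the
        # non-conditional PNC GET into a conditional GET when the object is cached
        return CONDITIONAL_GET if s.revalidate_pnc else FULL_FETCH
    ims = h.get("if-modified-since")
    if ims is not None and not s.ignore_ims and int(ims) > obj.last_modified:
        return CONDITIONAL_GET             # client's copy is newer: cached copy is stale
    if s.always_revalidate or obj.age >= revalidation_interval(obj, s):
        return CONDITIONAL_GET
    return SERVE
```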
Endpoint NAC
Endpoint Network Access Control (NAC) enforces the use of the FortiClient End Point Security (Enterprise Edition) application on your network. It can also allow or deny endpoints access to the network based on the applications installed on them. FortiClient enforcement can check that the endpoint is running the most recent version of the FortiClient application, that the antivirus signatures are up-to-date and that the firewall is enabled. An endpoint is most often a single PC with a single IP address being used to access network services through a FortiGate unit. You enable endpoint NAC in a firewall policy. When traffic attempts to pass through the firewall policy, the FortiGate unit runs compliance checks on the originating host on the source interface. Non-compliant endpoints are blocked. If web browsing, the endpoints are redirected to a web portal that explains the non-compliance and provides a link to download the FortiClient application installer. To ease introduction of endpoint NAC on your network, the FortiGate unit can optionally recommend non-compliant users install FortiClient software but allow them to continue without doing so. You can monitor the endpoints that are subject to endpoint NAC, viewing information about the computer, its operating system and detected applications.
Note: Endpoint NAC does not function if enabled in a firewall policy that contains a load balance VIP.
This section describes:
Configuring Endpoint NAC overview
Configuring FortiClient installer download and version enforcement
Configuring application detection lists
Configuring Endpoint NAC profiles
Monitoring endpoints
Define application detection lists to specify which applications are allowed or not allowed. Optionally, you can deny access to endpoints that have applications installed that are not on the detection list. See Configuring application detection lists on page 689. Configure Endpoint NAC profiles which specify the FortiClient enforcement settings and the application detection list to apply. You select the Endpoint NAC profile to use when you enable Endpoint NAC in the firewall policy. Enable endpoint NAC in firewall policies.
Note: You cannot enable Endpoint NAC in firewall policies if Redirect HTTP Challenge to a Secure Channel (HTTPS) is enabled in User > Options > Authentication.
Optionally, modify the inactivity timeout for endpoints. The default is 5 minutes. After that time period, the FortiGate unit rechecks the endpoint for Endpoint NAC compliance. To change the timeout, adjust the compliance-timeout value in the config endpoint-control settings CLI command.
You can also modify the appearance of the Endpoint NAC Download Portal and the Endpoint NAC Recommendation Portal. These are replacement messages. For more information, see Endpoint NAC replacement messages on page 235.
Information
FortiGuard Availability: FortiGuard Services is available if the indicator is green.
FortiClient Endpoint Versions: FortiClient software versions available from FortiGuard Services are listed. Select the Download link to download the installer.
AV Signature Package: The latest AV signature package available from FortiGuard Services.
Application Signature Package: The latest application signature package available from FortiGuard Services.
FortiClient Downloads: The number of FortiClient software downloads through this FortiGate unit.
Update Now: Retrieve the latest information from FortiGuard Services.
FortiClient Installer Download Location: Select one of the following options to determine the link that the FortiClient Download Portal provides to non-compliant users to download the FortiClient installer.
FortiGuard Distribution Network: The FortiClient application is provided by the FortiGuard Distribution Network. The FortiGate unit must be able to access the FortiGuard Distribution Network. See Configuring FortiGuard Services on page 300. If the FortiGate unit contains a hard disk drive, the files from FortiGuard Services are cached to more efficiently serve downloads to multiple endpoints.
This FortiGate: Users download a FortiClient installer file from this FortiGate unit. This option is available only on FortiGate models that support upload of FortiClient installer files. Upload your FortiClient installer file using the execute restore forticlient CLI command. For more information, refer to the FortiGate CLI Reference.
Custom URL: Specify a URL from which users can download the FortiClient installer. You can use this option to provide custom installer files even if your FortiGate unit does not have storage space for them.
Enforce Minimum Version From the list select either Latest Available or a specific FortiClient version as the minimum requirement for endpoints. The list contains the FortiClient versions available from the selected FortiClient Installer Download Location. Fortinet recommends that administrators deploy a FortiClient version update to their users or ask users to install the update and then wait a reasonable period of time for the updates to be installed before updating the minimum version required to the most recent version. Note: Select This FortiGate or Custom URL if you want to provide a customized FortiClient application. This is required if a FortiManager unit will centrally manage FortiClient applications. For information about customizing the FortiClient application, see the FortiClient Administration Guide.
Application Detection List
Create New: Create a new application detection list.
Name: Enter a name for the application detection list.
Comments: Optionally, enter descriptive information about this list.
# of Entries: The number of application entries in the list.
Profiles: The Endpoint NAC profiles that use this application detection list.
Edit: Edit this application detection list.
Other Applications (not specified below): Select what to do if applications not included in this list are installed on the endpoint:
  Allow: allow the endpoint to connect
  Deny: quarantine the endpoint
  Monitor: include this endpoint's information in statistics and logs
Create New: Create a new application entry. Select the software category, Remote Access, for example. Select the software vendor. Select the application from the list. Select one of the following:
  Installed: the application is installed but not currently running
  Running: the application is currently running
Action: Select what to do if the application is running on the endpoint:
  Allow: allow the endpoint to connect
  Deny: quarantine the endpoint
  Monitor: include this endpoint's information in statistics and logs on the Endpoint NAC Monitor page
Delete this application entry. Edit this application entry. Add a new entry preceding this one. Move this entry: enter the ID of another entry and select Before or After.
Page: Shows the current page number in the list. Select the left and right arrows to display the first, previous, next or last page of known endpoints.
Column Settings: Select the columns to display in the list. You can also determine the order in which they appear. For more information, see Using column settings to control the columns displayed on page 61 and Web-based manager icons on page 63.
Clear any column display filters you might have applied.
Edit the column filters to filter or sort the endpoints list according to the criteria you specify. For example, you could add a filter to the Detected Software column to display all endpoints running BitTorrent software. For more information, see Adding filters to web-based manager lists on page 57.
Profile list
Create New: Create a new Endpoint NAC profile.
Name: The name of the Endpoint NAC profile.
FortiClient Enforcement: Green check mark icon - enabled. Grey X icon - not enabled.
Application Detection List: The application detection list specified in this profile.
Delete: Delete this profile.
Edit: Edit this profile.
Endpoint NAC Profile settings
Name: Enter a name for the Endpoint NAC profile.
For non-compliant hosts: Enable one of the following options:
  Notify hosts to install FortiClient (warn only): Allow users to continue browsing without installing FortiClient Endpoint Security.
  Quarantine hosts to user portal (enforce compliance): Keep the endpoint quarantined until the user installs FortiClient Endpoint Security.
Additional Client Options: Enable to enforce any of the following:
  Anti-virus Enabled: Require that the antivirus feature is enabled.
  Anti-virus Up-to-date: Require that the antivirus signatures are up-to-date.
  Firewall Enabled: Require that the firewall feature is enabled.
Enable to check applications on the endpoint against an application detection list. Select the application detection list to use.
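How the profile options above combine into a per-endpoint decision (the warn-only versus quarantine setting, the minimum FortiClient version, the Additional Client Options, and the application detection list's Allow/Deny/Monitor actions with the Other Applications default), as an added Python model. This is example code, not FortiOS source; the Profile/Endpoint data model and the sample profile and endpoints are constructed for illustration.

```python
"""Model of how the Endpoint NAC profile options above combine into one decision.
Added example, not FortiOS code: option names follow the guide; the data model
and the sample profile and endpoints are constructed for illustration."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class Action(Enum):
    ALLOW = "allow"      # allow the endpoint to connect
    DENY = "deny"        # quarantine the endpoint
    MONITOR = "monitor"  # connect, but record the endpoint in statistics and logs

@dataclass
class AppEntry:
    name: str
    when_running: bool  # True: matches while running; False: installed but not running
    action: Action

@dataclass
class DetectionList:
    entries: list
    other_apps: Action  # "Other Applications (not specified below)"

@dataclass
class Profile:
    enforce: bool                     # True: quarantine to user portal; False: warn only
    min_version: str                  # Enforce Minimum Version, e.g. "4.1.0"
    require_av: bool = False          # Anti-virus Enabled
    require_av_current: bool = False  # Anti-virus Up-to-date
    require_firewall: bool = False    # Firewall Enabled
    detection: Optional[DetectionList] = None

@dataclass
class Endpoint:
    forticlient_version: Optional[str]  # None: FortiClient not running
    av_enabled: bool = False
    av_up_to_date: bool = False
    firewall_enabled: bool = False
    installed: set = field(default_factory=set)  # applications present on the host
    running: set = field(default_factory=set)    # the subset currently running

def version_tuple(v: str) -> tuple:
    """Compare dotted versions numerically, so that 4.10.0 > 4.9.0."""
    return tuple(int(p) for p in v.split("."))

def compliance_failures(profile: Profile, ep: Endpoint) -> list:
    """Every reason the endpoint fails the profile's FortiClient requirements."""
    if ep.forticlient_version is None:
        return ["FortiClient not running"]
    failures = []
    if version_tuple(ep.forticlient_version) < version_tuple(profile.min_version):
        failures.append(f"FortiClient {ep.forticlient_version} below minimum {profile.min_version}")
    if profile.require_av and not ep.av_enabled:
        failures.append("antivirus disabled")
    if profile.require_av_current and not ep.av_up_to_date:
        failures.append("antivirus signatures out of date")
    if profile.require_firewall and not ep.firewall_enabled:
        failures.append("firewall disabled")
    return failures

def app_actions(dl: DetectionList, ep: Endpoint) -> dict:
    """Map each detected application to the action the detection list assigns it."""
    result = {}
    for app in ep.installed | ep.running:
        action = dl.other_apps  # default for applications not in the list
        for entry in dl.entries:
            if entry.name == app and entry.when_running == (app in ep.running):
                action = entry.action
                break
        result[app] = action
    return result

def evaluate(profile: Profile, ep: Endpoint) -> dict:
    """Return the verdict ('allow', 'notify' or 'quarantine') with the reasons."""
    failures = compliance_failures(profile, ep)
    if failures:  # non-compliant host: warn only, or quarantine to the user portal
        return {"verdict": "quarantine" if profile.enforce else "notify",
                "reasons": failures, "monitored": []}
    actions = app_actions(profile.detection, ep) if profile.detection else {}
    denied = sorted(a for a, act in actions.items() if act is Action.DENY)
    monitored = sorted(a for a, act in actions.items() if act is Action.MONITOR)
    if denied:
        return {"verdict": "quarantine", "monitored": monitored,
                "reasons": [f"denied application: {a}" for a in denied]}
    return {"verdict": "allow", "reasons": [], "monitored": monitored}

# Constructed sample data (not from the guide).
SAMPLE_LIST = DetectionList(other_apps=Action.ALLOW, entries=[
    AppEntry("BitTorrent", when_running=True, action=Action.DENY),
    AppEntry("RemoteAdminTool", when_running=False, action=Action.MONITOR)])
ENFORCING = Profile(enforce=True, min_version="4.1.0", require_av=True, detection=SAMPLE_LIST)
WARN_ONLY = Profile(enforce=False, min_version="4.1.0", detection=SAMPLE_LIST)
NO_CLIENT = Endpoint(None)
OLD_CLIENT = Endpoint("4.0.3", av_enabled=True)
TORRENTING = Endpoint("4.1.2", av_enabled=True, running={"BitTorrent"},
                      installed={"BitTorrent", "RemoteAdminTool"})
CLEAN = Endpoint("4.1.2", av_enabled=True, installed={"RemoteAdminTool", "Spotify"})
```

Note that a Deny entry quarantines even a host that passes every FortiClient check, while Monitor only adds the application to the verdict's monitored list, matching the Allow/Deny/Monitor descriptions above.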
Monitoring endpoints
To view the list of known endpoints, go to Endpoint NAC > Monitor > Endpoints. An endpoint is added to the list when it uses a firewall policy that has Endpoint NAC enabled. Once an endpoint is added to the list it remains there until you manually delete it or until the FortiGate unit restarts. Every time an endpoint accesses network services through the FortiGate unit (or attempts to access services), the entry for the endpoint is updated.
The endpoints list can provide an inventory of the endpoints on your network. Entries for endpoints not running the FortiClient application include the IP address, last update time, and traffic volume/attempts. The non-compliant status indicates the endpoint is not running the FortiClient application. Entries for endpoints running the FortiClient application show much more information, depending on what the FortiClient application is able to gather. Detailed information you can view includes endpoint hardware (CPU and model name) and the software running on the endpoints. You can adjust column settings and filters to display this information in many different forms.
From the endpoints list, you can view information for each endpoint, temporarily exempt endpoints from endpoint NAC, and restore exempted endpoints to their blocked state.
Figure 425: Endpoints list (showing one endpoint that does not have FortiClient software installed)
Refresh: Update the list.
Status: Display Compliant or Non-compliant endpoints or Both. Compliant endpoints are running the minimum required version of FortiClient or a more recent version. To configure the minimum required version of FortiClient, see Configuring FortiClient installer download and version enforcement on page 688. The Status column displays a gray icon if the endpoint is non-compliant and a green icon if the endpoint is compliant. The Status column displays a green icon with an hourglass if the endpoint is non-compliant but has been temporarily exempted.
Page: Shows the current page number in the list. Select the left and right arrows to display the first, previous, next or last page of known endpoints.
Column Settings: Select the columns to display in the list. You can also determine the order in which they appear. For more information, see Using column settings to control the columns displayed on page 61 and Web-based manager icons on page 63.
Clear any column display filters you might have applied.
Edit the column filters to filter or sort the endpoints list according to the criteria you specify. For example, you could add a filter to the Detected Software column to display all endpoints running BitTorrent software. For more information, see Adding filters to web-based manager lists on page 57.
View icon: View details about a selected endpoint. Select this icon to display the information about the endpoint found by the FortiClient application.
Exempt Temporarily icon: Exempt the selected endpoint from endpoint NAC. This means an endpoint that is blocked and added to the endpoint list can temporarily access network services through the FortiGate unit. When you select this icon you can specify how long the endpoint is exempted from endpoint NAC. The default exempt duration is 600 seconds.
Restore to Blocked State icon: Resume blocking access for a temporarily exempted endpoint.
Information columns: Select Column Settings to determine which of the following columns to display. All information that appears in the columns is reported by the FortiClient application running on the endpoint, unless otherwise noted.
AV signature: The version of the FortiClient antivirus signatures installed on the endpoint.
Computer Manufacturer: The name of the manufacturer of the endpoint.
Computer Model: The model name of the endpoint.
CPU Model: The CPU running on the endpoint.
Description: The description of the endpoint.
Detected Software: The software applications detected on this endpoint. See Configuring application detection lists on page 689. You can control the applications that appear in the Detected Software column by editing the Detected Software filter. See Adding filters to web-based manager lists on page 57.
The version of the FortiClient application running on the endpoint.
The host name of the endpoint.
The FortiClient features enabled on the endpoint.
The IP address of the endpoint as found from the communication session. The FortiClient application is not required to obtain this information.
The last user to log in to the endpoint.
The time that the status of the endpoint was last verified by the FortiGate unit. The FortiClient application is not required to obtain this information.
The amount of memory installed on the endpoint.
The version of the operating system running on the endpoint.
The system up time of the endpoint.
Traffic Volume/Attempts: If the endpoint is compliant, this column displays the amount of data passed through the FortiGate unit by communication sessions originating from the endpoint. If the endpoint is non-compliant, this column displays the number of times the endpoint has attempted to connect through the FortiGate unit. The FortiClient application is not required to obtain this information.
User: The name of the active user account on the endpoint.
Wireless Controller
Most FortiGate units, but not FortiWiFi models, can act as a wireless network controller, managing the wireless Access Point (AP) functionality of FortiWiFi units. All units must be running the most recent FortiOS 4.0 firmware. You create virtual access points that can be associated with multiple physical access points. Clients can roam amongst the physical access points, extending the range of the wireless network.
The following topics are included in this section:
Configuration overview
Enabling the wireless controller
Configuring FortiWiFi units as managed access points
Configuring a virtual wireless access point
Configuring a physical access point
Configuring DHCP for your wireless LAN
Configuring firewall policies for the wireless LAN
Monitoring wireless clients
Monitoring rogue APs
Configuration overview
To set up a wireless network using the Wireless Controller feature, you need to:
Enable the wireless controller, if it is not already enabled.
Configure FortiWiFi units to be managed by the wireless controller.
Configure each virtual access point (VAP). A VAP has the SSID and security configuration settings you would find on a wireless access point device. Optionally, you can limit the number of simultaneous wireless clients who can use this VAP.
Configure each physical access point (AP). The AP settings include the radio settings and rogue AP scan settings. You select the VAPs that will be carried on the physical access point. Optionally, you can limit the number of simultaneous clients this AP will accept.
Configure DHCP service to provide addresses to your wireless clients.
Configure firewall policies to enable communication between the wireless LAN and other networks.
Name: Enter a name to identify the VAP. This is also the name of the virtual network interface you will use in firewall policies.
SSID: Enter the wireless service set identifier (SSID) or network name for this wireless interface. Users who want to use the wireless network must configure their computers with this network name.
SSID Broadcast: Select to broadcast the SSID. Broadcasting the SSID enables clients to connect to your wireless network without first knowing the SSID. For better security, do not broadcast the SSID.
Security mode: Select the security mode for the wireless interface. Wireless users must use the same security mode to be able to connect to this wireless interface.
  None: No security. Any wireless user can connect to the wireless network.
  WEP64: 64-bit wired equivalent privacy (WEP). To use WEP64 you must enter a Key containing 10 hexadecimal digits (0-9 a-f) and inform wireless users of the key.
  WEP128: 128-bit WEP. To use WEP128 you must enter a Key containing 26 hexadecimal digits (0-9 a-f) and inform wireless users of the key.
  WPA: Wi-Fi protected access (WPA) security. To use WPA you must select a data encryption method. You must also enter a pre-shared key containing at least eight characters or select a RADIUS server. If you select a RADIUS server, the wireless clients must have accounts on the RADIUS server.
  WPA2: WPA with more security features. To use WPA2 you must select a data encryption method and enter a pre-shared key containing at least eight characters or select a RADIUS server. If you select a RADIUS server, the wireless clients must have accounts on the RADIUS server.
  WPA2 Auto: The same security features as WPA2, but also accepts wireless clients using WPA security. To use WPA2 Auto you must select a data encryption method. You must also enter a pre-shared key containing at least eight characters or select a RADIUS server. If you select a RADIUS server, the wireless clients must have accounts on the RADIUS server.
Select TKIP or AES encryption as appropriate for the capabilities of your wireless clients. This is available for WPA security modes.
Many wireless clients can configure up to four WEP keys. Select which key clients must use with this access point. This is available when you select a WEP Security Mode.
Key: Enter the encryption key that the clients must use. This is available when you select a WEP Security Mode.
Authentication: Select one of:
  Pre-shared key: Enter the pre-shared key that clients must use.
  RADIUS Server: Select the RADIUS server that will authenticate the clients.
These settings are available when you select a WPA Security Mode.
Maximum Clients: Enter the maximum number of clients permitted to connect simultaneously. Enter 0 for no limit.
2 Select OK.
Enter the serial number of the FortiWiFi unit. This field is completed automatically if the AP discovers this AC and registers itself.
Enter a name for the physical AP.
Select one of the following:
  Discovery: This is the setting for APs that have discovered this AC and registered themselves. To use such an AP, select Enabled.
  Disabled: Do not manage this AP.
  Enabled: Manage this AP.
The last error message, if any, for this AP.
Rogue AP scanning detects other APs and reports them on the Wireless Controller > Rogue AP page. Select one of the following:
  Dedicated: The AP performs scanning only and does not provide service.
  Background: The AP performs scanning during idle periods while acting as an AP.
  Disabled: Do not perform scanning.
Scanning can reduce performance.
Select the wireless frequency band. Keep in mind the capabilities of your users' wireless cards or devices.
Select your country or region. This determines which channels are available.
Select a channel for your wireless network or select Auto. The channels that you can select depend on the Geography setting.
Set the transmitter power level. The higher the number, the larger the area the AP will cover.
Enter the maximum number of clients permitted to connect simultaneously to this physical AP. Enter 0 for no limit.
In the Available list, select the virtual APs to be carried on this physical AP and then select the right-arrow button to move them to the Selected list.
2 Select OK.
Column Settings
Information columns: Association Time, Bandwidth Rx, Bandwidth Tx, Bandwidth Tx/Rx, Idle Time, IP, MAC, Physical AP, Signal Strength/Noise, Virtual AP
Unknown Access Points are detected access points that have not been designated as either Rogue or Accepted.
Figure 428: Rogue Access Point list
Set the time between information updates. none means no updates.
Update the displayed information now.
Inactive Access Points: Select which inactive access points to show: all, none, those detected less than one hour ago, or those detected less than one day ago.
Online: A green checkmark indicates an active access point. A grey X indicates that the access point is inactive.
SSID: The wireless service set identifier (SSID) or network name for the wireless interface.
MAC Address: The MAC address of the wireless interface.
Channel: The wireless radio channel that the access point uses.
Rate: The data rate of the access point.
First Seen: The date and time when the FortiWiFi unit first detected the access point.
Last Seen: The date and time when the FortiWiFi unit last detected the access point.
Mark as Rogue AP: Select the icon to move this entry to the Rogue Access Points list.
Forget AP: Return the item to the Unknown Access Points list from the Accepted Access Points list or the Rogue Access Points list.
Mark as Accepted AP: Select the icon to move this entry to the Accepted Access Points list.
Log&Report
FortiGate units provide extensive logging capabilities for traffic, system and network protection functions. They also allow you to compile reports from the detailed log information gathered. Reports provide historical and current analysis of network activity to help identify security issues and to reduce and prevent network misuse and abuse. This section provides an introduction to FortiGate logging and reporting. For more information, see Logging and Reporting in FortiOS 4.0.
For better log storage and retrieval, the FortiGate unit can send log messages to a FortiAnalyzer unit. FortiAnalyzer units provide integrated log collection, analysis tools and data storage. Detailed log reports provide historical as well as current analysis of network activity and help identify security issues, reducing network misuse and abuse. The FortiGate unit can send all log message types, including quarantine files and DLP archives, to a FortiAnalyzer unit for storage. The FortiAnalyzer unit can upload log files to an FTP server for archival purposes. For more information about configuring the FortiGate unit to send log messages to a FortiAnalyzer unit, see Remote logging to a FortiAnalyzer unit on page 704.
If you have a subscription for the FortiGuard Analysis and Management Service, your FortiGate unit can send logs to a FortiGuard Analysis server. This service provides another way to store and view logs, as well as archiving email messages. For more information, see the FortiGuard Analysis and Management Service Administration Guide.
For details and descriptions of log messages and formats, see the FortiGate Log Message Reference.
This section provides information about how to enable logging, view log messages, and configure reports. If you have VDOMs enabled, see Using virtual domains on page 125 for more information.
The following topics are included in this section:
Configuring how a FortiGate unit stores logs
Configuring Alert Email
Configuring Event logging
Accessing and viewing log messages
Viewing DLP Archives
Viewing the File Quarantine list
Configuring FortiAnalyzer report schedules
Viewing Executive Summary reports from SQL logs
Viewing FortiAnalyzer reports
Viewing basic traffic reports
Log severity levels
Log types
Example configuration: logging all FortiGate traffic
Note: If the FortiGate unit is in transparent mode, certain settings and options for logging may not be available because certain features do not support logging, or are not available in transparent mode. For example, SSL VPN events are not available in transparent mode.
To configure the FortiGate unit to send logs to the FortiAnalyzer unit
1 Go to Log&Report > Log Config > Log Setting.
2 Select the expand arrow beside Remote Logging & Archiving to reveal the available options.
3 Select FortiAnalyzer.
4 From the Minimum log level list, select one of the following:
  Emergency: The system is unusable.
  Alert: Immediate action is required.
  Critical: Functionality is affected.
  Error: An erroneous condition exists and functionality is probably affected.
  Warning: Functionality might be affected.
  Notification: Information about normal events.
  Information: General information about system operations.
  Debug: Information used for diagnosing or debugging the FortiGate unit.
5 Enter the IP address of the FortiAnalyzer unit.
6 Select Apply.
The FortiAnalyzer unit needs to be configured to receive logs from the FortiGate unit after you have configured log settings on the FortiGate unit. Contact a FortiAnalyzer administrator to complete the configuration.
Note: You cannot configure a FortiAnalyzer unit to be a backup solution for the FortiGuard Analysis server, and vice versa. If you require a backup solution for one of these logging devices, use a syslog server or WebTrends server.
The name of the FortiAnalyzer unit. The default name of a FortiAnalyzer unit is its product name, for example, FortiAnalyzer-400.
The serial number of the FortiGate unit.
The status of whether or not the FortiGate unit is registered with the FortiAnalyzer unit. If the FortiGate unit is unregistered, it may not have full privileges. For more information, see the FortiAnalyzer Administration Guide.
The connection status between FortiGate and FortiAnalyzer units. A green check mark indicates there is a connection and a gray X indicates there is no connection.
Disk Space (MB): The amount of disk space, in MB, on the FortiAnalyzer unit for logs.
  Allocated Space: The amount of the FortiAnalyzer unit hard drive space designated for logs, including quarantine files and DLP archives.
  Used Space: The amount of used space.
  Total Free Space: The amount of unused space.
Privileges: The permissions of the device for sending and viewing logs, reports, DLP archives, and quarantined logs. Tx indicates the FortiGate unit is allowed to transmit log packets to the FortiAnalyzer unit. Rx indicates the FortiGate unit is allowed to display reports and logs stored on the FortiAnalyzer unit. A check mark indicates the FortiGate unit has permissions to send or view log information and reports. An X indicates the FortiGate unit is not allowed to send or view log information.
You can also test the connection status between the FortiGate unit and the FortiAnalyzer unit by using the following CLI command:
execute log fortianalyzer test-connectivity
The command displays the connection status and the amount of disk usage in percent. For more information, see the FortiGate CLI Reference.
Note: The test connectivity feature also provides a warning when a FortiGate unit requires a higher-end FortiAnalyzer unit or when the maximum number of VDOMs/FortiGate units has been reached on the FortiAnalyzer unit.
The IP address or fully qualified domain name of the syslog server. For example, the FQDN could be log.example.com.
The port number for communication with the syslog server, typically port 514.
The FortiGate unit logs all messages at and above the logging severity level you select. For more information about the logging levels, see Log severity levels on page 727.
Facility: Facility indicates to the syslog server the source of a log message. By default, FortiGate reports Facility as local7. You may want to change Facility to distinguish log messages from different FortiGate units.
Enable CSV Format: If you enable CSV format, the FortiGate unit produces the log in Comma Separated Value (CSV) format. If you do not enable CSV format, the FortiGate unit produces plain text files.
To configure the FortiGate unit to send logs to a syslog server
1 Go to Log&Report > Log Config > Log Setting.
2 Select the check box beside Syslog.
3 Select the expand arrow beside the check box to reveal the Syslog options.
4 Enter the appropriate information for the syslog server.
5 Select Apply.
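A receiver-side view of the syslog settings above, as an added example (not FortiOS or a Fortinet tool): it decodes the RFC 3164 <PRI> header of each message into the Facility and severity, uses the Facility to tell messages from different FortiGate units apart as the Facility setting suggests, and applies a minimum log level using the eight severities listed in this section. The sample lines, their message bodies and the unit names FG-A and FG-B are constructed.

```python
"""Receiver-side counterpart of the FortiGate syslog settings: decode the <PRI>
header into Facility and severity, attribute the message to a FortiGate unit by
Facility, and apply a minimum log level. Added example, not FortiOS or a Fortinet
tool; the sample lines and unit names are constructed."""
import re

# RFC 3164: PRI = facility * 8 + severity; local0..local7 are facility codes 16..23.
FACILITY_NAMES = {16 + i: f"local{i}" for i in range(8)}
# The guide's eight severities, most severe first, so the index is the syslog code.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notification", "information", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def decode_pri(line: str) -> tuple:
    """Return (facility_name, severity_name, remainder) for one syslog line."""
    m = PRI_RE.match(line)
    if m is None:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    return FACILITY_NAMES.get(facility, f"facility{facility}"), SEVERITIES[severity], m.group(2)


def at_or_above(severity: str, minimum: str) -> bool:
    """True when the message is at or above the configured minimum log level."""
    return SEVERITIES.index(severity) <= SEVERITIES.index(minimum)


def route(lines, facility_to_unit: dict, minimum_level: str) -> list:
    """Keep (unit, severity, body) for every line that passes the minimum level.

    Units that share a Facility cannot be told apart here, which is why the
    guide suggests giving each FortiGate unit its own Facility value.
    """
    kept = []
    for line in lines:
        facility, severity, body = decode_pri(line)
        unit = facility_to_unit.get(facility, f"unknown ({facility})")
        if at_or_above(severity, minimum_level):
            kept.append((unit, severity, body.strip()))
    return kept


# Constructed sample: FG-A keeps the default local7, FG-B was changed to local6.
FACILITY_TO_UNIT = {"local7": "FG-A", "local6": "FG-B"}
SAMPLE_LINES = [
    "<188>Oct 22 12:30:54 FG-A msg=\"interface status changed\"",  # local7.warning
    "<191>Oct 22 12:30:55 FG-A msg=\"debug trace\"",               # local7.debug
    "<177>Oct 22 12:30:56 FG-B msg=\"HA member failure\"",         # local6.alert
    "<182>Oct 22 12:30:57 FG-B msg=\"administrator login\"",       # local6.information
]
```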
To configure the FortiGate unit to save logs in memory
1 Go to Log&Report > Log Config > Log Setting.
2 Select Local Logging & Archiving and select the check box beside Memory.
3 Select Minimum log level for memory logs. The FortiGate unit logs all messages at and above the logging severity level you select. For more information about the logging levels, see Log severity levels on page 727.
To configure the FortiGate unit to save logs on the local hard disk
1 Go to Log&Report > Log Config > Log Setting.
2 Select Local Logging & Archiving and select the check box beside Disk.
3 Select Minimum log level for memory logs. The FortiGate unit logs all messages at and above the logging severity level you select. For more information about the logging levels, see Log severity levels on page 727.
4 Change the When log disk is full setting if required.
5 Change the Log rolling settings if required.
6 Select which log message types are saved as SQL logs.
7 Select Apply.
The name/address of the SMTP email server.
The email address the alert messages will come from.
Enter up to three email address recipients for the alert email message.
Select the authentication Enable check box to enable SMTP authentication.
Enter the user name for logging on to the SMTP server to send alert email messages. You need to do this only if you have enabled SMTP authentication.
Password: Enter the password for logging on to the SMTP server to send alert email. You need to do this only if you selected SMTP authentication.
Send alert email for the following: Select to have the alert email sent for one or multiple events that occur, such as an administrator logging in and out.
Interval Time (1-9999 minutes): Enter the minimum time interval between consecutive alert emails. Use this to rate-limit the volume of alert emails.
Intrusion detected: Select if you require an alert email message based on attempted intrusion detection.
Virus detected: Select if you require an alert email message based on virus detection.
Web access blocked: Select if you require an alert email message based on blocked web sites that were accessed.
HA status changes: Select if you require an alert email message based on HA status changes.
Select if you require an alert email message based on violating traffic that is detected by the FortiGate unit.
Firewall authentication failure: Select if you require an alert email message based on firewall authentication failures.
SSL VPN login failure: Select if you require an alert email message based on any SSL VPN logins that failed.
Administrator login/logout: Select if you require an alert email message based on whether administrators log in or out.
IPSec tunnel errors: Select if you require an alert email message based on whether there is an error in the IPSec tunnel configuration.
L2TP/PPTP/PPPoE errors: Select if you require an alert email message based on errors that occurred in L2TP, PPTP, or PPPoE.
Configuration changes: Select if you require an alert email message based on any changes made to the FortiGate configuration.
FortiGuard license expiry time (1-100 days): Enter the number of days before the FortiGuard license expiry time notification is sent.
FortiGuard log quota usage: Select if you require an alert email message based on the FortiGuard Analysis server log disk quota getting full.
Disk Usage: Select if you require an alert email when the internal hard disk or AMC disk reaches a disk usage level. You can set the disk usage level at which the alert email is sent.
Send alert email for logs based on severity: Select if you want to send an alert email that is based on a specified log severity, such as warning.
Minimum log level: Select a log severity from the list. For more information about log severity levels, see Log severity levels on page 727.
Pattern update event: All pattern update events, such as antivirus and IPS pattern updates and update failures.
SSL VPN user authentication event: All user authentication events for an SSL VPN connection, such as logging in, logging out and timeout due to inactivity.
SSL VPN administration event: All administration events related to SSL VPN, such as SSL configuration and CA certificate loading and removal.
SSL VPN session event: All session activity such as application launches and blocks, timeouts, and verifications.
VIP ssl event: All server-load balancing events happening during SSL sessions, especially details about handshaking.
VIP server health monitor event: All related VIP server health monitor events that occur when the VIP health monitor is configured, such as an interface failure.
CPU & memory usage (every 5 min): All real-time CPU and memory events, at 5-minute intervals.
6 Select the expand arrow to expand the Logging options.
7 Select the Log Application Control check box.
Antivirus log
The Antivirus log records virus incidents in Web, FTP, and email traffic. For example, when the FortiGate unit detects an infected file, blocks a file type, or blocks an oversized file or email, it records an antivirus log message. You can also apply filters to customize what the FortiGate unit logs, which are:
Viruses: The FortiGate unit logs all virus infections.
Blocked Files: The FortiGate unit logs all instances of blocked files.
Oversized Files/Emails: The FortiGate unit logs all instances of files and email messages exceeding defined thresholds.
AV Monitor: The FortiGate unit logs all instances of viruses, blocked files, and oversized files and email. This applies to HTTP, FTP, IMAP, POP3, SMTP, and IM traffic.
To enable antivirus logs
1 Go to Firewall > Protection Profile.
2 Select Edit beside the protection profile that you want.
3 Select the expand arrow beside Logging to reveal the available options.
4 Select the antivirus events you want logged.
5 Select OK.
You can view attack log messages from either the Memory or Remote tab.
To enable the attack logs
1 Go to Firewall > Protection Profile.
2 Select Edit beside the protection profile that you want.
3 Select the expand arrow beside Logging to reveal the available options.
4 Select Log Intrusions under IPS.
5 Select OK.
Note: Make sure attack signature and attack anomaly DoS sensor settings are enabled to log the attack. The logging options for the signatures included with the FortiGate unit are set by default. Ensure any custom signatures also have the logging option enabled. For more information, see Intrusion Protection on page 523.
Log Access provides tabs for viewing logs according to these locations. Each tab provides options for viewing log messages, such as search and filtering options, and a choice of log type. The Remote tab displays logs stored on either the FortiGuard Analysis server or the FortiAnalyzer unit, whichever one is configured for logging. Log information is displayed in the Log Access menu. Different tabs in Log Access display log information stored on the FortiAnalyzer unit, the FortiGuard Analysis server, and FortiGate system memory and hard disk if available. The columns that appear reflect the content found in the log file. The top portion of the Log Access page includes navigational features to help you move through the log messages and locate specific information. To view log messages, go to Log&Report > Log Access and then select the tab that corresponds to the log storage device used: Remote, Memory or Disk. If you are logging to the FortiGate unit's hard disk, select Edit beside a rolled log file to view log messages.
Log Type: Select the type of log you want to view. Some log files, such as the traffic log, cannot be stored to memory due to the volume of information logged.
Current Page: By default, the first page of the list of items is displayed. The total number of pages displays after the current page number. For example, if 3/54 appears, you are currently viewing page 3 of 54 pages. To view pages, select the left and right arrows to display the first, previous, next, or last page. To view a specific page, enter the page number in the field and then press Enter. For more information, see Using page controls on web-based manager lists on page 60.
Column Settings: Select to add or remove columns. This changes what log information appears in Log Access. For more information, see Column settings on page 718.
Raw or Formatted: By default, log messages are displayed in Formatted mode. Select Formatted to view log messages in Raw mode, without columns. When in Raw mode, select Formatted to switch back to viewing log messages organized in columns. When log messages are displayed in Formatted view, you can customize the columns, or filter log messages.
Clear All Filters: Clear all filter settings. For more information, see Filtering log messages on page 719.
Disk tab
Log Type: Select the type of log you want to view. Some log files, such as the traffic log, cannot be stored to memory because of the volume of information logged.
Refresh: Refresh the displayed log messages.
File name: The names of the log files of the displayed log type stored on the FortiGate hard disk. When a log file reaches its maximum size, the FortiGate unit saves the log file with an incremental number and starts a new log file with the same name. For example, if the current attack log is alog.log, any subsequent saved logs appear as alog.n, where n is the number of rolled logs.
Size (bytes): The size of the log file in bytes.
Last access time: The time the last log message was recorded in the file on the FortiGate unit, in the format day month date hh:mm:ss yyyy, for example Fri Feb 16 12:30:54 2007.
Clear log icon: Clear the current log file. Clearing deletes only the current log messages of that log file; the log file itself is not deleted.
Download icon: Download the log file or rolled log file. Select either Download file in Normal format or Download file in CSV format. Select Return to return to the Disk tab page. Downloading the current log file includes only current log messages.
View icon: View a log file's log messages.
Delete icon: Delete rolled logs. Fortinet recommends downloading a rolled log file before deleting it, because a rolled log file cannot be retrieved after it is deleted.
Remote tab
Log Type: Select the type of log you want to view.
Refresh: Refresh the displayed log messages.
Current Page: By default, the first page of the list of items is displayed. The total number of pages appears after the current page number. For example, if 3/54 appears, you are currently viewing page 3 of 54 pages. To view pages, select the left and right arrows to display the first, previous, next, or last page. To view a specific page, enter the page number in the field and then press Enter. For more information, see Using page controls on web-based manager lists on page 60.
Column Settings: Select to add or remove columns. This changes what log information appears in Log Access. For more information, see Column settings on page 718.
Raw or Formatted: By default, log messages are displayed in Formatted mode. Select Raw to view log messages in Raw mode, without columns. When in Raw mode, select Formatted to switch back to viewing log messages organized in columns. When log messages are displayed in Formatted view, you can customize the columns or filter log messages.
Clear All Filters: Clear all filter settings. For more information, see Filtering log messages on page 719.
Note: The FortiAnalyzer unit must be running firmware version 3.0 or higher to view logs from the FortiGate unit.
Column settings
By using Column Settings, you can customize the view of log messages in Formatted view. By adding columns, changing their order, or removing them, you can view only the log information you want. The Column Settings feature is available only in Formatted view.
Figure 438: Column settings for viewing log messages
To customize the columns
1 Go to Log&Report > Log Access.
2 Select the tab to view logs from: Memory, Disk or Remote.
3 Select a log type from the Log Type list.
4 Select the View icon if you are viewing a log file on a FortiAnalyzer unit.
5 Select the Column Settings icon.
6 Select a column name in the Available fields list and then select one of the following to change the view of the log information:
->: Select the right arrow to move selected fields from the Available fields list to the Show these fields in this order list.
<-: Select the left arrow to move selected fields from the Show these fields in this order list to the Available fields list.
Move up: Move the selected field up one position in the Show these fields in this order list.
Move down: Move the selected field down one position in the Show these fields in this order list.
7 Select OK.
Note: The Detailed Information column provides the entire raw log entry and is needed only if the log contains information not available in any of the other columns. The VDOM column displays which VDOM the log was recorded in. You can view the device ID and device name when customizing columns. The device ID provides the identification name of the device. The device name is the host name that you configured for the FortiGate unit, for example Headquarters.
To filter log messages
1 Go to Log&Report > Log Access.
2 Select the tab to view logs from: Memory, Remote or Disk.
3 Select a log type from the Log Type list.
4 Select the Filter icon in the column you want to filter on.
5 Select Enable to enable filtering for the column.
6 Enter the information as appropriate. The fields vary by log type and column. For more information about using the filter icons to filter log messages, see Adding filters to web-based manager lists on page 57.
7 Select OK.
8 Select the columns to filter in the Filter list. You can also select the columns that appear in the Filter list instead of selecting the actual column.
You can view log messages in Raw format only after configuring the filters. To delete all filter settings, select Clear All Filters, located under the Filters list.
Select the following tabs to view DLP archives for one of these protocols.
If you need to view logs in Raw format, select Raw beside the Column Settings icon. For more information, see Column settings on page 718. For information about configuring DLP archiving, see DLP archiving on page 580.
The file quarantine list displays the following information about each quarantined file:
Source: Either FortiAnalyzer or Local disk, depending on where you configured quarantined files to be stored.
Sort by: Sort the list. Choose from Status, Service, File Name, Date, TTL, or Duplicate Count. Select Apply to complete the sort.
Filter: Filter the list. Choose either Status (infected, blocked, or heuristics) or Service (IMAP, POP3, SMTP, FTP, HTTP, IM, or NNTP). Select Apply to complete the filtering. Heuristics mode is configurable through the CLI only. If your FortiGate unit supports SSL content scanning and inspection, Service can also be IMAPS, POP3S, SMTPS, or HTTPS.
Apply: Select to apply the sorting and filtering selections to the list of quarantined files.
Delete: Select to delete the selected files.
Page Controls: Use the controls to page through the list. For details, see Using page controls on web-based manager lists on page 60.
Remove All Entries: Removes all quarantined files from the local hard disk. This icon appears only when files are quarantined to the hard disk.
File Name: The file name of the quarantined file.
Date: The date and time the file was quarantined, in the format dd/mm/yyyy hh:mm. If duplicates are quarantined, this value is the time the first file was quarantined.
Service: The service from which the file was quarantined (HTTP, FTP, IMAP, POP3, SMTP, IM, NNTP, IMAPS, POP3S, SMTPS, or HTTPS).
Status: The reason the file was quarantined: infected, heuristics, or blocked.
Status Description: Specific information related to the status, for example File is infected with W32/Klez.h or File was stopped by file block pattern.
DC: Duplicate count. A count of how many duplicates of the same file were quarantined. A rapidly increasing number can indicate a virus outbreak.
TTL: Time to live, in the format hh:mm. When the TTL elapses, the FortiGate unit labels the file as EXP under the TTL heading. In the case of duplicate files, each duplicate found refreshes the TTL. The TTL information is not available if the files are quarantined on a FortiAnalyzer unit.
Upload status: Y indicates the file has been uploaded to Fortinet for analysis; N indicates it has not. This option is available only if the FortiGate unit has a local hard disk.
Download: Select to download the corresponding file in its original format. This option is available only if the FortiGate unit has a local hard disk.
Upload: Select to upload a suspicious file to Fortinet for analysis. This option is available only if the FortiGate unit has a local hard disk.
Note: Duplicates of files (based on the checksum) are not stored, only counted. The TTL value and the duplicate count are updated each time a duplicate of a file is found.
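The note above describes three behaviours that matter when you read the quarantine list: duplicates are recognised by checksum and counted rather than stored, each duplicate refreshes the TTL, and an entry whose TTL has elapsed shows EXP. The following Python model is an added example, not code from this guide or from Fortinet; it applies those rules together with the Sort by and Filter controls and a simple outbreak check on the DC column. The hash algorithm (SHA-256), the outbreak threshold and the sample file contents are assumptions, and the scenario in demo() is constructed.

```python
"""Model of the FortiGate file quarantine list: dedup by checksum, DC and
TTL bookkeeping, sort/filter controls, and an outbreak check on DC."""
import hashlib
from datetime import datetime, timedelta


class QuarantineStore:
    """One entry per distinct file checksum, as the quarantine list shows."""

    def __init__(self, ttl=timedelta(hours=1), outbreak_threshold=10):
        self.ttl = ttl                                # TTL granted to an entry
        self.outbreak_threshold = outbreak_threshold  # DC worth alerting on (assumed)
        self.entries = {}                             # checksum -> entry dict

    def add(self, data, file_name, service, status, description, now):
        """Quarantine a file; a duplicate checksum is counted, not stored again."""
        checksum = hashlib.sha256(data).hexdigest()   # SHA-256 is an assumption
        entry = self.entries.get(checksum)
        if entry is None:
            entry = {
                "checksum": checksum,
                "file_name": file_name,
                "date": now,            # time the first copy was quarantined
                "service": service,     # HTTP, FTP, IMAP, POP3, SMTP, ...
                "status": status,       # infected, heuristics, or blocked
                "description": description,
                "dc": 1,                # duplicate count
                "expires": now + self.ttl,
                "data": data,           # only the first copy is kept
            }
            self.entries[checksum] = entry
        else:
            entry["dc"] += 1                      # duplicate: count it ...
            entry["expires"] = now + self.ttl     # ... and refresh the TTL
        return entry

    def ttl_display(self, checksum, now):
        """TTL column: hh:mm remaining, or EXP once the TTL has elapsed."""
        remaining = self.entries[checksum]["expires"] - now
        if remaining <= timedelta(0):
            return "EXP"
        minutes = int(remaining.total_seconds() // 60)
        return f"{minutes // 60:02d}:{minutes % 60:02d}"

    def listing(self, sort_by="date", status=None, service=None):
        """Apply the Filter (Status or Service) and Sort by controls."""
        rows = [e for e in self.entries.values()
                if (status is None or e["status"] == status)
                and (service is None or e["service"] == service)]
        keys = {
            "file_name": lambda e: e["file_name"].lower(),
            "date": lambda e: e["date"],
            "service": lambda e: e["service"],
            "status": lambda e: e["status"],
            "ttl": lambda e: e["expires"],
            "dc": lambda e: -e["dc"],      # highest duplicate count first
        }
        return sorted(rows, key=keys[sort_by])

    def outbreak_candidates(self):
        """File names whose DC has reached the threshold: a possible outbreak."""
        return [e["file_name"] for e in self.entries.values()
                if e["dc"] >= self.outbreak_threshold]

    def remove_all(self):
        """Remove All Entries."""
        self.entries.clear()


def demo():
    """Constructed scenario: one file keeps arriving over SMTP, one HTTP block."""
    store = QuarantineStore(ttl=timedelta(minutes=90), outbreak_threshold=5)
    t0 = datetime(2009, 10, 22, 12, 0)
    worm = b"constructed sample payload A"      # constructed, not real malware
    for i in range(6):                          # same bytes in six mail messages
        store.add(worm, f"invoice{i}.exe", "SMTP", "infected",
                  "File is infected with W32/Klez.h",
                  t0 + timedelta(minutes=10 * i))
    store.add(b"constructed sample payload B", "tool.zip", "HTTP", "blocked",
              "File was stopped by file block pattern", t0)
    return store, t0


if __name__ == "__main__":
    store, t0 = demo()
    for e in store.listing(sort_by="dc"):
        print(e["file_name"], e["dc"],
              store.ttl_display(e["checksum"], t0 + timedelta(hours=1)))
    print("outbreak:", store.outbreak_candidates())
```

Because only the first copy is kept, the file name shown for a high-DC entry is the first name seen, not the latest; when investigating an outbreak, the checksum, not the name, is the identifier to pivot on.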
The following procedure describes how to clone a report schedule. When you clone a report schedule, a duplicate of the original is used as a basis for a new one. To view the list of report schedules, go to Log&Report > Report Config. To configure a report schedule, go to Log&Report > Report Config, select Create New, enter the appropriate information and then select OK.
General report schedule settings
Create New: Create a new report schedule.
Name: The name of the report schedule.
Description: The comment made when the report schedule was created.
Report Layout: The name of the report layout used for the report schedule.
Schedule: When the report schedule will be generated. The time depends on what period was selected when the report schedule was created: once, daily, weekly, or monthly. For example, if you select monthly, the days of the month and time (hh:mm) appear in the format Monthly 2, 10, 21, 12:00.
Delete and Edit icons: Delete or edit a report schedule in the list.
Clone icon: Create a duplicate of the report schedule and use it as a basis for a new report schedule.
New report schedule settings
Name: Enter a name for the schedule.
Description: Enter a description for the schedule. This is optional.
Report Layout: Select a configured report layout from the list. You must apply a report layout to a report schedule. For more information, see the FortiAnalyzer Administration Guide.
Language: Select the language you want used in the report schedule from the list.
Schedule: Select one of the following to have the report generated once only, daily, weekly, or monthly at a specified date or time.
Once: Select to have the report generated only once.
Daily: Select to generate the report every day at the same time, and then enter the hour and minute for the report. The format is hh:mm.
Weekly: Select to generate the report on specified days of the week, and then select the days of the week check boxes.
Monthly: Select to generate the report on a specific day or days of the month, and then enter the days separated by commas. For example, to generate the report on the first, 21st and 30th day of the month, enter: 1, 21, 30.
Variables: You can specify the following variables for the report:
Virtual Domain: Select to create a report based on virtual domains. Enter a specific virtual domain to include in the report.
User: Select to create a report based on a network user. Enter the user or users in the field, separated by spaces. If a name or group name contains a space, enclose it in quotes, for example "user 1".
User Group: Select to create a report based on a group of network users, defined locally. Enter the name of the group or groups in the field.
LDAP Query: Select the LDAP Query check box and then select an LDAP directory or Windows Active Directory group from the list.
Time Period: Select to choose the time period of the logs to include in the report. Select a time period from the list, for example This year.
Specify: Select to specify the date, day, year and time range of the logs to include in the report.
From: Select the beginning date and time of the log time range.
To: Select the ending date and time of the log time range.
Output: Select the format you want the report to be in and whether to apply an output template.
File Format: Select the type of file format for the generated report. You can choose from PDF, MS Word, Text, and MHT.
Output Template: Select the check box if you want to apply a report output template from the list. This list is empty if a report output template does not exist.
For more information, see the FortiAnalyzer Administration Guide.
Note: FortiAnalyzer reports do not appear if the FortiGate unit is not connected to a FortiAnalyzer unit, or if the FortiAnalyzer unit is not running firmware 3.0 or higher.
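The schedule fields above (Daily at hh:mm, Weekly by day check boxes, Monthly by a comma-separated day list) and the quoting rule for user names that contain spaces are easy to get wrong, especially a monthly day such as 30 that some months do not have. The following Python script is an added example, not code from this guide, from FortiAnalyzer or from Fortinet: it parses those field values and computes the next time a schedule would fire. It assumes that a day a month does not have is simply skipped for that month; the guide does not say how the FortiAnalyzer unit handles that case.

```python
"""Parse report schedule fields and compute the next generation time."""
import calendar
import shlex
from datetime import datetime, timedelta

WEEKDAYS = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}


def parse_days_of_month(text):
    """'1, 21, 30' -> [1, 21, 30]; rejects anything outside 1..31."""
    days = sorted({int(tok) for tok in text.split(",") if tok.strip()})
    if not days or days[0] < 1 or days[-1] > 31:
        raise ValueError(f"bad day list: {text!r}")
    return days


def parse_time(text):
    """'12:00' -> (12, 0), validating the hh:mm range."""
    hh, mm = (int(part) for part in text.split(":"))
    if not (0 <= hh < 24 and 0 <= mm < 60):
        raise ValueError(f"bad time: {text!r}")
    return hh, mm


def parse_users(text):
    """'alice "user 1" bob' -> ['alice', 'user 1', 'bob']; quotes protect spaces."""
    return shlex.split(text)


def next_run(schedule, now):
    """Next datetime strictly after `now` at which the schedule fires.

    schedule is a dict such as {"type": "monthly", "days": "1, 21, 30",
    "time": "12:00"}, {"type": "weekly", "days": ["Monday", "Thursday"],
    "time": "12:00"}, {"type": "daily", "time": "12:00"} or
    {"type": "once", "at": datetime(...)}. Returns None for a once-only
    schedule whose time has already passed.
    """
    kind = schedule["type"]
    if kind == "once":
        return schedule["at"] if schedule["at"] > now else None
    hh, mm = parse_time(schedule["time"])
    today_at = now.replace(hour=hh, minute=mm, second=0, microsecond=0)
    if kind == "daily":
        return today_at if today_at > now else today_at + timedelta(days=1)
    if kind == "weekly":
        wanted = {WEEKDAYS[name[:3].lower()] for name in schedule["days"]}
        for offset in range(8):                    # today through next week
            candidate = today_at + timedelta(days=offset)
            if candidate.weekday() in wanted and candidate > now:
                return candidate
        raise ValueError("weekly schedule selects no days")
    if kind == "monthly":
        days = parse_days_of_month(schedule["days"])
        year, month = now.year, now.month
        for _ in range(13):                        # a day 29-31 may skip months
            last_day = calendar.monthrange(year, month)[1]
            for day in days:
                if day <= last_day:                # skip days this month lacks
                    candidate = today_at.replace(year=year, month=month, day=day)
                    if candidate > now:
                        return candidate
            month, year = (1, year + 1) if month == 12 else (month + 1, year)
        raise ValueError("monthly schedule never fires")
    raise ValueError(f"unknown schedule type: {kind!r}")


if __name__ == "__main__":
    now = datetime(2009, 10, 22, 13, 0)            # a Thursday
    print(next_run({"type": "monthly", "days": "1, 21, 30", "time": "12:00"}, now))
    print(next_run({"type": "monthly", "days": "30", "time": "12:00"},
                   datetime(2010, 1, 31, 13, 0)))  # skips February
    print(parse_users('alice "user 1" bob'))
```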
To clone a report schedule
1 Go to Log&Report > Report Config.
2 Select Clone in the row of the report schedule that will be the basis of the new report schedule.
3 Rename the report schedule. The clone is initially named after the original, for example CloneOfFGT_100A.
4 Enter the appropriate information and select OK.
You can use the Log&Report menu to configure FortiAnalyzer report schedules and to view generated FortiAnalyzer reports. You can also configure basic traffic reports, which use the log information stored in FortiGate system memory to present basic traffic information in a graphical format.
FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20091022 http://docs.fortinet.com/ Feedback
Display Column
The report updates at the configured time. To update the report immediately, select the Refresh icon near the right end of the widget title bar. You can also select the Edit icon to change the report update schedule.
Report Files
Name: The name of the generated report. Select the name to view the report. You can also select the expand arrow and then select a rolled report to view it.
Date: The date the report was generated.
Size: The size of the report in bytes.
Format: Displays the formats PDF, RTF or MHT, or all of them if all formats were chosen in the report schedule.
Time Period: Select a time range to view for the graphical analysis. You can choose from one day, three days, one week or one month. The default is one day. When you refresh your browser or go to a different menu, the settings revert to the default.
Services: By default all services are selected. When you refresh your browser or go to a different menu, all services revert to the default. Clear the check boxes beside the services you do not want to include in the graphical analysis. The services are Browsing, DNS, Email, FTP, Gaming, Instant Messaging, Newsgroups, P2P, Streaming, TFTP, VoIP, Generic TCP, Generic UDP, Generic ICMP and Generic IP.
This bar graph is based on what services you select, and is updated when you select Apply. The graph is based on date and time, which is the current date and time. This bar graph displays the traffic volume for various protocols, in decreasing order of volume. The bar graph does not update when you select different services and then select Apply.
The report is not updated in real-time. You can refresh the report by selecting the Memory tab.
Note: The data used to present the graphs is stored in the FortiGate system memory. When the FortiGate unit is reset or rebooted, the data is erased.
Table 63: Log severity levels
0 - Emergency
  Description: The system has become unstable.
  Generated by: Event logs, specifically administrative events, can generate an emergency severity level.
1 - Alert
  Description: Immediate action is required.
  Generated by: Attack logs are the only logs that generate an Alert severity level.
2 - Critical
  Description: Functionality is affected.
  Generated by: Event, antivirus, and email filter logs.
3 - Error
  Description: An error condition exists and functionality could be affected.
  Generated by: Event and email filter logs.
4 - Warning
  Description: Functionality could be affected.
  Generated by: Event and antivirus logs.
5 - Notification
  Description: Information about normal events.
  Generated by: Traffic and web filter logs.
6 - Information
  Description: General information about system operations.
  Generated by: DLP archive, event, and email filter logs.
7 - Debug
  Description: Displays debugging messages. The Debug severity level is rarely used. It is the lowest log severity level and usually contains some firmware status information that is useful when the FortiGate unit is not functioning properly.
  Generated by: Debug log messages are generated by all types of FortiGate features.
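The severity levels in Table 63 and the column filters described under Filtering log messages are easy to apply offline to a raw log dump, for example when a downloaded log file has to be triaged without a FortiAnalyzer unit. The following Python script is an added example, not code from this guide or from Fortinet: it parses raw key=value log lines (the form shown in Raw mode), maps each record's severity name to its Table 63 level, filters by minimum severity and by column value, and builds the column view that Column Settings selects. The sample lines are constructed, and the field names date, time, devname, device_id, log_id, type, subtype, pri, vd and msg are assumptions about the raw format rather than fields documented on this page; only the severity names come from the table.

```python
"""Parse raw FortiGate-style key=value log lines, then filter them by
severity (Table 63) and by column, the way Log Access filters do."""
import re

# Severity levels from Table 63: 0 is the most severe, 7 the least.
SEVERITY = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "information": 6, "debug": 7,
}

# key=value, or key="quoted value with spaces" (backslash escapes allowed).
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample lines (not captured from a real unit); the field names
# are assumptions about the raw format, not taken from the guide.
SAMPLE_LOG = """\
date=2009-10-22 time=12:30:54 devname=Headquarters device_id=FG-HQ-1 log_id=0021000002 type=traffic subtype=allowed pri=notice vd=root src=10.1.1.5 srcport=51123 dst=192.0.2.10 dstport=80 service=HTTP status=accept
date=2009-10-22 time=12:30:55 devname=Headquarters device_id=FG-HQ-1 log_id=0021000003 type=traffic subtype=violation pri=warning vd=root src=10.1.1.9 srcport=4444 dst=192.0.2.20 dstport=23 service=TELNET status=deny
date=2009-10-22 time=12:31:10 devname=Headquarters device_id=FG-HQ-1 log_id=0100032001 type=event subtype=admin pri=critical vd=root user=admin ui=https(203.0.113.7) msg="Administrator admin login failed from https(203.0.113.7)"
date=2009-10-22 time=12:31:12 devname=Headquarters device_id=FG-HQ-1 log_id=0420070000 type=attack subtype=signature pri=alert vd=root src=203.0.113.7 dst=192.0.2.10 attack_name="TCP.Bad.Flags" status=dropped
"""


def parse_line(line):
    """Return the fields of one raw log line as a dict, quotes stripped."""
    record = {}
    for key, value in _FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        record[key] = value
    return record


def parse_log(text):
    """Parse every non-empty line of a raw log dump."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def severity_of(record):
    """Numeric severity of a record; a missing or unknown pri counts as debug (7)."""
    return SEVERITY.get(record.get("pri", "").lower(), 7)


def filter_records(records, min_severity="debug", **columns):
    """Keep records at least as severe as min_severity whose columns match.

    Column filters are exact, case-insensitive matches, e.g. type="traffic".
    A 'notice' threshold keeps levels 0..5, so traffic logs survive it, while
    a 'warning' threshold drops them, which is why the guide says to set the
    logging location to Notification to record traffic logs.
    """
    limit = SEVERITY[min_severity]
    kept = []
    for rec in records:
        if severity_of(rec) > limit:
            continue
        if all(rec.get(k, "").lower() == v.lower() for k, v in columns.items()):
            kept.append(rec)
    return kept


def formatted_view(records, column_names):
    """Build the Formatted view: one tuple per record, in the chosen column order."""
    return [tuple(rec.get(c, "") for c in column_names) for rec in records]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for row in formatted_view(filter_records(recs, "warning"),
                              ["time", "type", "pri", "src", "msg"]):
        print(row)
```

Treating an unrecognised pri value as debug is a deliberate fail-closed choice for a filter that raises the threshold: a malformed or unexpected record is hidden from a "warning and above" view rather than promoted into it. Flip that default if you would rather have unknown records surface for inspection.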
Log types
The FortiGate unit provides a wide range of features to log, enabling you to better monitor activity that is occurring on your network. For example, you can enable logging of IM/P2P features, to obtain detailed information on the activity occurring on your network where IM/P2P programs are used. Before enabling FortiGate features, you need to configure what type of logging device will store the logs. For more information, see Configuring how a FortiGate unit stores logs on page 704. This topic also provides details on each log type and explains how to enable logging of the log type.
Note: If the FortiGate unit is in transparent mode, certain settings and options for logging may not be available because they are not available in transparent mode. For example, SSL VPN events are not available in transparent mode.
Traffic log
The Traffic log records all the traffic to and through the FortiGate interfaces. You can configure logging of traffic controlled by firewall policies and of traffic between any source and destination addresses. You can also filter to customize the traffic logged:
Allowed traffic: The FortiGate unit logs all traffic that is allowed according to the firewall policy settings.
Violation traffic: The FortiGate unit logs all traffic that violates the firewall policy settings.
If you are logging other-traffic, the FortiGate unit will incur a higher system load because other-traffic logs log individual traffic packets. Fortinet recommends logging firewall policy traffic since it minimizes the load. Logging other-traffic is disabled by default.
Firewall policy traffic logging records the traffic that is both permitted and denied by the firewall policy, based on the protection profile. Firewall policy traffic logging records packets that match the policy.
To enable firewall policy traffic logging
1 Go to Firewall > Policy.
2 Select the expand arrow to view the policy list for a policy.
3 Select Edit beside the policy that you want. If required, create a new firewall policy by selecting Create New. For more information, see Firewall Policy on page 363.
4 Select Log Allowed Traffic.
5 Select OK.
Note: You need to set the logging severity level to Notification when configuring a logging location to record traffic log messages. Traffic log messages generally have a severity level no higher than Notification. If VDOMs are in transparent mode, make sure that VDOM allows access for enabling traffic logs.
    next
    edit port2
        set log enable
end
4 Use the following command to enable logging of other traffic.
config log syslogd filter
    set other-traffic enable
end
5 Go to UTM > Intrusion Protection > IPS Sensor and select Create New to add an IPS Sensor. Edit the IPS Sensor and select Add Pre-defined Override to add the following predefined IPS signatures to the sensor:
Invalid.Protocol.Header
TCP.Bad.Flags
TCP.Invalid.Packet.Size
Enable each of these signatures, set Action to Block and enable Logging.
6 Enter the following CLI commands to add a DoS policy (called an interface policy in the CLI) that includes the IPS Sensor.
config firewall interface-policy
    edit 1
        set interface <interface_name>
        set srcaddr all
        set dstaddr all
        set service ANY
        set ips-sensor-status enable
        set ips-sensor <sensor_name>
end
Where <sensor_name> is the name of the IPS sensor added above.
Index
Symbols
Numerics
802.3ad aggregate interface creating, 159
A
accept action firewall policy, 683, 684 access profile, See admin profile, 257 accessing logs stored in hard disk, 716 action email filter banned word, 564 email filter IP address, 567 firewall policy, 367 action type email filter email address, 569 active sessions HA statistics, 212 add signature to outgoing email protection profile, 479 adding, configuring or defining admin profile, 258 administrative access to interface, 165 administrator account, 244 administrator password, 246 administrator settings, 261 antispam advanced options, 570 antispam email address list, 568, 570 antispam IP address, 567 antispam IP address list, 566 antivirus file filter list, 515, 516 antivirus file patterns, 516 antivirus file quarantine, 516 antivirus log, 713 antivirus quarantine options, 518 antivirus scanning options, 477 application control options, 489 attack log (IPS), 714 authentication settings, 667 authentication, firewall policy, 372 autosubmit list, 517 banned word list, 563, 564 basic traffic report, graphical view, 727 BFD, 351 BFD on BGP, 352 BFD on OSPF, 353 BGP settings, 346 CA certificates, 286 Certificate Revocation List (CRL), 288 cipher suite, 627 combined IP pool and virtual IP, 440 custom firewall service, 406 custom service, firewall, 406 custom signatures, 527 customized CLI console, 68 DHCP interface settings, 161 DHCP relay agent, 201 DHCP server, 201 Directory Service server, 654, 655 Directory Service user groups, 660 DoS sensors, 538 Dynamic DNS on an interface, 163 dynamic virtual IP, 434 email filter log, 713 email filtering options, 485 event logs, 711 fail-open, IPS, 540 firewall address, 397 firewall address group, 399 firewall policy, 366, 367, 418, 419 firewall policy traffic logging, 728 firewall policy, modem connections, 175 firewall protection profile, 474 firewall schedule, 411 firewall service group, 408 firewall user groups, 659 firewall virtual IP, 421 firmware upgrade, 295 firmware version, 87 FortiAnalyzer report schedules, 721 FortiGuard override options for a user group, 664 FortiGuard Web Filtering options, 483 FortiWiFi-50B settings, 190, 191 FortiWiFi-60B settings, 190, 191 gateway for default route, 320 HA, 205 HA device priority, 212 HA subordinate unit host name, 212 health check monitor, 451 IM/P2P/VoIP applications, older versions, 646 interface settings, 151 inter-VDOM links, 136 IP pool, 440 IPS log (attack), 714 IPS options, 480 IPS sensor filters, 532 IPS sensors, 529 IPSec encryption policy, 376 IPSec VPN concentrator, 617 IPSec VPN phase 1, 606 IPSec VPN phase 1 advanced options, 608 IPSec VPN phase 2, 611 IPSec VPN phase 2 advanced options, 611 IPv6 support, 264 LDAP authentication, 249 LDAP server, 649, 650 license key, 311 local ratings, 556 local URL block categories, 555 local user account, 644 log message display, 717 logging options, 489 logging to a FortiAnalyzer unit, 704 logging to a FortiGuard Analysis server, 706 logging to a Syslog server, 707 logging to memory, 708
MAC filter list, 194 modem connections, firewall policy, 175 modem interface, 170 MTU size, 167 multicast settings, 348 NAT virtual IP, 428 OCSP certificates, 285 one-time schedule, 413 OSPF areas, 343 OSPF AS, 339 OSPF basic settings, 340 OSPF interface, operating parameters, 344 OSPF networks, 344 OSPF settings, advanced, 342 override server, 308 password, 246 password, administrator, 246 peer users and peer groups, 657 PKI authentication, 252 policy, 367, 372 policy route, 329 PPPoE or PPPoA interface settings, 162 PPTP range, 621, 623 PPTP VPN, 621, 623 protection profile, 468 push updates, 309 RADIUS authentication, 247 RADIUS server, 648 recurring schedule, 412 redundant interface, 160 redundant mode, 173 remote authentication, 246 RIP settings, advanced, 336 RIP settings, basic, 334 RIP-enabled interface, 337 scripts, 299 secondary IP address, 167 server load balance port forwarding virtual IP, 459 server load balance virtual IP, 454 SIP advanced features, 502 SNMP community, 214, 215 socket-size, IPS, 540 SSL VPN options, firewall policy, 376 SSL VPN settings, 626 SSL VPN user groups, 660 standalone mode, 174 static NAT port forwarding, IP address and port range, 432 static NAT port forwarding, single address and port, 431 static NAT virtual IP, IP address range, 429 static route, adding to routing table, 320 subnet object, 110 system administrators, 241 system certificates, 283 system configuration backup and restore, 290 system configuration backup and restore, FortiManager, 292 system configuration, central management options, 293 system status widgets, 68 system time, 86 TACACS+ authentication, 251 TACACS+ server, 652, 653 topology diagram, 110, 111 updates for FDN and FortiGuard services, 302 URL filter list, 548, 550
URL overrides, 553 user authentication settings, 667 user group, 661 user groups, 658 VDOM configuration settings, 127, 134 VDOM configuration settings, advanced, 131 VDOM configuration settings, global, 129 VDOM interface, 135 VDOM, new, 133 VIP group, 436 virtual IP, 426 virtual IP group, 436 virtual IP, port translation only, 435 virtual IPSec interface, 164 VPN firewall policy-based internet browsing, 616 VPN route-based internet browsing, 616 web content filter list, 545, 546 web filtering options, 480 wireless interface, 191 zone, 170 address firewall address group, 398 list, 397 address group, 398 adding, 399 creating new, 398 list, 398 Address Name firewall address, 398 admin administrator account, 49 admin profile administrator account, 254 CLI commands list, 256 configuring, 258 viewing list, 257 administrative access changing, 50 interface settings, 157, 165, 168 monitoring logins, 264 administrative distance, 314 administrative interface. See web-based manager administrator assigning to VDOM, 138 administrator account admin, 49 admin profile, 254 configuring, 244 netmask, 246 administrator login disclaimer, 232 administrator password changing, 49 administrator settings, 261 administrators viewing list, 243 administrators, monitoring, 264 Advanced Mezzanine Card (AMC), 74 AFS3, advanced file security encrypted file AFS3, 402 age limit quarantine, 519
aggregate interface creating, 159 AH, predefined service, 402 alert email, 709 options, 709 SMTP user, 710 alert message console viewing, 76 ALG SIP, 495 allow inbound IPSec firewall policy, 376 allow outbound IPSec firewall policy, 376 allow web sites when a rating error occurs protection profile, 484 allowed web category report, 558 AMC bridge module, 99 configuring AMC modules, 98 AMC module, 149 configuring, 98 antispam port 53, 305 port 8888, 305 antispam email address list adding, 568 viewing, 568 antispam IP address list viewing, 566 antispam. See also Email filter, 559 antivirus av_failopen, 520 CLI configuration, 520 configure antivirus heuristic, 520 file block, 513 file block list, 515 heuristics, 520 optimize, 520 quarantine, 516 quarantine files list, 720 scanning large files, 521 splice, 478, 487 streaming mode, 478, 487 system global av_failopen, 520 system global optimize, 520 virus list, 519 antivirus and attack definitions, 307 antivirus options protection profile, 477 antivirus updates, 307 manual, 91 through a proxy server, 308 ANY service, 402 AOL service, 402 append tag format protection profile, 488 append tag to location protection profile, 488
application control, 595 statistics, 600 application level gateway SIP, 495 application list SIP, 502 archiving spam email, 585 area border router (ABR), 338, 343 ARP, 426, 446 proxy ARP, 426, 446 AS OSPF, 338 ASM-CX4, 99 ASM-cx4, 99 ASM-FX2, 99 attack updates manual, 91 scheduling, 307 through a proxy server, 308 Authentication IPSec VPN, phase 2, 612 authentication client certificates and SSL VPN, 627 configuring remote authentication, 246 defining settings, 667 firewall policy, 372, 379 MD5, 344 RIP, 338 server certificate and SSL VPN, 627 Authentication Algorithm IPSec VPN, manual key, 614, 616 Authentication Key IPSec VPN, manual key, 616 Authentication Method IPSec VPN, phase 1, 607 Auto Key IPSec VPN, 605 Autokey Keep Alive IPSec VPN, phase 2, 613 autonomous system (AS), 338, 346 AutoSubmit quarantine, 519 autosubmit list configuring, 517 enabling uploading, 517 quarantine files, 517 av_failopen antivirus, 520
B
back to HA monitor HA statistics, 211 backing up 3.0 config to FortiUSB, 115 3.0 configuration, 114 config using web-based manager, 3.0, 114 configuration, 52 backup (redundant) mode modem, 171 backup and restore, system maintenance, 290
backup mode modem, 173 band wireless setting, 191 bandwidth guaranteed, 418 maximum, 418, 676, 681 banned word character set, 483 banned word (email filter) action, 564 adding words to the banned word list, 564 catalog, 562 language, 564 pattern, 564 banned word (spam filter) language, 564 list, 563 pattern, 564 pattern type, 564 banned word check protection profile, 487 banned word list creating new, 563 banned word list catalog viewing, 562 beacon interval wireless setting, 191 BFD configuring on BGP, 352 configuring on OSPF, 353 disabling, 352 BGP AS, 346 flap, 346 graceful restart, 346 MED, 346 RFC 1771, 346 service, 402 settings, viewing, 346 stabilizing the network, 346 black/white list, 565 blackhole route, 315 blackhole routing, 158 block, 504 block login (IM) protection profile, 489 blocked web category report, 558 Boot Strap Router (BSR), 348 BOOTP, 203 branch, 508 bridge mode, 99 bridge module AMC, 99 button bar features, 51
C
CA certificates importing, 286 viewing, 286 catalog banned word, 562 content filter, 545 email address back/white list, 568 IP address black/white list, 565 URL filter, 548 viewing file pattern, 514 category protection profile, 485 web category report, 558 category block configuration options, 552 reports, 557 central management, 260 revision control, 261 Certificate Name IPSec VPN, phase 1, 607 certificate, security. See system certificate certificate, server, 627 certificate. See system certificates channel wireless setting, 191 character set converting, 483 DLP, 483 email filter, 483 web filtering, 483 CIDR, 28, 266, 395, 679 cipher suite SSL VPN, 627 CLI, 47 admin profile, 256 connecting to from the web-based manager, 51 CLI command PPTP tunnel setup, 623 CLI configuration antivirus, 520 customizing CLI console, 68 using in web-based manager, 79 web category block, 557 CLI console, 79 client certificates SSL VPN, 627 client comforting, 479 cluster member, 209 cluster members list, 210 priority, 210 role, 210 cluster unit disconnecting from a cluster, 212 code, 407 column settings, 718 configuring, 61 using with filters, 63 comfort clients protection profile, 478
comforting client, 479 command line interface (CLI), 24 comments firewall policy, 372, 379 comments, documentation, 30 concentrator adding, 617 equivalent for route-based VPN, 604 IPSec tunnel mode, 617 IPSec VPN, policy-based, 617 Concentrator Name IPSec VPN, concentrator, 617 config antivirus heuristic CLI command, 520 configuration backing up the configuration, 52 configuring WAN optimization peer, 680 WAN optimization rule, 675 connecting modem, dialup account, 175 web-based manager, 48 conservation mode, 220 conserve mode, 76 contact information SNMP, 214 contacting customer support, 51 content archiving DLP archiving, 580 content block catalog, 545 web filter, 544 content filtering character set, 483 content filtering mode HTTPS, 477 content scanning SSL, 469 content streams replacement messages, 225 CPU load, 132 CPU usage HA statistics, 211 CRL (Certificate Revocation List) importing, 288 viewing, 287 custom service adding, 406 adding a TCP or UDP custom service, 406 list, 406 custom signatures intrusion protection, 527 viewing, 527 customer service, 29, 132 customer support contacting, 51 customized GUI PPTP tunnel setup, 621 CVSPSERVER, concurrent versions system proxy server, 402 cx4, 99
D
dashboard, 47, 67 dashboard statistics protection profile, 488 data encryption wireless setting, 193 data leak prevention sensor, 488 data leak protection, 575 compound rule, 591 rule, 586 sensor, 575 date quarantine files list, 720 daylight saving changes, 86 DC quarantine files list, 721 DCE-RPC firewall service, 402 Dead Peer Detection IPSec VPN, phase 1, 610 default password, 24 default gateway, 318 default route, 318 Designated Routers (DR), 348 destination firewall policy, 367, 370, 375, 378 destination IP address system status, 83 destination NAT SIP, 496 destination network address translation (DNAT) virtual IPs, 423, 424 destination port, custom services, 407 device priority HA, 207 subordinate unit, 212 DH Group IPSec VPN, phase 1, 610 IPSec VPN, phase 2, 612 DHCP and IP Pools, 371 configuring relay agent, 201 configuring server, 201 servers and relays, 199 service, 200 system, 199 transparent mode, 199 viewing address leases, 203 DHCP (Dynamic Host Configuration Protocol) configuring on an interface, 161 service, 402 DHCP6 service, 402 DHCP-IPSec IPSec VPN, phase 2, 613 diagnose commands, 51 diagram topology viewer, 107
735
Index
dialup VPN monitor, 618 Directory Service configuring server, 654, 655 FSAE, 655 disclaimer administrator login, 232 disconnecting modem, dialup account, 175 disk space quarantine, 519 display content meta-information on dashboard protection profile option, 489 display content meta-information on the system dashboard protection profile, 488 Distinguished Name query, 652 DLP archiving, 580 character set, 483 content archiving, 580 DLP archive viewing, 91, 586, 719 DLP archiving, 580 DLP. See data leak protection DNAT virtual IPs, 423, 424 DNS service, 402 split, 177, 180 documentation commenting on, 30 Fortinet, 30 domain name, 396 DoS policy, 379 configuring, 381, 384 viewing, 380 DoS sensor, 537 IPS, 480 list, 538 SCCP, 501 SIP, 501 dotted-decimal notation, 343 double NAT, 440 downgrading. See also reverting 3.0 using the CLI, 121 3.0 using web-based manager, 120 download quarantine files list, 721 duplicates quarantine files list, 721 Dynamic DNS IPSec VPN, phase 1, 606 monitor, 618 network interface, 163 VPN IPSec monitor, 618 dynamic IP pool SIP, 497 dynamic resources VDOM resource limits, 139, 140
dynamic routing, 333 OSPF, 338 PIM, 348 dynamic virtual IP adding, 434
E
ECMP, 315 eip vpn pptp, 623, 624 email oversize threshold, 478 email address action type, 569 adding to the email address list, 570 black/white list catalog, 568 BWL check, protection profile, 487 list, email filter, 568 pattern type, 569 email alert, 709 email filter, 559 adding words to the banned word list, 564 email address list, 568 IP address, 565 IP address list, 566 Perl regular expressions, 571 email filtering options protection profile, 485 enable FortiGuard Web Filtering protection profile, 484 enable FortiGuard Web Filtering overrides protection profile, 484 Enable perfect forward secrecy (PFS) IPSec VPN, phase 2, 612 Enable replay detection IPSec VPN, phase 2, 612 enable session pickup HA, 208 Encryption IPSec VPN, phase 2, 612 Encryption Algorithm IPSec VPN, manual key, 614, 615 Encryption Key IPSec VPN, manual key, 615 end IP IP pool, 440 enhanced reliability, 205 Equal Cost Multipath (ECMP), 315 equal-cost multi-path (ECMP), 322 ESP service, 402 example firewall policy, 389 source IP address and IP pool address matching, 438 exclude range adding to DHCP server, 203 expire system status, 83 expired subscription, 303
explicit mode WAN optimization, 679 exported server certificates importing, 283 external interface virtual IP, 426 external IP address virtual IP, 427 external service port virtual IP, 427
F
fail-open, CLI command for IPS, 540 FDN attack updates, 239 HTTPS, 306 override server, 304 port 443, 306 port 53, 305 port 8888, 305 port forwarding connection, 309 proxy server, 308 push update, 304 troubleshooting connectivity, 306 updating antivirus and attack definitions, 307 FDS, 300 file block antivirus, 513 default list of patterns, 513 list, antivirus, 515 protection profile, 478 file name quarantine files list, 720 file pattern catalog, 514 quarantine autosubmit list, 517 filter filtering information on web-based manager lists, 57 IPS sensor, 532 quarantine files list, 720 using with column settings, 63 web-based manager lists, 57 FINGER service, 402 firewall, 363, 395, 401, 411, 421, 467 address list, 397 configuring, 363, 395, 467 configuring firewall service, 401 configuring service group, 408 configuring virtual IP, 421 configuring, schedule, 411 custom service list, 406 one-time schedule, 412 overview, 363, 395, 401, 467 overview, firewall schedule, 411 overview, virtual IP, 421 policy list, 366 policy matching, 363 predefined services, 401 recurring schedule, 411 virtual IP list, 425
firewall address adding, 397 address group, 398 address name, 398 create new, 397 IP range/subnet, 398 list, 397 name, 397 subnet, 398 firewall address group adding, 399 available addresses, 400 group name, 400 members, 400 firewall IP pool list, 439 firewall IP pool options, 440 firewall policy accept action, 683, 684 action, 367 adding, 367 adding a protection profile, 468 allow inbound, 376 allow outbound, 376 authentication, 372, 379 changing the position in the policy list, 364, 677 comments, 372, 379 configuring, 367 creating new, 366, 418, 419 deleting, 364, 677 destination, 367, 370, 375, 378 example, 389 guaranteed bandwidth, 418 ID, 367 inbound NAT, 376 insert policy before, 367, 676 list, 366 log traffic, 372, 375, 379 matching, 363 maximum bandwidth, 418, 676, 681 modem, 175 moving, 364, 677 multicast, 365 outbound NAT, 376 protection profile, 371 schedule, 367, 370 service, 367, 371 source, 367, 370, 378 SSL VPN options, 376 traffic priority, 676, 681 traffic shaping, 371, 375, 379 user groups, 659 firewall protection profile default protection profiles, 468 list, 469 options, 474
firewall service AFS3, 402 AH, 402 ANY, 402 AOL, 402 BGP, 402 CVSPSERVER, 402 DCE-RPC, 402 DHCP, 402 DHCP6, 402 DNS, 402 ESP, 402 FINGER, 402 FTP, 402 FTP_GET, 402 FTP_PUT, 402 GOPHER, 402 GRE, 402 group list, 408 H323, 403 HTTP, 403 HTTPS, 403 ICMP_ANY, 403 IKE, 403 IMAP, 403 INFO_ADDRESS, 403 INFO_REQUEST, 403 Internet-Locator-Service, 403 IRC, 403 L2TP, 403 LDAP, 403 MGCP, 403 MS-SQL, 403 MYSQL, 403 NetMeeting, 403 NFS, 403 NNTP, 403 NTP, 403 ONC-RPC, 404 OSPF, 404 PC-Anywhere, 404 PING, 404 PING6, 404 POP3, 404 PPTP, 404 QUAKE, 404 RAUDIO, 404 REXEC, 404 RIP, 404 RLOGIN, 404 RSH, 404 RTSP, 404 SAMBA, 404 SCCP, 405 SIP, 405 SIP-MSNmessenger, 405 SMTP, 405 SNMP, 405 SOCKS, 405 SQUID, 405 SSH, 405 SYSLOG, 405 TALK, 405 TCP, 405
TELNET, 405 TFTP, 405 TIMESTAMP, 405 UDP, 405 UUCP, 405 VDOLIVE, 405 viewing custom service list, 406 viewing list, 401 VNC, 405 WAIS, 405 WINFRAME, 406 WINS, 406 X-WINDOWS, 406 firmware reverting to previous version, 89 upgrading to a new version, 88 viewing, 294 firmware version, 88 fixed port IP pool, 438 FortiAnalyzer, 23, 704 accessing logs, 716 configuring report schedules, 721 logging to, 704 printing reports, 725 VDOM, 126 FortiBridge, 23 FortiClient, 23 system maintenance, 290 FortiGate documentation commenting on, 30 FortiGate SNMP event, 217 FortiGate-ASM-CX4, 99 FortiGate-ASM-FB4, 149 FortiGate-ASM-FX2, 99 FortiGuard, 23 Antispam, 24 Antivirus, 24 changing the host name, 557 CLI configuration, 557 configuration options, 552 configuring FortiGuard Web filtering options, 483 manually configuring definition updates, 91 override options for user group, 664 report allowed, 558 report blocked, 558 report category, 558 report profiles, 558 report range, 558 report type, 558 reports, 557 web filter, 552 FortiGuard Analysis Service accessing logs on FortiGuard Analysis server, 717 FortiGuard Antispam email checksum check, 486 IP address check, 486 FortiGuard Distribution Network. See FDN FortiGuard Distribution Server. See FDS FortiGuard Intrusion Prevention System (IPS), 72 FortiGuard Management Services remote management options, 293
FortiGuard Services, 300 antispam service, 301 configuring antispam service, 301 configuring updates for FDN and services, 302 configuring web filter service, 301 FortiGuard Management and Analysis Services, 301 licenses, 70, 301 management and analysis service options, 306 support contract, 302 web filtering, 301 web filtering and antispam options, 305 FortiMail, 23 FortiManager, 23 FortiManager Management Services revision control, 297 Fortinet customer service, 132 Fortinet customer service, 29 Fortinet documentation, 30 Fortinet Family Products, 23 Fortinet Knowledge Center, 30 Fortinet MIB, 217, 221 Fortinet product registering, 52 FortiWiFi-50B wireless settings, 190 FortiWiFi-60B wireless settings, 190 fragmentation threshold wireless setting, 193 FSAE Directory Service server, 655 FTP service, 402 FTP_GET service, 402 FTP_PUT service, 402 fully qualified domain name (FQDN), 396 FX2, 99
G
geography wireless setting, 191 graceful restart, 346 graphical user interface. See web-based manager grayware updating antivirus and attack definitions, 307 GRE, 338 service, 402 group name HA, 208 grouping services, 408 groups user, 658 guaranteed bandwidth firewall policy, 418 traffic shaping, 418 GUI. See web-based manager
H
H323 service, 403 HA, 205, 210 changing cluster unit host names, 210 cluster member, 210 cluster members list, 209 configuring, 205 device priority, 207 disconnecting a cluster unit, 212 enable session pickup, 208 group name, 208 hash map, 208 heartbeat interface, 208 host name, 210 interface monitoring, 208 mode, 207 password, 208 port monitor, 208 router monitor, 360 routes, 360 session pickup, 208 subordinate unit device priority, 212 subordinate unit host name, 212 VDOM partitioning, 206, 208 viewing HA statistics, 211 HA statistics active sessions, 212 back to HA monitor, 211 CPU usage, 211 intrusion detected, 212 memory usage, 212 monitor, 211 network utilization, 212 refresh every, 211 status, 211 total bytes, 212 total packets, 212 unit, 211 up time, 211 virus detected, 212 HA virtual clustering, 206 health check monitor configuring, 451 heartbeat, HA interface, 208 HELO DNS lookup protection profile, 487 help navigating using keyboard shortcuts, 55 searching the online help, 54 using FortiGate online help, 52 heuristics antivirus, 520 quarantine, 521 high availability (HA), 205 high availability See HA, 205 host name changing, 87 changing for a cluster, 210 viewing, 87
hostname cluster members list, 210 HTTP, 451 service, 403 virus scanning large files, 521 HTTPS, 47, 239 service, 403 HTTPS content filtering mode, 477 hub-and-spoke IPSec VPN (see also concentrator), 604
I
ICMP custom service, 407 code, 407 protocol type, 407 type, 407 ICMP echo request, 451 ICMP_ANY service, 403 ID firewall policy, 367 idle timeout changing for the web-based manager, 50 IEEE 802.11a, channels, 188 IEEE 802.11b, channels, 189 IEEE 802.11g, channels, 189 IEEE 802.3ad, 159 IKE service, 403 IMAP service, 403 inbound NAT IPSec firewall policy, 376 index number, 28 INFO_ADDRESS service, 403 INFO_REQUEST service, 403 insert policy before firewall policy, 367, 676 inspection SSL, 469 installation, 24 interface adding system settings, 151 administrative access, 157, 165, 168 administrative status, 149 configuring administrative access, 165 GRE, 338 loopback, 149, 316 modem, configuring, 170 MTU, 157 proxy ARP, 426, 446 wireless, 187 WLAN, 187 Interface Mode, 151 interface monitoring, 208 HA, 208 internet browsing IPSec VPN configuration, 616
Internet-Locator-Service service, 403 inter-VDOM links, 136 introduction Fortinet documentation, 30 intrusion detected HA statistics, 212 intrusion protection custom signature list, 527 DoS sensor list, 538 DoS sensor, protection profile, 480 fail-open, CLI command for IPS, 540 filter, 532 IPS sensor list, 529 IPS sensor, protection profile, 480 predefined signature list, 525 protection profile options, 480 protocol decoder, 528 protocol decoder list, 528 signatures, 524 socket-size, CLI command for IPS, 540 Intrusion Protection definitions, 91 IP virtual IP, 425 IP address action, antispam, 567 antispam black/white list catalog, 565 BWL check, protection profile, 487 defining PPTP range, 621, 623 email filter, 565 IPSec VPN, phase 1, 606 list, email filter, 566 PPTP user group, 621, 623 IP address, configuring secondary, 167 IP custom service, 408 protocol number, 408 protocol type, 408 IP pool adding, 440 configuring, 440 creating new, 440 DHCP, 371 end IP, 440 fixed port, 438 IP range/subnet, 440, 441 list, 439 name, 440, 441 options, 440 PPPoE, 371 proxy ARP, 426, 446 SIP, 497 start IP, 440 transparent mode, 442 IP range/subnet firewall address, 398 IP pool, 440, 441 IPS see intrusion protection IPS sensor filter, 532 options, protection profile, 480 IPS sensors creating, 529
IPSec, 338 IPSec firewall policy allow inbound, 376 allow outbound, 376 inbound NAT, 376 outbound NAT, 376 IPSec Interface Mode IPSec VPN, manual key, 616 IPSec VPN, phase 1, 609 IPSec VPN adding manual key, 614 authentication for user group, 658 Auto Key list, 605 concentrator list, 617 configuring phase 1, 606 configuring phase 1 advanced options, 608 configuring phase 2, 611 configuring phase 2 advanced options, 611 configuring policy-, route-based Internet browsing, 616 Manual Key list, 614 monitor list, 618 remote gateway, 658 route-based vs policy-based, 604 IPv6, 264, 316 IPv6 support settings, 263 IRC service, 403
K
Keepalive Frequency IPSec VPN, phase 1, 610 key license, 311 wireless setting, 193 keyboard shortcut online help, 55 Keylife IPSec VPN, phase 1, 610 IPSec VPN, phase 2, 612
L
L2TP, 659 service, 403 language changing the web-based manager language, 49 email filter banned word, 564 spam filter banned word, 564 web content block, 546 web-based manager, 49, 263
LDAP configuring server, 649, 650 service, 403 user authentication, 644 LDAP Distinguished Name query, 652 LDAP server authentication, 246 configuring authentication, 249 license key, 311 licenses viewing, 70 limit VDOM resources, 139 lists using web-based manager, 57 load balancer, 445 local certificates options, 281 viewing, 280 Local Gateway IP IPSec VPN, phase 1, 609 Local ID IPSec VPN, phase 1, 610 Local Interface IPSec VPN, manual key, 615 IPSec VPN, phase 1, 607 local ratings configuring, 556 local ratings list viewing, 555 Local SPI IPSec VPN, manual key, 615 local user, 644 local user account configuring, 644 log attack anomaly, 714 attack signature, 714 column settings, 718 raw or formatted, 715 to FortiAnalyzer, 704 traffic, firewall policy, 372, 375, 379 log traffic firewall policy, 372, 375 log types, 728 antivirus, 713 attack, 714 email filter, 713 event, 711 traffic, 728 web filter, 713
logging, 716 accessing logs in memory, 715 accessing logs on FortiAnalyzer unit, 716 accessing logs on FortiGuard Analysis server, 717 alert email, configuring, 709 applying through protection profile, 489 basic traffic reports, 725 blocked files, 490 configuring FortiAnalyzer report schedules, 721 configuring graphical system memory report, 727 content block, 490 customizing display of log messages, 717 DLP archive, 719 FortiGuard Analysis server, 706 intrusions, 491 invalid domain name warnings, 490 log severity levels, 727 log types, 728 oversized files/emails, 490 printing FortiAnalyzer reports, 725 rating errors, 490 searching, filtering logs, 719 SIP, 501 spam, 490 storing logs, 704 testing FortiAnalyzer configuration, 705 to a FortiAnalyzer unit, 704 to memory, 708 to syslog server, 707 URL block, 490 viewing DLP archives, 586, 719 viewing raw or formatted logs, 715 viruses, 490 logging out web-based manager, 55 loopback interface, 149, 316 lost password recovering, 49, 245, 246 low disk space quarantine, 519
M
MAC address filtering, 193 MAC filter wireless, 193 MAC filter list configuring, 194 viewing, 194 major version, 88 Management Information Base (MIB), 213 management VDOM, 135, 139 Manual Key IPSec VPN, 614 map to IP virtual IP, 425 map to port virtual IP, 425, 427 matched content, 453 matching firewall policy, 363
max filesize to quarantine quarantine, 519 maximum bandwidth, 418, 676, 681 firewall policy, 418, 676, 681 traffic shaping, 418, 676, 681 MD5 OSPF authentication, 344, 345 Members IPSec VPN, concentrator, 617 memory, 132 memory usage HA statistics, 212 menu web-based manager menu, 56 MGCP service, 403 mheader, 570 MIB, 221 FortiGate, 217 RFC 1213, 217 RFC 2665, 217 minor version, 88 Mode IPSec VPN, phase 1, 607 mode HA, 207 operation, 24 modem adding firewall policies, 175 backup mode, 173 connecting and disconnecting to dialup account, 175 redundant (backup) mode, 171 standalone mode, 171, 174 viewing status, 176 modem interface configuring, 170 monitor administrator logins, 264 HA statistics, 211 IPSec VPN, 618 routing, 359 monitored ports, 477 monitoring WAN optimization, 682 moving a firewall policy, 364, 677 MS-CHAP, 648 MS-CHAP-V2, 648 MS-SQL service, 403 MTU size, 157, 167 multicast, 348 multicast destination NAT, 350 multicast policy, 365 multicast settings overriding, 350 viewing, 348 Multi-Exit Discriminator (MED), 346 MYSQL service, 403
N
Name IP pool, 440, 441 IPSec VPN, manual key, 615 IPSec VPN, phase 1, 606 IPSec VPN, phase 2, 611 NAPT, 385 NAT in transparent mode, 442 inbound, IPSec firewall policy, 376 multicast, 350 NAPT, 385 outbound, IPSec firewall policy, 376 port selection, 385 preserving SIP NAT IP, 505 push update, 309 SIP, 495 SIP contact headers, 506 symmetric, 424 NAT virtual IP adding for single IP address, 428 adding static NAT virtual IP for IP address range, 429 Nat-traversal IPSec VPN, phase 1, 610 netmask administrator account, 246 NetMeeting service, 403 network topology viewer, 107 Network Address Port Translation, 385 network address translation (NAT), 422 Network Attached Storage (NAS), 248 Network Time Protocol, 87 network utilization HA statistics, 212 NFS service, 403 NNTP service, 403 not registered subscription, 303 notification, 709 Not-so-stubby Area (NSSA), 343 not-so-stubby area (NSSA), 360 Novell eDirectory, 654 NTP, 87 service, 403 sync interval, 87 synchronizing with an NTP server, 87
O
object identifier (OID), 221 OCSP certificates importing, 285 OFTP connection, 74 ONC-RPC service, 404
one-time schedule adding, 413 configuring, 413 creating new, 412 list, 412 start, 413 stop, 413 online help content pane, 53 keyboard shortcuts, 55 navigation pane, 53 search, 54 using FortiGate online help, 52 operation mode, 24, 238 wireless setting, 191 operational history viewing, 90 optimize antivirus, 520 OSPF area ID, 344 AS, 341 authentication, 344, 345 Dead Interval, 346 dead packets, 346 GRE, 345 Hello Interval, 346 Hello protocol, 338 interface definition, 344 IPSec, 345 link-state, 338 LSA, 345 multiple interface parameter sets, 345 neighbor, 338 network, 341 network address space, 345 NSSA, 343, 360 path cost, 339 regular area, 343 service, 404 settings, 340 stub, 343 virtual lan, 344 virtual link, 343 VLAN, 345 OSPF AS, 338 defining, 339 outbound NAT IPSec firewall policy, 376 override server adding, 308 oversize threshold, 478 oversized file/email protection profile, 478
P
P1 Proposal IPSec phase 1, 609 P2 Proposal IPSec VPN, phase 2, 612 packets VDOM, 126
page controls web-based manager, 60 PAP, 648 pass fragmented email protection profile, 478 password administrator, 24 configuring authentication password, 246 HA, 208 recovering lost password, 49, 245, 246 PAT virtual IPs, 422 patch number, 88 pattern, 28 default list of file block patterns, 513 email filter banned word, 564 spam filter banned word, 564 pattern type email filter email address, 569 spam filter banned word, 564 web content block, 546 PC-Anywhere service, 404 peer group configuring, 657 Peer option IPSec VPN, phase 1, 607 peer user configuring, 657 Perl regular expressions email filter, 571 persistence, 449 Phase, 611 phase 1 IPSec VPN, 606, 611 phase 1 advanced options IPSec VPN, 608 phase 2 IPSec VPN, 611 phase 2 advanced options IPSec VPN, 611 PIM BSR, 348 dense mode, 348 DR, 348 RFC 2362, 348 RFC 3973, 348 RP, 348 sparse mode, 348 PING, 451 service, 404 PING6 firewall service, 404 pinholing RTP, 504 SIP, 504 PKI, 656 authentication, 252
policy accept action, 683, 684 action, 367 adding, 367 allow inbound, 376 allow outbound, 376 authentication, 372, 379 changing the position in the policy list, 364, 677 comments, 372, 379 configuring, 367 creating new, 366, 418, 419 deleting, 364, 677 destination, 367 DoS, 379 example, 389 guaranteed bandwidth, 418 ID, 367 inbound NAT, 376 insert policy before, 367, 676 list, 366 log traffic, 372, 375, 379 matching, 363 maximum bandwidth, 418, 676, 681 move, 364, 677 multicast, 365 outbound NAT, 376 protection profile, 371 schedule, 367, 370 service, 367, 371 sniffer, 382 source, 367 SSL VPN options, 376 traffic priority, 676, 681 traffic shaping, 371, 375, 379 policy route moving in list, 332 policy-based routing, 328 POP3 service, 404 port NAT, 385 port 53, 305 port 8888, 305 port 9443, 309 port address translation virtual IPs, 422 port forwarding, 422 port monitor HA, 208 port monitoring, 208 PPPoE and IP Pools, 371 PPPoE (Point-to-Point Protocol over Ethernet) RFC 2516, 162 PPTP, 621, 659 service, 404 PPTP IP address user group, 621, 623 PPTP range defining addresses, 621, 623 PPTP tunnel setup CLI command, 623 customized GUI, 621
predefined services, 401 predefined signature default action, 526 list, 525 Pre-shared Key IPSec VPN, phase 1, 607 pre-shared key wireless setting, 193 priority cluster members, 210 private key importing, 283, 284 product registration, 52 products, family, 23 profile category block reports, 558 proposal IPSec phase 1, 609 IPSec VPN, phase 2, 612 protection profile add signature to outgoing email, 479 adding to a firewall policy, 468 allow web sites when a rating error occurs, 484 antivirus options, 477 append tag format, 488 append tag to location, 488 banned word check, 487 block login (IM), 489 category, 485 comfort clients, 478 dashboard statistics, 488 default protection profiles, 468 display content meta-information on dashboard, 489 display content meta-information on the system dashboard options, 488 DoS sensor, 480 email address BWL check, 487 email filtering options, 485 enable FortiGuard Web Filtering, 484 enable FortiGuard Web Filtering overrides, 484 file block, 478 firewall policy, 371 FortiGuard Antispam IP address check, 486 FortiGuard email checksum check, 486 HELO DNS lookup, 487 IP address BWL check, 487 IPS sensor, 480 IPS sensor options, 480 list, 469 logging, blocked files, 490 logging, content block, 490 logging, intrusions, 491 logging, invalid domain name warnings, 490 logging, oversized files/emails, 490 logging, rating errors, 490 logging, spam, 490 logging, URL block, 490 logging, viruses, 490 options, 474 oversized file/email, 478 pass fragmented email, 478 provide details for blocked HTTP errors, 484 quarantine, 478
rate images by URL, 484 rate URLs by domain and IP address, 485 return email DNS check, 487 safe search, 482 scan (default protection profile), 468 spam action, 487 strict (default protection profile), 468 strict blocking (HTTP only), 485 tag format, 488 tag location, 488 unfiltered (default protection profile), 468 virus scan, 478 web (default protection profile), 468 web content block, 481 web filtering options, 480, 542 web resume download block, 482 web URL block, 481 protocol number, custom service, 408 OSPF Hello, 338 service, 402 system status, 83 type, custom service, 407 virtual IP, 427 protocol decoder, 528 list, 528 Protocol Independent Multicast (PIM), 348 protocol recognition, 477 protocol type, 408 provide details for blocked HTTP errors protection profile, 484 proxy SIP, 493 proxy ARP, 426, 446 FortiGate interface, 426, 446 IP pool, 426, 446 virtual IP, 426, 446 proxy server, 308 push updates, 308 push update, 304 configuring, 308 external IP address changes, 309 IP address changes, 309 management IP address changes, 309 through a proxy server, 308
Q
QUAKE service, 404 quarantine age limit, 519 antivirus, 516 autosubmit list, 517 autosubmit list file pattern, 517 configuring, 518 configuring the autosubmit list, 517 enable AutoSubmit, 519 enabling uploading autosubmit file patterns, 517 heuristics, 521 low disk space, 519 max filesize to quarantine, 519 options, 519 protection profile, 478
quarantine files list antivirus, 720 apply, 720 date, 720 DC, 721 download, 721 duplicates, 721 file name, 720 filter, 720 service, 721 sorting, 720 status, 721 status description, 721 TTL, 721 upload status, 721 query, 652 Quick Mode Selector IPSec VPN, phase 2, 613
R
RADIUS configuring server, 648 servers, 647 user authentication, 644 viewing server list, 647 WPA Radius, 193 RADIUS authentication VDOM, 139 RADIUS server authentication, 246, 247 wireless setting, 193 range web category reports, 558 rate images by URL protection profile, 484 rate limiting SCCP, 501 SIMPLE, 501 SIP, 499, 500, 501 rate URLs by domain and IP address protection profile, 485 RAUDIO service, 404 read & write access level administrator account, 86, 88, 243 read only access level administrator account, 86, 243, 246 real servers configuring, 450 monitoring, 453 recurring schedule adding, 412 configuring, 412 creating new, 411 list, 411 select, 412 start, 412 stop, 412 redirect SIP, 493 redundant interface adding system settings, 160
redundant mode configuring, 173 refresh every HA statistics, 211 registering Fortinet product, 52 regular administrator, 241 regular expression, 28 relay DHCP, 199, 201 reliable delivery of syslog messages, 707 remote administration, 165, 239 remote certificates options, 284 viewing, 284 Remote Gateway IPSec manual key setting, 615 IPSec VPN, manual key, 614 IPSec VPN, phase 1, 606 remote peer manual key configuration, 614 Remote SPI IPSec VPN, manual key, 615 remote user authentication, 647 Rendezvous Point (RP), 348 replacement messages, 225 report basic traffic, 725 configuring report schedules, 721 FortiAnalyzer, printing, 725 FortiGuard, 557 type, category block, 558 viewing FortiAnalyzer reports, 724 web category block, 557 resource limits dynamic resources, 139, 140 static resources, 139, 140 VDOM, 139 resource usage VDOM, 141 restoring 3.0 configuration, 123 using the CLI, 123 using web-based manager, 123 return email DNS check protection profile, 487 Reverse Path Forwarding (RPF), 350 revision control, 261 REXEC firewall service, 404 RFC, 348 RFC 1058, 334 RFC 1213, 213, 217 RFC 1215, 219 RFC 1321, 344 RFC 1349, 331 RFC 1771, 346 RFC 2132, 203 RFC 2362, 348 RFC 2385, 346 RFC 2453, 334
RFC 2460, 265 RFC 2516, 162 RFC 2543, 508 RFC 2665, 213, 217 RFC 3509, 339 RFC 3973, 348 RFC 5237, 330 RFC 791, 331 RIP authentication, 338 hop count, 334 RFC 1058, 334 RFC 2453, 334 service, 404 settings, viewing, 334 split horizon, 337 version 1, 334 version 2, 334 RLOGIN service, 404 role cluster members, 210 route HA, 360 route flapping, 326 router monitor HA, 360 routing administrative distance, 314 blackhole, 315 configuring, 182 ECMP, 315 loopback interface, 316 monitor, 359 static, 316 routing policy protocol number, 330 routing table, 359 searching, 361 RSH firewall service, 404 RTP, 495 pinholing, 504 RTS threshold wireless setting, 193 RTSP firewall service, 404
S
safe search, 482 SAMBA service, 404 scan default protection profile, 468 SCCP DoS sensor, 501 firewall service, 405 protection profile, 501 rate limiting, 501
schedule antivirus and attack definition updates, 307 firewall policy, 367, 370 one-time schedule list, 412 organizing schedules into groups, 413 recurring schedule list, 411 schedule group adding, 413 scheduled updates through a proxy server, 308 screen resolution minimum recommended, 47 search online help, 54 online help wildcard, 54 safe searching, 482 searching routing table, 361 Secure Copy (SCP), 263 security MAC address filtering, 193 security certificates. See system certificates security mode wireless setting, 193 select recurring schedule, 412 sensor DoS, 537 IPS, 529 separate server certificates importing, 284 server DHCP, 199 server certificate, 627 server certificates importing, 283, 284 server health, 453 server load balance port forwarding virtual IP adding, 459 server load balance virtual IP adding, 454 service AH, 402 ANY, 402 AOL, 402 BGP, 402 custom service list, 406 CVSPSERVER, 402 DCE-RPC, 402 DHCP, 200, 402 DHCP6, 402 DNS, 402 ESP, 402 FINGER, 402 firewall policy, 367, 371 FTP, 402 FTP_GET, 402 FTP_PUT, 402 GOPHER, 402 GRE, 402 group, 408 H323, 403 HTTPS, 403
ICMP_ANY, 403 IKE, 403 IMAP, 403 INFO_ADDRESS, 403 INFO_REQUEST, 403 Internet-Locator-Service, 403 IRC, 403 L2TP, 403 LDAP, 403 MGCP, 403 MS-SQL, 403 MYSQL, 403 NetMeeting, 403 NFS, 403 NNTP, 403 NTP, 403 ONC-RPC, 404 organizing services into groups, 409 OSPF, 404 PC-Anywhere, 404 PING, 404 PING6, 404 POP3, 404 PPTP, 404 predefined, 401 QUAKE, 404 quarantine files list, 721 RAUDIO, 404 REXEC, 404 RIP, 404 RLOGIN, 404 RSH, 404 RTSP, 404 SAMBA, 404 SCCP, 405 service name, 402 SIP, 405 SIP-MSNmessenger, 405 SMTP, 405 SNMP, 405 SOCKS, 405 SQUID, 405 SSH, 405 SYSLOG, 405 TALK, 405 TCP, 405 TELNET, 405 TFTP, 405 TIMESTAMP, 405 UDP, 405 UUCP, 405 VDOLIVE, 405 VNC, 405 WAIS, 405 WINFRAME, 406 WINS, 406 X-WINDOWS, 406 service group, 408 adding, 408, 409 create new, 408 list, 408 service port virtual IP, 425 service set identifier (SSID), 146
Session Initiation Protocol. See SIP session list viewing, 82 session pickup HA, 208 set time time set the time, 86 settings, 191 administrators, 261 IPv6 support, 263 timeout, 263 Shortest Path First (SPF), 339 signatures custom, intrusion protection signatures, 527 SIMPLE protection profile, 501 rate limiting, 501 SIP, 493 accepting register response, 505 ALG, 495 application level gateway, 495 application list, 502 archiving communication, 504 blocking requests, 504 configuring advanced features, 502 contact headers and NAT, 506 controlling client connection, 505 destination NAT, 496 different source and destination NAT for SIP and RTP, 497 DoS sensor, 501 enabling, 499, 500, 501, 502 logging, 501 NAT, 495 NAT with dynamic IP pool, 497 operating modes, 493 preserving NAT IP, 505 protection profile, 501 proxy, 493 rate limiting, 499, 500, 501 redirect, 493 RTP pinholing, 504 service, 405 source NAT, 495 support workflow, 498 turning on tracking, 503 VoIP, 493 sip vpn pptp, 624 SIP requests, 504 SIP support workflow, 498 SIP-MSNmessenger service, 405 Skinny Call Control Protocol. See SCCP SMTP service, 405 user, 710 SMTPS, 231 SNAT virtual IPs, 423 sniffer policy, 382 viewing, 383
SNMP configuring community, 215 contact information, 214 event, 217 manager, 213, 215 MIB, 221 MIBs, 217 queries, 216 RFC 1213, 217 RFC 1215, 219 RFC 2665, 217 service, 405 traps, 217, 218 v3, 213 SNMP Agent, 214 SNMP communities, 214 socket-size, CLI command for IPS, 540 SOCKS service, 405 sorting quarantine files list, 720 URL filter list, 551 source firewall policy, 367, 370, 378 source IP address system status, 83 source IP port system status, 83 source NAT SIP, 495 source port, 407 spam action protection profile, 487 spam email archiving, 585 spam filter adding an email address or domain to the email address list, 570 banned word list, 563 see email filter, 485 spam filter, see email filter, 559 split DNS, 177, 180 splice, 478, 487 split-DNS, 177, 180 SQUID service, 405 SSH, 239 service, 405 SSID wireless setting, 192 SSID broadcast wireless setting, 192 SSL content inspection, 469 content scanning, 469 inspection, 469 service definition, 403, 404
SSL VPN checking client certificates, 627 configuring settings, 626 default web portal, 628 firewall policy, 376 setting the cipher suite, 627 specifying server certificate, 627 specifying timeout values, 627 web-only mode, 625 SSL VPN Client Certificate, 376 SSL VPN login message, 236 SSL VPN web portal, 627 default, 628 standalone mode modem, 171, 174 start IP pool, 440 one-time schedule, 413 recurring schedule, 412 static default route, 318 static IP monitor, 618 static NAT port forwarding adding for IP address and port range, 432 adding for single address and port, 431 static resources VDOM resource limits, 139, 140 static route adding, 320 adding policy, 329 administrative distance, 314 concepts, 313 creating, 316 default gateway, 318 default route, 318 editing, 316 moving in list, 332 overview, 313 policy, 328 policy list, 329 selecting, 314 table building, 314 table priority, 315 table sequence, 315 viewing, 316 statistics viewing, 91 viewing HA statistics, 211 status HA statistics, 211 interface, 149 quarantine files list, 721 vpn pptp, 624 status description quarantine files list, 721 stop one-time schedule, 413 recurring schedule, 412 streaming mode, 478, 487 strict default protection profile, 468 strict blocking (HTTP only) protection profile, 485
749
Index
string, 28
stub
  OSPF area, 343
subnet
  adding object, 110
  firewall address, 398
subscription
  expired, 303
  not registered, 303
  valid license, 303
super administrator, 241
switch mode, 150
sync interval
  NTP, 87
synchronize with NTP Server, 87
SYSLOG
  service, 405
syslog
  reliable, 707
system
  administrators, 241
system certificate
  FortiGate unit self-signed security certificate, 48
system certificates
  CA, 286
  CRL, 287
  importing, 283
  OCSP, 285
  requesting, 281, 282
  viewing, 280
system configuration, 205
system DHCP
  see also DHCP, 199
system global av_failopen
  antivirus, 520
system global optimize
  antivirus, 520
system idle timeout, 239
system information
  viewing, 69
system maintenance
  advanced, 296
  backup and restore, 290
  creating scripts, 299
  enabling push updates, 308
  firmware, 294
  firmware upgrade, 295
  managing configuration, 289
  push update through a NAT device, 309
  remote FortiManager options, 292
  remote management options, 293
  revision control, 297
  scripts, 298
  updating antivirus and attack definitions, 307
  uploading scripts, 299
  USB disks, 296
  VDOM, 290
system resources
  viewing, 75
system status
  viewing, 68
system status widgets
  customizing, 68
T
TACACS+
  configuring server, 652, 653
  user authentication, 644
TACACS+ server
  authentication, 246, 251
tag format
  protection profile, 488
tag location
  protection profile, 488
TALK
  service, 405
TCP, 451
  service, 405
TCP custom service, 407
  adding, 406
  destination port, 407
  protocol type, 407
  source port, 407
technical support, 29, 132
TELNET
  service, 405
TFTP
  service, 405
threshold
  oversize, 478
time
  configuring, 86
timeout
  settings, 263
timeout values
  specifying for SSL VPN, 627
TIMESTAMP
  service, 405
top attacks
  viewing, 83
top sessions
  viewing, 80
top viruses
  viewing, 83
topology viewer, 107
total bytes
  HA statistics, 212
total packets
  HA statistics, 212
tracking
  SIP, 503
traffic history
  viewing, 84
Traffic Priority, 676, 681
traffic priority
  firewall policy, 676, 681
  traffic shaping, 676, 681
traffic reports
  viewing, 725
traffic shaping
  configuring, 417
  firewall policy, 371, 375, 379
  guaranteed bandwidth, 418
  guaranteed bandwidth and maximum bandwidth, 415
  maximum bandwidth, 418, 676, 681
  priority, 416
  traffic priority, 676, 681
transparent mode
  IP pools, 442
  NAT, 442
  VDOMs, 126
  VIP, 442
  virtual IP, 442
  WAN optimization, 679
traps
  SNMP, 218
troubleshooting
  FDN connectivity, 306
trusted host
  administrators options, 246
  security issues, 254
TTL
  quarantine files list, 721
tunnel mode
  SSL VPN, SSL VPN tunnel mode, 625
Tunnel Name
  IPSec VPN, manual key, 614
Tx Power
  wireless setting, 191
type, 407
  virtual IP, 426
U
UDP custom service, 407
  adding, 406
  destination port, 407
  protocol type, 407
  source port, 407
UDP
  service, 405
unfiltered
  default protection profile, 468
unit
  HA statistics, 211
unit operation
  viewing, 73
up time
  HA statistics, 211
update
  push, 308
upgrading
  3.0 using web-based manager, 117
  4.0 using the CLI, 118
  backing up using the CLI, 3.0, 114
  firmware, 88
  FortiGate unit to 3.0, 117
  using the web-based manager, 117
  using web-based manager, 3.0, 114
upload status
  quarantine files list, 721
URL block
  adding a URL to the web filter block list, 550
  configuring overrides, 553
  local categories, 555
  web filter, 547
URL filter
  adding new list, 548
  catalog, 548
  sorting in list, 551
  viewing list, 549
URL formats, 550
USB disk, 290
  auto-install, 296
  backup and restore configuration, 289
  formatting, 296
  system maintenance, 296
user authentication
  overview, 643
  PKI, 656
  remote, 647
user group
  configuring, 661
  PPTP source IP address, 621, 623
user groups
  configuring, 658
  Directory Service, 660
  firewall, 659
  SSL VPN, 660
  viewing, 661
usrgrp
  vpn pptp, 624
UTF-8
  character set, 483
UUCP
  service, 405
V
valid license, 303
value parse error, 28
VDOLIVE
  service, 405
VDOM
  adding interface, 135
  assigning administrator, 138
  assigning interface, 137
  configuration settings, 127
  dynamic resource limits, 139, 140
  enabling multiple VDOMs, 130
  FortiAnalyzer, 126
  inter-VDOM links, 136
  license key, 311
  limited resources, 132
  management VDOM, 135
  maximum number, 132
  NAT/Route, 126
  packets, 126
  RADIUS authentication, 139
  resource limits, 139
  resource usage, 141
  static resource limits, 139, 140
  system maintenance, 290
  transparent mode, 126
VDOM partitioning
  HA, 208
verifying
  downgrade to 2.80 MR11, 121
  upgrade to 4.0, 119
viewing
  address group list, 398
  admin profiles list, 257
  administrators, 264
  administrators list, 243
  Alert Message Console, 76
  antispam email address list catalog, 568
  antispam IP address list, 566
  antispam IP address list catalog, 565
  antivirus file filter list, 515
  antivirus file pattern list catalog, 514
  antivirus list, 519
  antivirus quarantined files list, 720
  autosubmit list, 517
  banned word list, 563
  banned word list catalog, 562
  BGP settings, 346
  CA certificates, 286
  certificates, 280
  cluster members list, 209
  CRL (Certificate Revocation List), 287
  custom service list, firewall service, 406
  custom signatures, 527
  DHCP address leases, 203
  DLP archive, 91
  DLP archives, 586, 719
  DoS sensor list, 538
  firewall policy list, 366
  firewall service group list, 408
  firewall service list, 401
  firmware, 294
  FortiAnalyzer reports, 724
  FortiGuard support contract, 302
  HA statistics, 211
  hostname, 87
  IP pool list, 440
  IPS sensor list, 529
  IPS sensor options, 480
  IPSec VPN auto key list, 605
  IPSec VPN concentrator list, 617
  IPSec VPN manual key list, 614
  IPSec VPN monitor list, 618
  LDAP server list, 649
  licenses, 70
  local ratings list, 555
  modem status, 176
  multicast settings, 348
  one-time schedule list, 412
  operational history, 90
  protection profile list, 469
  protocol decoder list, 528
  RADIUS server list, 647
  recurring schedule list, 411
  remote certificates, 284
  revision control, 297
  RIP settings, 334
  routing information, 359
  session list, 82
  static route, 316
  statistics, 91
  system information, 69
  system resources, 75
  system status, 68
  system topology, 107
  TACACS+ server, 652
  top attacks, 83
  top sessions, 80
  top viruses, 83
  traffic history, 84
  traffic reports, 725
  unit operation, 73
  URL filter list, 549
  URL filter list catalog, 548
  URL override list, 552
  user group list, 661
  VIP group list, 436
  virtual IP group list, 436
  virtual IP list, 425
  virtual IP pool list, 440
  web content block list, 545
  web content filter list, 545
  web content filter list catalog, 545
  wireless monitor, 195
viewport, 108
VIP
  transparent mode, 442
VIP group
  configuring, 436
Virtual IP
  transparent mode, 442
virtual IP, 426, 446
  configuring, 426
  create new, 425, 436
  destination network address translation (DNAT), 423, 424
  external interface, 426
  external IP address, 427
  external service port, 427
  IP, 425
  list, 425
  map to IP, 425
  map to port, 425, 427
  NAT, 422
  PAT, 422
  port address translation, 422
  protocol, 427
  server down, 453
  service port, 425
  SNAT, 423
  source network address translation, 423
  type, 426
virtual IP group
  configuring, 436
virtual IP group list
  viewing, 436
virtual IP, port translation only
  adding, 435
virtual IPSec
  configuring interface, 164
virtual servers
  configuring, 446
virus detected
  HA statistics, 212
virus list, 519
virus name, 237
virus protection. See antivirus
virus scan
  protection profile, 478
VLAN
  jumbo frames, 167
  OSPF, 344
VNC
  service, 405
VoIP
  SIP, 493
VoIP security, 495
VPN
  IPSec (see also IPSec VPN), 603
VPN PPTP, 621
VPN SSL. See SSL VPN
VPN tunnel
  IPSec VPN, firewall policy, 376
VPN, IPSec
  firewall policy, 376
VPNs, 621
W
WAIS
  service, 405
WAN optimization
  explicit mode, 679
  monitoring, 682
  transparent mode, 679
WAN optimization peer
  configuring, 680
WAN optimization rule
  configuring, 675
web
  default protection profile, 468
web category block
  changing the host name, 557
  CLI configuration, 557
  configuration options, 552
  report allowed, 558
  report blocked, 558
  report category, 558
  report profiles, 558
  report range, 558
  report type, 558
  reports, 557
web content block
  language, 546
  pattern type, 546
  protection profile, 481
web content filter
  web filter, 546
web content filter list
  web filter, 545
wired equivalent privacy (WEP), 193
web filter, 541
  adding a URL to the web URL block list, 550
  character set, 483
  configuring the web content filter list, 546
  configuring the web URL block list, 550
  content block, 544
  filter interaction, 542
  FortiGuard, 552
  protection profile options, 542
  URL block, 547
  URL category, 305
  web content filter list, 545
  web URL block list, 549
web filtering
  safe search, 482
web filtering options
  protection profile, 480
web filtering service, 237
web portal
  SSL VPN, SSL VPN web portal customize, 627
web resume download block
  protection profile, 482
web site, content category, 236
Web UI. See web-based manager
web URL block
  configuring the web URL block list, 550
  list, 549
  list, web filter, 549
  protection profile, 481
web-based manager, 47, 48
  changing the language, 49
  connecting to the CLI, 51
  idle timeout, 50
  IPv6 support, 263
  language, 49, 263
  logging out, 55
  online help, 52
  pages, 55
  screen resolution, 47
  using the menu, 56
  using web-based manager lists, 57
web-only mode
  SSL VPN, 625
WEP, 192
WEP128, 187, 193
WEP64, 187, 193
WiFi protected access, 193
wild cards, 28
wildcard
  online help search, 54
Windows Active Directory, 654
WINFRAME
  service, 406
WINS
  service, 406
wireless
  band, 191
  beacon interval, 191
  channel, 191
  configuration, 187
  data encryption, 193
  fragmentation threshold, 193
  geography, 191
  interface, 187
  key, 193
  MAC filter, 193
  operation mode, 191
  pre-shared key, 193
  RADIUS server, 193
  RTS threshold, 193
  security, 192
  security mode, 193
  settings FortiWiFi-50B, 190
  settings FortiWiFi-60A, 190
  settings FortiWiFi-60AM, 190
  settings FortiWiFi-60B, 190
  SSID, 192
  SSID broadcast, 192
  Tx power, 191
  viewing monitor, 195
  WLAN interface, 187
WLAN interface
  adding to a FortiWiFi-50B, 191
  adding to a FortiWiFi-60A, 191
  adding to a FortiWiFi-60AM, 191
  adding to a FortiWiFi-60B, 191
WPA, 187, 192, 193
WPA Radius
  wireless security, 193
WPA2, 187, 193
WPA2 Auto, 187, 193
WPA2 Radius
  wireless security, 193
X
X.509 security certificates. See system certificates
XAuth
  IPSec VPN, phase 1, 610
X-Forwarded-For (XFF), 183
X-WINDOWS
  service, 406
Z
zones
  configuring, 170
www.fortinet.com