Introduction
Features
Basic network topology
Scope
What’s New
Key Concepts and Features
Server load balancing
Feature Summary
Authentication and authorization
Caching
Compression
Content rewriting
Content routing
Scripting
SSL offloading
SSL Certificates
SSL Cipher Suites
Link load balancing
Global load balancing
Security
High availability
Virtual domains
Getting Started
Step 1: Install the appliance
Step 2: Configure the management interface
Step 3: Configure basic network settings
Step 4: Test connectivity to destination servers
Step 5: Complete product registration, licensing, and upgrades
Step 6: Configure a basic server load balancing policy
Step 7: Test the deployment
Step 8: Back up the configuration
Server Load Balancing
Server load balancing basics
Server load balancing configuration overview
Using real server pools
Configuring pools of real servers
Example: Using port ranges and the port 0 configuration
Configuring persistence rules
Configuring content routes
Using content rewriting rules
Overview
Configuring content rewriting rules
Example: Redirecting HTTP to HTTPS
Example: Rewriting the HTTP response when using content routing
Example: Rewriting the HTTP request and response to mask application details
Example: Rewriting the HTTP request to harmonize port numbers
Configuring compression rules
Configuring caching rules
Configuring profiles
Configuring error pages
Using source pools
Configuring source pools
Example: DNAT
Example: full NAT
Example: NAT46 (Layer 4 virtual servers)
Example: NAT64 (Layer 4 virtual servers)
Example: NAT46 (Layer 7 virtual servers)
Example: NAT64 (Layer 7 virtual servers)
Configuring auth policies
Configuring methods
Configuring virtual servers
Link Load Balancing
Link load balancing basics
Using link groups
Using virtual tunnels
Link load balancing configuration overview
Configuring gateway links
Configuring persistence rules
Configuring proximity route settings
Configuring a link group
Configuring a virtual tunnel group
Configuring link policies
Global Load Balancing
Global load balancing basics
Global load balancing configuration overview
Configuring data centers
Configuring servers
Configuring virtual server pools
Configuring hosts
Configuring an address group
Configuring remote DNS servers
Configuring the DSSET list
Configuring DNS zones
Configuring DNS64
Configuring the response rate limit
Configuring a Global DNS policy
Configuring general settings
Configuring the trust anchor key
Security Features
Security features basics
Configuring a firewall policy
Configuring the firewall connection limit
Managing IP Reputation policy settings
Using the Geo IP block list
Using web application firewall policies
Web application firewall basics
Web application firewall configuration overview
Predefined configuration elements
Severity
Configuring a Web Attack Signature policy
Configuring a URL Protection policy
Configuring a HTTP Protocol Constraint policy
Configuring an SQL/XSS Injection Detection policy
Configuring a WAF Profile
Enabling denial of service protection
User Management
Managing administrator users
Administrator user overview
Configuring access profiles
Creating administrator users
Using the local authentication server
Using a RADIUS authentication server
Using an LDAP authentication server
Configuring user groups
Using Shared Resources
Creating schedule groups
Creating IP address objects
Managing the ISP address books
Creating service objects
Configuring health checks
Using scripts
Basic Networking
Configuring network interfaces
Using physical interfaces
Using VLAN interfaces
Using aggregate interfaces
Configuring network interfaces
Configuring static routes
Configuring policy routes
System Management
Configuring basic system settings
Configuring system time
Backing up and restoring the configuration
Updating firmware
Upgrade considerations
Updating firmware using the web UI
Updating firmware using the CLI
Configuring FortiGuard service settings
Configuring an SMTP mail server
Configuring SNMP
Using certificates
Overview
Prerequisite tasks
Downloading the CA certificate from a backend server
Managing local certificates
Importing a local certificate
Generating a CSR
Creating a local certificate group
Importing a CA
Creating a CA group
Importing an Intermediate CA
Creating an Intermediate CA group
Using OCSP
Using CRLs
Configuring a certificate validator
Rebooting, resetting, and shutting down the system
Logging and Reporting
Using the system dashboard
Configuring local log settings
Configuring syslog settings
Configuring high speed logging
Configuring alert email settings
Using the event log
Using the security log
Using the traffic log
Downloading logs
Using reports
Using the Overall report
Using the Server Load Balance report
Using the Link Load Balance report
Using the Global Load Balance report
Using the Security report
High Availability Deployments
HA feature overview
HA system requirements
HA synchronization
Configuring HA settings
Monitoring an HA cluster
Updating firmware for an HA cluster
Deploying an active-passive cluster
Overview
Basic steps
Best practice tips
Deploying an active-active cluster
Configuration overview
Basic steps
Expected behavior
Traffic to TCP virtual servers
Traffic to HTTP virtual servers
FTP traffic and traffic processed by firewall rules
Best practice tips
Virtual Domains
Virtual domain basics
Enabling the virtual domain feature
Creating virtual domains
Assigning network interfaces and admin users to VDOMs
Disabling virtual domains
Advanced Networking
NAT
Configuring SNAT
Configuring 1-to-1 NAT
QoS
Configuring the QoS queue
Configuring the QoS filter
ISP Routes
OSPF
TCP multiplexing
Reverse path route caching
Best Practices and Fine Tuning
Regular backups
Security
Topology
Administrator access
Performance tips
System performance
Reducing the impact of logging on performance
Reducing the impact of reports on system performance
Reducing the impact of packet capture on system performance
High availability
Troubleshooting
Logs
Tools
execute commands
diagnose commands
Packet capture
Diff
Solutions by issue type
Login issues
Connectivity issues
Checking hardware connections
Checking routing
Testing for connectivity with ping
Testing routes and latency with traceroute
Examining the routing table
Examining server daemons
Checking port assignments
Performing a packet trace
Checking the SSL/TLS handshake & encryption
Resource issues
Monitoring traffic load
DoS attacks
Resetting the configuration
Restoring firmware (“clean install”)
Additional resources
Appendix A: Fortinet MIBs
Appendix B: Port Numbers
Appendix C: Scripts
Events and actions
Predefined Commands
Control structures
Operators
String library
Examples
Select content routes based on URI string matches
Rewrite the HTTP request host header and path
Rewrite the HTTP response Location header
Redirect HTTP to HTTPS using Lua string substitution
Redirect mobile users to the mobile version of a website
Appendix C: Maximum Configuration Values
slb_pool
vs_auth_policy
slb_persistence
content_routing
content_rewriting
compression
caching
profile
error_page
ippool
slb_method
virtual_server
gateway
llb_persistence
proximity_route
link_group
virtual_tunnel
llb_policy
gslb_dc
gslb_server
gslb_vspool
gslb_host
glb_address_group
remote_dns_server
dsset_info_list
zone
dns64
response_rate_limit
glb_policy
general
trust_anchor_key
firewall_policy
connlimit
reputation
geoip
waf_signature
waf_url
waf_protocol
waf_sql_xss
waf_profile
dos_prevention
admin
accprofile
user_local
user_radius
user_ldap
user_group
schedule_group
address_group
address_isp
service_group
healthcheck
scripting
interface
routing_static
routing_policy
basic
maintenance
fortiguard
services
snmp
local_cert
local_cert_group
ca
ca_group
intermediate_ca
intermediate_ca_group
oscp
crl
verify_cert
status
log_local
log_remote
log_highspeed
alert
log_event
log_attack
log_traffic
log_download
report_all
report_slb
report_llb
report_glb
report_attack
ha
vdom
nat_snat
nat_vip
qos_queue
qos_filter
routing_isp
ospf
tcpdump