Configuration

This section provides features for configuring and viewing advanced network settings, such as High Availability (HA) cluster and interface settings, SNMPv1/v2 and v3, FortiGuard web-filtering settings, replacement messages, and messaging servers.

This section describes the following:

High availability

FortiProxy HA provides a system management solution that synchronizes configuration changes among the clustering members. You can fine-tune the performance of the HA cluster to change how a cluster forms and shares information among clustering members.

The HA heartbeat keeps cluster units communicating with each other. The heartbeat consists of hello packets that are sent at regular intervals by the heartbeat interface of all cluster units. These hello packets describe the state of the cluster unit and are used by other cluster units to keep all the units synchronized.

HA heartbeat packets are non-TCP packets that use Ethertype values 0x8890, 0x8891, and 0x8893. The default time interval between HA heartbeats is 200 ms.
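The two facts above (heartbeats are non-TCP frames with Ethertype 0x8890, 0x8891 or 0x8893, sent every 200 ms by default) are enough to monitor heartbeat health from a capture on the heartbeat interface. The following is an added example, not FortiProxy code: it parses raw Ethernet II frames, keeps only the HA heartbeat Ethertypes, and raises an alert when a unit's heartbeats stop arriving. The alert threshold (three consecutive missed heartbeats), the MAC addresses and the capture itself are constructed for the example.

```python
import struct

# Ethertypes the page lists for FortiProxy HA heartbeat frames, and the default interval.
HA_HEARTBEAT_ETHERTYPES = {0x8890, 0x8891, 0x8893}
DEFAULT_HB_INTERVAL_S = 0.200
# Assumed alert policy for this example (not a FortiProxy setting): alert once this many
# consecutive heartbeats from one unit are missing.
LOST_THRESHOLD = 3


def parse_ethernet(frame):
    """Split a raw Ethernet II frame into addresses, EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype, "payload": frame[14:]}


def is_ha_heartbeat(frame):
    return parse_ethernet(frame)["ethertype"] in HA_HEARTBEAT_ETHERTYPES


def detect_missed_heartbeats(capture, interval_s=DEFAULT_HB_INTERVAL_S, lost_threshold=LOST_THRESHOLD):
    """capture: iterable of (timestamp_seconds, frame_bytes) taken on the heartbeat interface.
    Returns one alert per gap in which >= lost_threshold heartbeats from a source MAC were missed."""
    last_seen = {}
    alerts = []
    for ts, frame in sorted(capture, key=lambda item: item[0]):
        eth = parse_ethernet(frame)
        if eth["ethertype"] not in HA_HEARTBEAT_ETHERTYPES:
            continue  # ordinary traffic on the interface is ignored
        src = eth["src"]
        if src in last_seen:
            gap = ts - last_seen[src]
            missed = round(gap / interval_s) - 1  # heartbeats that should have arrived in the gap
            if missed >= lost_threshold:
                alerts.append({"unit": src, "from": last_seen[src], "to": ts, "missed": missed})
        last_seen[src] = ts
    return alerts


def _frame(src, ethertype, payload=b""):
    """Build a constructed Ethernet frame (broadcast destination) for the sample capture."""
    return b"\xff" * 6 + src + struct.pack("!H", ethertype) + payload


# Constructed locally administered MAC addresses for two cluster units.
UNIT_A = bytes.fromhex("02000000000a")
UNIT_B = bytes.fromhex("02000000000b")

# Constructed sample capture: unit A beats every 200 ms; unit B goes silent after 0.2 s
# and reappears at 1.4 s; one IPv4 frame (0x0800) is mixed in and must be ignored.
SAMPLE_CAPTURE = [
    (0.0, _frame(UNIT_A, 0x8890)), (0.0, _frame(UNIT_B, 0x8890)),
    (0.2, _frame(UNIT_A, 0x8890)), (0.2, _frame(UNIT_B, 0x8890)),
    (0.4, _frame(UNIT_A, 0x8891)), (0.5, _frame(UNIT_A, 0x0800, b"not a heartbeat")),
    (0.6, _frame(UNIT_A, 0x8890)), (0.8, _frame(UNIT_A, 0x8890)),
    (1.0, _frame(UNIT_A, 0x8893)), (1.2, _frame(UNIT_A, 0x8890)),
    (1.4, _frame(UNIT_A, 0x8890)), (1.4, _frame(UNIT_B, 0x8890)),
]

if __name__ == "__main__":
    for alert in detect_missed_heartbeats(SAMPLE_CAPTURE):
        print(f"unit {alert['unit']}: {alert['missed']} heartbeats missed "
              f"between {alert['from']}s and {alert['to']}s")
```

Run against a real capture, the same logic reports which unit went quiet and for how long, which is the first thing to check when a cluster stops processing traffic after a heartbeat interruption.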

Your FortiProxy device can be configured as a standalone unit or you can configure two FortiProxy devices in the Active-Passive mode for failover protection. To configure HA and cluster settings or to view the cluster member list, select System > HA.

Configure the following settings and then select OK:

Mode Select Standalone or Active-Passive from the drop-down menu. If you select Standalone, no other options are displayed.
Device priority You can set a different device priority for each cluster member to control the order in which cluster units become the primary unit (HA master) when the primary unit fails. The device with the highest device priority becomes the primary unit. The default value is 128.
Cluster Settings


Group name Enter a name to identify the cluster.
Password Select Change to enter a password to identify the HA cluster. The maximum password length is 15 characters. The password must be the same for all cluster FortiProxy units before the FortiProxy units can form the HA cluster.

When the cluster is operating, you can add a password, if required. Two clusters on the same network must have different passwords.
Session pickup Enable so that if the primary unit fails, sessions are picked up by the cluster unit that becomes the new primary unit.

You must enable session pickup for session failover protection. If you do not require session failover protection, leaving session pickup disabled might reduce HA CPU usage and reduce HA heartbeat network bandwidth usage.
Monitor interfaces Select the specific ports to monitor.

If a monitored interface fails or is disconnected from its network, the interface leaves the cluster and a link failover occurs. The link failover causes the cluster to reroute the traffic being processed by that interface to the same interface of another cluster unit that still has a connection to the network. This other cluster unit becomes the new primary unit.
Heartbeat Interface Select to enable or disable the HA heartbeat communication for each interface in the cluster and then set the heartbeat interface priority.

The heartbeat interface with the highest priority processes all heartbeat traffic. You must select at least one heartbeat interface. If the interface functioning as the heartbeat fails, the heartbeat is transferred to another interface configured as a heartbeat interface. If heartbeat communication is interrupted, the cluster stops processing traffic. Priority ranges from 0 to 512.
Management Interface Reservation You can provide direct management access to individual cluster units by reserving a management interface as part of the HA configuration. Once this management interface is reserved, you can configure a different IP address, administrative access and other interface settings for this interface for each cluster unit. You can also specify static routing settings for this interface. Then by connecting this interface of each cluster unit to your network you can manage each cluster unit separately from a different IP address.

Cache Collaboration

When deployed in a cluster, depending on the deployed architecture, requests for the same URL might have hit each cache device and been cached separately on each. Methods are available to mitigate this through load balancing with FortiADC or WCCP.

FortiProxy has the Cache Collaboration feature, where the storage of all devices within the FortiProxy HA Cluster is accessible as a shared entity. This feature allows content cached by one device to be shared by other FortiProxy devices within the cluster, significantly increasing the cache rate.

CLI syntax

config wanopt cache-service
    set prefer-scenario {balance | prefer-speed | prefer-cache}
    set collaboration {enable | disable}
    set device-id <name>
    set acceptable-connections {any | peers}
end

The default for prefer-scenario is balance, collaboration is disabled by default, and acceptable-connections defaults to any.

SNMP settings

The Simple Network Management Protocol (SNMP) allows you to monitor hardware on your network. You can configure the hardware, such as the FortiProxy SNMP agent, to report system information and traps.

SNMP traps alert you to events that happen, such as a log disk becoming full, or a virus being detected. These traps are sent to the SNMP managers. An SNMP manager (or host) is typically a computer running an application that can read the incoming traps and event messages from the agent and can send out SNMP queries to the SNMP agents. A FortiManager unit can act as an SNMP manager to one or more FortiProxy units.

By using an SNMP manager, you can access SNMP traps and data from any FortiProxy interface configured for SNMP management access. Part of configuring an SNMP manager is to list it as a host in a community on the FortiProxy unit it will be monitoring. Otherwise, the SNMP monitor will not receive any traps from, and be unable to query, that FortiProxy unit.

When using SNMP, you must also ensure you have added the correct Management Information Base (MIB) files to the unit, regardless of whether or not your SNMP manager already includes standard and private MIBs in a ready-to-use, compiled database. A MIB is a text file that describes a list of SNMP data objects used by the SNMP manager. See Fortinet MIBs for more information.

The FortiProxy SNMP implementation is read-only. SNMP v1, v2c, and v3 compliant SNMP managers have read-only access to FortiProxy system information through queries and can receive trap messages from the unit.

The FortiProxy SNMP v3 implementation includes support for queries, traps, authentication, and privacy. Authentication and encryption are configured in the CLI.

Note: FortiProxy supports Low crypto (LENC) mode for LENC models.

SNMP configuration

Before a remote SNMP manager can connect to the FortiProxy agent, you must configure one or more FortiProxy interfaces to accept SNMP connections. Interfaces are configured in Network > Interfaces. See Interfaces.

For security reasons, Fortinet recommends that neither “public” nor “private” be used for SNMP community names.
When the unit is in virtual domain mode, SNMP traps can only be sent on interfaces in the management virtual domain.
If you want to allow SNMP access on an interface, you must go to Network > Interfaces and select SNMP in the Access field in the settings for the interface that you want the SNMP manager to connect to.

For SNMP configuration, go to System > SNMP.

Configure the following settings and select Apply:

Download FortiProxy MIB File Download the FortiProxy MIB file. See Fortinet MIBs.
Download Fortinet Core MIB File Download the Fortinet MIB file.
SNMP Agent Enable the FortiProxy SNMP agent.
Description Enter a description of the unit. The description can be up to 35 characters long.
Location Enter the physical location of the unit. The system location description can be up to 35 characters long.
Contact Info Enter the contact information for the person responsible for this unit. The contact information can be up to 35 characters.
SNMP v1/v2c Lists the communities for SNMP v1/v2c. From within this section, you can create, edit or remove SNMP communities.
Create New Creates a new SNMP community. When you select Create New, the New SNMP Community page opens. See Manage SNMP communities.
Edit Modifies settings within an SNMP community. When you select Edit, the Edit SNMP Community page opens.
Delete Removes an SNMP community from the list.

To remove multiple SNMP communities, select multiple rows in the list by holding down the Ctrl or Shift keys and then select Delete.
Status Enable or disable the SNMP community.
Community Name The name of the community.
Queries Indicates whether query protocols (v1 and v2c) are enabled or disabled. A green check mark indicates that queries are enabled; a gray x indicates that queries are disabled. If one query protocol is disabled and the other is enabled, a green check mark is still shown.
Traps Indicates whether trap protocols (v1 and v2c) are enabled or disabled. A green check mark indicates that traps are enabled; a gray x indicates that traps are disabled. If one trap protocol is disabled and the other is enabled, a green check mark is still shown.
Hosts Number of hosts that are part of the SNMP community.
Events Number of events that have occurred.
Status Indicates whether the SNMP community is enabled or disabled.
SNMP v3 Lists the SNMP v3 users. From within this section, you can edit, create or remove an SNMP v3 user.
Create New Creates a new SNMP v3 user. When you select Create New, the Create New SNMP User page opens. See Manage SNMP v3 users.
Edit Modifies settings within the SNMP v3 user. When you select Edit, the Edit SNMP User page opens.
Delete Removes an SNMP v3 user from the page.

To remove multiple SNMP v3 users, select multiple rows in the list by holding down the Ctrl or Shift keys and then select Delete.
Status Enable or disable the SNMP v3 user.
User Name The name of the SNMP v3 user.
Security Level The security level of the user.
Queries Indicates whether queries are enabled or disabled. A green check mark indicates that queries are enabled; a gray x indicates that queries are disabled.
Hosts Number of hosts.
Events Number of SNMP events associated with the SNMPv3 user.
Status Indicates whether the SNMPv3 user is enabled or disabled.

SNMP agent

The FortiProxy SNMP agent must be enabled before configuring other SNMP options. Enter information about the FortiProxy unit to identify it so that when your SNMP manager receives traps from the FortiProxy unit, you will know which unit sent the information.

To configure the SNMP agent:
  1. Go to System > SNMP.
  2. Enable the SNMP agent by moving the slider in the SNMP Agent field.
  3. Enter a descriptive name for the agent and the location of the FortiProxy unit.
  4. Enter a contact or administrator for the SNMP agent or FortiProxy unit.
  5. Select Apply.
To configure the SNMP agent with the CLI:

Enter the following CLI commands:

config system snmp sysinfo
    set status enable
    set contact-info <contact_information>
    set description <description_of_FortiProxy>
    set location <FortiProxy_location>
end

Manage SNMP communities

An SNMP community is a grouping of devices for network administration purposes. Within that SNMP community, devices can communicate by sending and receiving traps and other information. One device can belong to multiple communities, such as one administrator terminal monitoring both a firewall SNMP and a printer SNMP community.

Add SNMP communities to your FortiProxy unit so that SNMP managers can view system information and receive SNMP traps. You can add up to three SNMP communities. Each community can have a different configuration for SNMP queries and traps and can be configured to monitor the FortiProxy unit for a different set of events. You can also add the IP addresses of up to eight SNMP managers to each community.

Selecting Create New on the SNMP v1/v2c table opens the New SNMP Community page, which provides settings for configuring a new SNMP community. Selecting a community from the list and selecting Edit opens the Edit SNMP Community page.

Configure the following settings and select OK:

Community Name Enter a name to identify the SNMP community.
Enabled Enable or disable the SNMP community.
Hosts Settings for configuring the hosts of an SNMP community.
  IP Address Enter the IP address/netmask of the SNMP managers that can use the settings in this SNMP community to monitor the unit.

You can also set the IP address to 0.0.0.0 so that any SNMP manager can use this SNMP community.
  Host Type Select one of the following: Accept queries and send traps, Accept queries only, or Send traps only.
  X Removes an SNMP manager from the list within the Hosts section.
+ Select to add a blank line to the Hosts list. You can add up to 16 SNMP managers to a single community.
Queries Settings for configuring queries for both SNMP v1 and v2c.
v1 Enabled Enable or disable SNMP v1 queries.
  Port Enter the port number (161 by default) that the SNMP managers in this community use for SNMP v1 and SNMP v2c queries to receive configuration information from the unit.

The SNMP client software and the unit must use the same port for queries.
  v2c Enabled Enable or disable SNMP v2c queries.
Traps Settings for configuring local and remote ports for both v1 and v2c.
  v1 Enabled Enable or disable SNMP v1 traps.
  Local Port Enter the local port number (162 by default) that the unit uses to send SNMP v1 or SNMP v2c traps to the SNMP managers in this community.

The SNMP client software and the unit must use the same port for traps.
  Remote Port Enter the remote port number (162 by default) that the unit uses to send SNMP traps to the SNMP managers in this community.

The SNMP client software and the unit must use the same port for traps.
  v2c Enabled Enable or disable SNMP v2c traps.
SNMP Events

Enable each SNMP event for which the unit should send traps to the SNMP managers in this community.
Note:

  • The CPU usage too high trap's sensitivity is slightly reduced by spreading values out over 8 polling cycles. This reduction prevents sharp spikes due to CPU intensive short-term events such as changing a policy.

Manage SNMP v3 users

Selecting Create New on the SNMP v3 table opens the New SNMP User page, which provides settings for configuring a new SNMP v3 user. Selecting a user name from the list and selecting Edit opens the Edit SNMP User page.

Configure the following settings and select OK:

User Name Enter the name of the user.
Enabled Toggle the slider to enable or disable this SNMP user.
Security Level

Select the type of security level the user will have:

  • No Authentication
  • Authentication and No Private—Enter the authentication algorithm and password to use.
  • Authentication and Private—Enter the authentication algorithm and password to use.
Authentication Algorithm If the security level is set to Authentication and No Private, you can select MD5 or SHA1 for the authentication algorithm.
If the security level is set to Authentication and Private, you can also select AES, DES, AES256, or AES256 Cisco for the privacy (encryption) algorithm.
Password If the security level is set to Authentication, select Change and enter a password in the Password field.
Hosts Settings for configuring the hosts of an SNMP community.
IP Address Enter the IP address of the notification host. If you want to add more than one host, select the plus sign to add another host. Up to 16 hosts can be added. Select X to delete any hosts.
Queries Settings for configuring SNMP v3 queries for this user.
Enabled Enable or disable the query. By default, the query is enabled.
Port Enter the port number in the Port field (161 by default).
SNMP Events Select the SNMP events that will be associated with the user.
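The community settings above (the warning against public and private, a host of 0.0.0.0 admitting any manager, v1 versus v2c) and the v3 user settings (security level, authentication and privacy algorithms) are the points an administrator should check before exposing the agent. The following is an added example, not FortiProxy code, that audits a configuration against those points. The dictionary layout is this example's own, not the FortiProxy configuration format; the sample configuration is constructed; and treating MD5 and DES as legacy choices is the example's own audit policy, not something the page states.

```python
# Audit an SNMP configuration against the points made in this section.
# Added example; the dict layout below is this example's own, not FortiProxy's config format.

DEFAULT_COMMUNITY_NAMES = {"public", "private"}  # page: Fortinet recommends against these
# Assumed audit policy (not stated on the page): MD5 and DES are legacy choices and are flagged.
LEGACY_AUTH_ALGORITHMS = {"MD5"}
LEGACY_PRIV_ALGORITHMS = {"DES"}


def audit_communities(communities):
    """Return (severity, subject, message) findings for SNMP v1/v2c communities."""
    findings = []
    for c in communities:
        if not c.get("enabled", True):
            continue
        who = f"community '{c['name']}'"
        if c["name"].lower() in DEFAULT_COMMUNITY_NAMES:
            findings.append(("high", who, "uses a default community name"))
        if c.get("v1_queries") or c.get("v1_traps"):
            findings.append(("medium", who, "SNMP v1 is enabled; prefer v2c or v3"))
        for host in c.get("hosts", []):
            if host["ip"].split("/")[0] == "0.0.0.0":
                findings.append(("high", who, "host 0.0.0.0 lets any SNMP manager use this community"))
    return findings


def audit_v3_users(users):
    """Return (severity, subject, message) findings for SNMP v3 users."""
    findings = []
    for u in users:
        if not u.get("enabled", True):
            continue
        who = f"v3 user '{u['name']}'"
        level = u["security_level"]
        if level == "No Authentication":
            findings.append(("high", who, "no authentication: anyone who knows the user name can query"))
            continue
        if u.get("auth_algorithm") in LEGACY_AUTH_ALGORITHMS:
            findings.append(("medium", who, f"legacy authentication algorithm {u['auth_algorithm']}"))
        if level == "Authentication and No Private":
            findings.append(("medium", who, "no privacy: query contents travel unencrypted"))
        elif u.get("priv_algorithm") in LEGACY_PRIV_ALGORITHMS:
            findings.append(("medium", who, f"legacy privacy algorithm {u['priv_algorithm']}"))
    return findings


def audit_snmp(cfg):
    return audit_communities(cfg.get("communities", [])) + audit_v3_users(cfg.get("v3_users", []))


# Constructed sample configuration: one weak and one acceptable community, three v3 users.
SAMPLE_CONFIG = {
    "communities": [
        {"name": "public", "enabled": True, "v1_queries": True, "v2c_queries": True,
         "hosts": [{"ip": "0.0.0.0/0", "type": "Accept queries and send traps"}]},
        {"name": "mon-ro-7k2", "enabled": True, "v1_queries": False, "v2c_queries": True,
         "hosts": [{"ip": "10.10.10.50/32", "type": "Accept queries only"}]},
    ],
    "v3_users": [
        {"name": "netops", "enabled": True, "security_level": "Authentication and Private",
         "auth_algorithm": "SHA1", "priv_algorithm": "AES256"},
        {"name": "legacy", "enabled": True, "security_level": "Authentication and No Private",
         "auth_algorithm": "MD5"},
        {"name": "probe", "enabled": True, "security_level": "No Authentication"},
    ],
}

if __name__ == "__main__":
    for severity, subject, message in audit_snmp(SAMPLE_CONFIG):
        print(f"[{severity}] {subject}: {message}")
```

A community or user that produces no findings under this policy matches what the section recommends: a non-default community name, specific manager addresses rather than 0.0.0.0, v1 left disabled, and v3 users at the Authentication and Private level with SHA1 and AES.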

Fortinet MIBs

The FortiProxy SNMP agent supports Fortinet proprietary MIBs, as well as standard RFC 1213 and RFC 2665 MIBs. RFC support includes support for the parts of RFC 2665 (Ethernet-like MIB) and the parts of RFC 1213 (MIB II) that apply to FortiProxy unit configuration.

There are two MIB files for FortiProxy units, and both files are required for proper SNMP data collection.

The Fortinet and FortiProxy MIB files are available for download on the Fortinet Customer Support site. Each Fortinet product has its own MIB—if you use other Fortinet products, you need to download their MIB files as well.

The Fortinet MIB and FortiProxy MIB, along with the two RFC MIBs, are listed in the table in this section.

To download the MIB files, go to System > SNMP and select a MIB link in the SNMP section. See SNMP configuration.

Your SNMP manager may already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet proprietary MIB to this database to have access to the Fortinet-specific information.

MIB files are updated for each version of FortiProxy. When upgrading the firmware, ensure that you update the Fortinet FortiProxy MIB file compiled in your SNMP manager as well.
MIB file name or RFC Description
FORTINET-CORE-MIB.mib The Fortinet MIB includes all system configuration information and trap information that is common to all Fortinet products. Your SNMP manager requires this information to monitor FortiProxy unit configuration settings and receive traps from the FortiProxy SNMP agent.
FORTINET-FORTIPROXY-MIB.mib The FortiProxy MIB includes all system configuration information and trap information that is specific to FortiProxy units. Your SNMP manager requires this information to monitor FortiProxy configuration settings and receive traps from the FortiProxy SNMP agent. FortiManager systems require this MIB to monitor FortiProxy units.

SNMP get command syntax

Normally, to get configuration and status information for a FortiProxy unit, an SNMP manager would use an SNMP get command to get the information in a MIB field. The SNMP get command syntax would be similar to:

snmpget -v2c -c <community_name> <address_ipv4> {<OID> | <MIB_field>}

For example, to query the firmware version running on the FortiProxy unit, the following command could be issued:

snmpget -v2c -c public 10.10.10.1 1.3.6.1.4.1.12356.109.4.1.1.0


In this example, the community name is public, and the IP address of the interface configured for SNMP management access is 10.10.10.1. The firmware version is queried using the MIB field fchSysVersion, the OID for which is 1.3.6.1.4.1.12356.109.4.1.1.0.

The value returned is a string with a value of v2.0,build0225,130213.
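What the snmpget command above puts on the wire, and what comes back, is a pair of BER-encoded SNMP messages. The following is an added example, not FortiProxy or Net-SNMP code: it builds the v2c GetRequest for the page's OID and the matching GetResponse carrying the version string, then decodes both. The request id (42) is constructed; the community, OID and returned value are the ones quoted on the page. Only the BER subset needed for these two PDU types is implemented. One thing the decoder makes visible is that the community string is recoverable as plain text from the packet, which is the reason the page recommends non-default community names and restricts which manager hosts may use them.

```python
# SNMPv2c GetRequest/GetResponse BER codec. Added example, not FortiProxy or Net-SNMP code.

SYS_VERSION_OID = "1.3.6.1.4.1.12356.109.4.1.1.0"  # OID quoted on the page (fchSysVersion)
SNMP_V2C = 1                                        # version field value for SNMPv2c
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2              # context-specific PDU tags


def _ber_length(n):
    """Definite-form length: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _ber_length(len(content)) + content


def ber_integer(v):
    """Minimal-length two's complement INTEGER."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return _tlv(0x02, v.to_bytes(n, "big", signed=True))


def ber_oid(oid):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _varbind_list(varbinds):
    """SEQUENCE OF { OID, value }; value None encodes NULL (a GetRequest), str an OCTET STRING."""
    items = b""
    for oid, value in varbinds:
        enc = b"\x05\x00" if value is None else _tlv(0x04, value.encode())
        items += _tlv(0x30, ber_oid(oid) + enc)
    return _tlv(0x30, items)


def snmp_v2c_message(pdu_tag, community, request_id, varbinds):
    """SEQUENCE { version, community, PDU { request-id, error-status, error-index, varbinds } }."""
    pdu = _tlv(pdu_tag, ber_integer(request_id) + ber_integer(0) + ber_integer(0) + _varbind_list(varbinds))
    return _tlv(0x30, ber_integer(SNMP_V2C) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos):
    """Return (tag, content, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_snmp_v2c(pkt):
    """Parse a v1/v2c message; the community string comes back as plain text."""
    _, msg, _ = _read_tlv(pkt, 0)
    _, ver, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    _, rid, p = _read_tlv(pdu, 0)
    _, _, p = _read_tlv(pdu, p)  # error-status
    _, _, p = _read_tlv(pdu, p)  # error-index
    _, vbl, _ = _read_tlv(pdu, p)
    varbinds, q = [], 0
    while q < len(vbl):
        _, vb, q = _read_tlv(vbl, q)
        _, oid_c, r = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, r)
        varbinds.append((_decode_oid(oid_c), val.decode() if vtag == 0x04 else None))
    return {"version": int.from_bytes(ver, "big", signed=True), "community": community.decode(),
            "pdu_type": pdu_tag, "request_id": int.from_bytes(rid, "big", signed=True),
            "varbinds": varbinds}


if __name__ == "__main__":
    req = snmp_v2c_message(GET_REQUEST, "public", 42, [(SYS_VERSION_OID, None)])
    rsp = snmp_v2c_message(GET_RESPONSE, "public", 42, [(SYS_VERSION_OID, "v2.0,build0225,130213")])
    print(req.hex(), decode_snmp_v2c(req), sep="\n")
    print(rsp.hex(), decode_snmp_v2c(rsp), sep="\n")
```

The encoded OID begins 2b 06 01 04 01, the usual iso.org.dod.internet.private.enterprise prefix, followed by e0 44 for the Fortinet enterprise number 12356 split into two base-128 bytes.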

Replacement messages

Replacement pages can be customized as required from System > Replacement Messages.

The following options are available:

Manage Images Select to view the available images and their respective tags.
Search Enter a search term to search the replacement message list.
Simple View or Extended View Select the view:
  • Simple View displays a selection of Security and Authentication messages.
  • Extended View displays all messages.
See the table at the end of this section for a list of all the messages.
Name The message name.
Description The message description.
Modified A check mark is shown when the message has been modified.
Save Save any customizations that you made to the message.
Restore Default Restore the message back to its default state.
Preview A preview of how the message looks.
Message HTML The HTML code for the message that you can edit.

The following table outlines all of the messages that can be customized, as shown in Extended View:

Category: Administrator
  Post-login Disclaimer Message: Replacement message for post-login disclaimer.
  Pre-login Disclaimer Message: Replacement message for pre-login disclaimer.
Category: Alert Email
  alertmail-block: Alert email text for block incidents.
  alertmail-crit-event: Alert email text for critical event notification.
  alertmail-disk-full: Alert email text for disk-full events.
  alertmail-nids-event: Alert email text for IPS events.
  alertmail-virus: Alert email text for virus incidents.
Category: Authentication
  Authentication Success Page: Replacement HTML for authentication success page.
  Block Notification Page: Replacement HTML for block notification page.
  Certificate Password Page: Replacement HTML for certificate password page.
  Declined Disclaimer Page: Replacement HTML for user-declined disclaimer page.
  Declined Quarantine Page: Replacement HTML for user-declined quarantine page.
  Disclaimer Page: Replacement HTML for authentication disclaimer page.
  Email Collection: Replacement HTML for email collection page.
  Email Collection Invalid Email: Replacement HTML for email collection page after the user enters invalid email.
  Email Token Page: Replacement HTML for email-token authentication page.
  FortiToken Page: Replacement HTML for FortiToken authentication page.
  Guest User Email Template: Replacement text for guest-user credentials email message.
  Guest User Print Template: Replacement HTML for guest-user credentials printout.
  Keepalive Page: Replacement HTML for authentication keep-alive page.
  Login Challenge Page: Replacement HTML for authentication login-challenge page.
  Login Failed Page: Replacement HTML for authentication failed page.
  Login Page: Replacement HTML for authentication login page.
  Next FortiToken Page: Replacement HTML for next FortiToken authentication page.
  Password Expiration Page: Replacement HTML for password expiration page.
  Portal Page: Replacement HTML for post-authentication portal page.
  Quarantine Notification Page: Replacement HTML for quarantine notification page.
  SMS Token Page: Replacement HTML for SMS-token authentication page.
  Success Message: Replacement text for authentication success message.
  Two-Factor Login Failed: Replacement HTML for two-factor authentication failed page.
  Two-Factor Login Page: Replacement HTML for two-factor authentication login page.
Category: Device Detection Portal
  Device Detection Portal Failure Page: Replacement HTML for device detection portal failure page.
Category: Email
  AV Engine Load Error Email Block Message: Replacement text for email blocked because the antivirus engine failed to load.
  Email DLP Ban: Replacement text for emails blocked due to data leak detection.
  Email DLP Subject: Replacement text for subject of emails blocked due to data leak detection.
  Email File Block Message: Replacement text for message indicating removal of blocked attachment from email.
  Email File Size Block Message: Replacement text for message indicating removal of oversized attachment from email.
  Partial Email Block Message: Replacement text for emails rejected because they are fragmented.
  SMTP File Block Message: Replacement text for emails rejected due to blocked attachments.
  SMTP File Size Message: Replacement text for emails rejected due to file size limit.
Category: FortiGuard Web Filtering
  FortiGuard Block Page: Replacement HTML for FortiGuard web filter block page.
  FortiGuard HTTP Error Page: Replacement HTML for FortiGuard web filter HTTP error page.
  FortiGuard Override Page: Replacement HTML for FortiGuard web filter override page.
  FortiGuard Quota Page: Replacement HTML for FortiGuard web filter quota exceeded block page.
  FortiGuard Warning Page: Replacement HTML for FortiGuard web filter warning page.
Category: FTP
  Archive Block Message: Replacement text for FTP archive file block message.
  AV Engine Load Error Block Message: Replacement text for FTP blocked because the antivirus engine failed to load.
  Block Message: Replacement text for FTP permission-denied block message.
  DLP Ban Message: Replacement text for FTP data-leak detected ban message.
  Explicit Banner Message: Replacement text for explicit FTP proxy banner message.
  File Size Block Message: Replacement text for FTP oversized file block message.
Category: HTTP
  Archive Block Message: Replacement HTML for HTTP archive block message.
  Block Message: Replacement HTML for HTTP file block message.
  Content Block Message: Replacement HTML for HTTP content-type block message.
  Content Block Page: Replacement HTML for HTTP file content block page.
  Content Upload Block Page: Replacement HTML for HTTP file upload content block page.
  DLP Ban Message: Replacement HTML for HTTP data-leak detected ban message.
  Invalid Certificate Message: Replacement HTML for HTTP invalid certificate message.
  Oversized File Message: Replacement HTML for HTTP oversized file block message.
  Oversized Upload Message: Replacement HTML for HTTP oversized file upload block message.
  POST Block Message: Replacement HTML for HTTP POST block message.
  Previously Infected Block Page: Replacement HTML for HTTP URL previously infected block page.
  Switching Protocols Blocked: Replacement HTML for HTTP Switching Protocols Blocked page.
  Upload Archive Block Message: Replacement HTML for HTTP archive upload block message.
  Upload Block Message: Replacement HTML for HTTP file upload block message.
  URL Block Page: Replacement HTML for HTTP URL blocked page.
  URL Filter Error Message: Replacement HTML for HTTP web filter service error message.
Category: Network Quarantine
  Network Quarantine Administrative Block Page: Replacement HTML for network quarantine administrative block page.
  Network Quarantine Application Block Page: Replacement HTML for network quarantine application block page.
  Network Quarantine AV Block Page: Replacement HTML for network quarantine antivirus block page.
  Network Quarantine DLP Block Page: Replacement HTML for network quarantine DLP block page.
  Network Quarantine DOS Block Page: Replacement HTML for network quarantine DOS block page.
  Network Quarantine IPS Block Page: Replacement HTML for network quarantine IPS block page.
Category: NNTP
  NNTP AV Engine Load Error Block Message: Replacement text for NNTP article blocked because the antivirus engine failed to load.
  NNTP DLP Ban Message: Replacement text for NNTP user banned by data leak prevention.
  NNTP DLP Block Message: Replacement text for body of NNTP message blocked by data leak prevention.
  NNTP DLP Block Subject: Replacement text for subject of NNTP message blocked by data leak prevention.
  NNTP File Size Block Message: Replacement text for NNTP article too large block message.
Category: Security
  Application Control Block Page: Replacement HTML for Application Control block page.
  DLP Block Message: Replacement text for DLP block message.
  DLP Block Page: Replacement HTML for DLP block page.
  IPS Scan Failure Block Page: Replacement HTML for IPS scan failure block page.
  IPS Sensor Block Page: Replacement HTML for IPS sensor block page.
  Virus Block Message: Replacement text for antivirus block message.
  Virus Block Page: Replacement HTML for antivirus block page.
  Virus Upload Block Page: Replacement HTML for virus infected file upload block page.
  Web Application Firewall Block Page: Replacement HTML for web application firewall block page.
  Windows Executable Block Page: Replacement text for blocked Windows executables.
Category: Spam
  ASE Block Message: Replacement text for emails blocked due to detection by Advanced Antispam Engine (ASE).
  Banned Word Block Message: Replacement text for emails blocked due to prohibited content (banned words) in message.
  DNSBL Block Message: Replacement text for emails blocked due to detection by antispam DNSBL.
  False-Positive Submit Message: Replacement text for email submit message as false-positive message.
  FortiGuard Block Message: Replacement text for emails blocked due to IP blacklist by FortiGuard.
  HELO Block Message: Replacement text for emails blocked due to HELO check.
  IP Blacklist Message: Replacement text for emails blocked due to blacklisted sending IP addresses.
  MIME Header Block Message: Replacement text for emails blocked due to invalid MIME header.
  Reverse DNS Block Message: Replacement text for emails blocked due to invalid return domain.
  Sender Address Block Message: Replacement text for emails blocked due to blacklisted sender address.
Category: Traffic Quota
  Traffic Quota Limit Exceeded Page: Replacement HTML for traffic quota limit exceeded block page.
Category: Web-proxy
  Web-proxy Authentication Failed Page: Replacement HTML for web-proxy authentication failed page.
  Web-proxy Authorization Failed Page: Replacement HTML for web-proxy authorization failed page.
  Web-proxy Block Page: Replacement HTML for web-proxy block page.
  Web-proxy Challenge Page: Replacement HTML for web-proxy authentication required block page.
  Web-proxy HTTP Error Page: Replacement HTML for web-proxy HTTP error page.
  Web-proxy IP Blackout Page: Replacement HTML for web-proxy IP Blackout page.
  Web-proxy User Limit Page: Replacement HTML for web-proxy user limit block page.

FortiGuard settings

The FortiGuard Distribution Network page provides information and configuration settings for FortiGuard subscription services. For more information about FortiGuard services, see the FortiGuard Center web page.

To view and configure FortiGuard connections, go to System > FortiGuard.

Configure the following settings and select Apply:

FortiCare Support The availability or status of your unit’s support contract. The status can be Unreachable, Not Registered, or Valid Contract.

You can update your registration status by selecting Register and loading the license file from a location on your management computer.
Application Control Signatures Application Control is a free FortiGuard service. Application Control allows you to identify and control applications on networks and endpoints regardless of port, protocol, and IP address used. It gives you unmatched visibility and control over application traffic, even traffic from unknown applications and sources. Although the Application Control profile can be used for free, signature database updates require a valid FortiGuard subscription. To update the database of Application Control signatures, select Upgrade Database.
IPS The FortiGuard Intrusion Prevention System (IPS) uses a customizable database of more than 4000 known threats to stop attacks that evade conventional firewall defenses. It also provides behavior-based heuristics, enabling the system to recognize threats when no signature has yet been developed. It also provides more than 1000 application identity signatures for complete Application Control. To update the IPS database, select Upgrade Database.
AntiVirus The FortiGuard AntiVirus Service provides fully automated updates to ensure protection against the latest content level threats. It employs advanced virus, spyware, and heuristic detection engines to prevent both new and evolving threats from gaining access to your network and protects against vulnerabilities. To update the AntiVirus database, select Upgrade Database.
Web Filtering Web Filtering provides Web URL filtering to block access to harmful, inappropriate, and dangerous web sites that may contain phishing/pharming attacks, malware such as spyware, or objectionable content that can expose your organization to legal liability. Based on automatic research tools and targeted research analysis, real-time updates enable you to apply highly-granular policies that filter web access based on 78 web content categories, over 45 million rated web sites, and more than two billion web pages—all continuously updated.
Antivirus & IPS Updates
Accept push updates Enable to allow updates sent automatically to your FortiProxy. New definitions are added as soon as they are released by FortiGuard. If a specific override push IP address is required, select Use override push IP and enter an IP address and port number in the required fields.
Use override push This option is available only when Accept push updates is enabled.

Enable to configure an override server if you cannot connect to the FDN or if your organization provides updates using their own FortiGuard server.

Enter the IP address and port of the NAT device in front of your FortiProxy. FDN connects to this device when attempting to reach the FortiProxy. The NAT device must be configured to forward the FDN traffic to the FortiProxy unit on UDP port 9443.
Scheduled Updates Enable to receive scheduled updates and then select when the updates occur: Every 1-23 hours, Daily at a specific hour, or Weekly on a specific day at a specific hour.
Improve IPS quality Enable to help Fortinet maintain and improve IPS signatures. The information is sent to the FortiGuard servers when an attack occurs and can be used to keep the database current as variants of attacks evolve.
Use extended IPS signature package Some models have access to an extended IPS database.
Update AV & IPS Definitions Select to manually initiate an FDN update.
Filtering  
Web Filter Cache Enable the web filter cache.

Enter the number of minutes the FortiProxy unit stores blocked IP addresses or URLs locally, saving time and network access traffic by not checking the FortiGuard server. After the specified time, the FortiProxy unit contacts the FDN server to verify a web address.
Clear Web Filter Cache Select to manually delete the contents of the web filter cache.
Anti-Spam Cache Enable the antispam cache and then enter the number of minutes to store the antispam cache.
FortiGuard Filtering Port Select the port assignments for contacting the FortiGuard servers, either the default port (53) or the alternate port (8888).
Filtering Services Availability Indicates the status of filtering service. Select Check Again if the filtering service is not available and then select OK in the confirmation dialog box. A warning is displayed if the FortiProxy unit does not have a valid license.
Request re-evaluation of a URL's category Select to re-evaluate a URL’s category rating using the Fortinet Live URL Rating Support (opens in a new browser window).
Override FortiGuard Servers By default, the FortiProxy unit updates signature packages and queries rating servers using public FortiGuard servers. You can override this list of servers. You can also disable communication with public FortiGuard servers.
Create New Select to display the Create New Override FortiGuard Server page.
Edit Select a server in the list and select Edit to display the Edit Override FortiGuard Server page.
Delete Select a server in the list and select Delete to remove one of the servers in the list.

To remove multiple servers, select multiple rows in the list by holding down the Ctrl or Shift keys and then select Delete.

Configuration scripts

Scripts are text files containing CLI command sequences. Scripts can be used to deploy identical configurations to many devices. For example, if all of your devices use identical security policies, you can enter the commands required to create the security policies in a script, and then deploy the script to all the devices which should use those same settings.

Use a text editor such as Notepad or other application that creates simple text files. Enter the commands in sequence, with each line as one command.

After you have created a script file, you can then upload it through System > Advanced. When a script is uploaded, it is automatically executed.

Commands that require the FortiProxy unit to reboot when entered in the command line will also force a reboot if included in a script.

To execute a script:
  1. Go to System > Advanced.
  2. Select Upload and Run a New Script and then locate the script file.
  3. Select Open.

If the FortiProxy unit is not configured for remote management, or if it is configured to use a FortiManager unit, uploaded scripts are discarded after execution. Save script files to your management PC if you want to execute them again later.

If the FortiProxy unit is configured to use the FortiGuard Analysis and Management Service, the script file is saved to the remote server for later reuse. You can view the script or run it from the FortiGuard Analysis and Management Service portal web site.

Disk management

Go to System > Advanced to view the disk information. The Disk Settings area shows information about the storage space for different features for each hard disk and allows you to edit quota and storage settings. You can use this section for WAN optimization and logging. Hover over the label for the hard disk to see the partition size, disk size, how much is used, and how much is free.

If you want to use WAN optimization, go to System > Feature Visibility and enable WAN Opt. & Cache.

Configure the following settings and select Apply:

Status Enable or disable the hard disk drive.
Disk Usage Select whether the disk is used for WAN Opt. & Cache or Mix. Select Mix if you want to allow logging on the hard disk, as well as WAN optimization and web caching.

WAN optimization requires significant memory resources and generates a high amount of I/O on disk. If possible, avoid other disk-intensive features such as heavy traffic logging on the same disk as the one configured for WAN optimization.
Wanopt Mode Select Wanopt if you want the hard disk used just for WAN optimization, select Web Cache if you want the hard disk used just for web caching, or select Both.

Disk configuration

When possible, performance can be improved by logging to a disk that is not used for caching.

Go to Log > Log Settings to change the settings for logging and archiving. See Log settings.

Feature visibility

Various FortiProxy features can be enabled or disabled as required. Disabled features are not shown in the GUI.

Go to System > Feature Visibility to configure which features are available.

The following options can be turned on or off by toggling the sliders:

IPv6 Allows you to configure the following IPv6 features from the GUI: network interface addresses, trusted hosts for administration, static routes, policy routes, security policies, and firewall addresses.
WAN Opt. & Cache Controls the visibility of the WAN Opt. & Cache menu.

Enables WAN optimization and web caching to reduce the amount of bandwidth used by traffic on your WAN.
Allow Unnamed Policies Relaxes the requirement for every policy to have a name when created in GUI.
Certificates Controls the visibility of the System > Certificates menu.

Allows you to change the certificates used for SSL inspection, SSL load balancing, SSL-VPN, IPsec VPN, and authentication. If Certificates is not enabled, default FortiProxy certificates are used.
DNS Database Allows you to set up the FortiProxy unit as the DNS server for your network. You can add local DNS entries to the DNS database and forward other DNS lookups to external DNS servers, manage the DNS database from Network > DNS, and optionally set up DNS filter profiles (Security Profiles > DNS Filter) and add them to a DNS server on a FortiProxy interface.
ICAP Controls the visibility of the Security Profiles > ICAP menu.

Allows you to offload services to an external server. These services can include: ad insertion, virus scanning, content and language translation, HTTP header or URL manipulation, and content filtering. You can also use this feature to set up profiles and add them to security policies.
Implicit Firewall Policies Firewall policy lists end with an implicit policy that denies all traffic. Enable this feature to see these policies on firewall policy lists in the GUI. You can edit an implicit policy and enable logging to record log messages when the implicit policy denies a session.
Local Reports Controls whether you can view PDF security reports in the GUI.
Multiple Interface Policies Allows the configuration of policies with multiple source/destination interfaces.
Multiple Security Profiles Allows you to create more than one antivirus profile, web filter profile, application sensor, IPS sensor, antispam profile, DLP sensor, VoIP profile (if enabled), and ICAP profile (if enabled). You can also select the individual UTM profiles in security policies. Enable multiple UTM profiles if you need different levels of UTM protection for different traffic streams.
Traffic Shaping Allows you to configure policies to define how specific types of traffic are shaped by the FortiProxy unit.
AntiVirus Controls the visibility of the Security Profiles > AntiVirus menu.

Allows you to remove viruses, analyze suspicious files with FortiSandbox, and apply botnet protection to network traffic. Set up antivirus profiles (Security Profiles > AntiVirus) and add them to firewall policies. This feature requires a subscription to FortiGuard AntiVirus.
Application Control Controls the visibility of the Security Profiles > Application Control menu.

Visualize and control the applications on your network. Set up application sensors (under Security Profiles > Application Control) and add them to firewall policies. This feature requires a subscription to Application Control Signatures.
DLP Controls the visibility of the Security Profiles > Data Leak Prevention menu.

Allows you to prevent sensitive data, like credit card and social security numbers, from leaving or entering your network. Set up DLP sensors (under Security Profiles > Data Leak Prevention) and add them to firewall policies.
Explicit Proxy Controls the visibility of the Enable Explicit Web Proxy and Enable Explicit FTP Proxy options on the Edit Interface page.

Allows you to enable HTTP, HTTPS, or FTP proxies for your network, which can be added to interfaces. You can create security policies to control access to the proxy and apply UTM and other features to proxy traffic. Users on the network must configure their browsers to use the proxy.
Intrusion Prevention Controls the visibility of the Security Profiles > Intrusion Prevention menu.

Allows you to detect and block network-based attacks. You can set up IPS sensors (under Security Profiles > Intrusion Prevention) and add them to security policies. This feature requires a subscription to FortiGuard IPS.
Web Filter Controls the visibility of the Security Profiles > Web Filter menu.

Allows you to apply web category filtering, URL filtering, and content filtering to control users' access to web resources. You can set up web filter profiles (Security Profiles > Web Filter) and add them to firewall policies. Some features require a subscription to FortiGuard Web Filtering.

Messaging servers

To configure a messaging server, use the following CLI commands:

config system email-server
    set type                        --Configure a custom email server.
    set reply-to                    --Enter the default reply-to email address.
    set server <IP or hostname>     --Enter the name or address of the SMTP email server.
    set port                        --Set the SMTP server port.
    set source-ip                   --Set the source IPv4 address used to reach the SMTP server.
    set source-ip6                  --Set the source IPv6 address used to reach the SMTP server.
    set authenticate                --Enable or disable authentication.
    set validate-server             --Enable or disable the validation of the server certificate.
    set security                    --Set connection security.
next
end
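Because uploaded scripts run immediately (see Configuration scripts above), it is worth checking a script before it reaches System > Advanced. The following Python linter is an added example, not part of the FortiProxy product or its documentation: it parses the config/edit/set/next/end structure of a script file, rejects unbalanced blocks or unrecognized commands, and flags an email-server block that disables server-certificate validation, authentication, or connection security. The two embedded scripts are constructed samples; the setting values they use (custom, starttls, enable/disable) are assumptions about the CLI syntax, and the nesting rules implemented here (next closes an edit entry, end closes a config block) are the general FortiOS-style CLI conventions, not something the page states.

```python
"""Lint a FortiProxy CLI configuration script before uploading it.

Added example, not FortiProxy's own code. It assumes the generic
config/edit/set/next/end structure of Fortinet-style CLI scripts and
checks the 'config system email-server' settings listed on the page.
"""
import shlex

# Constructed sample: a messaging-server block with weak settings.
WEAK_SCRIPT = """\
config system email-server
    set type custom
    set server smtp.example.internal
    set port 25
    set authenticate disable
    set validate-server disable
    set security none
end
"""

# Constructed sample: the same block with the settings a reviewer wants.
HARDENED_SCRIPT = """\
config system email-server
    set type custom
    set reply-to fortiproxy@example.internal
    set server smtp.example.internal
    set port 587
    set authenticate enable
    set validate-server enable
    set security starttls
end
"""

# key -> (value considered weak, reason reported). Values are assumptions
# about the CLI syntax, not taken from the page.
WEAK_EMAIL_SETTINGS = {
    "security": ("none", "mail is sent without TLS"),
    "validate-server": ("disable", "SMTP server certificate is not verified"),
    "authenticate": ("disable", "no SMTP authentication"),
}


def parse_script(text):
    """Parse a script into {block_path: {key: value}}.

    block_path is a tuple such as ('system email-server',) or
    ('firewall address', 'srv') for an edit entry. Raises ValueError on
    unbalanced nesting, a 'set' with no value, or an unknown command.
    """
    stack = []   # (kind, name) frames, kind is 'config' or 'edit'
    blocks = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments
        words = shlex.split(line)         # one CLI command per line
        cmd, args = words[0], words[1:]
        if cmd == "config":
            stack.append(("config", " ".join(args)))
        elif cmd == "edit":
            if not stack or stack[-1][0] != "config":
                raise ValueError(f"line {lineno}: 'edit' outside a config block")
            stack.append(("edit", " ".join(args)))
        elif cmd == "set":
            if not stack:
                raise ValueError(f"line {lineno}: 'set' outside any block")
            if len(args) < 2:
                raise ValueError(f"line {lineno}: 'set' needs a key and a value")
            path = tuple(name for _, name in stack)
            blocks.setdefault(path, {})[args[0]] = " ".join(args[1:])
        elif cmd == "next":
            if not stack or stack[-1][0] != "edit":
                raise ValueError(f"line {lineno}: 'next' without matching 'edit'")
            stack.pop()
        elif cmd == "end":
            if not stack or stack[-1][0] != "config":
                raise ValueError(f"line {lineno}: 'end' without matching 'config'")
            stack.pop()
        else:
            raise ValueError(f"line {lineno}: unrecognized command {cmd!r}")
    if stack:
        kind, name = stack[-1]
        raise ValueError(f"unterminated {kind} block {name!r}")
    return blocks


def lint_script(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    try:
        blocks = parse_script(text)
    except ValueError as exc:
        return [f"syntax: {exc}"]
    findings = []
    for path, settings in blocks.items():
        if path[0] != "system email-server":
            continue
        for key, (weak_value, reason) in WEAK_EMAIL_SETTINGS.items():
            value = settings.get(key)
            if value is None:
                findings.append(f"email-server: '{key}' is not set explicitly")
            elif value == weak_value:
                findings.append(f"email-server: '{key} {value}': {reason}")
    return findings


if __name__ == "__main__":
    for label, script in (("weak", WEAK_SCRIPT), ("hardened", HARDENED_SCRIPT)):
        print(f"{label}: {lint_script(script) or ['no findings']}")
```

Run the file directly to see the weak sample produce three findings and the hardened sample none; a syntax finding such as an unterminated block is returned instead of the settings check, since a script that fails to parse should not be uploaded at all.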