This section provides features for configuring and viewing advanced network settings, such as High Availability (HA) cluster and interface settings, SNMPv1/v2 and v3, FortiGuard web-filtering settings, replacement messages, and messaging servers.
This section describes the following:
FortiProxy HA provides a system management solution that synchronizes configuration changes among the cluster members. You can fine-tune the performance of the HA cluster to change how a cluster forms and shares information among cluster members.
The HA heartbeat keeps cluster units communicating with each other. The heartbeat consists of hello packets that are sent at regular intervals by the heartbeat interface of all cluster units. These hello packets describe the state of the cluster unit and are used by other cluster units to keep all the units synchronized.
HA heartbeat packets are non-TCP packets that use Ethertype values 0x8890, 0x8891, and 0x8893. The default time interval between HA heartbeats is 200 ms.
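As an added illustration that is not part of the FortiProxy documentation, the following Python script applies the two facts above to a packet capture: it classifies raw Ethernet frames by the three heartbeat Ethertypes and reports any heartbeat source whose silence exceeds a chosen number of 200 ms intervals, which is the condition a monitor would watch for a failing heartbeat link. The frames, MAC addresses and `hello` payload are constructed for the example; the real hello-packet payload format is not documented on this page and is not parsed.

```python
import struct

# Ethertype values the page lists for FortiProxy HA heartbeat frames.
HA_HEARTBEAT_ETHERTYPES = {0x8890, 0x8891, 0x8893}
# Default heartbeat interval from the page (200 ms); all timings below are in ms.
DEFAULT_INTERVAL_MS = 200


def parse_ethernet(frame: bytes) -> dict:
    """Split a raw Ethernet II frame into addresses, Ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst.hex(":"), "src": src.hex(":"),
            "ethertype": ethertype, "payload": frame[14:]}


def is_ha_heartbeat(frame: bytes) -> bool:
    """True when the frame carries one of the HA heartbeat Ethertypes."""
    return parse_ethernet(frame)["ethertype"] in HA_HEARTBEAT_ETHERTYPES


def heartbeat_gaps(capture, interval_ms=DEFAULT_INTERVAL_MS, lost_threshold=3):
    """Report heartbeat sources that went silent for more than lost_threshold intervals.

    capture: iterable of (timestamp_ms, frame_bytes). Returns a list of
    (src_mac, gap_ms, missed_heartbeats) tuples, one per oversized gap.
    """
    last_seen = {}
    alerts = []
    for ts, frame in sorted(capture, key=lambda item: item[0]):
        eth = parse_ethernet(frame)
        if eth["ethertype"] not in HA_HEARTBEAT_ETHERTYPES:
            continue  # ordinary traffic on the capture interface is ignored
        src = eth["src"]
        if src in last_seen:
            gap = ts - last_seen[src]
            if gap > lost_threshold * interval_ms:
                alerts.append((src, gap, gap // interval_ms - 1))
        last_seen[src] = ts
    return alerts


def make_frame(src: bytes, ethertype: int, payload: bytes = b"hello") -> bytes:
    """Constructed frame for the example; the payload is a placeholder, not the real hello format."""
    return b"\xff" * 6 + src + struct.pack("!H", ethertype) + payload


# Constructed capture: unit A falls silent between t=600 ms and t=1600 ms,
# unit B keeps its 200 ms cadence, and one IPv4 frame is mixed in.
UNIT_A = bytes.fromhex("02000000000a")
UNIT_B = bytes.fromhex("02000000000b")
SAMPLE_CAPTURE = [
    (0, make_frame(UNIT_A, 0x8890)), (200, make_frame(UNIT_A, 0x8890)),
    (400, make_frame(UNIT_A, 0x8890)), (600, make_frame(UNIT_A, 0x8890)),
    (1600, make_frame(UNIT_A, 0x8890)),
    (100, make_frame(UNIT_B, 0x8891)), (300, make_frame(UNIT_B, 0x8891)),
    (500, make_frame(UNIT_B, 0x8891)), (700, make_frame(UNIT_B, 0x8891)),
    (450, make_frame(UNIT_B, 0x0800, b"\x45\x00")),  # IPv4, not a heartbeat
]

if __name__ == "__main__":
    for src, gap, missed in heartbeat_gaps(SAMPLE_CAPTURE):
        print(f"{src}: {gap} ms without heartbeat (~{missed} missed)")
```

The threshold of three intervals is an assumption for the example, not a FortiProxy setting; tune it to the heartbeat interval actually configured on the cluster.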
Your FortiProxy device can be configured as a standalone unit or you can configure two FortiProxy devices in the Active-Passive mode for failover protection. To configure HA and cluster settings or to view the cluster member list, select System > HA.
Configure the following settings and then select OK:
When deployed in a cluster, depending on the deployed architecture, requests for the same URL might have hit each cache device and been cached separately on each. Methods are available to mitigate this through load balancing with FortiADC or WCCP.
FortiProxy has the Cache Collaboration feature, where the storage of all devices within the FortiProxy HA Cluster is accessible as a shared entity. This feature allows content cached by one device to be shared by other FortiProxy devices within the cluster, significantly increasing the cache rate.
```
config wanopt cache-service
    set prefer-senario {balance | prefer-speed | prefer-cache}   (default: balance)
    set collaboration {enable | disable}                          (default: disable)
    set device-id <name>
    set acceptable-connections {any | peers}                      (default: any)
end
```
The Simple Network Management Protocol (SNMP) allows you to monitor hardware on your network. You can configure the hardware, such as the FortiProxy SNMP agent, to report system information and traps.
SNMP traps alert you to events that happen, such as a log disk becoming full, or a virus being detected. These traps are sent to the SNMP managers. An SNMP manager (or host) is typically a computer running an application that can read the incoming traps and event messages from the agent and can send out SNMP queries to the SNMP agents. A FortiManager unit can act as an SNMP manager to one or more FortiProxy units.
By using an SNMP manager, you can access SNMP traps and data from any FortiProxy interface configured for SNMP management access. Part of configuring an SNMP manager is to list it as a host in a community on the FortiProxy unit it will be monitoring. Otherwise, the SNMP monitor will not receive any traps from, and be unable to query, that FortiProxy unit.
When using SNMP, you must also ensure you have added the correct Management Information Base (MIB) files to the unit, regardless of whether or not your SNMP manager already includes standard and private MIBs in a ready-to-use, compiled database. A MIB is a text file that describes a list of SNMP data objects used by the SNMP manager. See Fortinet MIBs for more information.
The FortiProxy SNMP implementation is read-only. SNMP v1, v2c, and v3 compliant SNMP managers have read-only access to FortiProxy system information through queries and can receive trap messages from the unit.
The FortiProxy SNMP v3 implementation includes support for queries, traps, authentication, and privacy. Authentication and encryption are configured in the CLI.
FortiProxy supports Low crypto (LENC) mode for LENC models.
Before a remote SNMP manager can connect to the FortiProxy agent, you must configure one or more FortiProxy interfaces to accept SNMP connections. Interfaces are configured in Network > Interfaces. See Interfaces.
For security reasons, Fortinet recommends that neither “public” nor “private” be used for SNMP community names.
When the unit is in virtual domain mode, SNMP traps can only be sent on interfaces in the management virtual domain.
If you want to allow SNMP access on an interface, you must go to Network > Interfaces and select SNMP in the Access field in the settings for the interface that you want the SNMP manager to connect to.
For SNMP configuration, go to System > SNMP.
Configure the following settings and select Apply:
| Setting | Description |
|---|---|
| Download FortiProxy MIB File | Download the FortiProxy MIB file. See Fortinet MIBs. |
| Download Fortinet Core MIB File | Download the Fortinet MIB file. |
| SNMP Agent | Enable the FortiProxy SNMP agent. |
| Description | Enter a description of the unit. The description can be up to 35 characters long. |
| Location | Enter the physical location of the unit. The system location description can be up to 35 characters long. |
| Contact Info | Enter the contact information for the person responsible for this unit. The contact information can be up to 35 characters. |
| SNMP v1/v2c | Lists the communities for SNMP v1/v2c. From within this section, you can create, edit, or remove SNMP communities. |
| Create New | Creates a new SNMP community. When you select Create New, the New SNMP Community page opens. See Manage SNMP communities. |
| Edit | Modifies settings within an SNMP community. When you select Edit, the Edit SNMP Community page opens. |
| Delete | Removes an SNMP community from the list. To remove multiple SNMP communities, select multiple rows in the list by holding down the Ctrl or Shift keys and then select Delete. |
| Status | Enable or disable the SNMP community. |
| Community Name | The name of the community. |
| Queries | Indicates whether the query protocols (v1 and v2c) are enabled or disabled. A green check mark indicates that queries are enabled; a gray x indicates that queries are disabled. If one protocol is disabled and the other enabled, there will still be a green check mark. |
| Traps | Indicates whether the trap protocols (v1 and v2c) are enabled or disabled. A green check mark indicates that traps are enabled; a gray x indicates that traps are disabled. If one protocol is disabled and the other enabled, there will still be a green check mark. |
| Hosts | Number of hosts that are part of the SNMP community. |
| Events | Number of events that have occurred. |
| Status | Indicates whether the SNMP community is enabled or disabled. |
| SNMP v3 | Lists the SNMP v3 users. From within this section, you can create, edit, or remove an SNMP v3 user. |
| Create New | Creates a new SNMP v3 user. When you select Create New, the Create New SNMP User page opens. See Manage SNMP v3 users. |
| Edit | Modifies settings within the SNMP v3 user. When you select Edit, the Edit SNMP User page opens. |
| Delete | Removes an SNMP v3 user from the page. To remove multiple SNMP v3 users, select multiple rows in the list by holding down the Ctrl or Shift keys and then select Delete. |
| Status | Enable or disable the SNMP v3 user. |
| User Name | The name of the SNMP v3 user. |
| Security Level | The security level of the user. |
| Queries | Indicates whether queries are enabled or disabled. A green check mark indicates that queries are enabled; a gray x indicates that queries are disabled. |
| Hosts | Number of hosts. |
| Events | Number of SNMP events associated with the SNMPv3 user. |
| Status | Indicates whether the SNMPv3 user is enabled or disabled. |
The FortiProxy SNMP agent must be enabled before configuring other SNMP options. Enter information about the FortiProxy unit to identify it so that when your SNMP manager receives traps from the FortiProxy unit, you will know which unit sent the information.
Enter the following CLI commands:
```
config system snmp sysinfo
    set status enable
    set contact-info <contact_information>
    set description <description_of_FortiProxy>
    set location <FortiProxy_location>
end
```
An SNMP community is a grouping of devices for network administration purposes. Within that SNMP community, devices can communicate by sending and receiving traps and other information. One device can belong to multiple communities, such as one administrator terminal monitoring both a firewall SNMP and a printer SNMP community.
Add SNMP communities to your FortiProxy unit so that SNMP managers can view system information and receive SNMP traps. You can add up to three SNMP communities. Each community can have a different configuration for SNMP queries and traps and can be configured to monitor the FortiProxy unit for a different set of events. You can also add the IP addresses of up to eight SNMP managers to each community.
Selecting Create New on the SNMP v1/v2c table opens the New SNMP Community page, which provides settings for configuring a new SNMP community. Selecting a community from the list and selecting Edit opens the Edit SNMP Community page.
Configure the following settings and select OK:
Selecting Create New on the SNMP v3 table opens the New SNMP User page, which provides settings for configuring a new SNMP v3 user. Selecting a user name from the list and selecting Edit opens the Edit SNMP User page.
Configure the following settings and select OK:
| Setting | Description |
|---|---|
| User Name | Enter the name of the user. |
| Enabled | Toggle the slider to enable or disable this SNMP user. |
| Security Level | Select the type of security level the user will have. |
| Authentication Algorithm | If the security level is set to Authentication and No Private, you can select MD5 or SHA1 for the authentication algorithm. If the security level is set to Authentication and Private, you can select AES, DES, AES256, or AES256 Cisco for the authentication algorithm. |
| Password | If the security level is set to Authentication, select Change and enter a password in the Password field. |
| Hosts | Settings for configuring the hosts of an SNMP community. |
| IP Address | Enter the IP address of the notification host. If you want to add more than one host, select the plus sign to add another host. Up to 16 hosts can be added. Select X to delete any hosts. |
| Queries | Settings for configuring queries for both SNMP v1 and v2c. |
| Enabled | Enable or disable the query. By default, the query is enabled. |
| Port | Enter the port number in the Port field (161 by default). |
| SNMP Events | Select the SNMP events that will be associated with the user. |
The FortiProxy SNMP agent supports Fortinet proprietary MIBs, as well as standard RFC 1213 and RFC 2665 MIBs. RFC support includes support for the parts of RFC 2665 (Ethernet-like MIB) and the parts of RFC 1213 (MIB II) that apply to FortiProxy unit configuration.
There are two MIB files for FortiProxy units; both files are required for proper SNMP data collection:
The Fortinet and FortiProxy MIB files are available for download on the Fortinet Customer Support site. Each Fortinet product has its own MIB—if you use other Fortinet products, you need to download their MIB files as well.
The Fortinet MIB and FortiProxy MIB, along with the two RFC MIBs, are listed in the table in this section.
To download the MIB files, go to System > SNMP and select a MIB link in the SNMP section. See SNMP configuration.
Your SNMP manager may already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet proprietary MIB to this database to have access to the Fortinet-specific information.
MIB files are updated for each version of FortiProxy. When upgrading the firmware, ensure that you update the Fortinet FortiProxy MIB file compiled in your SNMP manager as well.
MIB file name or RFC | Description |
---|---|
FORTINET-CORE-MIB.mib | The Fortinet MIB includes all system configuration information and trap information that is common to all Fortinet products. Your SNMP manager requires this information to monitor FortiProxy unit configuration settings and receive traps from the FortiProxy SNMP agent. |
FORTINET-FORTIPROXY-MIB.mib | The FortiProxy MIB includes all system configuration information and trap information that is specific to FortiProxy units. Your SNMP manager requires this information to monitor FortiProxy configuration settings and receive traps from the FortiProxy SNMP agent. FortiManager systems require this MIB to monitor FortiProxy units. |
Normally, to get configuration and status information for a FortiProxy unit, an SNMP manager would use an SNMP `get` command to read the information in a MIB field. The SNMP `get` command syntax would be similar to:

```
snmpget -v2c -c <community_name> <address_ipv4> {<OID> | <MIB_field>}
```

where:

- `<community_name>` refers to the SNMP community name added to the FortiProxy configuration. You can add more than one community name to a FortiProxy SNMP configuration. The most commonly used community name is `public`. For security reasons, Fortinet recommends that neither `public` nor `private` be used for SNMP community names.
- `<address_ipv4>` is the IP address of the FortiProxy interface that the SNMP manager connects to.
- `{<OID> | <MIB_field>}` is the object identifier for the MIB field or the MIB field name itself.

For example, to query the firmware version running on the FortiProxy unit, the following command could be issued:

```
snmpget -v2c -c public 10.10.10.1 1.3.6.1.4.1.12356.109.4.1.1.0
```

In this example, the community name is `public` and the IP address of the interface configured for SNMP management access is `10.10.10.1`. The firmware version is queried using the MIB field `fchSysVersion`, the OID for which is `1.3.6.1.4.1.12356.109.4.1.1.0`.

The value returned is a string with a value of `v2.0,build0225,130213`.
Replacement pages can be customized as required from System > Replacement Messages.
The following options are available:
| Option | Description |
|---|---|
| Manage Images | Select to view the available images and their respective tags. |
| Search | Enter a search term to search the replacement message list. |
| Simple View or Extended View | Select the view. |
| Name | The message name. |
| Description | The message description. |
| Modified | A check mark is shown when the message has been modified. |
| Save | Save any customizations that you made to the message. |
| Restore Default | Restore the message back to its default state. |
| Preview | A preview of how the message looks. |
| Message HTML | The HTML code for the message that you can edit. |
The following table outlines all of the messages that can be customized, as shown in Extended View:
| Category | Messages | Description |
|---|---|---|
| Administrator | Post-login Disclaimer Message | Replacement message for post-login disclaimer. |
| | Pre-login Disclaimer Message | Replacement message for pre-login disclaimer. |
| Alert Email | alertmail-block | Alert email text for block incidents. |
| | alertmail-crit-event | Alert email text for critical event notification. |
| | alertmail-disk-full | Alert email text for disk-full events. |
| | alertmail-nids-event | Alert email text for IPS events. |
| | alertmail-virus | Alert email text for virus incidents. |
| Authentication | Authentication Success Page | Replacement HTML for authentication success page. |
| | Block Notification Page | Replacement HTML for block notification page. |
| | Certificate Password Page | Replacement HTML for certificate password page. |
| | Declined Disclaimer Page | Replacement HTML for user-declined disclaimer page. |
| | Declined Quarantine Page | Replacement HTML for user-declined quarantine page. |
| | Disclaimer Page | Replacement HTML for authentication disclaimer page. |
| | Email Collection | Replacement HTML for email collection page. |
| | Email Collection Invalid Email | Replacement HTML for email collection page after the user enters an invalid email. |
| | Email Token Page | Replacement HTML for email-token authentication page. |
| | FortiToken Page | Replacement HTML for FortiToken authentication page. |
| | Guest User Email Template | Replacement text for guest-user credentials email message. |
| | Guest User Print Template | Replacement HTML for guest-user credentials printout. |
| | Keepalive Page | Replacement HTML for authentication keep-alive page. |
| | Login Challenge Page | Replacement HTML for authentication login-challenge page. |
| | Login Failed Page | Replacement HTML for authentication failed page. |
| | Login Page | Replacement HTML for authentication login page. |
| | Next FortiToken Page | Replacement HTML for next FortiToken authentication page. |
| | Password Expiration Page | Replacement HTML for password expiration page. |
| | Portal Page | Replacement HTML for post-authentication portal page. |
| | Quarantine Notification Page | Replacement HTML for quarantine notification page. |
| | SMS Token Page | Replacement HTML for SMS-token authentication page. |
| | Success Message | Replacement text for authentication success message. |
| | Two-Factor Login Failed | Replacement HTML for two-factor authentication failed page. |
| | Two-Factor Login Page | Replacement HTML for two-factor authentication login page. |
| Device Detection Portal | Device Detection Portal Failure Page | Replacement HTML for device detection portal failure page. |
| | AV Engine Load Error Email Block Message | Replacement text for email blocked because the antivirus engine failed to load. |
| | Email DLP Ban | Replacement text for emails blocked due to data leak detection. |
| | Email DLP Subject | Replacement text for subject of emails blocked due to data leak detection. |
| | Email File Block Message | Replacement text for message indicating removal of blocked attachment from email. |
| | Email File Size Block Message | Replacement text for message indicating removal of oversized attachment from email. |
| | Partial Email Block Message | Replacement text for emails rejected because they are fragmented. |
| | SMTP File Block Message | Replacement text for emails rejected due to blocked attachments. |
| | SMTP File Size Message | Replacement text for emails rejected due to file size limit. |
| FortiGuard Web Filtering | FortiGuard Block Page | Replacement HTML for FortiGuard web filter block page. |
| | FortiGuard HTTP Error Page | Replacement HTML for FortiGuard web filter HTTP error page. |
| | FortiGuard Override Page | Replacement HTML for FortiGuard web filter override page. |
| | FortiGuard Quota Page | Replacement HTML for FortiGuard web filter quota exceeded block page. |
| | FortiGuard Warning Page | Replacement HTML for FortiGuard web filter warning page. |
| FTP | Archive Block Message | Replacement text for FTP archive file block message. |
| | AV Engine Load Error Block Message | Replacement text for FTP blocked because the antivirus engine failed to load. |
| | Block Message | Replacement text for FTP permission-denied block message. |
| | DLP Ban Message | Replacement text for FTP data-leak detected ban message. |
| | Explicit Banner Message | Replacement text for explicit FTP proxy banner message. |
| | File Size Block Message | Replacement text for FTP oversized file block message. |
| HTTP | Archive Block Message | Replacement HTML for HTTP archive block message. |
| | Block Message | Replacement HTML for HTTP file block message. |
| | Content Block Message | Replacement HTML for HTTP content-type block message. |
| | Content Block Page | Replacement HTML for HTTP file content block page. |
| | Content Upload Block Page | Replacement HTML for HTTP file upload content block page. |
| | DLP Ban Message | Replacement HTML for HTTP data-leak detected ban message. |
| | Invalid Certificate Message | Replacement HTML for HTTP invalid certificate message. |
| | Oversized File Message | Replacement HTML for HTTP oversized file block message. |
| | Oversized Upload Message | Replacement HTML for HTTP oversized file upload block message. |
| | POST Block Message | Replacement HTML for HTTP POST block message. |
| | Previously Infected Block Page | Replacement HTML for HTTP URL previously infected block page. |
| | Switching Protocols Blocked | Replacement HTML for HTTP Switching Protocols Blocked page. |
| | Upload Archive Block Message | Replacement HTML for HTTP archive upload block message. |
| | Upload Block Message | Replacement HTML for HTTP file upload block message. |
| | URL Block Page | Replacement HTML for HTTP URL blocked page. |
| | URL Filter Error Message | Replacement HTML for HTTP web filter service error message. |
| Network Quarantine | Network Quarantine Administrative Block Page | Replacement HTML for network quarantine administrative block page. |
| | Network Quarantine Application Block Page | Replacement HTML for network quarantine application block page. |
| | Network Quarantine AV Block Page | Replacement HTML for network quarantine antivirus block page. |
| | Network Quarantine DLP Block Page | Replacement HTML for network quarantine DLP block page. |
| | Network Quarantine DOS Block Page | Replacement HTML for network quarantine DOS block page. |
| | Network Quarantine IPS Block Page | Replacement HTML for network quarantine IPS block page. |
| NNTP | NNTP AV Engine Load Error Block Message | Replacement text for NNTP article blocked because the antivirus engine failed to load. |
| | NNTP DLP Ban Message | Replacement text for NNTP user banned by data leak prevention. |
| | NNTP DLP Block Message | Replacement text for body of NNTP message blocked by data leak prevention. |
| | NNTP DLP Block Subject | Replacement text for subject of NNTP message blocked by data leak prevention. |
| | NNTP File Size Block Message | Replacement text for NNTP article too large block message. |
| Security | Application Control Block Page | Replacement HTML for Application Control block page. |
| | DLP Block Message | Replacement text for DLP block message. |
| | DLP Block Page | Replacement HTML for DLP block page. |
| | IPS Scan Failure Block Page | Replacement HTML for IPS scan failure block page. |
| | IPS Sensor Block Page | Replacement HTML for IPS sensor block page. |
| | Virus Block Message | Replacement text for antivirus block message. |
| | Virus Block Page | Replacement HTML for antivirus block page. |
| | Virus Upload Block Page | Replacement HTML for virus infected file upload block page. |
| | Web Application Firewall Block Page | Replacement HTML for web application firewall block page. |
| | Windows Executable Block Page | Replacement text for blocked Windows executables. |
| Spam | ASE Block Message | Replacement text for emails blocked due to detection by Advanced Antispam Engine (ASE). |
| | Banned Word Block Message | Replacement text for emails blocked due to prohibited content (banned words) in message. |
| | DNSBL Block Message | Replacement text for emails blocked due to detection by antispam DNSBL. |
| | False-Positive Submit Message | Replacement text for email submit message as false-positive message. |
| | FortiGuard Block Message | Replacement text for emails blocked due to IP blacklist by FortiGuard. |
| | HELO Block Message | Replacement text for emails blocked due to HELO check. |
| | IP Blacklist Message | Replacement text for emails blocked due to blacklisted sending IP addresses. |
| | MIME Header Block Message | Replacement text for emails blocked due to invalid MIME header. |
| | Reverse DNS Block Message | Replacement text for emails blocked due to invalid return domain. |
| | Sender Address Block Message | Replacement text for emails blocked due to blacklisted sender address. |
| Traffic Quota | Traffic Quota Limit Exceeded Page | Replacement HTML for traffic quota limit exceeded block page. |
| Web-proxy | Web-proxy Authentication Failed Page | Replacement HTML for web-proxy authentication failed page. |
| | Web-proxy Authorization Failed Page | Replacement HTML for web-proxy authorization failed page. |
| | Web-proxy Block Page | Replacement HTML for web-proxy block page. |
| | Web-proxy Challenge Page | Replacement HTML for web-proxy authentication required block page. |
| | Web-proxy HTTP Error Page | Replacement HTML for web-proxy HTTP error page. |
| | Web-proxy IP Blackout Page | Replacement HTML for web-proxy IP Blackout page. |
| | Web-proxy User Limit Page | Replacement HTML for web-proxy user limit block page. |
The FortiGuard Distribution Network page provides information and configuration settings for FortiGuard subscription services. For more information about FortiGuard services, see the FortiGuard Center web page.
To view and configure FortiGuard connections, go to System > FortiGuard.
Configure the following settings and select Apply:
Scripts are text files containing CLI command sequences. Scripts can be used to deploy identical configurations to many devices. For example, if all of your devices use identical security policies, you can enter the commands required to create the security policies in a script, and then deploy the script to all the devices which should use those same settings.
Use a text editor such as Notepad or other application that creates simple text files. Enter the commands in sequence, with each line as one command.
After you have created a script file, you can then upload it through System > Advanced. When a script is uploaded, it is automatically executed.
Commands that require the FortiProxy unit to reboot when entered in the command line will also force a reboot if included in a script.
If the FortiProxy unit is not configured for remote management, or if it is configured to use a FortiManager unit, uploaded scripts are discarded after execution. Save script files to your management PC if you want to execute them again later.
If the FortiProxy unit is configured to use the FortiGuard Analysis and Management Service, the script file is saved to the remote server for later reuse. You can view the script or run it from the FortiGuard Analysis and Management Service portal web site.
Go to System > Advanced to view the disk information. The Disk Settings area shows information about the storage space for different features for each hard disk and allows you to edit quota and storage settings. You can use this section for WAN optimization and logging. Hover over the label for the hard disk to see the partition size, disk size, how much is used, and how much is free.
If you want to use WAN optimization, go to System > Feature Visibility and enable WAN Opt. & Cache.
Configure the following settings and select Apply:
| Setting | Description |
|---|---|
| Status | Enable or disable the hard disk drive. |
| Disk Usage | Select whether the disk is used for WAN Opt. & Cache or Mix. Select Mix if you want to allow logging on the hard disk, as well as WAN optimization and web caching. WAN optimization requires significant memory resources and generates a high amount of I/O on disk. If possible, avoid other disk-intensive features such as heavy traffic logging on the same disk as the one configured for WAN optimization. |
| Wanopt Mode | Select Wanopt if you want the hard disk used just for WAN optimization, select Web Cache if you want the hard disk used just for web caching, or select Both. |
When possible, performance can be improved by logging to a disk that is not used for caching.
Go to Log > Log Settings to change the settings for logging and archiving. See Log settings.
Various FortiProxy features can be enabled or disabled as required. Disabled features are not shown in the GUI.
Go to System > Feature Visibility to configure which features are available.
The following options can be turned on or off by toggling the sliders:
To configure a messaging server, use the following CLI commands:
```
config system email-server
    set type                       --Configure a custom email server.
    set reply-to                   --Enter the default reply-to email address.
    set server <IP or hostname>    --Enter the name or address of the SMTP email server.
    set port                       --Set the SMTP server port.
    set source-ip                  --Set the SMTP server source IPv4 address.
    set source-ip6                 --Set the SMTP server source IPv6 address.
    set authenticate               --Enable or disable authentication.
    set validate-server            --Enable or disable validation of the server certificate.
    set security                   --Set connection security.
next
end
```