Video Cookbook Recipes
Explicit Web Proxy
Authentication
Virtual Domains
Inside FortiOS - Virtual Domains
Basic Virtual Domain setup
Routing
Policies and Firewall Objects
Security Profiles
VPN (IPsec and SSL)
User and Device Authentication
Wireless
Logging and Reporting
Chapter 1 What’s New for FortiOS 5.0
New Features in FortiOS 5.0 Patch 7
OpenSSL Vulnerability (Heartbleed) Fixed
New features in FortiOS 5.0 Patch 6
Endpoint Control Daemon Improvement
IPS Hardware Acceleration
802.11g Protection Mode
Miglogd Child Processes
IPv6 in CRL/SCEP
Extended IPS Database for D-series Desktop Models
Logging Options for 3000 and 5000 Series Models
Wireless Controller on FortiGate-30D
New features in FortiOS 5.0 Patch 5
Improvements to Endpoint Control
New menu options
Default profile
FortiClient Monitor
FortiAP LAN port support
Bridging with the FortiAP’s SSID(s)
Bridging with the WAN port
Configuring bridging
Restrictions
Automatically allowing basic applications
Pre-authorizing a FortiAP unit
Preventing IP fragmentation of packets in CAPWAP tunnels
Limiting access for unauthenticated users
Use case - allowing limited access for unauthenticated users
Use case - multiple levels of authentication
LDAP browser to import users into a user group
Dedicated management CPU
Improvements to the Traffic History and Threat History widgets
Assigning an IP address to a dynamic IPsec VPN interface
SSL VPN History widget
Port Block Allocation (PBA) for CGN to reduce logs
Neighbor cache table for IPv6
Improved HA diagnose commands
Secure disk erasing
Anonymize user names in logs
VLAN interface traffic statistics
Preserving the Class of Service bit
Front panel illustration
USB entropy token support
Station locate for FortiWiFi units
Switch Controller added models 200D, 240D, 600C, 800C, and 1000C
Diagnose command for 5000 series FortiGate units
New platforms for FortiGate-VM
Supported RFCs
New features in FortiOS 5.0 Patch 4
FortiSandbox
Wireless Health Dashboard
IPsec VPN
Dial-up IPsec VPN Creation Wizard
Show or Hide policy-based IPsec VPN
Managing FortiAP units
Units remain online when their WiFi Controller goes offline
Assigning the same profile to multiple FortiAP units
Dynamic VLANs for SSIDs
NAT46 & NAT64
Enhancements to Tables
Policy Table
Member Display
Fortinet Top Bar
FortiAnalyzer and FortiManager log encryption
FortiToken Mobile
Load balancing for explicit web proxy forwarding server groups
Server load balancing enhancements
SNMP traps
HTTP redirects
Additional filters for IPS and Application Control
Blocking IPv6 packets by extension headers
Distinguishing between HTTP GET and POST in DLP
RADIUS Accounting
H3C Compatibility
Web filter administrative overrides
Configurable idle timeout for console admin login sessions
TCP reset
Log Volume Monitor
Invalid Packet log
Server limits
PoE Power Management display
Other new features
New features in FortiOS 5.0 Patch 3
Security Features
Exempting IP addresses from IPS
DLP Watermarking Client
Predefined Device Groups
Client Reputation Configuration
Feature Select
Changes to Endpoint Control
Endpoint control for Android
Assigning endpoint profiles to specific users and user groups
Endpoint profile portal pages
Managing FortiAP units
Firmware Auto-detection
Wireless Device Locating Service
More Wireless Controller MIB Support
Normal or Remote WTP mode parameter
FortiGuard Subscription Services
Adding Explicit Web Proxy services
SSO Authentication failover for the Explicit Web Proxy
User Creation Wizard
FortiClient Registration
DSS and ECDSA Certificates for FortiGate SSL-related features
LDAP Servers
User Monitor
Web Filter Profiles
CAPWAP Administrative Access
IPS Algorithms
NAC-Quarantine Traffic Logs
New System Report Charts
Memory Logging
URL-based Web Proxy Forwarding
Changes to Routing
RADIUS Support for Dynamic VLANs
Dedicated Management Port
URL Filtering
URL Source Tracking
IPv6 Denial of Service Policies
Support for NAT46, VIP64 and VIP46
Packet Capture Filters
Configure hosts in an SNMP v1/2c community to send queries or receive traps
IP in IP tunneling support (RFC 1853)
GTP-u acceleration on FortiGate units with SP3 processors
New features in FortiOS 5.0 Patch 2
Endpoint Profile Changes
Client Reputation Changes
Changes to logging in security policies
Configuring the FortiGate unit to be an NTP Server
Customizing and viewing the local FortiGate UTM Security Analysis Report
Wireless changes: Custom mesh downlink SSIDs and new identifier for local bridge SSIDs
SSL-VPN Realm Support (multiple custom SSL VPN logins)
Automatically add devices found by device identification to the vulnerability scanner configuration
The SIP ALG can receive SIP traffic on multiple TCP and UDP ports
IPv6 PIM sparse mode multicast routing
Wireless RADIUS-Based MAC Authentication
Security Features
FortiSandbox
Configuration
Sending files to FortiSandbox
Tracking submitted files
Botnet and phishing protection
Windows file sharing (CIFS) flow-based antivirus scanning
Advanced Application Control and IPS sensor creation
Custom Application Control signatures and IPS signatures
Exempting IP addresses from IPS
Flow-based inspection improvements
Configuring SSL inspection for flow-based and proxy protection
Explicit web Proxy Extensions – SSL inspection, IPS, Application Control, and flow‑based antivirus, web filtering and DLP
Replacement messages for flow-based web filtering of HTTPS traffic
DNS web filtering
FortiGuard Web Filter quotas can be set based on traffic volume
Customizing the authentication replacement message for a FortiGuard web filter category
YouTube Education Filter implemented in Web Filtering Profiles
IPS hardware acceleration
New SIP ALG features
Inspecting SIP over SSL/TLS (secure SIP)
Adding the SIP server and client certificates
Adding SIP over SSL/TLS support to a VoIP profile
Opening and closing SIP via and record-route pinholes
Adding the original IP address and port to the SIP header after NAT
DLP watermarking
Fortinet watermarking utility
Installation of the watermarking client on Linux
Syntax of the watermarking client on Linux
Using the watermarking client with Windows
Using the watermarking client with Linux
SSH inspection
Optimizing SSL encryption/decryption performance
Authentication: users and devices
User authentication menu changes
User identity policy changes
Authentication-based routing
Secondary and tertiary RADIUS, LDAP, and TACAS+ servers
FortiToken two-factor authentication and FortiToken Mobile
Configuring FortiToken mobile soft token support
SSO using a FortiAuthenticator unit
User’s view of FortiAuthenticator SSO authentication
Users without FortiClient Endpoint Security - SSO widget
Users with FortiClient Endpoint Security - FortiClient SSO Mobility Agent
Administrator’s view of FortiAuthenticator SSO authentication
SSO widget
FortiClient SSO Mobility Agent
SSO with Windows AD or Novell
Citrix Agent support for Single Sign On
Installing Citrix/Terminal Service Support Agent (TS Agent)
Installing the FSSO collector
To enable single sign-on using polling mode
Verifying the configuration
Configuring guest access
User’s view of guest access
Administrator’s view of guest access
Creating guest management administrators
Creating guest user groups
Creating guest user accounts
Guest Management Account List
Batch guest account creation
Vulnerability Scanning
Running and configuring scans and viewing scan results
FortiOS and BYOD
Device monitoring
Device Groups
Creating a custom device group
Controlling access with a MAC Address Access Control List
Device policies
Adding endpoint control
Device policy portal options
Creating the WiFi SSID
Configuring Internet access for guests with mobile devices
Client Reputation
Setting the client reputation profile/definition
Applying client reputation monitoring to your network
Viewing client reputation results
Expanding client reputation to include more types of behavior
Client reputation execute commands
Client reputation diagnose commands
Wireless
Wireless IDS
Syntax
WiFi performance improvements
FortiAP web‑based manager and CLI
WiFi guest access provisioning
Adding guest access to a WiFi network
FortiAP local bridging (Private Cloud-Managed AP)
WiFi data channel encryption
Configuring DTLS on the FortiGate unit
Configuring encryption on the FortiAP unit
Wireless client load balancing for high-density deployments
Access point hand-off
Frequency hand-off or band-steering
Configuration
Bridge SSID to FortiGate wired network
IPv6
IPv6 Policy routing
IPv6 security policies
IPv6 Explicit web proxy
Restricting the IP address of the explicit IPv6 web proxy
Restricting the outgoing source IP address of the IPv6 explicit web proxy
IPv6 NAT – NAT64, DNS64, NAT66
NAT64 and DNS64
NAT66
NAT66 destination address translation
IPv6 Forwarding Policies - IPS, Application Control, and flow‑based antivirus, web filtering and DLP
New Fortinet FortiGate IPv6 MIB fields
New OIDs
EXAMPLE SNMP get/walk output
IPv6 Per-IP traffic shaper
DHCPv6 relay
FortiGate interfaces can get IPv6 addresses from an IPv6 DHCP server
Logging and reporting
Log message reorganization
Log Viewer Improvements
The FortiGate Security Analysis Report
Viewing the current report
Viewing the saved (historical) security analysis reports
Customizing the security analysis report
Converting compact log format
Firewall
Choosing the policy type
Creating a basic security policy
Creating a security policy to authenticate users
Creating a security policy to authenticate devices for BYOD
Creating a policy-based IPsec VPN security policy
Creating a route-based IPsec VPN security policy
Creating an SSL VPN security policy
Reorganized Firewall Services
Editing and deleting services
Adding an address to a service
Adding a new service
Adding a new service category
Local in policies
Multicast Policies
Adding DoS Anomaly protection to a FortiGate interface
Changes to security proxy options
Protocol port mapping
Common options, web options and email options
SSL and SSH inspection
SSL inspection options
SSH inspection options
WAN optimization and Web Caching
Configuring WAN optimization profiles
Dynamic data chunking for WAN optimization byte caching
Policy-based WAN optimization configuration changes summary
On the client side
On the server side
Client side configuration summary
WAN optimization profile
Local host ID and peer settings
Security policies
Server Side configuration summary
Local host ID and peer settings
Security policies
Combining web caching for HTTP traffic with WAN optimization
Turning on web caching and SSL offloading for HTTPS traffic
Changing the ports on which to look for HTTP and HTTPS traffic to cache
Web proxy URL debugging
Debugging caching of a specific web page
Debugging caching of multiple web pages
FortiOS Web Caching now caches Windows/MS-Office software updates
Usability enhancements
Feature Select
Security Features Presets
Improved list editing
Dynamic comment fields
Setup Wizard enhancements
Fortinet Top Bar
VDOM Mode GUI changes
Enhanced Top Sessions dashboard widget
Top Sources
Top Destinations
Top Applications
Identifying Skype sessions
Customizing the Top Sessions dashboard widget
Improved CLI syntax for multi-value fields
Example
SSL VPN
New default SSL VPN portals
SSL VPN user groups no longer required
SSL VPN policy interface name change
Support SSL VPN push configuration of DNS suffix
Other new features
New FortiGuard features
FortiGate Auto-config using DHCP
FortiGate Session Life Support Protocol (FGSP)
HA failover supports more features
New HA mode: Fortinet redundant UTM protocol (FRUP)
ICAP and the explicit web proxy
Example ICAP sequence for an ICAP server performing web URL filtering on web proxy HTTP requests
Example ICAP configuration
Adding ICAP to a web proxy security policy - web‑based manager
Adding ICAP to a web proxy security policy - CLI
New interface features - DHCP server and authentication
Adding a DHCP server to an interface
Reserving, assigning and blocking MAC addresses
Authentication - Captive Portal
Replacement Message Improvements
Acceleration of Inter-VDOM Traffic (by NP4)
Virtual Hardware Switch
FortiExplorer for iOS devices
Connecting to and logging into a FortiGate unit
Updating firmware and configuring network settings
Inter-VDOM links between NAT mode and Transparent mode VDOMs
About inter-VDOM links between NAT and Transparent mode VDOMs
Sniffer modes: one-armed and normal
Configuring an interface to operate as a one-arm sniffer
Integrated switch fabric (ISF) access control list (ACL) short-cut path
Generalized TTL Security Mechanism (GTSM) support
Firewall services
Chapter 2 Advanced Routing for FortiOS 5.0
Advanced Static Routing
Routing concepts
Routing in VDOMs
Default route
Adding a static route
Routing table
Viewing the routing table in the web-based manager
Viewing the routing table in the CLI
Searching the routing table
Building the routing table
Static routing security
Network Address Translation (NAT)
Access Control List (ACL)
Blackhole Route
Reverse path lookup
Multipath routing and determining the best route
Route priority
Troubleshooting static routing
Ping
Traceroute
Examine routing table contents
Static routing tips
Always configure a default route
Have an updated network plan
Plan for expansion
Configure as much security as possible
Policy routing
Adding a policy route
Example policy route
Type of Service
Moving a policy route
Transparent mode static routing
Static routing example
Network layout and assumptions
General configuration steps
Get your ISP information such as DNS, gateway, etc.
Configure FortiGate unit
Configure the internal interface (port1)
Configure the external interface (port2)
Configure networking information
Configure basic security policies
Configure static routing
Configure Admin PC and Dentist PCs
Configure other PCs on the local network
Testing network configuration
To test that PCs on the local network can communicate
To test that Internet_PCs can reach the Internet
Advanced static example: ECMP failover and load balancing
Equal-Cost Multi-Path (ECMP)
ECMP routing of simultaneous sessions to the same destination IP address
Configuring interface status detection for gateway load balancing
Configuring spillover or usage-based ECMP
Detailed description of how spill-over ECMP selects routes
Determining if an interface has exceeded its Spillover Threshold
Configuring weighted static route load balancing
Dynamic Routing Overview
What is dynamic routing?
Comparing static and dynamic routing
Dynamic routing protocols
Classful versus classless routing protocols
Interior versus exterior routing protocols
Distance vector versus link-state protocols
Minimum configuration for dynamic routing
Comparison of dynamic routing protocols
Features of dynamic routing protocols
Routing protocols
Routing algorithm
Authentication
Convergence
IPv6 Support
When to adopt dynamic routing
Budget
Current network size and topology
Expected network growth
Available resources for ongoing maintenance
Choosing a routing protocol
Answer questions about your network
Evaluate your chosen protocol
Implement your dynamic routing protocol
Dynamic routing terminology
Aggregated routes and addresses
Autonomous system (AS)
Area border router (ABR)
Neighbor routers
Route maps
Access lists
Bi-directional forwarding detection (BFD)
IPv6 in dynamic routing
Routing Information Protocol (RIP)
RIP background and concepts
Background
RIP v1
RIP v2
RIPng
Parts and terminology of RIP
RIP and IPv6
Default information originate option
Garbage, timeout, and update timers
Authentication and key-chain
Access Lists
How RIP works
RIP versus static routing
RIP metric — hop count
The Bellman–Ford routing algorithm
Passive versus active RIP interfaces
RIP packet structure
Troubleshooting RIP
Routing Loops
Routing loops’ effect on the network
How can you spot a routing loop
Action to take on discovering a routing loop
Holddowns and Triggers for updates
Holddown Timers
Triggers
Split horizon and Poison reverse updates
Debugging IPv6 on RIPng
Simple RIP example
Network layout and assumptions
Basic network layout
Assumptions
General configuration steps
Configuring the FortiGate units system information
Configure the hostname, interfaces, and default route
Configuring FortiGate unit RIP router information
Configuring other networking devices
Testing network configuration
RIPng — RIP and IPv6
Network layout and assumptions
Basic network layout
Assumptions
Configuring the FortiGate units system information
Configuring RIPng on FortiGate units
Configuring other network devices
Testing the configuration
Testing the IPv6 RIPng information
Border Gateway Protocol (BGP)
BGP background and concepts
Background
Parts and terminology of BGP
BGP and IPv6
Roles of routers in BGP networks
Confederations
Network Layer Reachability Information (NLRI)
BGP attributes
AS_PATH
MULTI_EXIT_DESC (MED)
COMMUNITY
NEXT_HOP
ATOMIC_AGGREGATE
ORIGIN
How BGP works
IBGP versus EBGP
BGP path determination — which route to use
Decision phase 1
Decision phase 2
Decision phase 3
Aggregate routes and addresses
Troubleshooting BGP
Clearing routing table entries
Route flap
Holddown timer
Dampening
Graceful restart
Bi-directional forwarding detection (BFD)
Dual-homed BGP example
Why dual home?
Why dual home?
Potential dual homing issues
Network layout and assumptions
Assumptions
Configuring the FortiGate unit
Configure interfaces and default routes
Configure firewall services, addresses, and policies
Set the FortiGate BGP information
Add the internal network to the AS
Add BGP neighbor information
Additional FortiGate BGP configuration
Configuring other networking devices
Testing this configuration
Testing network connectivity
Verifying the FortiGate unit’s routing tables
Verifying traffic routing
Verifying the dual-homed side of the configuration
Redistributing and blocking routes in BGP
Network layout and assumptions
Assumptions
Configuring the FortiGate unit
Configuring the FortiGate unit — networks and firewalls
Configuring the FortiGate unit - BGP
Configuring the FortiGate unit - OSPF
Configuring other networking devices
Testing network configuration
Open Shortest Path First (OSPF)
OSPF Background and concepts
Background
The parts and terminology of OSPF
OSPFv3 and IPv6
Router ID
Adjacency
Designated router (DR) and backup router (BDR)
Area
Authentication
Hello and dead intervals
Access Lists
How OSPF works
OSPF router discovery
How OSPF works on FortiGate units
External routes
Link-state Database (LSDB) and route updates
OSPF packets
Troubleshooting OSPF
Clearing OSPF routes from the routing table
Checking the state of OSPF neighbors
Passive interface problems
Timer problems
Bi-directional Forwarding Detection (BFD)
Authentication issues
DR and BDR election issues
Basic OSPF example
Network layout and assumptions
Assumptions
Configuring the FortiGate units
Configuring Router1
Configuring Router2
Configuring Router3
Configuring OSPF on the FortiGate units
Configuring OSPF on Router1
Configuring OSPF on Router2
Configuring OSPF on Router3
Configuring other networking devices
Testing network configuration
Advanced inter-area OSPF example
Network layout and assumptions
Assumptions
Configuring the FortiGate units
Configuring Router1
Configuring Router2
Configuring Router3
Configuring Router4
Configuring OSPF on the FortiGate units
Configuring other networking devices
Testing network configuration
Controlling redundant links by cost
Adjusting the route costs
Verifying route redundancy
Intermediate System to Intermediate System Protocol (IS-IS)
IS-IS background and concepts
Background
How IS-IS works
IS-IS versus static routing
TLV
LSP structure
Parts and terminology of IS-IS
DIS election and pseudonode LSP
Packet types
Default routing
Timer options
Authentication
Integrated IS-IS
Troubleshooting IS-IS
Routing loops
Routing loop effect on the network
How can you spot a routing loop
Action to take on discovering a routing loop
Split horizon and Poison reverse updates
Simple IS-IS example
Network layout and assumptions
Expectations
CLI configuration
Verification
Troubleshooting
Debugging IPv6 on IS-ISng
Chapter 3 Authentication for FortiOS 5.0
Introduction to authentication
What is authentication?
Methods of authentication
Local password authentication
Server-based password authentication
Certificate-based authentication
Certificate authorities
Certificates for users
Two-factor authentication
Types of authentication
Firewall authentication (identity-based policies)
FSSO
NTLM
Certificates
RADIUS SSO
FortiGuard Web Filter override authentication
VPN authentication
Authenticating IPsec VPN peers (devices)
Authenticating IPsec VPN users
Authenticating SSL VPN users
Authenticating PPTP and L2TP VPN users
Single Sign On authentication for users
User’s view of authentication
Web-based user authentication
VPN client-based authentication
FortiGate administrator’s view of authentication
General authentication settings
Authentication servers
FortiAuthenticator servers
RADIUS servers
Microsoft RADIUS servers
Microsoft RADIUS servers
RADIUS user database
RADIUS authentication with a FortiGate unit
RADIUS attribute value pairs
Vendor-specific attributes
Role Based Access Control
Configuring the FortiGate unit to use a RADIUS server
Troubleshooting RADIUS
LDAP servers
Components and topology
Binding
Supported versions
LDAP directory organization
Locating your identifier in the hierarchy
Configuring the FortiGate unit to use an LDAP server
password-expiry-warning and password-renewal
Using the Query icon
Example — wildcard admin accounts - CLI
Configuring the LDAP server
Configuring the admin account
Example of LDAP to allow Dial-in through member-attribute - CLI
Configuring LDAP member-attribute settings
Configuring LDAP group settings
Troubleshooting LDAP
LDAP user test
LDAP authentication debugging
TACACS+ servers
Configuring a TACACS+ server on the FortiGate unit
SSO servers
RSA ACE (SecurID) servers
Components
Configuring the SecurID system
Using the SecurID user group for authentication
Security policy
IPsec VPN XAuth
PPTP VPN
SSL VPN
Users and user groups
Users
Local users
Creating users
Removing users
Removing references to users
PKI or peer users
Creating a peer user
Two-factor authentication
Certificate
Email
SMS
FortiToken
The FortiToken authentication process
Adding FortiTokens to the FortiGate
Activating a FortiToken on the FortiGate
Associating FortiTokens with accounts
FortiToken maintenance
IM users
Monitoring users
Filtering the list of users
User groups
Firewall user groups
SSL VPN access
IPsec VPN access
Configuring a firewall user group
Multiple group enforcement support
User group timeouts
SSO user groups
Configuring Peer user groups
Viewing, editing and deleting user groups
Editing a user group
Deleting a user group
Managing Guest Access
Introduction
User’s view of guest access
Administrator’s view of guest access
Configuring guest user access
Creating guest management administrators
Creating guest user groups
Creating guest user accounts
Guest Management Account List
Guest access in a retail environment
Implementing email harvesting
Checking for harvested emails
Configuring authenticated access
Authentication timeout
Security authentication timeout
SSL VPN authentication timeout
Password policy
Configuring password minimum requirement policy
Password best practices
Maximum logon attempts and blackout period
Authentication protocols
Authentication in security policies
Enabling authentication protocols
Authentication replacement messages
Access to the Internet
Configuring authentication security policies
Disclaimer
Customizing authentication replacement messages
Enabling security logging
Identity-based policy
Identity-based sub-policies
NTLM authentication
NTLM guest access - CLI
NTLM enabled browsers - CLI
Certificate authentication
Certificate redirect authentication
Restricting number of concurrent user logons
Limited access for unauthenticated users
Use case - allowing limited access for unauthenticated users
Use case - multiple levels of authentication
VPN authentication
Configuring authentication of SSL VPN users
Configuring authentication timeout
Configuring authentication of remote IPsec VPN users
Configuring XAuth authentication
Configuring authentication of PPTP VPN users and user groups
Configuring authentication of L2TP VPN users/user groups
Certificate-based authentication
What is a security certificate?
Certificates overview
Certificates and protocols
SSL and HTTPS
Certificate-related protocols
IPsec VPNs and certificates
Certificate types on the FortiGate unit
Local certificates
Remote certificates
CA root certificates
Certificate revocation list
Certificate signing
Managing X.509 certificates
Generating a certificate signing request
Generating certificates with CA software
Server certificate
CA certificate
PKI certificate
Obtaining and installing a signed server certificate from an external CA
Installing a CA root certificate and CRL to authenticate remote clients
Troubleshooting certificates
Certificate is reported as expired when it is not
A secure connection cannot be completed (Certificate cannot be found)
Online updates to certificates and CRLs
Local certificates
CA certificates
Certificate Revocation Lists
Backing up and restoring local certificates
Configuring certificate-based authentication
Authenticating administrators with security certificates
Authenticating SSL VPN users with security certificates
Authenticating IPsec VPN users with security certificates
Example — Generate a CSR on the FortiGate unit
Example — Generate and Import CA certificate with private key pair on OpenSSL
Assumptions
Generating and importing the CA certificate and private key
Example — Generate an SSL certificate in OpenSSL
Assumptions
Generating a CA signed SSL certificate
Generating a self-signed SSL certificate
Import the SSL certificate into FortiOS
SSO using a FortiAuthenticator unit
User’s view of FortiAuthenticator SSO authentication
Administrator’s view of FortiAuthenticator SSO authentication
Configuring the FortiAuthenticator unit
Configuring the FortiGate unit
Adding a FortiAuthenticator unit as an SSO agent
Configuring an FSSO user group
Configuring security policies
Configuring the FortiClient SSO Mobility Agent
Viewing SSO authentication events on the FortiGate unit
Single Sign-On to Windows AD
Introduction to Single Sign-On with Windows AD
Configuring Single Sign On to Windows AD
Configuring LDAP server access
Creating Fortinet Single Sign-On (FSSO) user groups
Configuring the LDAP Server as a Single Sign-On server
Creating security policies
Enabling guest access through FSSO security policies
FortiOS FSSO log messages
Enabling authentication event logging
Testing FSSO
Troubleshooting FSSO
General troubleshooting tips for FSSO
Users on a particular computer (IP address) can not access the network
Solutions
Guest users do not have access to network
Solution
Agent-based FSSO
Introduction to agent-based FSSO
Introduction to FSSO agents
Domain Controller (DC) agent
eDirectory agent
Citrix/Terminal Server (TS) agent
Collector (CA) agent
FSSO for Windows AD
DC Agent mode
Polling mode
Collector agent AD Access mode - Standard versus Advanced
FSSO for Citrix
FSSO for Novell eDirectory
FSSO security issues
FSSO NTLM authentication support
NTLM in a multiple domain environment
Agent installation
Collector agent installation
DC agent installation
Installing FSSO without using an administrator account
Citrix TS agent installation
Novell eDirectory agent installation
Updating FSSO agents on Windows AD
Configuring the FSSO Collector agent for Windows AD
Configuring Windows AD server user groups
Configuring Collector agent settings
Selecting Domain Controllers and working mode for monitoring
Configuring Directory Access settings
BaseDN example
Configuring the Ignore User List
Configuring FortiGate group filters
Configuring FSSO ports
TCP ports for FSSO agent with client computers
Configuring ports on the Collector agent computer
Configuring alternate user IP address tracking
Viewing FSSO component status
Viewing Collector agent status
Viewing DC agent status
Configuring the FSSO TS agent for Citrix
Configuring the FSSO eDirectory agent for Novell eDirectory
Configuring the eDirectory agent
Adding an eDirectory server
Configuring a group filter
Configuring FSSO on FortiGate units
Configuring LDAP server access
Specifying your Collector agents or Novell eDirectory agents
Creating Fortinet Single Sign-On (FSSO) user groups
Creating security policies
Users belonging to multiple groups
Enabling guest access through FSSO security policies
FortiOS FSSO log messages
Enabling authentication event logging
Testing FSSO
Troubleshooting FSSO
General troubleshooting tips for FSSO
User status “Not Verified” on the Collector agent
Solution
After initial configuration, there is no connection to the Collector agent
Solution
Collector Agent service freezing and shutting down
Solution
FortiGate performance is slow on a large network with many users
Solution
Users from the Windows AD network are not able to access the network
Solutions
Users on a particular computer (IP address) can not access the network
Solutions
Guest users do not have access to network
Solution
Can’t find the DCagent service
Solution
User logon events not received by FSSO Collector agent
User list from Windows AD is empty
Solution
Mac OS X users can’t access external resources after waking from sleep mode
Solution
SSO using RADIUS accounting records
User’s view of RADIUS SSO authentication
Configuration Overview
Configuring the RADIUS server
Creating the FortiGate RADIUS SSO agent
Selecting which RADIUS attributes are used for RSSO
Configuring logging for RSSO
Defining local user groups for RADIUS SSO
Creating security policies
Example: webfiltering for student and teacher accounts
Monitoring authenticated users
Monitoring firewall users
Monitoring SSL VPN users
Monitoring IPsec VPN users
Monitoring banned users
Monitoring IM users
Examples and Troubleshooting
Firewall authentication example
Overview
Creating a locally-authenticated user account
Creating a RADIUS-authenticated user account
Creating user groups
Creating the FSSO user group
Creating the Firewall user group
Defining policy addresses
Creating security policies
LDAP Dial-in using member-attribute
RADIUS SSO example
Assumptions
Topology
General configuration
Configuring RADIUS
Configuring FortiGate interfaces
Configuring a RADIUS SSO Agent on the FortiGate unit
Creating a RADIUS SSO user group
Configuring FortiGate regular and RADIUS SSO security policies
Schedules, address groups, and services groups
Configuring regular security policies
Configuring RADIUS SSO security policy
Testing
Troubleshooting
Chapter 4 FortiOS Carrier
Overview of FortiOS Carrier features
Overview
MMS
GTP
Registering FortiOS Carrier
MMS background
MMS content interfaces
How MMS content interfaces are applied
How FortiOS Carrier processes MMS messages
FortiOS Carrier and MMS content scanning
MM1 Content Scanning
Filtering message retrieval
FortiOS Carrier and MMS duplicate messages and message floods
MMS protection profiles
Bypassing MMS protection profile filtering based on carrier endpoints
Applying MMS protection profiles to MMS traffic
GTP basic concepts
PDP Context
Creating a PDP context
Terminating a PDP context
GPRS security
GPRS authentication
Parts of a GTPv1 network
Radio access
Transport
GTP
GTPv0
GTPv1
GTPv1-C
GTPv1-U
GGSN
SGSN
GTPv2
GTPv2-C
MME
Billing and records
GTP’ (GTP prime)
HLR
VLR
GPRS network common interfaces
Interfaces between devices on the network
Packet flow through the GPRS network
SCTP
Overview
State required at each endpoint
Reliable data transfer
Congestion control and avoidance
Message boundary conservation
Path MTU discovery and message fragmentation
Message bundling
Multi-homed hosts support
Multi-stream support
Unordered data delivery
Security cookie against SYN flood attack
Built-in heartbeat (reachability check)
SCTP Firewall
SCTP example scenario
Carrier web-based manager settings
MMS profiles
MMS profile configuration settings
MMS scanning options
MMS bulk email filtering options
MMS Address Translation options
MMS Notifications
DLP Archive options
Logging
MMS Content Checksum
Notification List
Notification list configuration settings
Message Flood
Message flood configuration settings
Duplicate Message
Duplicate message configuration settings
Carrier Endpoint Filter Lists
Carrier endpoint filter lists configuration settings
GTP Profile
GTP profile configuration settings
General settings options
Message type filtering options
APN filtering options
Basic filtering options
Advanced filtering options
Adding an advanced filtering rule
Information Element (IE) removal policy options
Encapsulated IP traffic filtering options
Encapsulated non-IP end user traffic filtering options
Protocol Anomaly prevention options
Anti-Overbilling options
Log options
Specifying logging types
MMS Security features
Why scan MMS messages for viruses and malware?
Example: COMMWARRIOR
MMS virus scanning
MMS virus monitoring
MMS virus scanning blocks messages (not just attachments)
Scanning MM1 retrieval messages
Configuring MMS virus scanning
Removing or replacing blocked messages
Carrier Endpoint Block
Enabling carrier endpoint blocking
Create a carrier endpoint filter list
Configuring endpoint filter list entries
Blocking network access based on endpoints
MMS Content Checksum
Passing or blocking fragmented messages
Client comforting
MM1 and MM7 client comforting steps
Server comforting
Handling oversized MMS messages
MM1 sample messages
HTTP proxy
Scan engine
MMS file filtering
Built-in patterns and supported file types
Filtering based on file name
Filtering based on file type
MMS file filtering blocks messages (not just attachments)
Configuring MMS file filtering
Sender notifications and logging
MMS notifications
Replacement messages
Logging and reporting
MMS logging options
SNMP
MMS content-based Antispam protection
Overview
Configurable dictionary
Black listing
White listing
Scores and thresholds
Configuring content-based antispam protection
Configuring sender notifications
MMS notifications
Replacement messages
MMS DLP archiving
Configuring MMS DLP archiving
Viewing DLP archives
Message flood protection
Setting message flood thresholds
Example
Flood actions
Notifying administrators of floods
Example — three flood threshold levels with different actions for each threshold
Notifying message flood senders and receivers
Responses to MM1 senders and receivers
Forward responses for MM4 message floods
Viewing DLP archived messages
Order of operations: flood checking before duplicate checking
Bypassing message flood protection based on user’s carrier endpoints
Configuring message flood detection
Sending administrator alert notifications
Configuring how and when to send alert notifications
Configuring who to send alert notifications to
Duplicate message protection
Using message fingerprints to identify duplicate messages
Messages from any sender to any recipient
Setting duplicate message thresholds
Duplicate message actions
Notifying duplicate message senders and receivers
Responses to MM1 senders and receivers
Forward responses for duplicate MM4 messages
Viewing DLP archived messages
Order of operations: flood checking before duplicate checking
Bypassing duplicate message detection based on user’s carrier endpoints
Configuring duplicate message detection
Sending administrator alert notifications
Configuring how and when to send alert notifications
Configuring who to send alert notifications to
Select the duplicate thresholds at which to send alert notifications to the MSISDN.
Configuring GTP on FortiOS Carrier
GTP support on the Carrier-enabled FortiGate unit
Packet sanity checking
GTP stateful inspection
Protocol anomaly detection and prevention
HA
Virtual domain support
Configuring General Settings on the Carrier-enabled FortiGate unit
Configuring Encapsulated Filtering in FortiOS Carrier
Configuring Encapsulated IP Traffic Filtering
When to use encapsulated IP traffic filtering
Configuring Encapsulated Non-IP End User Address Filtering
Configuring the Protocol Anomaly feature in FortiOS Carrier
Configuring Anti-overbilling in FortiOS Carrier
Overbilling in GPRS networks
Anti-overbilling with FortiOS Carrier
Logging events on the Carrier-enabled FortiGate unit
GTP message type filtering
Common message types on carrier networks
GTP-C messages
Path Management Messages
Tunnel Management Messages
Location Management Messages
Mobility Management Messages
GTP-U messages
MBMS messages
GTP-U and Charging Management Messages
Unknown Action messages
Configuring message type filtering in FortiOS Carrier
Message Type Fields
Unknown Message Action
Path Management Messages
Tunnel Management Messages
Location Management Messages
Mobility Management Messages
MBMS messages
GTP-U and Charging Management Messages
GTP identity filtering
IMSI on carrier networks
Other identity and location based information elements
Access Point Number (APN)
Access Point Number (APN)
Mobile Subscriber Integrated Services Digital Network (MSISDN)
Radio Access Technology (RAT) type
User Location Information (ULI)
Routing Area Identifier (RAI)
International Mobile Equipment Identity (IMEI)
When to use APN, IMSI, or advanced filtering
Configuring APN filtering in FortiOS Carrier
Configuring IMSI filtering in FortiOS Carrier
Configuring advanced filtering in FortiOS Carrier
Troubleshooting
FortiOS Carrier diagnose commands
GTP related diagnose commands
Applying IPS signatures to IP packets within GTP-U tunnels
GTP packets are not moving along your network
Attempt to identify the section of your network with the problem
Ensure you have an APN configured
Check the logs and adjust their settings if required
Check the routing table
Perform a sniffer trace
What can sniffing packets tell you
How to sniff packets
Generate specific packets to test the network
Chapter 5 Compliance
Configuring FortiGate units for PCI DSS compliance
Introduction to PCI DSS
What is PCI DSS?
What is the Customer Data Environment
PCI DSS objectives and requirements
Wireless guidelines
Network topology
Internet
The CDE wired LAN
The CDE wireless LAN
Other internal networks
Security policies for the CDE network
Controlling the source and destination of traffic
Controlling the types of traffic in the CDE
The default deny policy
Wireless network security
On-wire detection of rogue APs
Setting up rogue access point scanning
Viewing the results of rogue AP scanning
Logging the results of rogue AP scanning
Securing a CDE network WAP
Setting wireless security
Logging wireless network activity
Protecting stored cardholder data
Protecting communicated cardholder data
Configuring IPsec VPN security
Encryption
Authentication
Configuring SSL VPN security
Protecting the CDE network from viruses
Enabling FortiGate antivirus protection
Configuring antivirus updates
Enforcing firewall use on endpoint PCs
Monitoring the network for vulnerabilities
FortiGate logs
Using the FortiOS Network Vulnerability Scan feature
Monitoring with other Fortinet products
Fortinet Database Security (FortiDB)
FortiScan Vulnerability and Compliance Management platform
FortiWeb Web Application Security
Restricting access to cardholder data
Controlling access to the CDE network
Password complexity and change requirements
Password non-reuse requirement
Administrator lockout requirement
Administrator timeout requirement
Administrator access security
Remote access security
SSL VPN users
IPsec VPN users
Chapter 6 Deploying Wireless Networks for FortiOS 5.0
Introduction to wireless networking
Wireless concepts
Bands and channels
Power
Antennas
Security
Whether to broadcast SSID
Encryption
Separate access for employees and guests
Captive portal
Power
Monitoring for rogue APs
Suppressing rogue APs
Wireless Intrusion Detection (WIDS)
Authentication
Wireless networking equipment
FortiWiFi units
FortiAP units
Deployment considerations
Types of wireless deployment
Deployment methodology
Evaluating the coverage area environment
Positioning access points
Selecting access point hardware
Single access point networks
Multiple access point networks
Fast Roaming
WiFi Mesh Network
Automatic Radio Resource Provisioning
Configuring a WiFi LAN
Overview of WiFi controller configuration
About SSIDs on FortiWiFi units
About automatic AP profile settings
Process to create a wireless network
Setting your geographic location
Creating a custom AP Profile
Defining a wireless network interface (SSID)
Configuring DHCP for WiFi clients
Configuring security
WPA-Personal security
WPA-Enterprise security
Captive Portal security
Adding a MAC filter
Multicast enhancement
Dynamic VLAN assignment
Configuring user authentication
WPA-Enterprise authentication
Creating a wireless user group
MAC-based authentication
Authenticating guest WiFi users
Configuring firewall policies for the SSID
Customizing captive portal pages
Modifying the login page
Changing the logo
Modifying text
Modifying the login failed page
Configuring the built-in access point on a FortiWiFi unit
Access point deployment
Overview
Network topology for managed APs
Discovering and authorizing APs
Configuring the network interface for the AP unit
Pre-authorizing a FortiAP unit
Enabling and configuring a discovered AP
Assigning the same profile to multiple FortiAP units
Checking and updating FortiAP unit firmware
Checking the FortiAP unit firmware version
Updating FortiAP firmware from the FortiGate unit
Updating FortiAP firmware from the FortiAP unit
Advanced WiFi controller discovery
Controller discovery methods
Static IP configuration
Broadcast request
Multicast request
DHCP
Connecting to the FortiAP CLI
Wireless client load balancing for high-density deployments
Access point hand-off
Frequency hand-off or band-steering
Configuration
LAN port options
Bridging a LAN port with a FortiAP SSID
Bridging a LAN port with the WAN port
Configuring FortiAP LAN ports
Configuring LAN ports for an FortiAP unit - web-based manager
Configuring LAN ports in a custom AP profile - web-based manager
Preventing IP fragmentation of packets in CAPWAP tunnels
Wireless Mesh
Overview of Wireless Mesh
Wireless mesh deployment modes
Firmware requirements
Types of wireless mesh
Configuring a meshed WiFi network
Creating custom AP profiles
Configuring the mesh root AP
Configuring the mesh branches or leaves
Authorizing mesh branch/leaf APs
Viewing the status of the mesh network
Configuring a point-to-point bridge
WiFi-Ethernet Bridge Operation
Bridge SSID to FortiGate wired network
VLAN configuration
Additional configuration
FortiAP local bridging (Private Cloud-Managed AP)
Continued FortiAP operation when WiFi controller connection is down
Using bridged FortiAPs to increase scalability
Protecting the WiFi Network
Wireless IDS
WiFi data channel encryption
Configuring encryption on the FortiGate unit
Configuring encryption on the FortiAP unit
Wireless network monitoring
Monitoring wireless clients
Monitoring rogue APs
On-wire rogue AP detection technique
Exact MAC address match
MAC adjacency
Limitations
Logging
Rogue AP scanning as a background activity
Configuring rogue scanning
Exempting an AP from rogue scanning
MAC adjacency
Using the Rogue AP Monitor
Suppressing rogue APs
Monitoring wireless network health
Configuring wireless network clients
Windows XP client
Windows 7 client
Mac OS client
Linux client
Troubleshooting
Checking that the client has received IP address and DNS server information
Windows XP
Mac OS
Linux
Wireless network examples
Basic wireless network
Configuring authentication for wireless users
Configuring the SSID
Configuring firewall policies
Connecting the FortiAP units
A more complex example
Scenario
Configuration
Configuring authentication for employee wireless users
Configuring authentication for guest wireless users
Configuring the SSIDs
Configuring the custom AP profile
Configuring firewall policies
Connecting the FortiAP units
Using a FortiWiFi unit as a client
Use of client mode
Configuring client mode
Support for location-based services
Overview
Configuring location tracking
Viewing device location data on the FortiGate unit
Example output
Chapter 7 Firewall for FortiOS 5.0
FortiGate Firewall Components
FortiGate Firewall Components
How does a FortiGate Protect Your Network
Firewall concepts
What is a Firewall?
Network Layer or Packet Filter Firewalls
Stateless Firewalls
Stateful Firewalls
Application Layer Firewalls
Proxy Servers
Security Profiles
Advantages of using Security Profiles
IPv6
What is IPv6?
IPv6 in FortiOS
Dual Stack routing configuration
IPv6 Tunnelling
Tunnel Configurations
Tunnelling IPv6 through IPSec VPN
NAT
What is NAT?
The Origins of NAT
Static NAT
Dynamic NAT
Overloading
Overlapping
Benefits of NAT
More IP addresses Available while Conserving Public IP Addresses
Financial Savings
Security Enhancements
Ease of Compartmentalization of Your Network
NAT in Transparent Mode
Example:
Central NAT Table
NAT 64 and NAT46
NAT 66
How Packets are handled by FortiOS
FortiGate Modes
NAT/Route Mode
Transparent Mode
Quality of Service
Traffic policing
Traffic Shaping
Queuing
Interfaces and Zones
Firewall objects
Addresses
IPv4 Address and Net Mask
FQDN Addressing
Geography Based Addressing
Address Groups
Wildcard Addressing
Virtual IP Addresses (VIPs)
Virtual IP Groups
IP Pools
Source IP address and IP pool address matching when using a range
ARP Replies
IP pools and zones
Fixed Port
Match-VIP
Services and TCP ports
Categories
Protocol Types
TCP/UDP/SCTP
ICMP or ICMP6
IP
TCP
UDP
SCTP
Specific Addresses in TCP/UDP/SCTP
Protocol Port Values
ICMP
ICMP Types and Codes
ICMPv6
ICMPv6 Types and Codes
IP
Protocol Number
Service Groups
Example Scenario: Using FortiGate services to support Audio/Visual Conferencing
VIP
Creating an address for the subnet
Configuring the services
Services already created:
Existing Services to be edited:
To edit an existing service:
Custom Services that need to be created:
Creating the Service Group
Creating the IPS Security Profile
Policies
Incoming Policy
Outgoing Policy
Firewall schedules
Schedule Groups
Schedule Expiration
Security profiles
AntiVirus
Web Filtering
Application Control
Intrusion Protection (IPS)
Email Filtering
Data Leak Prevention (DLP)
VoIP
ICAP
EndPoint Control
Proxy Option Components
The use of different proxy profiles and profile options
Oversized File Log
Invalid Certificate Log
Port
Comfort Clients
Oversized File/Email Threshold
Chunked Bypass
Allow Fragmented Messages
Append Email Signature
SSL/SSH Inspection
Allow Invalid SSL Certificate
Allow Invalid SSL Certificate
Creating a new SSL/SSH Inspection profile
Security policies
Firewall policies
What is not expressly allowed is denied
Policy order
Exception to policy order (VIPs)
Viewing Firewall Policies
How “Any” policy can remove the Section View
Security policy configuration extensions
Identity Based Policies
Identity-based policy positioning
Identity-based sub-policies
Identity policies an unauthenticated users
Device Identity Policies
VPN Policies
IPSec Policies
SSL VPN Policies
Interface Policies
DoS Protection
Settings used in configuring DoS
One-Arm IDS
IPv6 IPS
Traffic Destined to the FortiGate unit
Dropped, Flooded, Broadcast, Multicast and L2 packets
GUI and CLI
Local-In Policies
Security Policy 0
Deny Policies
Accept Policies
IPv6 Policies
Fixed Port
Endpoint Security
Traffic Logging
Quality of Service
Queuing
Policy Monitor
Upper Pane
Lower Pane
Network defense
Monitoring
Blocking external probes
Address sweeps
Port scans
Probes using IP traffic options
Configure packet replay and TCP sequence checking
Configure ICMP error message verification
Protocol header checking
Evasion techniques
Packet fragmentation
Non-standard ports
Negotiation codes
HTTP URL obfuscation
HTTP header obfuscation
HTTP body obfuscation
Microsoft RPC evasion
Defending against DoS attacks
The “three-way handshake”
SYN flood
SYN spoofing
DDoS SYN flood
Configuring the SYN threshold to prevent SYN floods
SYN proxy
Other flood types
DoS policies
DoS policy recommendations
GUI & CLI - What You May Not Know
Mouse Tricks
Changing the default column setting on the policy page
Example:
Naming Rules and Restrictions
Character Restrictions
Length of Fields Restrictions
Object Tagging and Coloring
Tags
Coloring
Numeric Values
Selecting options from a list
Enabling or disabling options
To Enable or Disable Optionally Displayed Features
Building firewall objects and policies
IPv4 Firewall Addresses
Scenario: Mail Server
Scenario: First Floor Network
Scenario: Marketing Department
Verification
IPv6 Firewall Addresses
Scenario: Mail Server
Scenario: First Floor Network
Verification
FQDN address
Verification
Changing the TTL of a FQDN address
New Geography-based Address
Wildcard Address
IPv4 Address Group
IPv6 Address Group
Multicast Address
Service Category
TCP/UDP/SCTP Service
ICMP Service
ICMPv6 Service
Service Group
Virtual IP address
VIP Group
IP Pool
Central NAT Table
Firewall Schedule - Recurring
Firewall Schedule - One-time
Schedule Group
Proxy Option
Oversized Files
Option 1
Option 2
Firewall Address Policy
Firewall User Identity Policy
Firewall Device Identity Policy
DoS Policy
Multicast forwarding
Sparse mode
Dense mode
Multicast IP addresses
PIM Support
Multicast forwarding and FortiGate units
Multicast forwarding and RIPv2
Configuring FortiGate multicast forwarding
Adding multicast security policies
Enabling multicast forwarding
Multicast routing examples
Example FortiGate PIM-SM configuration using a static RP
Configuration steps
FortiGate PIM-SM debugging examples
Checking that the receiver has joined the required group
Checking the PIM-SM neighbors
Checking that the PIM router can reach the RP
Viewing the multicast routing table (FGT-3)
Viewing the PIM next-hop table
Viewing the PIM multicast forwarding table
Viewing the kernel forwarding table
Viewing the multicast routing table (FGT-2)
Viewing the multicast routing table (FGT-1)
Example multicast destination NAT (DNAT) configuration
Example PIM configuration that uses BSR to find the RP
Commands used in this example
Adding a loopback interface (lo0)
Defining the multicast routing
Adding the NAT multicast policy
Configuration steps
Example debug commands
Chapter 8 Hardware Acceleration
Hardware acceleration overview
Content processors (CP4, CP5, CP6 and CP8)
Determining the content processor in your FortiGate unit
Viewing SSL acceleration status
Disabling CP offloading
Security processors (SPs)
SP Processing Flow
Displaying information about security processing modules
Network processors (NP1, NP2, NP3, NP4 and NP6)
Determining the network processors installed on your FortiGate unit
How NP hardware acceleration alters packet flow
NP processors and traffic logging and monitoring
NP session offloading in HA active-active configuration
Configuring NP HMAC check offloading
Offloading NP pre-IPS anomaly detection
Example
Software switch interfaces and NP processors
Configuring NP accelerated VPN encryption/decryption offloading
Example
Checking that traffic is offloaded by NP processors
Using the packet sniffer
Checking the firewall session offload tag
Verifying IPsec VPN traffic offloading
Controlling IPS NPx and CPx acceleration
NP6 Acceleration
NP6 session fast path requirements
Packet fast path requirements
Mixing fast path and non-fast path traffic
Viewing your FortiGate NP6 processor configuration
Increasing NP6 offloading capacity using link aggregation groups (LAGs)
Configuring Inter-VDOM link acceleration with NP6 processors
Using VLANs to add more accelerated Inter-VDOM links
Confirm that the traffic is accelerated
FortiGate NP6 architectures
FortiGate-1500D fast path architecture
FortiGate-3700D fast path architecture
NP4 Acceleration
Viewing your FortiGate’s NP4 configuration
NP4lite CLI commands (disabling NP4Lite offloading)
Configuring NP4 traffic offloading
NP4 session fast path requirements
Packet fast path requirements
Mixing fast path and non-fast path traffic
NP4 traffic shaping offloading
NP4 IPsec VPN offloading
NP4 IPsec VPN offloading configuration example
Accelerated policy mode IPsec configuration
Accelerated interface mode IPsec configuration
Configuring Inter-VDOM link acceleration with NP4 processors
Using VLANs to add more accelerated Inter-VDOM links
Confirm that the traffic is accelerated
FortiGate NP4 architectures
FortiGate-600C
FortiGate-800C
FortiGate-1000C
FortiGate-1240B
FortiGate-3040B
FortiGate-3140B
FortiGate-3140B — load balance mode
FortiGate-3240C
FortiGate-3600C
XAUI interfaces
FortiGate-3950B and FortiGate-3951B
FortiGate-3950B and FortiGate-3951B — load balance mode
FortiGate-5001C
FortiGate-5001B
Setting switch-mode mapping on the ADM-XD4
Chapter 9 High Availability for FortiOS 5.0
Solving the High Availability problem
FortiGate Cluster Protocol (FGCP)
FortiGate Session Life Support Protocol (FGSP)
VRRP
Fortinet redundant UTM protocol (FRUP)
An introduction to the FGCP
About the FGCP
FGCP failover protection
Session Failover
Load Balancing
Virtual Clustering
Full Mesh HA
Cluster Management
Synchronizing the configuration (and settings that are not synchronized)
Configuring FortiGate units for FGCP HA operation
Connecting a FortiGate HA cluster
Active-passive and active-active HA
Active-passive HA (failover protection)
Active-active HA (load balancing and failover protection)
Identifying the cluster and cluster units
Group name
Password
Group ID
Device failover, link failover, and session failover
Primary unit selection
Primary unit selection and monitored interfaces
Primary unit selection and age
Cluster age difference margin (grace period)
Changing the cluster age difference margin
Displaying cluster unit age differences
Resetting the age of all cluster units
Primary unit selection and device priority
Controlling primary unit selection by changing the device priority
Primary unit selection and the FortiGate unit serial number
Points to remember about primary unit selection
HA override
Override and primary unit selection
Controlling primary unit selection using device priority and override
Points to remember about primary unit selection when override is enabled
Configuration changes can be lost if override is enabled
The solution
Override and disconnecting a unit from a cluster
FortiGate HA compatibility with PPPoE and DHCP
HA and distributed clustering
Hard disk configuration and HA
FGCP high availability best practices
Heartbeat interfaces
Interface monitoring (port monitoring)
Troubleshooting
FGCP HA terminology
Cluster
Cluster unit
Device failover
Failover
Failure
FGCP
Full mesh HA
HA virtual MAC address
Heartbeat
Heartbeat device
Heartbeat failover
Hello state
High availability
Interface monitoring
Link failover
Load balancing
Monitored interface
Primary unit
Session failover
Session pickup
Standby state
State synchronization
Subordinate unit
Virtual clustering
Work state
HA web‑based manager options
Configuring and connecting HA clusters
About the procedures in this chapter
Example: NAT/Route mode active-passive HA configuration
Example NAT/Route mode HA network topology
General configuration steps
Configuring a NAT/Route mode active-passive cluster of two FortiGate-620B units - web‑based manager
Configuring a NAT/Route mode active-passive cluster of two FortiGate-620B units - CLI
Example: Transparent mode active-active HA configuration
Example Transparent mode HA network topology
General configuration steps
Configuring a Transparent mode active-active cluster of two FortiGate-620B units - web‑based manager
Configuring a Transparent mode active-active cluster of two FortiGate-620B units - CLI
Example: advanced Transparent mode active-active HA configuration
Example Transparent mode HA network topology
Configuring a Transparent mode active-active cluster of three FortiGate-5005FA2 units - web‑based manager
Configuring a Transparent mode active-active cluster of three FortiGate-5005FA2 units - CLI
Example: converting a standalone FortiGate unit to a cluster
Example: adding a new unit to an operating cluster
Example: replacing a failed cluster unit
Example: HA and 802.3ad aggregated interfaces
HA interface monitoring, link failover, and 802.3ad aggregation
HA MAC addresses and 802.3ad aggregation
Link aggregation, HA failover performance, and HA mode
General configuration steps
Configuring active-passive HA cluster that includes aggregated interfaces - web‑based manager
Configuring active-passive HA cluster that includes aggregate interfaces - CLI
Example: HA and redundant interfaces
HA interface monitoring, link failover, and redundant interfaces
HA MAC addresses and redundant interfaces
Connecting multiple redundant interfaces to one switch while operating in active-passive HA mode
Connecting multiple redundant interfaces to one switch while operating in active-active HA mode
General configuration steps
Configuring active-passive HA cluster that includes redundant interfaces - web‑based manager
Configuring active-passive HA cluster that includes redundant interfaces - CLI
Troubleshooting HA clusters
Ignoring hardware revisions
Before you set up a cluster
Troubleshooting the initial cluster configuration
More troubleshooting information
Virtual clusters
Virtual clustering overview
Virtual clustering and failover protection
Virtual clustering and heartbeat interfaces
Virtual clustering and HA override
Virtual clustering and load balancing or VDOM partitioning
Configuring HA for virtual clustering
Example: virtual clustering with two VDOMs and VDOM partitioning
Example virtual clustering network topology
General configuration steps
Configuring virtual clustering with two VDOMs and VDOM partitioning - web‑based manager
Configuring virtual clustering with two VDOMs and VDOM partitioning - CLI
Example: inter-VDOM links in a virtual clustering configuration
Configuring inter-VDOM links in a virtual clustering configuration
Troubleshooting virtual clustering
Full mesh HA
Full mesh HA overview
Full mesh HA and redundant heartbeat interfaces
Full mesh HA, redundant interfaces and 802.3ad aggregate interfaces
Example: full mesh HA configuration
FortiGate-620B full mesh HA configuration
Full mesh switch configuration
Full mesh network connections
How packets travel from the internal network through the full mesh cluster and to the Internet
Configuring FortiGate-620B units for HA operation - web‑based manager
Configuring FortiGate-620B units for HA operation - CLI
Troubleshooting full mesh HA
Operating a cluster
Operating a cluster
Operating a virtual cluster
Managing individual cluster units using a reserved management interface
Configuring the reserved management interface and SNMP remote management of individual cluster units
The primary unit acts as a router for subordinate unit management traffic
Cluster communication with RADIUS and LDAP servers
Clusters and FortiGuard services
FortiGuard and active-passive clusters
FortiGuard and active-active clusters
FortiGuard and virtual clustering
Clusters and logging
Viewing and managing log messages for individual cluster units
About HA event log messages
HA log messages
Fortigate HA message "HA master heartbeat interface <intf_name> lost neighbor information"
Formatting cluster unit hard disks (log disks)
Clusters and SNMP
SNMP get command syntax for the primary unit
SNMP get command syntax for any cluster unit
Getting serial numbers of cluster units
SNMP get command syntax - reserved management interface enabled
Clusters and file quarantine
Cluster members list
Virtual cluster members list
Viewing HA statistics
Changing the HA configuration of an operating cluster
Changing the HA configuration of an operating virtual cluster
Changing the subordinate unit host name and device priority
Upgrading cluster firmware
Changing how the cluster processes firmware upgrades
Synchronizing the firmware build running on a new cluster unit
Downgrading cluster firmware
Backing up and restoring the cluster configuration
Monitoring cluster units for failover
Viewing cluster status from the CLI
Examples
About the HA cluster index and the execute ha manage command
Using the execute ha manage command
Using get system ha status to display cluster indexes
Example: actual and operating cluster indexes do not match
Virtual clustering example output
Managing individual cluster units
Disconnecting a cluster unit from a cluster
Adding a disconnected FortiGate unit back to its cluster
HA diagnose commands
all-xdb
all-vcluster
stat
HA and failover protection
About active-passive failover
Device failure
Link failure
Session failover
Primary unit recovery
About active-active failover
Device failover
HA heartbeat and communication between cluster units
Heartbeat interfaces
Connecting HA heartbeat interfaces
Heartbeat packets and heartbeat interface selection
Interface index and display order
HA heartbeat interface IP addresses
Heartbeat packet Ethertypes
Modifying heartbeat timing
Changing the lost heartbeat threshold
Changing the heartbeat interval
Changing the time to wait in the helo state
Enabling or disabling HA heartbeat encryption and authentication
Cluster virtual MAC addresses
Changing how the primary unit sends gratuitous ARP packets after a failover
Disabling gratuitous ARP packets after a failover
How the virtual MAC address is determined
Example virtual MAC addresses
Displaying the virtual MAC address
Diagnosing packet loss with two FortiGate HA clusters in the same broadcast domain
Changing the HA group ID to avoid MAC address conflicts
Example topology
Ping testing for packet loss
Viewing MAC address conflicts on attached switches
Synchronizing the configuration
Configuration settings that are not synchronized
Disabling automatic configuration synchronization
Incremental synchronization
Periodic synchronization
Console messages when configuration synchronization succeeds
Console messages when configuration synchronization fails
Comparing checksums of cluster units
How to diagnose HA out of sync messages
Recalculating the checksums to resolve out of sync messages
Synchronizing kernel routing tables
Configuring graceful restart for dynamic routing failover
Controlling how the FGCP synchronizes kernel routing table updates
Change how long routes stay in a cluster unit routing table
Change the time between routing updates
Change the time the primary unit waits after receiving a routing update
Synchronizing IPsec VPN SAs
Synchronizing SAs for IKEv1
Synchronizing SAs for IKEv2
Link failover (port monitoring or interface monitoring)
If a monitored interface on the primary unit fails
If a monitored interface on a subordinate unit fails
How link failover maintains traffic flow
Recovery after a link failover and controlling primary unit selection (controlling falling back to the prior primary unit)
Preventing a primary unit change after a failed link is restored
Testing link failover
Updating MAC forwarding tables when a link failover occurs
Multiple link failures
Example link failover scenarios
Example: the port1 link on FGT_1 fails
Example: port2 on FGT_1 and port1 on FGT_2 fail
Subsecond failover
Remote link failover
Adding HA remote IP monitoring to multiple interfaces
Changing the ping server failover threshold
Monitoring multiple IP addresses from one interface
Flip timeout
Detecting HA remote IP monitoring failovers
Session failover (session pick-up)
If session pickup is not selected
Improving session synchronization performance
Reducing the number of sessions that are synchronized
Using multiple FortiGate interfaces for session synchronization
Session failover not supported for all sessions
IPv6, NAT64, and NAT66 session failover
SIP session failover
Explicit web proxy, WCCP, and WAN optimization session failover
SSL offloading and HTTP multiplexing session failover
IPsec VPN session failover
SSL VPN session failover and SSL VPN authentication failover
PPTP and L2TP VPN sessions
UDP, ICMP, multicast and broadcast packet session failover
FortiOS Carrier GTP session failover
Active-active HA subordinate units sessions can resume after a failover
WAN optimization and HA
Failover and attached network equipment
Monitoring cluster units for failover
NAT/Route mode active-passive cluster packet flow
Packet flow from client to web server
Packet flow from web server to client
When a failover occurs
Transparent mode active-passive cluster packet flow
Packet flow from client to mail server
Packet flow from mail server to client
When a failover occurs
Failover performance
Device failover performance
Link failover performance
Reducing failover times
HA and load balancing
Load balancing overview
Load balancing schedules
Selecting which packets are load balanced
More about active-active failover
HTTPS sessions, active-active load balancing, and proxy servers
Using FortiGate network processor interfaces to accelerate active-active HA performance
Configuring load balancing settings
Selecting a load balancing schedule
Load balancing UTM sessions, TCP sessions, and UDP sessions
Configuring weighted-round-robin weights
Dynamically optimizing weighted load balancing according to how busy cluster units are
Example weighted load balancing configuration
NAT/Route mode active-active cluster packet flow
Packet flow from client to web server
Packet flow from web server to client
When a failover occurs
Transparent mode active-active cluster packet flow
Packet flow from client to mail server
Packet flow from mail server to client
When a failover occurs
HA with FortiGate-VM and third-party products
FortiGate-VM for VMware HA configuration
FortiGate VM for Hyper-V HA configuration
Troubleshooting layer-2 switches
Forwarding delay on layer 2 switches
Failover issues with layer-3 switches
Changing spanning tree protocol settings for some switches
Spanning Tree protocol (STP)
Bridge Protocol Data Unit (BPDU)
Failover and attached network equipment
Ethertype conflicts with third-party switches
LACP, 802.3ad aggregation and third-party switches
VRRP
Adding a VRRP virtual router to a FortiGate interface
Adding a VRRP virtual router to a FortiGate interface
VRRP virtual MAC address
Configuring VRRP
Example VRRP configuration: two FortiGate units in a VRRP group
Example VRRP configuration: VRRP load balancing two FortiGate units and two VRRP groups
Optional VRRP configuration settings
FortiGate Session Life Support Protocol (FGSP)
Synchronizing the configuration
Synchronizing UDP and ICMP (connectionless) sessions
Synchronizing NAT sessions
Synchronizing expectation (asymmetric) sessions
UTM Flow-based Inspection and Asymmetric Traffic
Notes and limitations
Configuring FGSP HA
Configuring the session synchronization link
Basic example configuration
Verifying FGSP configuration and synchronization
FGSP configuration summary and status
Verifying that sessions are synchronized
Configuring FRUP
FRUP configuration example
Configuring FGT-A
Configuring FGT-B
Connecting, testing and operating the FRUP cluster
Chapter 10 Install and System Administration for FortiOS 5.0
Differences between Models and Firmware
Differences between Models
Differences between Firmware Versions
Using the web-based manager
Web-based manager overview
Web-based manager menus and pages
Using information tables
Using page navigation
Adding filters to web‑based manager lists
Using column settings
Entering text strings
Entering text strings (names)
Entering numeric values
Enabling or disabling options
Dashboard
Adding dashboards and widgets
System Information widget
Changing the FortiGate unit’s host name
Changing the operation mode
Configuring system time
Changing the firmware
Backing up the configuration
Formatting USB
Remote FortiManager backup and restore options
Remote FortiGuard backup and restore options
Restoring your firmware configuration
Viewing online administrators
Changing the currently logged in administrator’s password
License Information widget
FortiGate unit Operation widget
System Resources widget
Alert Message Console widget
CLI Console widget
Session History widget
Top Sessions widget
USB Modem widget
Advanced Threat Protection Statistics widget
Features widget
RAID monitor widget
RAID disk configuration
Basic configurations
Changing your administrator password
Changing the web‑based manager language
Changing administrative access
Changing the web‑based manager idle timeout
Switching VDOMs
Connecting to the CLI from the web‑based manager
Logging out
Using the CLI
Connecting to the CLI
Connecting to the CLI using a local console
Enabling access to the CLI through the network (SSH or Telnet)
Connecting to the CLI using SSH
Connecting to the CLI using Telnet
Command syntax
Terminology
Indentation
Notation
Sub-commands
Example of table commands
Permissions
Tips
Help
Shortcuts and key commands
Command abbreviation
Adding and removing options from lists
Environment variables
Special characters
Using grep to filter get and show command output
Language support and regular expressions
Screen paging
Baud rate
Editing the configuration file on an external host
Using Perl regular expressions
Differences between regular expression and wildcard pattern matching
Word boundary
Case sensitivity
Basic Administration
Connecting to the FortiGate unit
Connecting to the web-based manager
Connecting to the CLI
System configuration
Setting the time and date
Using the NTP Server
Configuring FortiGuard
Updating antivirus and IPS definitions
Passwords
Password considerations
Password policy
Lost Passwords
Administrators
Adding administrators
LDAP Admin Access and Authorization
Configure the LDAP server
Add the LDAP server to a user group
Configure the administrator account
Monitoring administrators
Administrator profiles
super_admin profile
Creating profiles
Global and vdom profiles
Regular (password) authentication for administrators
Management access
Security Precautions
Change the admin username and password
Preventing unwanted login attempts
Prevent multiple admin sessions
Segregated administrative roles
Disable admin services
SSH login time out
Administrator lockout
Idle time-out
Administrative ports
HTTPS redirect
Log in/out warning message
Disable the console interface
Disable interfaces
RADIUS authentication for administrators
Configuring LDAP authentication for administrators
TACACS+ authentication for administrators
PKI certificate authentication for administrators
General Settings
Administrative port settings
Password policies
Feature Select
Configuration backups
Backup and restore a configuration file using SCP
Enable SSH access on the interface
Using the SCP client
SCP public-private key authentication
Restoring a configuration using SCP
Restoring a configuration
Configuration revisions
Restore factory defaults
Firmware
Downloading firmware
Testing new firmware before installing
Upgrading the firmware - web-based manager
Upgrading the firmware - CLI
Installing firmware from a system reboot using the CLI
Reverting to a previous firmware version - web-based manager
Reverting to a previous firmware version - CLI
Configuration Revision
Backup and Restore from a USB key
Backup and Restore an encrypted config file from a USB key
Controlled upgrade
Best practices
Hardware
Environmental specifications
Grounding
Rack mount instructions
Shutting down
Performance
Firewall
Intrusion protection
Antivirus
Web filtering
Antispam
Security
FortiGuard
FortiGuard Services
Next Generation Firewall
Advanced Threat Protection
Other Services
Support Contract and FortiGuard Subscription Services
FortiCloud
Antivirus and IPS
Detection during update
Antivirus and IPS Options
Manual updates
Automatic updates
Scheduling updates
Push updates
Push IP override
Web filtering
Web Filtering and Email Filtering Options
URL verification
Email filtering
Security tools
URL lookup
IP and signature lookup
Online virus scanner
Malware removal tools
FortiSandbox
Troubleshooting
Web-based manager verification
CLI verification
Port assignment
FortiCloud
FortiCloud Features
Simplified central management for your FortiGate network
Hosted log retention with large default storage allocated
Monitoring and alerting in real time
Customized or pre-configured reporting and analysis tools
Maintain important configuration information uniformly
Service security
Registration and Activation
Registering with Support
Registering and Activating your FortiCloud account
FortiGate 300 and below, all FortiWifi units
FortiGate 600 to 800
Enabling logging to FortiCloud
FortiOS 5.0
Configuring policies 5.0
Logging into the FortiCloud portal
Upgrading to a 200Gb subscription
The FortiCloud Portal
Using FortiCloud
Cloud Sandboxing
Interfaces
Physical
Interface settings
Interface configuration and settings
Software switch
Soft switch example
Clear the interfaces and back up the configuration
Merge the interfaces
Final steps
Virtual Switch
Loopback interfaces
Redundant interfaces
One-armed sniffer
Aggregate Interfaces
Example
DHCP addressing mode on an interface
PPPoE addressing mode on an interface
Administrative access
Wireless
Interface MTU packet size
Secondary IP addresses to an interface
Virtual domains
Virtual LANs
Zones
Probing Interfaces
Central management
Adding a FortiGate to FortiManager
FortiGate configuration
Configuring an SSL connection
FortiManager configuration
Configuration through FortiManager
Global objects
Locking the FortiGate web-based manager
Firmware updates
FortiGuard
Backup and restore configurations
Administrative domains
Monitoring
Dashboard
Widgets
FortiClient software
sFlow
Configuration
Enable sFlow
Monitor menus
Logging
FortiCloud
FortiGate memory
FortiGate hard disk
Syslog server
FortiAnalyzer
Sending logs using a secure connection
Configuring an SSL connection
Packet Capture
Alert email
SNMP
SNMP configuration settings
Gigabit interfaces
SNMP agent
SNMP community
Enabling on the interface
Fortinet MIBs
SNMP get command syntax
VLANs
VLAN ID rules
VLAN switching and routing
VLAN layer-2 switching
Layer-2 VLAN example
VLAN layer-3 routing
Layer-3 VLAN example
VLANs in NAT mode
Adding VLAN subinterfaces
Physical interface
IP address and netmask
VLAN ID
VDOM
Configuring security policies and routing
Configuring security policies
Configuring routing
Example VLAN configuration in NAT mode
General configuration steps
Configure the FortiGate unit
Configure the external interface
Add VLAN subinterfaces
Add the firewall addresses
Add the security policies
Configure the VLAN switch
Test the configuration
Testing traffic from VLAN_100 to VLAN_200
Testing traffic from VLAN_200 to the external network
VLANs in transparent mode
VLANs and transparent mode
Add VLAN subinterfaces
Create security policies
Example of VLANs in transparent mode
General configuration steps
Configure the FortiGate unit
Add VLAN subinterfaces
Add the security policies
Configure the Cisco switch and router
Configure the Cisco switch
Configure the Cisco router
Test the configuration
Testing traffic from VLAN_100 to VLAN_200
Troubleshooting VLAN issues
Asymmetric routing
Layer-2 and Arp traffic
ARP traffic
Multiple VDOMs solution
Vlanforward solution
Forward-domain solution
NetBIOS
STP forwarding
Too many VLAN interfaces
PPTP and L2TP
How PPTP VPNs work
FortiGate unit as a PPTP server
Configuring user authentication for PPTP clients
Configuring a user account
Configuring a user group
Enabling PPTP and specifying the PPTP IP address range
Adding the security policy
Configuring the FortiGate unit for PPTP VPN
Configuring the FortiGate unit for PPTP pass through
Configuring a virtual IP address
Configuring a port-forwarding security policy
Testing PPTP VPN connections
Logging VPN events
Configuring L2TP VPNs
Network topology
L2TP infrastructure requirements
L2TP configuration overview
Authenticating L2TP clients
Enabling L2TP and specifying an address range
Defining firewall source and destination addresses
Adding the security policy
Configuring a Linux client
Monitoring L2TP sessions
Testing L2TP VPN connections
Logging L2TP VPN events
Advanced concepts
Dual internet connections (redundant Internet connections)
Redundant interfaces
Ping server
Routing
Security policies
Load sharing
Link redundancy and load sharing
Single firewall vs. multiple virtual domains
Single firewall vs. vdoms
Modem
USB modem port
Modes
Configuring stand alone mode
Configuring redundant mode
Ping server
Additional modem configuration
Modem interface routing
DHCP servers and relays
DHCP Server configuration
DHCP in IPv6
Service
Lease time
DHCP options
Exclude addresses in DHCP a range
DHCP Monitor
Breaking a address lease
Assigning IP address by MAC address
DNS services
DNS settings
Additional DNS CLI configuration
DNS server
Recursive DNS
Dynamic DNS
FortiClient discovery and registration
FortiClient discovery
FortiClient Registration
IP addresses for self-originated traffic
Administration for schools
Security policies
DNS
Encrypted traffic (HTTPS)
FTP
Example security policies
UTM security profiles
Antivirus profiles
Web filtering
Email Filtering
IPS
Application control
Logging
Tag management
Adding and removing tags
Reviewing tags
Tagging guidelines
Replacement messages list
Replacement message images
Adding images to replacement messages
Modifying replacement messages
Replacement message tags
Administration replacement message
Alert Mail replacement messages
Authentication replacement messages
Example
Captive Portal Default replacement messages
Device Detection Portal replacement message
Email replacement messages
Endpoint Control replacement message
FTP replacement messages
FortiGuard Web Filtering replacement messages
HTTP replacement messages
IM replacement messages
NNTP replacement messages
Spam replacement messages
NAC quarantine replacement messages
SSL VPN replacement message
Web Proxy replacement messages
Traffic quota control replacement messages
MM1 replacement messages
MM3 replacement messages
MM4 replacement messages
MM7 replacement messages
MMS replacement messages
Replacement message groups
Disk
Formatting the disk
Setting space quotas
CLI Scripts
Uploading script files
Rejecting PING requests
Opening TCP 113
Obfuscate HTTP responses
Session helpers
Viewing the session helper configuration
Changing the session helper configuration
Changing the protocol or port that a session helper listens on
Disabling a session helper
DCE-RPC session helper (dcerpc)
DNS session helpers (dns-tcp and dns-udp)
File transfer protocol (FTP) session helper (ftp)
H.245 session helpers (h245I and h245O)
H.323 and RAS session helpers (h323 and ras)
Alternate H.323 gatekeepers
Media Gateway Controller Protocol (MGCP) session helper (mgcp)
ONC-RPC portmapper session helper (pmap)
PPTP session helper for PPTP traffic (pptp)
Remote shell session helper (rsh)
Real-Time Streaming Protocol (RTSP) session helper (rtsp)
Session Initiation Protocol (SIP) session helper (sip)
Trivial File Transfer Protocol (TFTP) session helper (tftp)
Oracle TNS listener session helper (tns)
Chapter 11 IPsec VPN for FortiOS 5.0
IPsec VPN concepts
VPN tunnels
VPN gateways
Clients, servers, and peers
Encryption
Authentication
Preshared keys
Additional authentication
Phase 1 and Phase 2 settings
Phase 1
Phase 2
Security Association
IPsec VPN Overview
Types of VPNs
Route-based VPNs
Policy-based VPNs
Comparing policy-based or route-based VPNs
Planning your VPN
Network topologies
General preparation steps
How to use this guide to configure an IPsec VPN
IPsec VPN in the web-based manager
Auto Key (IKE)
Phase 1 configuration
Phase 1 advanced configuration settings
Phase 2 configuration
Phase 2 advanced configuration settings
FortiClient VPN
Manual Key
Manual key configuration settings
Concentrator
IPsec Monitor
Auto Key phase 1 parameters
Overview
Defining the tunnel ends
Choosing main mode or aggressive mode
Choosing the IKE version
Authenticating the FortiGate unit
Authenticating the FortiGate unit with digital certificates
Authenticating the FortiGate unit with a pre-shared key
Authenticating remote peers and clients
Enabling VPN access for specific certificate holders
Before you begin
Configuring certificate authentication for a VPN
Enabling VPN access by peer identifier
Enabling VPN access with user accounts and pre-shared keys
Defining IKE negotiation parameters
Generating keys to authenticate an exchange
Defining IKE negotiation parameters
NAT traversal
NAT keepalive frequency
Dead peer detection
Using XAuth authentication
Using the FortiGate unit as an XAuth server
Using the FortiGate unit as an XAuth client
Phase 2 parameters
Basic phase 2 settings
Advanced phase 2 settings
P2 Proposals
Replay detection
Perfect forward secrecy (PFS)
Keylife
Auto-negotiate
Autokey Keep Alive
DHCP-IPsec
Quick mode selectors
Configure the phase 2 parameters
Specifying the phase 2 parameters
Defining VPN security policies
Defining policy addresses
Defining VPN security policies
Defining an IPsec security policy for a policy-based VPN
Allow traffic to be initiated from the remote site
Outbound and inbound NAT
Source and destination addresses
Enabling other policy features
Before you begin
Defining multiple IPsec policies for the same tunnel
Defining security policies for a route-based VPN
Gateway-to-gateway configurations
Configuration overview
General configuration steps
Using auto-ipsec
Configuring the two VPN peers
Configuring Phase 1 and Phase 2 for both peers
Creating security policies
Creating firewall addresses
Creating route-based VPN security policies
Configuring a default route for VPN interface
Creating policy-based VPN security policy
How to work with overlapping subnets
Solution for route-based VPN
Solution for policy-based VPN
Testing
Hub-and-spoke configurations
Configuration overview
Hub-and-spoke infrastructure requirements
Spoke gateway addressing
Protected networks addressing
Using aggregated subnets
Using aggregated subnets
Using an address group
Authentication
Configure the hub
Define the hub-spoke VPNs
Define the hub-spoke security policies
Route-based VPN security policies
Policy-based VPN security policy
Configuring communication between spokes (policy-based VPN)
Configuring communication between spokes (route-based VPN)
Using a zone as a concentrator
Using a zone with a policy as a concentrator
Using security policies as a concentrator
Configure the spokes
Configuring security policies for hub-to-spoke communication
Route-based VPN security policy
Policy-based VPN security policy
Configuring security policies for spoke-to-spoke communication
Route-based VPN security policy
Policy-based VPN security policy
Dynamic spokes configuration example
Configure the hub (FortiGate_1)
Define the IPsec configuration
Define the security policies
Configure communication between spokes
Configure the spokes
Define the IPsec configuration
Define the security policies
Dynamic DNS configuration
Dynamic DNS over VPN concepts
Dynamic DNS (DDNS)
Routing
Dynamic DNS over VPN
Remote Gateway
Local ID (peer ID)
Route-based or policy-based VPN
Dynamic DNS topology
Assumptions
General configuration steps
Configure the dynamically-addressed VPN peer
Configuring branch_2 VPN tunnel settings
Configuring branch_2 security policies
Define address ranges for branch_2 security policies
Creating branch_2 route-based security policies
Creating branch_2 policy-based security policies
Configure the fixed-address VPN peer
Configuring branch_1 VPN tunnel settings
Configuring branch_1 security policies
Defining address ranges for branch_1 security policies
Creating branch_1 route-based security policies
Creating branch_1 policy-based security policies
Testing
FortiClient dialup-client configurations
Configuration overview
Peer identification
Automatic configuration of FortiClient dialup clients
One button FortiGate - to - FortiClient Phase1 VPN
How the FortiGate unit determines which settings to apply
Using virtual IP addresses
Assigning VIPs by RADIUS user group
FortiClient dialup-client infrastructure requirements
FortiClient-to-FortiGate VPN configuration steps
Configure the FortiGate unit
Configuring FortiGate unit VPN settings
Route-based VPN security policies
Policy-based VPN security policy
Configuring the FortiGate unit as a VPN policy server
Configuring DHCP services on a FortiGate interface
Configure the FortiClient Endpoint Security application
Configuring FortiClient
Adding XAuth authentication
FortiClient dialup-client configuration example
Configuring FortiGate_1
Configuring the FortiClient Endpoint Security application
FortiGate dialup-client configurations
Configuration overview
FortiGate dialup-client infrastructure requirements
FortiGate dialup-client configuration steps
Configure the server to accept FortiGate dialup-client connections
Route-based VPN security policy
Policy-based VPN security policy
Configure the FortiGate dialup client
Route-based VPN security policy
Policy-based VPN security policy
Supporting IKE Mode config clients
Automatic configuration overview
IKE Mode Config overview
Configuring IKE Mode Config
Configuring an IKE Mode Config client
Configuring an IKE Mode Config server
IP address assignment
Example: FortiGate unit as IKE Mode Config server
Example: FortiGate unit as IKE Mode Config client
Internet-browsing configuration
Configuration overview
Creating an Internet browsing security policy
Routing all remote traffic through the VPN tunnel
Configuring a FortiGate remote peer to support Internet browsing
Configuring a FortiClient application to support Internet browsing
Redundant VPN configurations
Configuration overview
General configuration steps
Configure the VPN peers - route-based VPN
Redundant route-based VPN configuration example
Configuring FortiGate_1
Configuring FortiGate_2
Partially-redundant route-based VPN example
Configuring FortiGate_1
Configuring FortiGate_2
Creating a backup IPsec interface
Transparent mode VPNs
Configuration overview
Transparent VPN infrastructure requirements
Before you begin
Configure the VPN peers
Manual-key configurations
Configuration overview
Specify the manual keys for creating a tunnel
IPv6 IPsec VPNs
Overview of IPv6 IPsec support
Certificates
Configuring IPv6 IPsec VPNs
Phase 1 configuration
Phase 2 configuration
Security policies
Routing
Site-to-site IPv6 over IPv6 VPN example
Configure FortiGate A interfaces
Configure FortiGate A IPsec settings
Configure FortiGate A security policies
Configure FortiGate A routing
Configure FortiGate B
Site-to-site IPv4 over IPv6 VPN example
Configure FortiGate A interfaces
Configure FortiGate A IPsec settings
Configure FortiGate A security policies
Configure FortiGate A routing
Configure FortiGate B
Site-to-site IPv6 over IPv4 VPN example
Configure FortiGate A interfaces
Configure FortiGate A IPsec settings
Configure FortiGate A security policies
Configure FortiGate A routing
Configure FortiGate B
L2TP and IPsec (Microsoft VPN)
Overview
Layer 2 Tunneling Protocol (L2TP)
Assumptions
Configuring the FortiGate unit
Configuring LT2P users and firewall user group
Creating user accounts
Creating a user group
Configuring L2TP
Configuring IPsec
Configuring security policies
Configuring the Windows PC
Troubleshooting
Quick checks
Mac OS X and L2TP
Setting up logging
Using the FortiGate unit debug commands
Typical L2TP over IPsec session startup log entries - raw format
GRE over IPsec (Cisco VPN)
Overview
Configuring the FortiGate unit
Enabling overlapping subnets
Configuring the IPsec VPN
Adding IPsec tunnel end addresses
Configuring the GRE tunnel
Adding GRE tunnel end addresses
Configuring security policies
Configuring routing
Configuring the Cisco router
Troubleshooting
Quick checks
Setting up logging
Using diagnostic commands
Protecting OSPF with IPsec
Overview
OSPF over IPsec configuration
Configuring the IPsec VPN
Configuring static routing
Configuring OSPF
FortiGate_1 OSPF configuration
FortiGate_2 OSPF configuration
Creating a redundant configuration
Adding the second IPsec tunnel
Adding the OSPF interface
Hardware offloading and acceleration
Overview
IPsec session offloading requirements
Packet offloading requirements
IPsec encryption offloading
HMAC check offloading
IPsec offloading configuration examples
Accelerated route-based VPN configuration
Accelerated policy-based VPN configuration
Monitoring and troubleshooting
Monitoring VPN connections
Monitoring connections to remote peers
Monitoring dialup IPsec connections
Testing VPN connections
LAN interface connection
Dialup connection
Troubleshooting VPN connections
Logging VPN events
VPN troubleshooting tips
The VPN proposal is not connecting
Attempting hardware offloading beyond SHA1
Check Phase 1 proposal settings
Check your routing
Try enabling XAuth
General troubleshooting tips
A word about NAT devices
IPv6 for FortiOS 5.0
IPv6 packet structure
Jumbograms and jumbo payloads
Fragmentation and reassembly
Benefits of IPv6
IPv6 Features
IPv6 policies
IPv6 policy routing
IPv6 security policies
IPv6 explicit web proxy
Restricting the IP address of the explicit IPv6 web proxy
Restricting the outgoing source IP address of the IPv6 explicit web proxy
VIP64
VIP46
IPv6 Network Address Translation
NAT64 and DNS64 (DNS proxy)
NAT64 policies
NAT66
NAT66 destination address translation
NAT64 and NAT66 session failover
NAT46
ICMPv6
ICMPv6 Types and Codes
IPv6 in dynamic routing
Dual stack routing
IPv6 tunnelling
Tunnel configuration
Tunnelling IPv6 through IPsec VPN
SIP over IPv6
New Fortinet FortiGate IPv6 MIB fields
New OIDs
EXAMPLE SNMP get/walk output
IPv6 Per-IP traffic shaper
DHCPv6
DHCPv6 relay
IPv6 forwarding—Policies, IPS, Application Control, flow‑based antivirus, web filtering, and DLP
FortiGate interfaces can get IPv6 addresses from an IPv6 DHCP server
IPv6 Configuration
IPv6 address groups
IPv6 firewall addresses
Scenario: Mail Server
Scenario: First Floor Network
ICMPv6
IPv6 IPsec VPN
Overview of IPv6 IPsec support
Certificates
Configuring IPv6 IPsec VPNs
Phase 1 configuration
Phase 2 configuration
Security policies
Routing
Site-to-site IPv6 over IPv6 VPN example
Configure FortiGate A interfaces
Configure FortiGate A IPsec settings
Configure FortiGate A security policies
Configure FortiGate A routing
Configure FortiGate B
Site-to-site IPv4 over IPv6 VPN example
Configure FortiGate A interfaces
Configure FortiGate A IPsec settings
Configure FortiGate A security policies
Configure FortiGate A routing
Configure FortiGate B
Site-to-site IPv6 over IPv4 VPN example
Configure FortiGate A interfaces
Configure FortiGate A IPsec settings
Configure FortiGate A security policies
Configure FortiGate A routing
Configure FortiGate B
BGP and IPv6
RIPng — RIP and IPv6
Network layout and assumptions
Basic network layout
Assumptions
Configuring the FortiGate units system information
Configuring RIPng on FortiGate units
Configuring other network devices
Testing the configuration
Testing the IPv6 RIPng information
Debugging IPv6 on RIPng
IPv6 IPS
Blocking IPv6 packets by extension headers
IPv6 Denial of Service policies
Configure hosts in an SNMP v1/2c community to send queries or receive traps
IPv6 PIM sparse mode multicast routing
Chapter 12 Load Balancing for FortiOS 5.0
Before you begin
Before you begin
How this chapter is organized
Configuring load balancing
Load balancing overview
Load balancing, UTM, authentication, and other FortiOS features
Configuring load balancing virtual servers
Load balancing methods
Session persistence
Real servers
Real server active, standby, and disabled modes
Adding real servers
Health check monitoring
Virtual IP, load balance virtual server and load balance real server limitations
Monitoring load balancing
Load balancing get command
Load balancing diagnose commands
Logging Diagnostics
Real server diagnostics
Basic load balancing configuration example
HTTP and HTTPS load balancing, multiplexing, and persistence
HTTP and HTTPS multiplexing
Preserving the client IP address
HTTP and HTTPS persistence
How HTTP cookie persistence options work
HTTP host-based load balancing
Host load balancing and HTTP cookie persistence
SSL/TLS load balancing
SSL offloading
Additional SSL load balancing options
SSL offloading support or Internet Explorer 6
Disabling SSL/TLS re-negotiation
IP, TCP, and UDP load balancing
Load balancing configuration examples
Example: HTTP load balancing to three real web servers
Web-based manager configuration
CLI configuration
Example: Basic IP load balancing configuration
Example: Adding a server load balance port forwarding virtual IP
Example: Weighted load balancing configuration
Web-based manager configuration
CLI configuration
Example: HTTP and HTTPS persistence configuration
CLI configuration: adding persistence for a specific domain
Chapter 13 Logging and Reporting
Logging and reporting overview
What is logging?
How the FortiGate unit records log messages
Example: How the FortiGate unit records a DLP event
FortiOS features available for logging
Traffic
Other Traffic
Event
Traffic Shaping
Data Leak Prevention
NAC Quarantine
Media Access Control (MAC) Address
Application control
Antivirus
Web Filter
IPS (attack)
Packet logs
Email filter
Archives (DLP)
Network scan
Log messages
Explanation of a debug log message
Viewing log messages and archives
Viewing log messages in detail
Quarantine
Customizing the display of log messages on the web-based manager
How to download log messages and view them from on a computer
Log files and types
Log database and datasets
How to view datasets
How to create datasets (advanced)
Notifications about network activity
How to configure email notifications
Log devices
FortiGate unit’s system memory and hard disk
FortiAnalyzer unit
Syslog server
WebTrends server
How to choose a log device for your network topology
How to create a backup solution for logging
Reports
What are FortiOS reports?
The parts of a FortiOS report
What you can do with the default FortiOS report
How to modify the default FortiOS report
How to create a FortiOS report
Best Practices: Log management
Logging and reporting for small networks
Modifying default log device settings
Modifying the FortiGate unit’s system memory default settings
Modifying the FortiGate unit’s hard disk default settings
Testing sending logs to the log device
Configuring the backup solution
Configuring logging to a FortiCloud server
Configuring uploading logs to the FortiAnalyzer unit
Testing uploading logs to a FortiAnalyzer unit
Modifying the default FortiOS report
Logging and reporting for large networks
Modifying default log device settings
Modifying multiple FortiGate units’ system memory default settings
Modifying multiple FortiGate units’ hard disk default log settings
Testing the modified log settings
Configuring the backup solution
Configuring logging to multiple FortiAnalyzer units
Configuring logging to the FortiCloud server
Modifying the default FortiOS report
Creating datasets
Creating charts for the datasets
Uploading the corporate images
Adding a new report cover and page
Advanced logging
Configuring logging to multiple Syslog servers
Using Automatic Discovery to connect to a FortiAnalyzer unit
Activating a FortiCloud account for logging purposes
Viewing log storage space
Customizing and filtering log messages
Viewing logs from the CLI
Configuring NAC quarantine logging
Logging local-in policies
Tracking specific search phrases in reports
Creating a dataset containing attack name instead of attack ID
Reverting modified report settings to default settings
Customizing FortiOS reports with CLI
Configuring a style
Example
Configuring a theme
Example of a theme
Configuring charts
Example of a new chart
Adding a chart
Troubleshooting and logging
Using log messages to help in troubleshooting issues
Using IPS packet logging in diagnostics
Using HA log messages to determine system status
Connection issues between FortiGate unit and logging devices
Unable to connect to a supported log device
FortiGate unit has stopped logging
Log database issues
SQL statement syntax errors
Connection problems
SQL database errors
Logging daemon (Miglogd)
Appendix: FortiGate report charts
Traffic charts
Web filter charts
IPS (or attack) charts
Antivirus charts
Email filter charts
VPN charts
Chapter 14 Managing Devices for FortiOS 5.0
Managing “bring your own device”
Device monitoring
Device Groups
Creating a custom device group
Controlling access with a MAC Address Access Control List
Device policies
Creating device policies
Adding endpoint protection
Setting Device Policy Options
Endpoint Protection
Endpoint Protection overview
User experience
FortiClient non-compliance
FortiGate endpoint registration limits
Configuration overview
Changing the FortiClient installer download location
Creating a FortiClient profile
Enabling Endpoint Protection in security policies
Configuring endpoint registration over a VPN
Endpoint registration on an IPsec VPN
Endpoint registration on the SSL VPN
Synchronizing endpoint registrations
Monitoring endpoints
Modifying the Endpoint Protection replacement messages
Vulnerability Scan
Configuring vulnerability scans
Running a vulnerability scan and viewing scan results
Requirements for authenticated scanning and ports scanned
Microsoft Windows hosts - domain scanning
Group Policy - Security Options
Group Policy - System Services
Group Policy - Administrative Templates
Microsoft Windows hosts - local (non-domain) scanning
Windows firewall settings
Unix hosts
Chapter 15 Unified Threat Management for FortiOS 5.0
Security Profiles overview
Traffic inspection
IPS signatures
IPS recommendations
Suspicious traffic attributes
Application control
Application control recommendations
Content inspection and filtering
AntiVirus
AntiVirus recommendations
FortiGuard Web Filtering
FortiGuard Web Filtering recommendations
Email filter
Email filter recommendations
DLP
DLP recommendations
Security Profiles components
AntiVirus
Intrusion Protection System (IPS)
Web filtering
Email filtering
Data Leak Prevention (DLP)
Application Control
ICAP
Security Profiles/lists/sensors
Client Reputation
Summary of the Client Reputation features
Applying client reputation monitoring to your network
Viewing client reputation results
Changing the client reputation reporting window and database size
Client reputation data update and maintenance intervals
Setting the client reputation profile/definition
Expanding client reputation to include more types of behavior
Client reputation execute commands
Client reputation diagnose commands
AntiVirus
Antivirus concepts
How antivirus scanning works
Flow-based antivirus scanning
Antivirus scanning order
Proxy-based antivirus scanning order
Flow-based antivirus scanning order
Antivirus databases
Antivirus techniques
Virus scan
Grayware
Heuristics
FortiGuard Antivirus
Enable antivirus scanning
Antivirus Profiles
Changing the default antivirus database
Configuring the scan buffer size
Configuring archive scan depth
Configuring a maximum allowed file size
Configuring client comforting
Grayware scanning
Windows file sharing (CIFS) flow-based antivirus scanning
Advanced Persistent Threat (APT) protection
Botnet and phishing protection
FortiGuard Sandbox (in the cloud sandboxing, zero day threat analysis and submission)
Testing your antivirus configuration
Antivirus examples
Configuring simple antivirus protection
Creating an antivirus profile
Selecting the antivirus profile in a security policy
Protecting your network against malicious email attachments
Enabling antivirus scanning in the antivirus profile
Selecting the antivirus profile in a security policy
Email filter
Email filter concepts
Email filter techniques
FortiGuard IP address check
FortiGuard URL check
Detect phishing URLs in email
FortiGuard email checksum check
FortiGuard spam submission
IP address black/white list check
HELO DNS lookup
Email address black/white list check
Return email DNS check
Banned word check
Order of spam filtering
Order of SMTP and SMTPS spam filtering
Order of IMAP, POP3, IMAPS and POP3S spam filtering
Enable email filtering
Configure email traffic types to inspect
Configure the spam action
Configure the tag location
Configure the tag format
Configure FortiGuard email filters
Configure local email filters
Enabling IP address and email address black/white list checking
Enabling HELO DNS lookup
Enabling return email DNS checking
Enabling banned word checking
How content is evaluated
Adding words to a banned word list
Email filter examples
Configuring simple antispam protection
Creating an email filter profile
Selecting the email filter profile in a security policy
Blocking email from a user
Intrusion protection
IPS concepts
Anomaly-based defense
Signature-based defense
Signatures
Protocol decoders
IPS engine
IPS sensors
IPS filters
Custom/predefined signature entries
Policies
Enable IPS scanning
General configuration steps
Creating an IPS sensor
Creating an IPS filter
Updating predefined IPS signatures
Viewing and searching predefined IPS signatures
Searching manually
Applying filters
IPS processing in an HA cluster
Active-passive
Active-active
Configure IPS options
Hardware Acceleration
Extended IPS Database.
Configuring the IPS engine algorithm
Configuring the IPS engine-count
Configuring fail-open
Configuring the session count accuracy
Configuring the IPS buffer size
Configuring protocol decoders
Configuring security processing modules
IPS signature rate count threshold
Enable IPS packet logging
IPS examples
Configuring basic IPS protection
Creating an IPS sensor
Selecting the IPS sensor in a security policy
Using IPS to protect your web server
Create and test a packet logging IPS sensor
Configuring a Fortinet Security Processing module
Assumptions
Network configuration
Security module configuration
IPS Sensor
Custom Application & IPS Signatures
Creating a custom IPS signature
Custom signature syntax
Custom signature keywords
Information keywords
attack_id
name
Session keywords
flow
service
Content keywords
byte_jump
byte_test
depth
distance
content
context
no_case
offset
pattern
pcre
uri
within
IP header keywords
dst_addr
ip_id
ip_option
ip_tos
ip_ttl
protocol
src_addr
TCP header keywords
ack
dst_port
seq
src_port
tcp_flags
window_size
UDP header keywords
dst_port
src_port
ICMP keywords
icmp_code
icmp_id
icmp_seq
icmp_type
Other keywords
data_size
data_at
rate
rpc_num
same_ip
track
Creating a custom signature to block access to example.com
Creating a custom signature to block the SMTP “vrfy” command
Web filter
Web filter concepts
Different ways of controlling access
Order of web filtering
Inspections Modes
Proxy
Flow-based
DNS
FortiGuard Web Filtering Service
FortiGuard Web Filter and your FortiGate unit
Enabling FortiGuard Web Filter
General configuration steps
Configuring FortiGuard Web Filter settings
To configure the FortiGuard Web Filter categories
Configuring FortiGuard Web Filter usage quotas
Quota hierarchy
Overriding FortiGuard website categorization
The different methods of override
Using Alternate Categories
Rating Overrides
Local Categories
Configuring Rating Overrides
Using Alternate Profiles
Allow Blocked Overrides or Web Overrides
The Concept
Identity or Address
Settings
SafeSearch
YouTube Education Filter
Enabling YouTube Education Filter in CLI
Deep Scanning Restrictions
Enable HTTPS URL Scan Only
Categories Exempt from Deep Scanning
Web Site Filter
URL formats
URL formats
Web Site Filter actions
Block
Allow
Monitor
Exempt
Status
Configuring a Web Site Filter
Configuring a URL filter list
Web content filter
General configuration steps
Creating a web filter content list
How content is evaluated
Enabling the web content filter and setting the content threshold
Advanced web filter configurations
Allow websites when a rating error occurs
ActiveX filter
Block HTTP redirects by rating
Block Invalid URLs
Cookie filter
Provide Details for Blocked HTTP 4xx and 5xx Errors
HTTP POST action
Java applet filter
Rate Images by URL
Rate URLs by Domain and IP Address
Web resume download block
Working with the Interface
Profile page
New Web Filter Profile page
Profile
Web profile configuration settings
URL Filter
URL filter configuration settings
Web filtering example
Video: Example of Web Filter configuration relating to blocking HTTPS.
Video: Example of Web Filtering configuration relating to blocking HTTP and HTTPS.
School district
Data leak prevention
Data leak prevention concepts
DLP sensor
DLP filter
Fingerprint
File filter
File size
Regular expression
Watermark
Software Versions
File types
Using the FortiExplorer Watermark tool
Installation of the watermark utility on Linux
Syntax of the Watermark utility
Using the watermark utility
Enable data leak prevention
General configuration steps
Creating a DLP sensor
Adding filters to a DLP sensor
DLP document fingerprinting
Fingerprinted Documents
File filter
General configuration steps
Creating a file filter list
Video: Example of DLP using a File Filter configuration.
Creating a file pattern
Creating a file type
Preconfigured sensors
DLP archiving
DLP examples
Blocking content with credit card numbers
Blocking emails larger than 15 MB and logging emails from 5 MB to 15 MB
Selective blocking based on a finger print
Sensitivity Level Addition
Finger print configuration
Create DLP Sensors
Configuration for the second sensor that allows transmission.
Create policies and attach DLP sensors
Policy to allow transmission of copyrighted material
Policy to block transmission of copyrighted material
Application control
Application control concepts
Application considerations
Automatically allowing basic applications
Syntax
IM applications
Skype
Application traffic shaping
Direction of traffic shaping
Shaper re-use
Application control monitor
Application Control monitor
Enable application control
General configuration steps
Creating an application sensor
Adding applications to an application sensor
Viewing and searching the application list
Searching manually
Applying application list filters
Creating a New Custom Application Signature
Creating a new Application Filter
Enabling application traffic shaping
Application control examples
Video: Example of Application Control configurations.
Blocking all instant messaging
Allowing only software updates
Selecting the application sensor in a security policy
ICAP
The Protocol
Offloading using ICAP
Configuration Settings
Servers
IP address
Maximum Connections
Port
Profiles
Enable Request Processing
Enable Response Processing
Enable Streaming Media Bypass
Example ICAP sequence
Example Scenerio
Other Security Profiles considerations
Profile Groups
Creating a new group
Security profiles that can be grouped
Using the Web-based Manager
Using the CLI
Adding a Profile Group to a policy
When adding a Profile Group to a policy there are 2 potential points of confusion:
Security Profiles and Virtual domains (VDOMs)
Conserve mode
The AV proxy
Entering and exiting conserve mode
Conserve mode effects
off
pass
one-shot
idledrop
Configuring the av-failopen command
SSL content scanning and inspection
Setting up certificates to avoid client warnings
SSL content scanning and inspection settings
Exeptions
Monitoring Security Profiles activity
Configuring packet logging options
Limiting memory use
Limiting disk use
Configuring how many packets are captured
Using wildcards and Perl regular expressions
Regular expression vs. wildcard match pattern
Word boundary
Case sensitivity
Perl regular expression formats
Examples of regular expressions
Monitor interface reference
AV Monitor
Intrusion Monitor
Web Monitor
Email Monitor
Archive & Data Leak Monitor
Application Monitor
FortiGuard Quota
Endpoint Monitor
Chapter 16 SSL VPN for FortiOS 5.0
Introduction to SSL VPN
SSL VPN modes of operation
Web-only mode
Tunnel mode
Port forwarding mode
Application support
SSL VPN and IPv6
Traveling and security
Host check
Cache cleaning
Basic Configuration
User accounts and groups
Authentication
MAC host check
IP addresses for users
Authentication of remote users
Setting the client authentication timeout
Allow one time login per user
Strong authentication with security certificates
NSA Suite B cryptography support
Configuring SSL VPN web portals
SSL connection configuration
Portal configuration
Adding bookmarks
Personal bookmarks
Custom login screen
Tunnel mode and split tunneling
Port forward tunnel
The Connection tool widget
Configuring security policies
Firewall addresses
Create an SSL VPN security policy
Create a tunnel mode security policy
Routing for tunnel mode
Split tunnel Internet browsing policy
Enabling a connection to an IPsec VPN
Route-based connection
Policy-based connection
Additional configuration options
Routing in tunnel mode
Changing the port number for web portal connections
SSL offloading
Customizing the web portal login page
Host check
Creating a custom host check list
Windows OS check
Configuring cache cleaning
Configuring virtual desktop
Configuring virtual desktop application control
Configuring client OS Check
Adding WINS and DNS services for clients
Setting the idle timeout setting
SSL VPN logs
Monitoring active SSL VPN sessions
Troubleshooting
The SSL VPN client
FortiClient
Tunnel mode client configuration
Setup examples
Remote Access with SSLVPN
Secure internet browsing
Creating an SSL VPN IP pool and SSL VPN web portal
Creating the SSL VPN user and user group
Creating a static route for the remote SSL VPN user
Creating security policies
Results
Split Tunnel
Creating a firewall address for the head office server
Creating an SSL VPN IP pool and SSL VPN web portal
Creating the SSL VPN user and user group
Creating a static route for the remote SSL VPN user
Creating security policies
Results
Multiple user groups with different access permissions example
General configuration steps
Creating the firewall addresses
Creating the destination addresses
Creating the tunnel client range addresses
Creating the web portals
Creating the user accounts and user groups
Creating the security policies
Create the static route to tunnel mode clients
Chapter 17 Traffic Shaping for FortiOS 5.0
The purpose of traffic shaping
Quality of Service
Traffic policing
Bandwidth guarantee, limit, and priority interactions
FortiGate traffic
Through traffic
Calculation and regulation of packet rates
Important considerations
Traffic shaping methods
Traffic shaping options
Shared policy shaping
Per policy
All policies
Maximum and guaranteed bandwidth
Traffic priority
VLAN, VDOM and virtual interfaces
Shared traffic shaper configuration settings
Example
Per-IP shaping
Per-IP traffic shaping configuration settings
Example
Adding Per-IP traffic shapers to a security policy
Application control shaping
Example
Enabling in the security policy
Reverse direction traffic shaping
Setting the reverse direction only
Application control shaper
Type of Service priority
Example
Example
TOS in FortiOS
Differentiated Services
DSCP examples
Example
Example
Example
Example
Tos and DSCP mapping
Traffic Shaper Monitor
Examples
QoS using priority from security policies
Sample configuration
QoS using priority from ToS or differentiated services
Sample configuration
Example setup for VoIP
Creating the traffic shapers
VoIP shaper
FTP shaper
Regular traffic shaper
Creating security policies
Troubleshooting traffic shaping
Interface diagnosis
Shaper diagnose commands
TOS command
Shared shaper
Per-IP shaper
Packet loss with statistics on shapers
Packet lost with the debug flow
Session list details with dual traffic shaper
Additional Information
Chapter 18 Troubleshooting
Life of a Packet
Stateful inspection
Connections over connectionless
What is a session?
Differences between connections and sessions
Flow inspection
Proxy inspection
Comparison of inspection layers
FortiOS functions and security layers
Packet flow
Packet inspection (Ingress)
Interface
DoS sensor
IP integrity header checking
IPsec
Destination NAT (DNAT)
Routing
Policy lookup
Session tracking
User authentication
Management traffic
SSL VPN traffic
ICAP traffic
Session helpers
Flow-based inspection engine
Proxy‑based inspection engine
IPsec
Source NAT (SNAT)
Routing
Egress
Example 1: client/server connection
Example 2: Routing table update
Example 3: Dialup IPsec VPN with application control
Verifying FortiGate admin access security
Install the FortiGate unit in a physically secure location
Add new administrator accounts
Change the admin account name and limit access to this account
Only allow administrative access to the external interface when needed
When enabling remote access, configure Trusted Hosts and Two-factor Authentication
Configuring Trusted Hosts
Configuring Two-factor Authentication
Change the default administrative port to a non-standard port
Enable Password Policy
Maintain short login timeouts
Modify administrator account Lockout Duration and Threshold values
Administrator account Lockout Duration
Administrator account Lockout Threshold
Disable auto installation via USB
Auditing and Logging
Troubleshooting resources
Technical Documentation
Fortinet Video Library
Release Notes
Knowledge Base
Fortinet Technical Discussion Forums
Fortinet Training Services Online Campus
Fortinet Customer Support
Troubleshooting tools
FortiOS diagnostics
Check date and time
Resource usage
Proxy operation
Hardware NIC
Traffic trace
Session table
Web-based manager session information
How to find which security policy a specific connection is using
CLI session information
Firewall session setup rate
Finding object dependencies
CLI method
Web-based manager method
Flow trace
Flow trace output example - HTTP
Flow trace output example - IPsec (policy-based)
Packet sniffing and packet capture
Packet sniffing
Packet capture
FA2 and NP2 based interfaces
Debug command
Debug output example
The execute tac report command
Other commands
ARP table
Time and date settings
IP address
FortiOS ports
FortiAnalyzer/FortiManager ports
FortiGuard troubleshooting
Troubleshooting process for FortiGuard updates
FortiGuard server settings
Displaying the server list
Sorting the server list
Calculating weight
FortiGuard URL rating
Troubleshooting methodologies
Establish a baseline
Define the problem
Gathering Facts
Create a troubleshooting plan
Providing Supporting Elements
Obtain any required additional equipment
Ensure you have administrator level access to required equipment
Contact Fortinet customer support for assistance
Technical Support Organization Overview
Fortinet Global Customer Services Organization
Creating an account
Registering a device
Reporting problems
Logging online tickets
Fortinet partners
Fortinet customers
Following up on online tickets
Telephoning a technical support center
Assisting technical support
Support priority levels
Priority 1
Priority 2
Priority 3
Priority 4
Return material authorization process
Chapter 19 Virtual Domains
Virtual Domains
Benefits of Virtual Domains
Improving Transparent mode configuration
Easier administration
Continued security
Savings in physical space and power
More flexible MSSP configurations
Enabling and accessing Virtual Domains
Enabling Virtual Domains
Changes to the web-based manager and CLI
Changes to FortiGate unit settings
Viewing the VDOM list
Global and per-VDOM settings
Global settings - web-based manager
Per-VDOM settings - web-based manager
Global settings - CLI
Per-VDOM settings - CLI
Resource settings
Global resource settings
Per-VDOM resource settings
Virtual Domain Licensing
Logging in to VDOMs
Configuring Virtual Domains
Creating a Virtual Domain
Disabling a Virtual Domain
Deleting a VDOM
Removing references to a VDOM
Common objects that refer to VDOMs
Administrators in Virtual Domains
Administrator VDOM permissions
Creating administrators for Virtual Domains
Virtual Domain administrator dashboard display
Virtual Domains in NAT/Route mode
Virtual domains in NAT/Route mode
Changing the management virtual domain
Configuring interfaces in a NAT/Route VDOM
Adding a VLAN to a NAT/Route VDOM
Moving an interface to a VDOM
Deleting an interface
Adding a zone to a VDOM
Configuring VDOM routing
Default static route for a VDOM
Dynamic Routing in VDOMs
Configuring security policies for NAT/Route VDOMs
Configuring a security policy for a VDOM
Configuring security profiles for NAT/Route VDOMs
Configuring VPNs for a VDOM
Example NAT/Route VDOM configuration
Network topology and assumptions
General configuration steps
Creating the VDOMs
Configuring the FortiGate interfaces
Configuring the vdomA interfaces
Configuring the vdomB interfaces
Configuring the vdomA VDOM
Adding vdomA firewall addresses
Adding the vdomA security policy
Adding the vdomA default route
Configuring the vdomB VDOM
Adding the vdomB firewall address
Adding the vdomB security policy
Adding a default route to the vdomB VDOM
Testing the configuration
Testing traffic from the internal network to the ISP
Virtual Domains in Transparent mode
Transparent operation mode
Broadcast domains
Forwarding domains
Spanning Tree Protocol
Differences between NAT/Route and Transparent mode
Operation mode differences in VDOMs
Configuring VDOMs in Transparent mode
Switching to Transparent mode
Adding VLAN subinterfaces
Creating security policies
Example of VDOMs in Transparent mode
Network topology and assumptions
General configuration steps
Configuring common items
Creating virtual domains
Configuring the Company_A VDOM
Adding VLAN subinterfaces
Creating the Lunch schedule
Configuring Company_A firewall addresses
Creating Company_A security policies
Configuring the Company_B VDOM
Adding VLAN subinterfaces
Creating Company_B service groups
Configuring Company_B firewall addresses
Configuring Company_B security policies
Configuring the VLAN switch and router
Configuring the Cisco switch
Configuring the Cisco router
Testing the configuration
Testing traffic from VLAN_100 to the Internet
Testing traffic from VLAN_100 to VLAN_200
Inter-VDOM routing
Benefits of inter-VDOM routing
Continued support for secure firewall policies
Configuration flexibility
Getting started with VDOM links
Viewing VDOM links
Creating VDOM links
IP addresses and inter-VDOM links
Deleting VDOM links
NAT to Transparent VDOM links
Inter-VDOM configurations
Standalone VDOM configuration
Independent VDOMs configuration
Management VDOM configuration
Meshed VDOM configuration
Dynamic routing over inter-VDOM links
HA virtual clusters and VDOM links
What is virtual clustering?
Virtual clustering and failover protection
Virtual clustering and heartbeat interfaces
Virtual clustering and HA override
Virtual clustering and load balancing or VDOM partitioning
Example of inter-VDOM routing
Network topology and assumptions
General configuration steps
Creating the VDOMs
Configuring the physical interfaces
Configuring the VDOM links
Configuring the firewall and Security Profile settings
Configuring firewall service groups
Configuring Security Profile settings for the Accounting VDOM
Configuring firewall settings for the Accounting VDOM
Configuring Security Profile settings for the Sales VDOM
Configuring firewall settings for the Sales VDOM
Configuring firewall settings between the Accounting and Sales VDOMs
Testing the configuration
Testing connectivity
Troubleshooting Tips
Troubleshooting Virtual Domains
VDOM admin having problems gaining access
Confirm the admin’s VDOM
Confirm the VDOM’s interfaces
Confirm the VDOMs admin access
FortiGate unit running very slowly
Too many VDOMs
One or more VDOMs are consuming all the resources
Too many Security Features in use
General VDOM tips and troubleshooting
Perform a sniffer trace
What sniffing packets can tell you
How to sniff packets
Debugging the packet flow
Chapter 20 Virtual FortiGate Units for FortiOS 5.0
FortiGate VM Overview
FortiGate VM models and licensing
FortiGate VM evaluation license
Registering FortiGate VM with Customer Service & Support
Downloading the FortiGate VM deployment package
Deployment package contents
Citrix XenServer
OpenXEN
Microsoft Hyper-V