Video Cookbook Recipes
Explicit Web Proxy
Authentication
Virtual Domains
Inside FortiOS - Virtual Domains
Basic Virtual Domain setup
Routing
Policies and Firewall Objects
Security Profiles
VPN (IPsec and SSL)
User and Device Authentication
Wireless
Logging and Reporting
Chapter 1 What’s New for FortiOS 5.2.1
New features in FortiOS 5.2 Patch 1
Include bandwidth and setup rate statistics in the event log
Allow export of collected emails
ssl-ssh-profile is no longer mandatory when UTM profiles are enabled
Disallow multiple destination interfaces on an IPsec firewall policy
Add a new diag test command for fnbamd
Add deregister all option in diagnose endpoint control registration
Redirect kernel messages to non-console terminals
Add FortiExtender supported 3G/4G modem list
Add a new option for STP forwarding
Suppress probe response based on threshold in wireless controller vap
Move global antivirus service settings into profile-protocol-options
Add Ekahau Blink Protocol support and reorganization for station-locate
Implement diagnose command to test flash SSD
Online help improvements
Add iprope check trace in flow trace
Log id-fields reference improvements
Add diagnose debug admin error-log command
Improve hasync debug
Improve interface list and switch mode
Wizard improvement
Allow VIP with port forwarding to permit ICMP
Support captive portal for block notification page
Add diagnose log clear-kernel-state command
Apply new LDAP Tree Browser design to the User Wizard and User Group page
New Join and try requests to FortiCloud for low-end models
Top Features
Unified Policy Management
FortiView Dashboards
SSL Inspection
Web Filtering
Application Control
IPsec VPN Creation Wizard
Captive Portal
FortiAP Management
Flow-based Antivirus
FortiExtender Support
Using a Virtual WAN Link for Redundant Internet Connections
Internet Key Exchange (IKE)
SSL VPN Creation
On-Net Status for FortiClient Devices
System Features
FortiExtender Support
Using a Virtual WAN Link for Redundant Internet Connections
Setting Up a Virtual WAN Link
Setting Up Virtual WAN Link Load Balancing
Directing Traffic to Higher Quality Links
Measured Volume Based Distribution
The Link Monitor
FortiGuard Services
Updates from Multiple FortiManager Units
FortiGuard Server List
Using TCP Port 80 to Receive Updates from a FortiManager Unit
Netflow v9.0
Configuring the Global Settings for Netflow Collector and Timers
Using Netflow with VDOMs
Adding Netflow Sampling to an Interface
Viewing the Configuration
DHCP Server Configuration
Improvements to Aggregate/Redundant Interfaces
Minimum Number of Links in an Aggregation
Avoiding Traffic Disturbances
Setting the Link Up Delay Period
Enabling Priority Override
Link Layer Description Protocol
CPU and Memory Usage per VDOM
Custom Languages for Guest Management and SSL VPN Portals
Packet Capture Options for Admin Profiles
FortiCloud Modem List
SPAN Support for Hard-Switch Interfaces
Setting the Service and AC-name in PPPoE PADI/PADO Negotiations
Disabling FortiExplorer, the USB MGMT Port, and the Serial Console
Port Kernel Profiling
Using a Second Destination IP (VRDST)
Session Rate Stats per VDOM
Disable Honoring the Don't-Fragment Flag
Disable Login Time Recording
Per-IP-Bandwidth-Usage Feature Removed
Modem Support
Usability Enhancements
FortiView Dashboards
Sources
Applications
Cloud Applications
Destinations
Web Sites
Threats
All Sessions
Drilldown Options
Sniffer Traffic Support
FortiExplorer Setup Wizard Improvements
Removed Features
FortiWiFi
Internet Access
Remote VPN
AntiVirus Inspection Mode
Interfaces List Improvements
Dragging Objects Between Policies in the Policy List
Cloning Table Objects
DHCP-related Improvements in the Web-based Manager
System Resources Widget
License Information Widget
USB Modem Widget
New Feature Settings Preset
Improved Banned User List Page
Replacement Message Improvements
Sorting and Filtering Support for the Virtual IP list
Web-based Manager Options for the FortiGate-30D
Firewall
Menu Simplification
Policies
Objects
Groups
Traffic Shapers
Unified Policy Management
Importing LDAP Users for a Security Policy
Dynamic VIP According to DNS Translation
GTP Rate Limiting
Per-Stream Rate Limiting
Per-APN Rate Limiting Profiles
Object UUID Support
Configuring the Class of Service Bit
Hairpinning for NAT64 and NAT46
Maximum Number of Available Virtual IPs Increased
Security Profiles
Menu and Options Simplification
AntiVirus
Flow-based Profile Options
Proxy Options
Web Filter
Intrusion Protection
Application Control
Advanced Options
SSL Inspection
Automatic Inspection When Security Profiles are Used
HTTPS Scanning Without Deep Inspection
SSL/Deep Inspection Exemptions
Generating Unique CA and Server Certificates
Server Certificates
Web Filtering
HTTPS for Warnings and Authentication
Modifying HTTP Request Headers
Restrict Google Access to Corporate Accounts
Referer Added to URL Filtering
FortiGuard Rating Checks for Images, JavaScript, CSS, and CRL
Additional Replacement Message Variables
New Daemon for Overrides and Warnings
Application Control
Deep Inspection for Cloud Applications
Traffic Shaping Settings
5-Point-Risk Rating
Replacement Message
Support for SPDY Protocol
Support for Non-HTTP WAN Optimization and Explicit Proxy Traffic
Flow-based Antivirus
Intrusion Protection System (IPS)
Adjusting Rate Based Signatures
Extensible Meta Data
Extended Database
Support for Non-HTTP WAN Optimization and Explicit Proxy Traffic
Vulnerability Scanning Visibility
Removed IM Proxy Options from the CLI
Client Reputation
IPsec VPN
VPN Creation Wizard
New Menu
Expanded VPN Options
Tunnel Templates
Internet Key Exchange (IKE)
Multiple Interfaces
Mode-Configuration
Certificates Groups
Authentication Methods
Inheriting Groups from the Security Policy
Assigning Client IP Addresses Using the DHCP Proxy
Transform Matching
Cookie Notification
Assign Client IP Addresses Using DHCP Proxy
IKEv1 Mesh Selectors
Message ID Sync for High Availability
Dynamic IPsec Route Control
add-route
Blocking IPsec SA Negotiation
Default Lifetimes and Proposal Values
Prioritizing DH Group Configuration
IPv6 Support for IPsec Phase 2
IPsec VPN Support with the FortiController-5103B
SSL VPN
SSL VPN Configuration
VPN Settings
VPN Portal
Creating the Firewall Policy
ECDSA Local Certificates
Host Security Check Error Replacement Message
Authentication
Captive Portal
External Captive Portals
Using Groups from the Security Policy
Exempting a Policy
Replacement Messages
User Authentication via a POP3 Server
Limiting Guest User Accounts
Nested Group Search in LDAP Authentication
Password Length for User Authentication
Certificates for Policy Authentication
Authentication Blackouts
Single Sign-On for Guest Accounts
Managing Devices
On-Net Status for FortiClient Devices
Endpoint Licenses
URL Filter Lists in Endpoint Control
FortiGuard Categories Consistency with FortiClient
Default Device Groups
Device Detection for Traffic Not Flowing Through the FortiGate
Wireless Networking
FortiAP Management
Manually Selecting AP Profiles
AP Scanning
Radio Settings Summary
CLI Console Access
Split Tunneling for Wireless Traffic
Captive Portal for WiFi
New Configuration Options
WPA Personal Security + Captive Portal
New Wireless Health Charts
RADIUS Accounting
802.11ac and DARRP Support
Data Channel DTLS in Kernel
IPv6
IPv6 Address Ranges
TCP MSS Values
RSSO Support
FortiManager Connections
Geographical Database
High Availability
DHCP and PPPoE Support for Active-Passive Mode
VRRP Support
VRRP Groups
Using a Second Destination IP (VRDST)
Trigger Failover
Synchronizing a GTP Tunnel over Physical Ports
IPv6 Management Interface Gateway
WAN Optimization, Web Cache, and Explicit Proxy
Explicit Proxy Policy Table - for explicit web proxy, explicit FTP proxy and WAN optimization policies
Distributing Explicit Web Proxy Traffic to Multiple CPU Cores
Proxy Header Control
Explicit Web Proxy SOCKS services support for TCP and UDP traffic
Preventing the explicit web proxy from changing source addresses
Explicit web proxy firewall address URL patterns
URL patterns and HTTPS scanning
Advanced Routing
BGP Neighbor Groups
OSPF Fast Hello
BGP Conditional Advertising
Source and Destination IP-based Mode for ECMP
Policy Routes
Logging and Reporting
Traffic and UTM Logging Improvements
FortiGate Daily Security Report
GTP Logging Improvements
GTP-U Logging
GTP Event Log
Flash-based Logging Disabled on Some Models
Accessing Policy-specific Logs from the Policy List
IPS Event Context Data in Log Messages
Sniffer Traffic Log
Selecting Sources for Reports
Threat Weight
Disk Usage Information in System Event Logs
Event Log Generated When a Crash Occurs
Displaying FortiFlow Names
Other New Features
SIP Traffic is Handled by the SIP ALG by Default
Changing the Header Name of Load Balanced HTTP/HTTPS Traffic
TOS and DSCP Support for Traffic Mapping
RFC List
Chapter 2 Getting Started
Differences between Models
Features
Names
Menus
Installation
NAT/Route Mode vs Transparent Mode
Installing a FortiGate in NAT/Route Mode
Selecting an Internal Switch mode
Switch mode vs Interface mode
Hardware Switches vs Software Switches
Standard Installation in NAT/Route Mode
Redundant Internet Installation in NAT/Route Mode
Installing a FortiGate in Transparent Mode
Troubleshooting your FortiGate Installation
Using the Web-Based Manager
Connecting to the web-based manager
FortiExplorer
Web browser
Menus
Dashboards
Status Dashboard
Custom Dashboards
System Information
System Resources
USB Modem
License Information
Alert Message Console
Advanced Threat Protection Statistics
Unit Operation
CLI Console
Features
RAID monitor widget
Interface History
All Sessions
FortiView Dashboards
Sources
Applications
Cloud Applications
Destinations
Web Sites
Threats
All Sessions
Drilldown Options
Feature settings
Enabling/disabling features
Security Features Presets
Information tables
Navigation
Adding filters to web-based manager lists
Using column settings
Text strings
Entering text strings (names)
Entering numeric values
Basic Administration
Registration
System Settings
Default administrator password
Language
Time and date
Idle timeout
Administrator password retries and lockout time
Administrative port settings
Changing the host name
RAID disk configuration
Firmware
Backing up the current configuration
Downloading firmware
Testing new firmware before installing
Upgrading the firmware - web-based manager
Upgrading the firmware - CLI
Installing firmware from a system reboot using the CLI
Reverting to a previous firmware version - web-based manager
Reverting to a previous firmware version - CLI
Restore from a USB key - CLI
Configuration revision
Controlled upgrade
FortiGuard
Support Contract and FortiGuard Subscription Services
Verifying your Connection to FortiGuard
Verification - web-based manager
Verification - CLI
Port assignment
Configuring Antivirus and IPS Options
Manual updates
Automatic updates
Scheduling updates
Push updates
Push IP override
Configuring Web Filtering and Email Filtering Options
Email filtering
Online Security Tools
FortiCloud
Registration and Activation
Enabling logging to FortiCloud
Logging into the FortiCloud portal
Upgrading to a 200Gb subscription
Cloud Sandboxing
Administrators
Adding administrators
LDAP Admin Access and Authorization
Configure the LDAP server
Add the LDAP server to a user group
Configure the administrator account
Monitoring administrators
Administrator profiles
super_admin profile
Creating profiles
Global and VDOM profiles
Regular (password) authentication for administrators
Management access
Security Precautions
Preventing unwanted login attempts
Prevent multiple admin sessions
Segregated administrative roles
Disable admin services
SSH login time out
Idle time-out
HTTPS redirect
Log in/out warning message
Disable the console interface
Disable interfaces
RADIUS authentication for administrators
Configuring LDAP authentication for administrators
TACACS+ authentication for administrators
PKI certificate authentication for administrators
Passwords
Password policy
Lost Passwords
Configuration Backups
Backing up the configuration using the web-based manager
Backing up the configuration using the CLI
Backup and restore the local certificates
Backup and restore a configuration file using SCP
Enable SSH access on the interface
Using the SCP client
SCP public-private key authentication
Restoring a configuration using SCP
Restoring a configuration
Configuration revisions
Restore factory defaults
Next Steps
Best Practices
The FortiGate Cookbook
The Fortinet Video Library
The FortiOS Handbook
Chapter 3 Advanced Routing
Advanced Static Routing
Routing concepts
Routing in VDOMs
Default route
Adding a static route
Routing table
Viewing the routing table in the web-based manager
Viewing the routing table in the CLI
Searching the routing table
Building the routing table
Static routing security
Network Address Translation (NAT)
Access Control List (ACL)
Blackhole Route
Reverse path lookup
Multipath routing and determining the best route
Route priority
Troubleshooting static routing
Ping
Traceroute
Examine routing table contents
Static routing tips
Always configure a default route
Have an updated network plan
Plan for expansion
Configure as much security as possible
Policy routing
Adding a policy route
Example policy route
Type of Service
Moving a policy route
Transparent mode static routing
Static routing example
Network layout and assumptions
General configuration steps
Get your ISP information such as DNS, gateway, etc.
Configure FortiGate unit
Configure the internal interface (port1)
Configure the external interface (port2)
Configure networking information
Configure basic security policies
Configure static routing
Configure Admin PC and Dentist PCs
Configure other PCs on the local network
Testing network configuration
To test that PCs on the local network can communicate
To test that Internet_PCs can reach the Internet
Advanced static example: ECMP failover and load balancing
Equal-Cost Multi-Path (ECMP)
ECMP routing of simultaneous sessions to the same destination IP address
Configuring interface status detection for gateway load balancing
Configuring spillover or usage-based ECMP
Detailed description of how spill-over ECMP selects routes
Determining if an interface has exceeded its Spillover Threshold
Configuring weighted static route load balancing
Dynamic Routing Overview
What is dynamic routing?
Comparing static and dynamic routing
Dynamic routing protocols
Classful versus classless routing protocols
Interior versus exterior routing protocols
Distance vector versus link-state protocols
Minimum configuration for dynamic routing
Comparison of dynamic routing protocols
Features of dynamic routing protocols
Routing protocols
Routing algorithm
Authentication
Convergence
IPv6 Support
When to adopt dynamic routing
Budget
Current network size and topology
Expected network growth
Available resources for ongoing maintenance
Choosing a routing protocol
Answer questions about your network
Evaluate your chosen protocol
Implement your dynamic routing protocol
Dynamic routing terminology
Aggregated routes and addresses
Autonomous system (AS)
Area border router (ABR)
Neighbor routers
Route maps
Access lists
Bi-directional forwarding detection (BFD)
IPv6 in dynamic routing
Routing Information Protocol (RIP)
RIP background and concepts
Background
RIP v1
RIP v2
RIPng
Parts and terminology of RIP
RIP and IPv6
Default information originate option
Update, Timeout, and Garbage timers
Authentication and key-chain
Access Lists
How RIP works
RIP versus static routing
RIP metric — hop count
The Bellman–Ford routing algorithm
Passive versus active RIP interfaces
RIP packet structure
Troubleshooting RIP
Routing Loops
Routing loops’ effect on the network
How can you spot a routing loop
Action to take on discovering a routing loop
Holddowns and Triggers for updates
Holddown Timers
Triggers
Split horizon and Poison reverse updates
Debugging IPv6 on RIPng
Simple RIP example
Network layout and assumptions
Basic network layout
Assumptions
General configuration steps
Configuring the FortiGate units system information
Configure the hostname, interfaces, and default route
Configuring FortiGate unit RIP router information
Configuring other networking devices
Testing network configuration
RIPng — RIP and IPv6
Network layout and assumptions
Basic network layout
Assumptions
Configuring the FortiGate units system information
Configuring RIPng on FortiGate units
Configuring other network devices
Testing the configuration
Testing the IPv6 RIPng information
Border Gateway Protocol (BGP)
BGP background and concepts
Background
Parts and terminology of BGP
BGP and IPv6
Roles of routers in BGP networks
Confederations
BGP conditional advertisements
BGP Neighbor Groups
Network Layer Reachability Information (NLRI)
BGP attributes
AS_PATH
MULTI_EXIT_DESC (MED)
COMMUNITY
NEXT_HOP
ATOMIC_AGGREGATE
ORIGIN
How BGP works
IBGP versus EBGP
BGP path determination — which route to use
Decision phase 1
Decision phase 2
Decision phase 3
Aggregate routes and addresses
Troubleshooting BGP
Clearing routing table entries
Route flap
Holddown timer
Dampening
Graceful restart
Bi-directional forwarding detection (BFD)
Dual-homed BGP example
Why dual home?
Potential dual homing issues
Network layout and assumptions
Assumptions
Configuring the FortiGate unit
Configure interfaces and default routes
Configure firewall services, addresses, and policies
Set the FortiGate BGP information
Add the internal network to the AS
Add BGP neighbor information
Additional FortiGate BGP configuration
Configuring other networking devices
Testing this configuration
Testing network connectivity
Verifying the FortiGate unit’s routing tables
Verifying traffic routing
Verifying the dual-homed side of the configuration
Redistributing and blocking routes in BGP
Network layout and assumptions
Assumptions
Configuring the FortiGate unit
Configuring the FortiGate unit — networks and firewalls
Configuring the FortiGate unit - BGP
Configuring the FortiGate unit - OSPF
Configuring other networking devices
Configuring ECMP support for BGP
Testing network configuration
Open Shortest Path First (OSPF)
OSPF Background and concepts
Background
The parts and terminology of OSPF
OSPFv3 and IPv6
Router ID
Adjacency
Designated router (DR) and backup router (BDR)
Area
Authentication
Hello and dead intervals
Access Lists
How OSPF works
OSPF router discovery
How OSPF works on FortiGate units
External routes
Link-state Database (LSDB) and route updates
OSPF packets
Troubleshooting OSPF
Clearing OSPF routes from the routing table
Checking the state of OSPF neighbors
Passive interface problems
Timer problems
Bi-directional Forwarding Detection (BFD)
Authentication issues
DR and BDR election issues
Basic OSPF example
Network layout and assumptions
Assumptions
Configuring the FortiGate units
Configuring Router1
Configuring Router2
Configuring Router3
Configuring OSPF on the FortiGate units
Configuring OSPF on Router1
Configuring OSPF on Router2
Configuring OSPF on Router3
Configuring other networking devices
Testing network configuration
Advanced inter-area OSPF example
Network layout and assumptions
Assumptions
Configuring the FortiGate units
Configuring Router1
Configuring Router2
Configuring Router3
Configuring Router4
Configuring OSPF on the FortiGate units
Configuring other networking devices
Testing network configuration
Controlling redundant links by cost
Adjusting the route costs
Verifying route redundancy
Intermediate System to Intermediate System Protocol (IS-IS)
IS-IS background and concepts
Background
How IS-IS works
IS-IS versus static routing
TLV
LSP structure
Parts and terminology of IS-IS
DIS election and pseudonode LSP
Packet types
Default routing
Timer options
Authentication
Integrated IS-IS
Troubleshooting IS-IS
Routing loops
Routing loop effect on the network
How can you spot a routing loop
Action to take on discovering a routing loop
Split horizon and Poison reverse updates
Simple IS-IS example
Network layout and assumptions
Expectations
CLI configuration
Verification
Troubleshooting
Debugging IPv6 on IS-ISng
Chapter 4 Authentication
Introduction to authentication
What is authentication?
Methods of authentication
Local password authentication
Server-based password authentication
Certificate-based authentication
Certificate authorities
Certificates for users
Two-factor authentication
Types of authentication
Security policy authentication
FSSO
NTLM
Certificates
RADIUS SSO
FortiGuard Web Filter override authentication
VPN authentication
Authenticating IPsec VPN peers (devices)
Authenticating IPsec VPN users
Authenticating SSL VPN users
Authenticating PPTP and L2TP VPN users
Single Sign On authentication for users
User’s view of authentication
Web-based user authentication
VPN client-based authentication
FortiGate administrator’s view of authentication
General authentication settings
Authentication servers
FortiAuthenticator servers
RADIUS servers
Microsoft RADIUS servers
RADIUS user database
RADIUS authentication with a FortiGate unit
RADIUS attribute value pairs
Vendor-specific attributes
Role Based Access Control
Configuring the FortiGate unit to use a RADIUS server
Troubleshooting RADIUS
LDAP servers
Components and topology
Binding
Supported versions
LDAP directory organization
Locating your identifier in the hierarchy
Configuring the FortiGate unit to use an LDAP server
password-expiry-warning and password-renewal
Using the Query icon
Example — wildcard admin accounts - CLI
Configuring the LDAP server
Configuring the admin account
Example of LDAP to allow Dial-in through member-attribute - CLI
Configuring LDAP member-attribute settings
Configuring LDAP group settings
Troubleshooting LDAP
LDAP user test
LDAP authentication debugging
TACACS+ servers
Configuring a TACACS+ server on the FortiGate unit
POP3 servers
SSO servers
RSA ACE (SecurID) servers
Components
Configuring the SecurID system
Using the SecurID user group for authentication
Security policy
IPsec VPN XAuth
PPTP VPN
SSL VPN
Users and user groups
Users
Local and remote users
Removing users
Removing references to users
PKI or peer users
Creating a peer user
Two-factor authentication
Certificate
Email
SMS
FortiToken
The FortiToken authentication process
Adding FortiTokens to the FortiGate
Activating a FortiToken on the FortiGate
Associating FortiTokens with accounts
FortiToken maintenance
IM users
Monitoring users
Filtering the list of users
User groups
Firewall user groups
SSL VPN access
IPsec VPN access
Configuring a firewall user group
Multiple group enforcement support
User group timeouts
SSO user groups
Configuring Peer user groups
Viewing, editing and deleting user groups
Editing a user group
Deleting a user group
Managing Guest Access
Introduction
User’s view of guest access
Administrator’s view of guest access
Configuring guest user access
Creating guest management administrators
Creating guest user groups
Creating guest user accounts
Guest Management Account List
Guest access in a retail environment
Creating an email harvesting portal
Creating the security policy
Checking for harvested emails
Configuring authenticated access
Authentication timeout
Security authentication timeout
SSL VPN authentication timeout
Password policy
Configuring password minimum requirement policy
Password best practices
Maximum logon attempts and blackout period
Authentication protocols
Authentication in Captive Portals
Authentication in security policies
Enabling authentication protocols
Authentication replacement messages
Access to the Internet
Configuring authentication security policies
Disclaimer
Customizing authentication replacement messages
Enabling security logging
Identity-based policy
NTLM authentication
NTLM guest access
NTLM enabled browsers - CLI
Certificate authentication
Restricting number of concurrent user logons
VPN authentication
Configuring authentication of SSL VPN users
Configuring authentication timeout
Configuring authentication of remote IPsec VPN users
Configuring XAuth authentication
Configuring authentication of PPTP VPN users and user groups
Configuring authentication of L2TP VPN users/user groups
Captive portals
Introduction to Captive Portals
Configuring a captive portal
Exemption from the captive portal
Customizing captive portal pages
Changing images in portal messages
Modifying text in portal messages
Certificate-based authentication
What is a security certificate?
Certificates overview
Certificates and protocols
SSL and HTTPS
Certificate-related protocols
IPsec VPNs and certificates
Certificate types on the FortiGate unit
Local certificates
Remote certificates
CA root certificates
Certificate revocation list
Certificate signing
Managing X.509 certificates
Generating a certificate signing request
Generating certificates with CA software
Server certificate
CA certificate
PKI certificate
Obtaining and installing a signed server certificate from an external CA
Installing a CA root certificate and CRL to authenticate remote clients
Troubleshooting certificates
Certificate is reported as expired when it is not
A secure connection cannot be completed (Certificate cannot be found)
Online updates to certificates and CRLs
Local certificates
CA certificates
Certificate Revocation Lists
Backing up and restoring local certificates
Configuring certificate-based authentication
Authenticating administrators with security certificates
Authenticating SSL VPN users with security certificates
Authenticating IPsec VPN users with security certificates
Example — Generate a CSR on the FortiGate unit
Example — Generate and Import CA certificate with private key pair on OpenSSL
Assumptions
Generating and importing the CA certificate and private key
Example — Generate an SSL certificate in OpenSSL
Assumptions
Generating a CA signed SSL certificate
Generating a self-signed SSL certificate
Import the SSL certificate into FortiOS
SSO using a FortiAuthenticator unit
User’s view of FortiAuthenticator SSO authentication
Administrator’s view of FortiAuthenticator SSO authentication
Configuring the FortiAuthenticator unit
Configuring the FortiGate unit
Adding a FortiAuthenticator unit as an SSO agent
Configuring an FSSO user group
Configuring security policies
Configuring the FortiClient SSO Mobility Agent
Viewing SSO authentication events on the FortiGate unit
Single Sign-On to Windows AD
Introduction to Single Sign-On with Windows AD
Configuring Single Sign On to Windows AD
Configuring LDAP server access
Creating Fortinet Single Sign-On (FSSO) user groups
Default FSSO group
Configuring the LDAP Server as a Single Sign-On server
Creating security policies
Enabling guest access through FSSO security policies
FortiOS FSSO log messages
Enabling authentication event logging
Testing FSSO
Troubleshooting FSSO
General troubleshooting tips for FSSO
Users on a particular computer (IP address) cannot access the network
Solutions
Guest users do not have access to network
Solution
Agent-based FSSO
Introduction to agent-based FSSO
Introduction to FSSO agents
Domain Controller (DC) agent
eDirectory agent
Citrix/Terminal Server (TS) agent
Collector (CA) agent
FSSO for Windows AD
DC Agent mode
Polling mode
Collector agent AD Access mode - Standard versus Advanced
FSSO for Citrix
FSSO for Novell eDirectory
FSSO security issues
FSSO NTLM authentication support
NTLM in a multiple domain environment
Agent installation
Collector agent installation
DC agent installation
Installing FSSO without using an administrator account
Citrix TS agent installation
Novell eDirectory agent installation
Updating FSSO agents on Windows AD
Configuring the FSSO Collector agent for Windows AD
Configuring Windows AD server user groups
Configuring Collector agent settings
Selecting Domain Controllers and working mode for monitoring
Configuring Directory Access settings
BaseDN example
Configuring the Ignore User List
Configuring FortiGate group filters
Configuring FSSO ports
TCP ports for FSSO agent with client computers
Configuring ports on the Collector agent computer
Configuring alternate user IP address tracking
Viewing FSSO component status
Viewing Collector agent status
Viewing DC agent status
Configuring the FSSO TS agent for Citrix
Configuring the FSSO eDirectory agent for Novell eDirectory
Configuring the eDirectory agent
Adding an eDirectory server
Configuring a group filter
Configuring FSSO on FortiGate units
Configuring LDAP server access
Specifying your Collector agents or Novell eDirectory agents
Creating Fortinet Single Sign-On (FSSO) user groups
Creating security policies
Users belonging to multiple groups
Enabling guest access through FSSO security policies
FortiOS FSSO log messages
Enabling authentication event logging
Testing FSSO
Troubleshooting FSSO
General troubleshooting tips for FSSO
User status “Not Verified” on the Collector agent
Solution
After initial configuration, there is no connection to the Collector agent
Solution
Collector Agent service freezing and shutting down
Solution
FortiGate performance is slow on a large network with many users
Solution
Users from the Windows AD network are not able to access the network
Solutions
Users on a particular computer (IP address) cannot access the network
Solutions
Guest users do not have access to network
Solution
Can’t find the DCagent service
Solution
User logon events not received by FSSO Collector agent
User list from Windows AD is empty
Solution
Mac OS X users can’t access external resources after waking from sleep mode
Solution
SSO using RADIUS accounting records
User’s view of RADIUS SSO authentication
Configuration Overview
Configuring the RADIUS server
Creating the FortiGate RADIUS SSO agent
Selecting which RADIUS attributes are used for RSSO
Configuring logging for RSSO
Defining local user groups for RADIUS SSO
Creating security policies
Example: web filtering for student and teacher accounts
Monitoring authenticated users
Monitoring firewall users
Monitoring SSL VPN users
Monitoring IPsec VPN users
Monitoring banned users
Examples and Troubleshooting
Firewall authentication example
Overview
Creating a locally-authenticated user account
Creating a RADIUS-authenticated user account
Creating user groups
Creating the FSSO user group
Creating the Firewall user group
Defining policy addresses
Creating security policies
LDAP Dial-in using member-attribute
RADIUS SSO example
Assumptions
Topology
General configuration
Configuring RADIUS
Configuring FortiGate interfaces
Configuring a RADIUS SSO Agent on the FortiGate unit
Creating a RADIUS SSO user group
Configuring FortiGate regular and RADIUS SSO security policies
Schedules, address groups, and services groups
Configuring regular security policies
Configuring RADIUS SSO security policy
Testing
Troubleshooting
Chapter 5 FortiOS Carrier
Overview of FortiOS Carrier features
Overview
MMS
GTP
Registering FortiOS Carrier
MMS background
MMS content interfaces
How MMS content interfaces are applied
How FortiOS Carrier processes MMS messages
FortiOS Carrier and MMS content scanning
MM1 Content Scanning
Filtering message retrieval
FortiOS Carrier and MMS duplicate messages and message floods
MMS protection profiles
Bypassing MMS protection profile filtering based on carrier endpoints
Applying MMS protection profiles to MMS traffic
GTP basic concepts
PDP Context
Creating a PDP context
Terminating a PDP context
GPRS security
GPRS authentication
Parts of a GTPv1 network
Radio access
Transport
GTP
GTPv0
GTPv1
GTPv1-C
GTPv1-U
GGSN
SGSN
GTPv2
GTPv2-C
MME
Billing and records
GTP’ (GTP prime)
HLR
VLR
GPRS network common interfaces
Interfaces between devices on the network
Packet flow through the GPRS network
SCTP
Overview
State required at each endpoint
Reliable data transfer
Congestion control and avoidance
Message boundary conservation
Path MTU discovery and message fragmentation
Message bundling
Multi-homed hosts support
Multi-stream support
Unordered data delivery
Security cookie against SYN flood attack
Built-in heartbeat (reachability check)
SCTP Firewall
SCTP example scenario
Carrier web-based manager settings
MMS profiles
MMS profile configuration settings
MMS scanning options
MMS bulk email filtering options
MMS Address Translation options
MMS Notifications
DLP Archive options
Logging
MMS Content Checksum
Notification List
Notification list configuration settings
Message Flood
Message flood configuration settings
Duplicate Message
Duplicate message configuration settings
Carrier Endpoint Filter Lists
Carrier endpoint filter lists configuration settings
GTP Profile
GTP profile configuration settings
General settings options
Message type filtering options
APN filtering options
Basic filtering options
Advanced filtering options
Adding an advanced filtering rule
Information Element (IE) removal policy options
Encapsulated IP traffic filtering options
Encapsulated non-IP end user traffic filtering options
Protocol Anomaly prevention options
Anti-Overbilling options
Log options
Specifying logging types
MMS Security features
Why scan MMS messages for viruses and malware?
Example: COMMWARRIOR
MMS virus scanning
MMS virus monitoring
MMS virus scanning blocks messages (not just attachments)
Scanning MM1 retrieval messages
Configuring MMS virus scanning
Removing or replacing blocked messages
Carrier Endpoint Block
Enabling carrier endpoint blocking
Create a carrier endpoint filter list
Configuring endpoint filter list entries
Blocking network access based on endpoints
MMS Content Checksum
Passing or blocking fragmented messages
Client comforting
MM1 and MM7 client comforting steps
Server comforting
Handling oversized MMS messages
MM1 sample messages
HTTP proxy
Scan engine
Sender notifications and logging
MMS notifications
Replacement messages
Logging and reporting
MMS logging options
SNMP
MMS content-based Antispam protection
Overview
Configurable dictionary
Black listing
White listing
Scores and thresholds
Configuring content-based antispam protection
Configuring sender notifications
MMS notifications
Replacement messages
MMS DLP archiving
Configuring MMS DLP archiving
Viewing DLP archives
Message flood protection
Setting message flood thresholds
Example
Flood actions
Notifying administrators of floods
Example — three flood threshold levels with different actions for each threshold
Notifying message flood senders and receivers
Responses to MM1 senders and receivers
Forward responses for MM4 message floods
Viewing DLP archived messages
Order of operations: flood checking before duplicate checking
Bypassing message flood protection based on user’s carrier endpoints
Configuring message flood detection
Sending administrator alert notifications
Configuring how and when to send alert notifications
Configuring who to send alert notifications to
Duplicate message protection
Using message fingerprints to identify duplicate messages
Messages from any sender to any recipient
Setting duplicate message thresholds
Duplicate message actions
Notifying duplicate message senders and receivers
Responses to MM1 senders and receivers
Forward responses for duplicate MM4 messages
Viewing DLP archived messages
Order of operations: flood checking before duplicate checking
Bypassing duplicate message detection based on user’s carrier endpoints
Configuring duplicate message detection
Sending administrator alert notifications
Configuring how and when to send alert notifications
Configuring who to send alert notifications to
Configuring GTP on FortiOS Carrier
GTP support on the Carrier-enabled FortiGate unit
Packet sanity checking
GTP stateful inspection
Protocol anomaly detection and prevention
HA
Virtual domain support
Configuring General Settings on the Carrier-enabled FortiGate unit
Configuring Encapsulated Filtering in FortiOS Carrier
Configuring Encapsulated IP Traffic Filtering
When to use encapsulated IP traffic filtering
Configuring Encapsulated Non-IP End User Address Filtering
Configuring the Protocol Anomaly feature in FortiOS Carrier
Configuring Anti-overbilling in FortiOS Carrier
Overbilling in GPRS networks
Anti-overbilling with FortiOS Carrier
Logging events on the Carrier-enabled FortiGate unit
GTP message type filtering
Common message types on carrier networks
GTP-C messages
Path Management Messages
Tunnel Management Messages
Location Management Messages
Mobility Management Messages
GTP-U messages
MBMS messages
GTP-U and Charging Management Messages
Unknown Action messages
Configuring message type filtering in FortiOS Carrier
Message Type Fields
Unknown Message Action
Path Management Messages
Tunnel Management Messages
Location Management Messages
Mobility Management Messages
MBMS messages
GTP-U and Charging Management Messages
GTP identity filtering
IMSI on carrier networks
Other identity and location based information elements
Access Point Name (APN)
Access Point Name (APN)
Mobile Subscriber Integrated Services Digital Network (MSISDN)
Radio Access Technology (RAT) type
User Location Information (ULI)
Routing Area Identifier (RAI)
International Mobile Equipment Identity (IMEI)
When to use APN, IMSI, or advanced filtering
Configuring APN filtering in FortiOS Carrier
Configuring IMSI filtering in FortiOS Carrier
Configuring advanced filtering in FortiOS Carrier
Troubleshooting
FortiOS Carrier diagnose commands
GTP related diagnose commands
Applying IPS signatures to IP packets within GTP-U tunnels
GTP packets are not moving along your network
Attempt to identify the section of your network with the problem
Ensure you have an APN configured
Check the logs and adjust their settings if required
Check the routing table
Perform a sniffer trace
What can sniffing packets tell you
How to sniff packets
Generate specific packets to test the network
Chapter 6 Deploying Wireless Networks
Introduction to wireless networking
Wireless concepts
Bands and channels
Power
Antennas
Security
Whether to broadcast SSID
Encryption
Separate access for employees and guests
Captive portal
Power
Monitoring for rogue APs
Suppressing rogue APs
Wireless Intrusion Detection (WIDS)
Authentication
Wireless networking equipment
FortiWiFi units
FortiAP units
Deployment considerations
Types of wireless deployment
Deployment methodology
Evaluating the coverage area environment
Positioning access points
Selecting access point hardware
Single access point networks
Multiple access point networks
Fast Roaming
WiFi Mesh Network
Automatic Radio Resource Provisioning
Configuring a WiFi LAN
Overview of WiFi controller configuration
About SSIDs on FortiWiFi units
Process to create a wireless network
Setting your geographic location
Creating a FortiAP Profile
Defining a wireless network interface (SSID)
Configuring DHCP for WiFi clients
Configuring security
WPA-Personal security
WPA-Enterprise security
Captive Portal security
Adding a MAC filter
Multicast enhancement
Dynamic VLAN assignment
Configuring user authentication
WPA2 Enterprise authentication
Creating a wireless user group
MAC-based authentication
Authenticating guest WiFi users
Configuring firewall policies for the SSID
Configuring the built-in access point on a FortiWiFi unit
Access point deployment
Overview
Network topology for managed APs
Discovering and authorizing APs
Configuring the network interface for the AP unit
Pre-authorizing a FortiAP unit
Enabling and configuring a discovered AP
Assigning the same profile to multiple FortiAP units
Connecting to the FortiAP CLI
Checking and updating FortiAP unit firmware
Checking the FortiAP unit firmware version
Updating FortiAP firmware from the FortiGate unit
Updating FortiAP firmware from the FortiAP unit
Advanced WiFi controller discovery
Controller discovery methods
Static IP configuration
Broadcast request
Multicast request
DHCP
Wireless client load balancing for high-density deployments
Access point hand-off
Frequency hand-off or band-steering
Configuration
LAN port options
Bridging a LAN port with an SSID
Bridging a LAN port with the WAN port
Configuring FortiAP LAN ports
Preventing IP fragmentation of packets in CAPWAP tunnels
Wireless Mesh
Overview of Wireless Mesh
Wireless mesh deployment modes
Firmware requirements
Types of wireless mesh
Configuring a meshed WiFi network
Creating custom AP profiles
Configuring the mesh root AP
Configuring the mesh branches or leaves
Authorizing mesh branch/leaf APs
Viewing the status of the mesh network
Configuring a point-to-point bridge
WiFi-Ethernet Bridge Operation
Bridge SSID to FortiGate wired network
VLAN configuration
Additional configuration
FortiAP local bridging (Private Cloud-Managed AP)
Continued FortiAP operation when WiFi controller connection is down
Using bridged FortiAPs to increase scalability
Protecting the WiFi Network
Wireless IDS
Rogue AP detection
WiFi data channel encryption
Configuring encryption on the FortiGate unit
Configuring encryption on the FortiAP unit
Wireless network monitoring
Monitoring wireless clients
Monitoring rogue APs
On-wire rogue AP detection technique
Exact MAC address match
MAC adjacency
Limitations
Logging
Rogue AP scanning as a background activity
Configuring rogue scanning
Exempting an AP from rogue scanning
MAC adjacency
Using the Rogue AP Monitor
Suppressing rogue APs
Monitoring wireless network health
Configuring wireless network clients
Windows XP client
Windows 7 client
Mac OS client
Linux client
Troubleshooting
Checking that client received IP address and DNS server information
Windows XP
Mac OS
Linux
Wireless network examples
Basic wireless network
Configuring authentication for wireless users
Configuring the SSID
Adding the SSID to the FortiAP Profile
Configuring firewall policies
Connecting the FortiAP units
A more complex example
Scenario
Configuration
Configuring authentication for employee wireless users
Configuring authentication for guest wireless users
Configuring the SSIDs
Configuring the FortiAP profile
Configuring firewall policies
Connecting the FortiAP units
Using a FortiWiFi unit as a client
Use of client mode
Configuring client mode
Support for location-based services
Overview
Configuring location tracking
Viewing device location data on the FortiGate unit
Example output
Reference
Wireless radio channels
IEEE 802.11a/n channels
IEEE 802.11b/g/n channel numbers
FortiAP CLI
FortiAP web-based manager
System Information
Status
Network Configuration
Connectivity
WTP Configuration
Wireless Information
Chapter 7 Firewall
FortiGate Firewall Components
FortiGate Firewall Components
How does a FortiGate Protect Your Network
Firewall concepts
What is a Firewall?
Network Layer or Packet Filter Firewalls
Stateless Firewalls
Stateful Firewalls
Application Layer Firewalls
Proxy Servers
Security Profiles
Advantages of using Security Profiles
IPv6
IPv6 in FortiOS
Dual Stack routing configuration
IPv6 Tunnelling
Tunnel Configurations
Tunnelling IPv6 through IPSec VPN
NAT
The Origins of NAT
Static NAT
Dynamic NAT
Overloading
Overlapping
Benefits of NAT
More IP addresses Available while Conserving Public IP Addresses
Financial Savings
Security Enhancements
Ease of Compartmentalization of Your Network
NAT in Transparent Mode
Example:
Central NAT Table
NAT64 and NAT46
NAT66
How Packets are handled by FortiOS
FortiGate Modes
NAT/Route Mode
Transparent Mode
Quality of Service
Traffic policing
Traffic Shaping
Queuing
Interfaces and Zones
Firewall objects
UUID Support
UUID Support
Addresses
Interfaces
IPv4 Addresses
Subnet Addresses
Creating a Subnet address
Example
IP Range Addresses
Creating an IP Range address
Example
FQDN Addresses
Creating a Fully Qualified Domain Name address
Example
Geography Based Addresses
Creating a Geography address
Example
URL Pattern address
Creating a URL Pattern address
Example
Address Groups
Creating an Address Group
Creating an Address Group
UUID Support
Virtual IPs
UUID Support for VIP
UUID Support for VIP
Dynamic VIP according to DNS translation
Syntax
Creating a Virtual IP
Example
Virtual IP Groups
Creating a Virtual IP Group
IP Pools
Source IP address and IP pool address matching when using a range
Source IP address and IP pool address matching when using a range
ARP Replies
IP pools and zones
Creating a Dynamic IP Pool
Fixed Port
Match-VIP
Services and TCP ports
Categories
Protocol Types
TCP/UDP/SCTP
ICMP or ICMP6
IP
TCP
UDP
SCTP
Specific Addresses in TCP/UDP/SCTP
Protocol Port Values
ICMP
ICMP Types and Codes
ICMPv6
ICMPv6 Types and Codes
IP
Protocol Number
Service Groups
Creating a Service Group
Example Scenario: Using FortiGate services to support Audio/Visual Conferencing
VIP
Creating an address for the subnet
Configuring the services
Services already created:
Existing Services to be edited:
Custom Services that need to be created:
Creating the Service Group
Creating the IPS Security Profile
Policies
Incoming Policy
Outgoing Policy
Firewall schedules
Schedule Groups
Schedule Expiration
Security policies
Firewall policies
Firewall policy parameters
Incoming Interface
Outgoing Interface
Source Address
Destination Address
Schedule
Service
What is not expressly allowed is denied
Policy order
Policy Identification
UUID Support
Security profiles
AntiVirus
Web Filtering
Application Control
Intrusion Protection (IPS)
Email Filtering
Data Leak Prevention (DLP)
VoIP
ICAP
EndPoint Control
Proxy Option Components
The use of different proxy profiles and profile options
Oversized File Log
Protocol Port Mapping
Comfort Clients
Oversized File/Email Threshold
Chunked Bypass
Allow Fragmented Messages
Append Email Signature
SSL/SSH Inspection
Inspection Exemption
Allow Invalid SSL Certificate
Creating or editing an SSL/SSH Inspection profile
Viewing Firewall Policies
How “Any” policy can remove the Section View
Security policy configuration extensions
Identity Based Policies
Identity-based policy positioning
Identity fall through rules
Implicit Protocols
VPN Policies
IPSec Policies
Interface Policies
DoS Protection
Settings used in configuring DoS
One-Arm IDS
IPv6 IPS
Traffic Destined to the FortiGate unit
Dropped, Flooded, Broadcast, Multicast and L2 packets
GUI and CLI
Local-In Policies
Security Policy 0
Deny Policies
Accept Policies
IPv6 Policies
Fixed Port
Endpoint Security
Traffic Logging
Quality of Service
Queuing
Policy Monitor
Upper Pane
Lower Pane
Network defense
Monitoring
Blocking external probes
Address sweeps
Port scans
Probes using IP traffic options
Configure packet replay and TCP sequence checking
Configure ICMP error message verification
Protocol header checking
Evasion techniques
Packet fragmentation
Non-standard ports
Negotiation codes
HTTP URL obfuscation
HTTP header obfuscation
HTTP body obfuscation
Microsoft RPC evasion
Defending against DoS attacks
The “three-way handshake”
SYN flood
SYN spoofing
DDoS SYN flood
Configuring the SYN threshold to prevent SYN floods
SYN proxy
Other flood types
DoS policies
DoS policy recommendations
GUI & CLI - What You May Not Know
Mouse Tricks
Changing the default column setting on the policy page
Example:
Naming Rules and Restrictions
Character Restrictions
Length of Fields Restrictions
Numeric Values
Selecting options from a list
Enabling or disabling options
To Enable or Disable Optionally Displayed Features
Building firewall objects and policies
IPv4 Firewall Addresses
Scenario: Mail Server
Scenario: First Floor Network
Scenario: Marketing Department
Verification
IPv6 Firewall Addresses
Scenario: Mail Server
Scenario: First Floor Network
Verification
FQDN address
Verification
Changing the TTL of a FQDN address
New Geography-based Address
IPv4 Address Group
IPv6 Address Group
Multicast Address
Service Category
TCP/UDP/SCTP Service
ICMP Service
ICMPv6 Service
Service Group
Virtual IP address
VIP Group
IP Pool
Central NAT Table
Firewall Schedule - Recurring
Firewall Schedule - One-time
Schedule Group
Proxy Option
Oversized Files
Option 1
Option 2
DoS Policy
Multicast forwarding
Sparse mode
Dense mode
Multicast IP addresses
PIM Support
Multicast forwarding and FortiGate units
Multicast forwarding and RIPv2
Configuring FortiGate multicast forwarding
Adding multicast security policies
Enabling multicast forwarding
Multicast routing examples
Example FortiGate PIM-SM configuration using a static RP
Configuration steps
FortiGate PIM-SM debugging examples
Checking that the receiver has joined the required group
Checking the PIM-SM neighbors
Checking that the PIM router can reach the RP
Viewing the multicast routing table (FGT-3)
Viewing the PIM next-hop table
Viewing the PIM multicast forwarding table
Viewing the kernel forwarding table
Viewing the multicast routing table (FGT-2)
Viewing the multicast routing table (FGT-1)
Example multicast destination NAT (DNAT) configuration
Example PIM configuration that uses BSR to find the RP
Commands used in this example
Adding a loopback interface (lo0)
Defining the multicast routing
Adding the NAT multicast policy
Configuration steps
Example debug commands
Chapter 8 Hardware Acceleration
Hardware acceleration overview
Content processors (CP4, CP5, CP6 and CP8)
Determining the content processor in your FortiGate unit
Viewing SSL acceleration status
Disabling CP offloading
Security processors (SPs)
SP Processing Flow
Displaying information about security processing modules
Network processors (NP1, NP2, NP3, NP4 and NP6)
Determining the network processors installed on your FortiGate unit
How NP hardware acceleration alters packet flow
NP processors and traffic logging and monitoring
NP session offloading in HA active-active configuration
Configuring NP HMAC check offloading
Offloading NP pre-IPS anomaly detection
Example
Software switch interfaces and NP processors
Configuring NP accelerated VPN encryption/decryption offloading
Example
Checking that traffic is offloaded by NP processors
Using the packet sniffer
Checking the firewall session offload tag
Verifying IPsec VPN traffic offloading
Controlling IPS NPx and CPx acceleration
Dedicated Management CPU
NP6 Acceleration
NP6 session fast path requirements
Packet fast path requirements
Mixing fast path and non-fast path traffic
Viewing your FortiGate NP6 processor configuration
Increasing NP6 offloading capacity using link aggregation groups (LAGs)
Configuring Inter-VDOM link acceleration with NP6 processors
Using VLANs to add more accelerated Inter-VDOM links
Confirm that the traffic is accelerated
Enabling per-session accounting for offloaded NP6 sessions
FortiGate NP6 architectures
FortiGate-500D fast path architecture
FortiGate-1000D fast path architecture
FortiGate-1500D fast path architecture
FortiGate-3700D fast path architecture
FortiGate-5001D fast path architecture
NP4 Acceleration
Viewing your FortiGate’s NP4 configuration
NP4Lite CLI commands (disabling NP4Lite offloading)
Configuring NP4 traffic offloading
NP4 session fast path requirements
Packet fast path requirements
Mixing fast path and non-fast path traffic
NP4 traffic shaping offloading
NP4 IPsec VPN offloading
NP4 IPsec VPN offloading configuration example
Accelerated policy mode IPsec configuration
Accelerated interface mode IPsec configuration
Configuring Inter-VDOM link acceleration with NP4 processors
Using VLANs to add more accelerated Inter-VDOM links
Confirm that the traffic is accelerated
FortiGate NP4 architectures
FortiGate-600C
FortiGate-800C
FortiGate-1000C
FortiGate-1240B
FortiGate-3040B
FortiGate-3140B
FortiGate-3140B — load balance mode
FortiGate-3240C
FortiGate-3600C
XAUI interfaces
FortiGate-3950B and FortiGate-3951B
FortiGate-3950B and FortiGate-3951B — load balance mode
FortiGate-5001C
FortiGate-5001B
Setting switch-mode mapping on the ADM-XD4
Chapter 9 High Availability
FortiOS 5.2 HA new features
FortiOS 5.2 HA new features
Solving the High Availability problem
FortiGate Cluster Protocol (FGCP)
FortiGate Session Life Support Protocol (FGSP)
VRRP
Fortinet redundant UTM protocol (FRUP)
An introduction to the FGCP
About the FGCP
FGCP failover protection
Session Failover
Load Balancing
Virtual Clustering
Full Mesh HA
Cluster Management
Synchronizing the configuration (and settings that are not synchronized)
Configuring FortiGate units for FGCP HA operation
Connecting a FortiGate HA cluster
Active-passive and active-active HA
Active-passive HA (failover protection)
Active-active HA (load balancing and failover protection)
Identifying the cluster and cluster units
Group name
Password
Group ID
Device failover, link failover, and session failover
Primary unit selection
Primary unit selection and monitored interfaces
Primary unit selection and age
Cluster age difference margin (grace period)
Changing the cluster age difference margin
Displaying cluster unit age differences
Resetting the age of all cluster units
Primary unit selection and device priority
Controlling primary unit selection by changing the device priority
Primary unit selection and the FortiGate unit serial number
Points to remember about primary unit selection
Temporarily setting a cluster unit to be the primary unit
HA override
Override and primary unit selection
Controlling primary unit selection using device priority and override
Points to remember about primary unit selection when override is enabled
Configuration changes can be lost if override is enabled
The solution
Override and disconnecting a unit from a cluster
FortiGate HA compatibility with DHCP and PPPoE
HA and distributed clustering
Disk storage configuration and HA
FGCP high availability best practices
Heartbeat interfaces
Interface monitoring (port monitoring)
Troubleshooting
FGCP HA terminology
Cluster
Cluster unit
Device failover
Failover
Failure
FGCP
Full mesh HA
HA virtual MAC address
Heartbeat
Heartbeat device
Heartbeat failover
Hello state
High availability
Interface monitoring
Link failover
Load balancing
Monitored interface
Primary unit
Session failover
Session pickup
Standby state
State synchronization
Subordinate unit
Virtual clustering
Work state
HA web-based manager options
Configuring and connecting HA clusters
About the procedures in this chapter
Example: NAT/Route mode active-passive HA configuration
Example NAT/Route mode HA network topology
General configuration steps
Configuring a NAT/Route mode active-passive cluster of two FortiGate units - web-based manager
Configuring a NAT/Route mode active-passive cluster of two FortiGate units - CLI
Example: Transparent mode active-active HA configuration
Example Transparent mode HA network topology
General configuration steps
Configuring a Transparent mode active-active cluster of two FortiGate units - web-based manager
Configuring a Transparent mode active-active cluster of two FortiGate units - CLI
Example: FortiGate-5000 active-active HA with FortiClient licenses
Example network topology
Configuring the FortiGate-5000 active-active cluster - web-based manager
Configuring the FortiGate-5000 active-active cluster - CLI
Example: converting a standalone FortiGate unit to a cluster
Example: adding a new unit to an operating cluster
Example: replacing a failed cluster unit
Example: HA and 802.3ad aggregated interfaces
HA interface monitoring, link failover, and 802.3ad aggregation
HA MAC addresses and 802.3ad aggregation
Link aggregation, HA failover performance, and HA mode
General configuration steps
Configuring active-passive HA cluster that includes aggregated interfaces - web-based manager
Configuring active-passive HA cluster that includes aggregate interfaces - CLI
Example: HA and redundant interfaces
HA interface monitoring, link failover, and redundant interfaces
HA MAC addresses and redundant interfaces
Connecting multiple redundant interfaces to one switch while operating in active-passive HA mode
Connecting multiple redundant interfaces to one switch while operating in active-active HA mode
General configuration steps
Configuring active-passive HA cluster that includes redundant interfaces - web-based manager
Configuring active-passive HA cluster that includes redundant interfaces - CLI
Troubleshooting HA clusters
Ignoring hardware revisions
Before you set up a cluster
Troubleshooting the initial cluster configuration
More troubleshooting information
Virtual clusters
Virtual clustering overview
Virtual clustering and failover protection
Virtual clustering and heartbeat interfaces
Virtual clustering and HA override
Virtual clustering and load balancing or VDOM partitioning
Configuring HA for virtual clustering
Example: virtual clustering with two VDOMs and VDOM partitioning
Example virtual clustering network topology
General configuration steps
Configuring virtual clustering with two VDOMs and VDOM partitioning - web-based manager
Configuring virtual clustering with two VDOMs and VDOM partitioning - CLI
Example: inter-VDOM links in a virtual clustering configuration
Configuring inter-VDOM links in a virtual clustering configuration
Troubleshooting virtual clustering
Full mesh HA
Full mesh HA overview
Full mesh HA and redundant heartbeat interfaces
Full mesh HA, redundant interfaces and 802.3ad aggregate interfaces
Example: full mesh HA configuration
Full mesh HA configuration
Full mesh switch configuration
Full mesh network connections
How packets travel from the internal network through the full mesh cluster and to the Internet
Configuring full-mesh HA - web-based manager
Configuring Full Mesh HA - CLI
Troubleshooting full mesh HA
Operating a cluster
Operating a cluster
Operating a virtual cluster
Managing individual cluster units using a reserved management interface
Configuring the reserved management interface and SNMP remote management of individual cluster units
The primary unit acts as a router for subordinate unit management traffic
Cluster communication with RADIUS and LDAP servers
Clusters and FortiGuard services
FortiGuard and active-passive clusters
FortiGuard and active-active clusters
FortiGuard and virtual clustering
Clusters and logging
Viewing and managing log messages for individual cluster units
About HA event log messages
HA log messages
FortiGate HA message "HA master heartbeat interface <intf_name> lost neighbor information"
Formatting cluster unit hard disks (log disks)
Clusters and SNMP
SNMP get command syntax for the primary unit
SNMP get command syntax for any cluster unit
Getting serial numbers of cluster units
SNMP get command syntax - reserved management interface enabled
Adding FortiClient licenses to a cluster
Adding FortiClient licenses to cluster units with a reserved management interface
Adding FortiClient licenses to cluster units with no reserved management interface
Viewing FortiClient license status and active FortiClient users for each cluster unit
Cluster members list
Virtual cluster members list
Viewing HA statistics
Changing the HA configuration of an operating cluster
Changing the HA configuration of an operating virtual cluster
Changing the subordinate unit host name and device priority
Upgrading cluster firmware
Changing how the cluster processes firmware upgrades
Synchronizing the firmware build running on a new cluster unit
Downgrading cluster firmware
Backing up and restoring the cluster configuration
Monitoring cluster units for failover
Viewing cluster status from the CLI
Examples
About the HA cluster index and the execute ha manage command
Using the execute ha manage command
Using get system ha status to display cluster indexes
Example: actual and operating cluster indexes do not match
Virtual clustering example output
Managing individual cluster units
Disconnecting a cluster unit from a cluster
Adding a disconnected FortiGate unit back to its cluster
HA diagnose commands
all-xdb
all-vcluster
stat
HA and failover protection
About active-passive failover
Device failure
Link failure
Session failover
Primary unit recovery
About active-active failover
Device failover
HA heartbeat and communication between cluster units
Heartbeat interfaces
Connecting HA heartbeat interfaces
Heartbeat packets and heartbeat interface selection
Interface index and display order
HA heartbeat interface IP addresses
Heartbeat packet Ethertypes
Modifying heartbeat timing
Changing the lost heartbeat threshold
Changing the heartbeat interval
Changing the time to wait in the helo state
Enabling or disabling HA heartbeat encryption and authentication
Cluster virtual MAC addresses
Changing how the primary unit sends gratuitous ARP packets after a failover
Disabling gratuitous ARP packets after a failover
How the virtual MAC address is determined
Example virtual MAC addresses
Displaying the virtual MAC address
Diagnosing packet loss with two FortiGate HA clusters in the same broadcast domain
Changing the HA group ID to avoid MAC address conflicts
Example topology
Ping testing for packet loss
Viewing MAC address conflicts on attached switches
Synchronizing the configuration
Disabling automatic configuration synchronization
Incremental synchronization
Periodic synchronization
Console messages when configuration synchronization succeeds
Console messages when configuration synchronization fails
Comparing checksums of cluster units
How to diagnose HA out of sync messages
Recalculating the checksums to resolve out of sync messages
Synchronizing routing table updates
Configuring graceful restart for dynamic routing failover
Controlling how the FGCP synchronizes routing updates
Change how long routes stay in a cluster unit routing table
Change the time between routing updates
Change the time the primary unit waits after receiving a routing update
Synchronizing IPsec VPN SAs
Synchronizing SAs for IKEv1
Synchronizing SAs for IKEv2
Link failover (port monitoring or interface monitoring)
If a monitored interface on the primary unit fails
If a monitored interface on a subordinate unit fails
How link failover maintains traffic flow
Recovery after a link failover and controlling primary unit selection (controlling falling back to the prior primary unit)
Preventing a primary unit change after a failed link is restored
Testing link failover
Updating MAC forwarding tables when a link failover occurs
Multiple link failures
Example link failover scenarios
Example: the port1 link on FGT_1 fails
Example: port2 on FGT_1 and port1 on FGT_2 fail
Subsecond failover
Remote link failover
Adding HA remote IP monitoring to multiple interfaces
Changing the link monitor failover threshold
Monitoring multiple IP addresses from one interface
Flip timeout
Detecting HA remote IP monitoring failovers
Session failover (session pick-up)
If session pickup is not selected
Improving session synchronization performance
Reducing the number of sessions that are synchronized
Using multiple FortiGate interfaces for session synchronization
Synchronizing GTP sessions to support GTP tunnel failover
Session failover not supported for all sessions
IPv6, NAT64, and NAT66 session failover
SIP session failover
Explicit web proxy, WCCP, and WAN optimization session failover
SSL offloading and HTTP multiplexing session failover
IPsec VPN session failover
SSL VPN session failover and SSL VPN authentication failover
PPTP and L2TP VPN sessions
UDP, ICMP, multicast and broadcast packet session failover
FortiOS Carrier GTP session failover
Active-active HA subordinate units sessions can resume after a failover
WAN optimization and HA
Failover and attached network equipment
Monitoring cluster units for failover
NAT/Route mode active-passive cluster packet flow
Packet flow from client to web server
Packet flow from web server to client
When a failover occurs
Transparent mode active-passive cluster packet flow
Packet flow from client to mail server
Packet flow from mail server to client
When a failover occurs
Failover performance
Device failover performance
Link failover performance
Reducing failover times
HA and load balancing
Load balancing overview
Load balancing schedules
Selecting which packets are load balanced
More about active-active failover
HTTPS sessions, active-active load balancing, and proxy servers
Using FortiGate network processor interfaces to accelerate active-active HA performance
Configuring load balancing settings
Selecting a load balancing schedule
Load balancing UTM sessions, TCP sessions, and UDP sessions
Configuring weighted-round-robin weights
Dynamically optimizing weighted load balancing according to how busy cluster units are
Example weighted load balancing configuration
NAT/Route mode active-active cluster packet flow
Packet flow from client to web server
Packet flow from web server to client
When a failover occurs
Transparent mode active-active cluster packet flow
Packet flow from client to mail server
Packet flow from mail server to client
When a failover occurs
HA with third-party products
Troubleshooting layer-2 switches
Forwarding delay on layer 2 switches
Failover issues with layer-3 switches
Changing spanning tree protocol settings for some switches
Spanning Tree protocol (STP)
Bridge Protocol Data Unit (BPDU)
Failover and attached network equipment
Ethertype conflicts with third-party switches
LACP, 802.3ad aggregation and third-party switches
VRRP
Adding a VRRP virtual router to a FortiGate interface
VRRP virtual MAC address
VRRP Groups
Using a Second Destination IP (VRDST)
Configuring VRRP
Example VRRP configuration: two FortiGate units in a VRRP group
Example VRRP configuration: VRRP load balancing two FortiGate units and two VRRP groups
Optional VRRP configuration settings
FortiGate Session Life Support Protocol (FGSP)
Synchronizing the configuration
Synchronizing UDP and ICMP (connectionless) sessions
Synchronizing NAT sessions
Synchronizing expectation (asymmetric) sessions
UTM Flow-based Inspection and Asymmetric Traffic
Notes and limitations
Configuring FGSP HA
Configuring the session synchronization link
Basic example configuration
Configuring FRUP
FRUP configuration example
Configuring FGT-A
Configuring FGT-B
Connecting, testing and operating the FRUP cluster
Chapter 10 IPsec VPN
IPsec VPN concepts
VPN tunnels
Tunnel templates
VPN tunnel list
VPN gateways
Clients, servers, and peers
Encryption
IPsec overheads
Authentication
Preshared keys
Additional authentication
Phase 1 and Phase 2 settings
Phase 1
Phase 2
Security Association
IKE and IPsec packet processing
IKEv1
IKEv2
IPsec VPN Overview
Types of VPNs
Route-based VPNs
Policy-based VPNs
Comparing policy-based or route-based VPNs
Planning your VPN
Network topologies
General preparation steps
How to use this guide to configure an IPsec VPN
IPsec VPN in the web-based manager
Auto Key (IKE)
Phase 1 configuration
Phase 1 advanced configuration settings
IKE fragmentation
Phase 2 configuration
Phase 2 advanced configuration settings
FortiClient VPN
Concentrator
IPsec Monitor
Phase 1 parameters
Overview
Defining the tunnel ends
Choosing Main mode or Aggressive mode
Choosing the IKE version
IKEv2 cookie notification for IKE_SA_INIT
Authenticating the FortiGate unit
Authenticating the FortiGate unit with digital certificates
Authenticating the FortiGate unit with a pre-shared key
Authenticating remote peers and clients
Enabling VPN access for specific certificate holders
Before you begin
Configuring certificate authentication for a VPN
Enabling VPN access by peer identifier
Enabling VPN access with user accounts and pre-shared keys
Defining IKE negotiation parameters
Generating keys to authenticate an exchange
Defining IKE negotiation parameters
NAT traversal
NAT keepalive frequency
Dead peer detection
Using XAuth authentication
Using the FortiGate unit as an XAuth server
Using the FortiGate unit as an XAuth client
Dynamic IPsec route control
Blocking IPsec SA Negotiation
Phase 2 parameters
Basic Phase 2 settings
Advanced Phase 2 settings
Phase 2 Proposals
Replay Detection
Perfect Forward Secrecy (PFS)
Keylife
Quick mode selectors
Using the add-route option
Configure the Phase 2 parameters
Specifying the Phase 2 parameters
Autokey Keep Alive
Auto-negotiate
DHCP-IPsec
Defining VPN security policies
Defining policy addresses
Defining VPN security policies
Defining an IPsec security policy for a policy-based VPN
Allow traffic to be initiated from the remote site
Outbound and inbound NAT
Source and destination addresses
Enabling other policy features
Before you begin
Defining multiple IPsec policies for the same tunnel
Defining security policies for a route-based VPN
Gateway-to-gateway configurations
Configuration overview
General configuration steps
Configuring the two VPN peers
Configuring Phase 1 and Phase 2 for both peers
Creating security policies
Creating firewall addresses
Creating route-based VPN security policies
Configuring a default route for VPN interface
Creating policy-based VPN security policy
How to work with overlapping subnets
Solution for route-based VPN
Solution for policy-based VPN
Testing
Hub-and-spoke configurations
Configuration overview
Hub-and-spoke infrastructure requirements
Spoke gateway addressing
Protected networks addressing
Using aggregated subnets
Using an address group
Authentication
Configure the hub
Define the hub-spoke VPNs
Define the hub-spoke security policies
Route-based VPN security policies
Policy-based VPN security policy
Configuring communication between spokes (policy-based VPN)
Configuring communication between spokes (route-based VPN)
Using a zone as a concentrator
Using a zone with a policy as a concentrator
Using security policies as a concentrator
Configure the spokes
Configuring security policies for hub-to-spoke communication
Route-based VPN security policy
Policy-based VPN security policy
Configuring security policies for spoke-to-spoke communication
Route-based VPN security policy
Policy-based VPN security policy
Dynamic spokes configuration example
Configure the hub (FortiGate_1)
Define the IPsec configuration
Define the security policies
Configure communication between spokes
Configure the spokes
Define the IPsec configuration
Define the security policies
Dynamic DNS configuration
Dynamic DNS over VPN concepts
Dynamic DNS (DDNS)
Routing
Dynamic DNS over VPN
Remote Gateway
Local ID (peer ID)
Route-based or policy-based VPN
Dynamic DNS topology
Assumptions
General configuration steps
Configure the dynamically-addressed VPN peer
Configuring branch_2 VPN tunnel settings
Configuring branch_2 security policies
Define address ranges for branch_2 security policies
Creating branch_2 route-based security policies
Creating branch_2 policy-based security policies
Configure the fixed-address VPN peer
Configuring branch_1 VPN tunnel settings
Configuring branch_1 security policies
Defining address ranges for branch_1 security policies
Creating branch_1 route-based security policies
Creating branch_1 policy-based security policies
Testing
FortiClient dialup-client configurations
Configuration overview
Peer identification
Automatic configuration of FortiClient dialup clients
One button FortiGate-to-FortiClient Phase 1 VPN
How the FortiGate unit determines which settings to apply
Using virtual IP addresses
Assigning VIPs by RADIUS user group
FortiClient dialup-client infrastructure requirements
FortiClient-to-FortiGate VPN configuration steps
Configure the FortiGate unit
Configuring FortiGate unit VPN settings
Route-based VPN security policies
Policy-based VPN security policy
Configuring the FortiGate unit as a VPN policy server
Configuring DHCP services on a FortiGate interface
Configure the FortiClient Endpoint Security application
Configuring FortiClient
Adding XAuth authentication
FortiClient dialup-client configuration example
Configuring FortiGate_1
Configuring the FortiClient Endpoint Security application
FortiGate dialup-client configurations
Configuration overview
FortiGate dialup-client infrastructure requirements
FortiGate dialup-client configuration steps
Configure the server to accept FortiGate dialup-client connections
Route-based VPN security policy
Policy-based VPN security policy
Configure the FortiGate dialup client
Route-based VPN security policy
Policy-based VPN security policy
Supporting IKE Mode config clients
Automatic configuration overview
IKE Mode Config overview
Configuring IKE Mode Config
Configuring an IKE Mode Config client
Configuring an IKE Mode Config server
IP address assignment
Certificate groups
Example: FortiGate unit as IKE Mode Config server
Example: FortiGate unit as IKE Mode Config client
Internet-browsing configuration
Configuration overview
Creating an Internet browsing security policy
Routing all remote traffic through the VPN tunnel
Configuring a FortiGate remote peer to support Internet browsing
Configuring a FortiClient application to support Internet browsing
Redundant VPN configurations
Configuration overview
General configuration steps
Configure the VPN peers - route-based VPN
Redundant route-based VPN configuration example
Configuring FortiGate_1
Configuring FortiGate_2
Partially-redundant route-based VPN example
Configuring FortiGate_1
Configuring FortiGate_2
Creating a backup IPsec interface
Transparent mode VPNs
Configuration overview
Transparent VPN infrastructure requirements
Before you begin
Configure the VPN peers
IPv6 IPsec VPNs
Overview of IPv6 IPsec support
Certificates
Configuring IPv6 IPsec VPNs
Phase 1 configuration
Phase 2 configuration
Security policies
Routing
Site-to-site IPv6 over IPv6 VPN example
Configure FortiGate A interfaces
Configure FortiGate A IPsec settings
Configure FortiGate A security policies
Configure FortiGate A routing
Configure FortiGate B
Site-to-site IPv4 over IPv6 VPN example
Configure FortiGate A interfaces
Configure FortiGate A IPsec settings
Configure FortiGate A security policies
Configure FortiGate A routing
Configure FortiGate B
Site-to-site IPv6 over IPv4 VPN example
Configure FortiGate A interfaces
Configure FortiGate A IPsec settings
Configure FortiGate A security policies
Configure FortiGate A routing
Configure FortiGate B
L2TP and IPsec (Microsoft VPN)
Overview
Layer 2 Tunneling Protocol (L2TP)
Assumptions
Configuring the FortiGate unit
Configuring L2TP users and firewall user group
Creating user accounts
Creating a user group
Configuring L2TP
Configuring IPsec
Configuring security policies
Configuring the Windows PC
Troubleshooting
Quick checks
Mac OS X and L2TP
Setting up logging
Using the FortiGate unit debug commands
Typical L2TP over IPsec session startup log entries - raw format
GRE over IPsec (Cisco VPN)
Overview
Configuring the FortiGate unit
Enabling overlapping subnets
Configuring the IPsec VPN
Adding IPsec tunnel end addresses
Configuring the GRE tunnel
Adding GRE tunnel end addresses
Configuring security policies
Configuring routing
Configuring the Cisco router
Troubleshooting
Quick checks
Setting up logging
Using diagnostic commands
Protecting OSPF with IPsec
Overview
OSPF over IPsec configuration
Configuring the IPsec VPN
Configuring static routing
Configuring OSPF
FortiGate_1 OSPF configuration
FortiGate_2 OSPF configuration
Creating a redundant configuration
Adding the second IPsec tunnel
Adding the OSPF interface
Hardware offloading and acceleration
Overview
IPsec session offloading requirements
Packet offloading requirements
IPsec encryption offloading
HMAC check offloading
IPsec offloading configuration examples
Accelerated route-based VPN configuration
Accelerated policy-based VPN configuration
Monitoring and troubleshooting
Monitoring VPN connections
Monitoring connections to remote peers
Monitoring dialup IPsec connections
Testing VPN connections
LAN interface connection
Dialup connection
Troubleshooting VPN connections
Logging VPN events
VPN troubleshooting tips
The VPN proposal is not connecting
Attempting hardware offloading beyond SHA1
Check Phase 1 proposal settings
Check your routing
Try enabling XAuth
General troubleshooting tips
A word about NAT devices
Chapter 11 IPv6
IPv6 packet structure
Jumbograms and jumbo payloads
Fragmentation and reassembly
Benefits of IPv6
IPv6 Features
IPv6 policies
IPv6 policy routing
IPv6 security policies
IPv6 Policy Monitor
IPv6 explicit web proxy
Restricting the IP address of the explicit IPv6 web proxy
Restricting the outgoing source IP address of the IPv6 explicit web proxy
VIP64
VIP46
IPv6 Network Address Translation
NAT64 and DNS64 (DNS proxy)
NAT64 policies
NAT66
NAT66 destination address translation
NAT64 and NAT66 session failover
NAT46
ICMPv6
ICMPv6 Types and Codes
IPv6 in dynamic routing
Dual stack routing
IPv6 tunnelling
Tunnel configuration
Tunnelling IPv6 through IPsec VPN
SIP over IPv6
New Fortinet FortiGate IPv6 MIB fields
New OIDs
EXAMPLE SNMP get/walk output
IPv6 Per-IP traffic shaper
DHCPv6
DHCPv6 relay
IPv6 forwarding—Policies, IPS, Application Control, flow‑based antivirus, web filtering, and DLP
FortiGate interfaces can get IPv6 addresses from an IPv6 DHCP server
IPv6 Configuration
IPv6 address groups
IPv6 address ranges
IPv6 firewall addresses
Scenario: Mail Server
Scenario: First Floor Network
ICMPv6
IPv6 IPsec VPN
Overview of IPv6 IPsec support
Certificates
Configuring IPv6 IPsec VPNs
Phase 1 configuration
Phase 2 configuration
Security policies
Routing
Site-to-site IPv6 over IPv6 VPN example
Configure FortiGate A interfaces
Configure FortiGate A IPsec settings
Configure FortiGate A security policies
Configure FortiGate A routing
Configure FortiGate B
Site-to-site IPv4 over IPv6 VPN example
Configure FortiGate A interfaces
Configure FortiGate A IPsec settings
Configure FortiGate A security policies
Configure FortiGate A routing
Configure FortiGate B
Site-to-site IPv6 over IPv4 VPN example
Configure FortiGate A interfaces
Configure FortiGate A IPsec settings
Configure FortiGate A security policies
Configure FortiGate A routing
Configure FortiGate B
TCP MSS values
BGP and IPv6
RIPng — RIP and IPv6
Network layout and assumptions
Basic network layout
Assumptions
Configuring the FortiGate units system information
Configuring RIPng on FortiGate units
Configuring other network devices
Testing the configuration
Testing the IPv6 RIPng information
Debugging IPv6 on RIPng
IPv6 RSSO support
IPv6 IPS
Blocking IPv6 packets by extension headers
IPv6 Denial of Service policies
Configure hosts in an SNMP v1/2c community to send queries or receive traps
IPv6 PIM sparse mode multicast routing
Chapter 12 Load Balancing
Before you begin
How this chapter is organized
Configuring load balancing
Load balancing overview
Load balancing, UTM, authentication, and other FortiOS features
Configuring load balancing virtual servers from the web‑based manager
Configuring load balancing virtual Servers from the CLI
Load balancing methods
Session persistence
Real servers
Real server active, standby, and disabled modes
Adding real servers from the web‑based manager
Adding real servers from the CLI
Health check monitoring
Virtual IP, load balance virtual server and load balance real server limitations
Monitoring load balancing
Load balancing diagnose commands
Logging Diagnostics
Real server diagnostics
Basic load balancing configuration example
HTTP and HTTPS load balancing, multiplexing, and persistence
HTTP and HTTPS multiplexing
Preserving the client IP address
Preserving the client IP address but changing the X-Forwarded-For header name
HTTP and HTTPS persistence
How HTTP cookie persistence options work
HTTP host-based load balancing
Host load balancing and HTTP cookie persistence
SSL/TLS load balancing
SSL offloading
Additional SSL load balancing options
SSL offloading support for Internet Explorer 6
Disabling SSL/TLS re-negotiation
IP, TCP, and UDP load balancing
Load balancing configuration examples
Example: HTTP load balancing to three real web servers
Web-based manager configuration
CLI configuration
Example: Basic IP load balancing configuration
Example: Adding a server load balance port forwarding virtual IP
Example: Weighted load balancing configuration
Web-based manager configuration
CLI configuration
Example: HTTP and HTTPS persistence configuration
CLI configuration: adding persistence for a specific domain
Chapter 13 Logging and Reporting
Logging and reporting overview
What is logging?
How the FortiGate unit records log messages
Example: How the FortiGate unit records a DLP event
FortiOS features available for logging
Traffic
Sniffer
Other Traffic
Event
Traffic Shaping
Data Leak Prevention
NAC Quarantine
Media Access Control (MAC) Address
Application control
Antivirus
Web Filter
IPS (attack)
Packet logs
Email filter
Archives (DLP)
Network scan
Log messages
Explanation of a debug log message
Viewing log messages and archives
Viewing log messages in detail
Quarantine
Customizing the display of log messages on the web-based manager
How to download log messages and view them on a computer
Log files and types
Log database and datasets
Notifications about network activity
How to configure email notifications
Log devices
FortiGate unit’s system memory and hard disk
FortiAnalyzer unit
Syslog server
How to choose a log device for your network topology
How to create a backup solution for logging
Reports
What are FortiOS reports?
The parts of a FortiOS report
What you can do with the default FortiOS report
How to modify the default FortiOS report
Best Practices: Log management
Logging and reporting for small networks
Modifying default log device settings
Modifying the FortiGate unit’s system memory default settings
Modifying the FortiGate unit’s hard disk default settings
Testing sending logs to the log device
Configuring the backup solution
Configuring logging to a FortiCloud server
Configuring uploading logs to the FortiAnalyzer unit
Testing uploading logs to a FortiAnalyzer unit
Modifying the default FortiOS report
Logging and reporting for large networks
Modifying default log device settings
Modifying multiple FortiGate units’ system memory default settings
Modifying multiple FortiGate units’ hard disk default log settings
Testing the modified log settings
Configuring the backup solution
Configuring logging to multiple FortiAnalyzer units
Configuring logging to the FortiCloud server
Modifying the default FortiOS report
Creating datasets
Creating charts for the datasets
Uploading the corporate images
Adding a new report cover and page
Advanced logging
Configuring logging to multiple Syslog servers
Using Automatic Discovery to connect to a FortiAnalyzer unit
Activating a FortiCloud account for logging purposes
Viewing log storage space
Customizing and filtering log messages
Viewing logs from the CLI
Configuring NAC quarantine logging
Logging local-in policies
Tracking specific search phrases in reports
Reverting modified report settings to default settings
Troubleshooting and logging
Using log messages to help in troubleshooting issues
Using IPS packet logging in diagnostics
Using HA log messages to determine system status
Connection issues between FortiGate unit and logging devices
Unable to connect to a supported log device
FortiGate unit has stopped logging
Log database issues
SQL statement syntax errors
Connection problems
SQL database errors
Logging daemon (Miglogd)
Chapter 14 Managing Devices
Managing “bring your own device”
Device monitoring
Device Groups
Controlling access with a MAC Address Access Control List
Security policies for devices
Creating device policies
Adding endpoint protection
Endpoint Protection
Endpoint Protection overview
User experience
FortiGate endpoint registration limits
Configuration overview
Changing the FortiClient installer download location
Creating a FortiClient profile
Creating the registration key
Enabling Endpoint Protection in security policies
Configuring endpoint registration over a VPN
Endpoint registration on an IPsec VPN
Endpoint registration on the SSL VPN
Synchronizing endpoint registrations
Monitoring endpoints
Deregistering endpoints
Modifying the Endpoint Protection replacement messages
Vulnerability Scan
Configuring vulnerability scans
Running a vulnerability scan and viewing scan results
Requirements for authenticated scanning and ports scanned
Microsoft Windows hosts - domain scanning
Group Policy - Security Options
Group Policy - System Services
Group Policy - Administrative Templates
Microsoft Windows hosts - local (non-domain) scanning
Windows firewall settings
Unix hosts
Chapter 15 Security Profiles
Security Profiles overview
Traffic inspection
IPS signatures
IPS recommendations
Suspicious traffic attributes
Application control
Application control recommendations
Content inspection and filtering
AntiVirus
AntiVirus recommendations
FortiGuard Web Filtering
FortiGuard Web Filtering recommendations
Email filter
Email filter recommendations
DLP
DLP recommendations
Security Profiles components
AntiVirus
Intrusion Protection System (IPS)
Web filtering
Email filtering
Data Leak Prevention (DLP)
Application Control
ICAP
Security Profiles/lists/sensors
AntiVirus
Antivirus concepts
Malware Threats
Viruses
Worms
Trojan horses
Ransomware
Scareware
Spyware
Adware
Botnets
Phishing
Grayware
Scanning Modes
Proxy
Flow-based
Antivirus scanning order
Proxy-based antivirus scanning order
Flow-based antivirus scanning order
Antivirus databases
To change the antivirus database
Antivirus techniques
Virus scan
Grayware
Heuristics
FortiGuard Antivirus
Botnet protection
Quarantine / Source IP ban
FortiGuard Sandbox
Client Comforting
Oversized files and emails
Archive scan depth
Configuring archive scan depth
Scan buffer size
Configuring the uncompression buffer
Windows file sharing (CIFS)
Configuring CIFS/SMB/SAMBA virus scanning
Enabling AntiVirus scanning
Enable Antivirus steps - GUI based
Enable Antivirus steps - CLI based
Testing your antivirus configuration
Example Scenarios
Configuring simple default antivirus profile
Creating the profile - GUI
Creating the profile - CLI
Setting up a basic proxy-based Antivirus profile for email traffic
Creating the profile - GUI
Creating the profile - CLI
Adding the profile to a policy
Adding the profile - GUI
Block files larger than 8 MB
Set proxy options profile to block files larger than 8 MB
To select the Proxy Options profile in a security policy
Web filter
Web filter concepts
Different ways of controlling access
Order of web filtering
Inspections Modes
Proxy
Flow-based
DNS
FortiGuard Web Filtering Service
FortiGuard Web Filter and your FortiGate unit
FortiGuard Web Filter Actions
FortiGuard Web Filter usage quotas
Quota hierarchy
Overriding FortiGuard website categorization
The different methods of override
Using Alternate Categories
Web Rating Overrides
Local or Custom Categories
Configuring Rating Overrides
Using Alternate Profiles
Allow Blocked Overrides or Web Overrides
The Concept
Identity or Address
Settings
SafeSearch
Search Keywords
YouTube Education Filter
Enabling YouTube Education Filter in CLI
Static URL Filter
URL formats
URL Filter actions
Block
Allow
Monitor
Exempt
Status
Configuring a URL filter
Referrer URL
Configuring in the GUI
Configuring in the CLI
Web content filter
General configuration steps
Creating a web filter content list
How content is evaluated
Enabling the web content filter and setting the content threshold
Advanced web filter configurations
Allow websites when a rating error occurs
ActiveX filter
Block HTTP redirects by rating
Block Invalid URLs
Cookie filter
Provide Details for Blocked HTTP 4xx and 5xx Errors
HTTP POST action
Java applet filter
Rate Images by URL
Rate URLs by Domain and IP Address
Web resume download block
Restrict Google account usage to specific domains
Configuring Web Filter Profiles
Enabling FortiGuard Web Filter
General configuration steps
Configuring FortiGuard Web Filter settings
To configure the FortiGuard Web Filter categories
Configuring FortiGuard Category Quotas
Configure Allowed Blocked Overrides
Configure Search Engine Section
Enable Safe Search
Log All Search Keywords
Configure Static URL Filter
Web Content Filter
Configure Rating Options
Allow Websites When a Rating error Occurs
Rate URLs by Domain and IP Address
Block HTTP Redirects by Rating
Rate Images by URL (Blocked images will be replaced with blanks)
Configure Proxy Options
Restrict Google Account Usage to Specific Domains
Configuring the feature in the GUI
Configuring the feature in the CLI
Web Resume Download block
Provide Details for Blocked HTTP 4xx and 5xx Errors
HTTP POST Action
Remove Java Applet Filter
Remove ActiveX Filter
Remove Cookie Filter
Web filtering example
School district
Create a Webfilter for the students
Create a Webfilter for the Teachers
Application control
Application control concepts
Application Control Actions
Allow
Monitor
Block
Reset
Traffic Shaping
View Signatures
Application considerations
IM applications
Skype
SPDY
Working with other FortiOS components
WAN Optimization
Application traffic shaping
Direction of traffic shaping
Shaper re-use
Application control monitor
Enable application control
General configuration steps
Creating an application sensor
Adding applications to an application sensor
Creating a New Custom Application Signature
Enabling application traffic shaping
Messages in response to blocked applications
Application control examples
Blocking all instant messaging
Allowing only software updates
Selecting the application sensor in a security policy
Intrusion protection
IPS concepts
Anomaly-based defense
Signature-based defense
Signatures
Protocol decoders
IPS engine
IPS sensors
IPS filters
Custom/predefined signature entries
Policies
Enable IPS scanning
General configuration steps
Creating an IPS sensor
Adding an IPS filter to a sensor
To create a new Pattern Based Signature and Filter
Adding Rate Based Signatures
Customized signatures
Updating predefined IPS signatures
Viewing and searching predefined IPS signatures
Searching manually
Applying filters
IPS processing in an HA cluster
Active-passive
Active-active
Configure IPS options
Hardware Acceleration
Extended IPS Database
Configuring the IPS engine algorithm
Configuring the IPS engine-count
Configuring fail-open
Configuring the session count accuracy
Configuring the IPS buffer size
Configuring protocol decoders
Configuring security processing modules
IPS signature rate count threshold
Enable IPS packet logging
IPS examples
Configuring basic IPS protection
Creating an IPS sensor
Selecting the IPS sensor in a security policy
Using IPS to protect your web server
Create and test a packet logging IPS sensor
Configuring a Fortinet Security Processing module
Assumptions
Network configuration
Security module configuration
IPS Sensor
Custom Application & IPS Signatures
Creating a custom IPS signature
Custom signature syntax and keywords
Custom signature syntax
Custom signature keywords
Creating a custom signature to block access to example.com
Creating a custom signature to block the SMTP “vrfy” command
Email filter
Email filter concepts
Inspection Modes
Proxy
Flow-based
Email filter techniques
Black white list
Pattern
Action
Status
Banned word check
How content is evaluated
Adding words to a banned word list
DNS-based Blackhole List (DNSBL)
FortiGuard-Antispam Service
FortiGuard IP address check
FortiGuard URL check
FortiGuard email checksum check
Detect phishing URLs in email
FortiGuard spam submission
Trusted IP Addresses
MIME header
HELO DNS lookup
Return email DNS check
Order of spam filtering
Order of SMTP and SMTPS spam filtering
Order of IMAP, POP3, IMAPS and POP3S spam filtering
Spam actions
Discard
Pass
Tag
Email traffic types to inspect
Configuring an Email Filter
Spam detection by protocol
Spam Action
Tag Location
Tag Format
FortiGuard Spam Filtering
Local Spam Filtering
Email filter examples
Configuring simple antispam protection
Creating an email filter profile
Selecting the email filter profile in a security policy
Blocking email from a user
Data leak prevention
Data leak prevention concepts
DLP sensor
DLP filter
DLP Filter Actions
None
Log Only
Block
Quarantine IP Address / Source IP ban
Preconfigured sensors
DLP document fingerprinting
Fingerprinting
File size
DLP filtering by specific file types
Watermarking
Watermark Sensitivity
Software Versions
File types
Using the FortiExplorer Watermark tool
Regular expression
Encrypted
Examining specific services
DLP archiving
Enable data leak prevention
General configuration steps
Creating/editing a DLP sensor
Adding filters to a DLP sensor
DLP examples
Blocking content with credit card numbers
Blocking emails larger than 15 MB and logging emails from 5 MB to 15 MB
Selective blocking based on a finger print
ICAP
The Protocol
Offloading using ICAP
Configuration Settings
Servers
Maximum Connections
Profiles
Name
Enable Request Processing
Enable Response Processing
Enable Streaming Media Bypass
Example ICAP sequence
Example Scenario
Other Security Profiles considerations
Security Profiles and Virtual domains (VDOMs)
Conserve mode
The AV proxy
Entering and exiting conserve mode
Conserve mode effects
off
pass
one-shot
idledrop
Configuring the av-failopen command
SSL content scanning and inspection
Setting up certificates to avoid client warnings
Exceptions
Configuring packet logging options
Limiting memory use
Limiting disk use
Configuring how many packets are captured
Using wildcards and Perl regular expressions
Regular expression vs. wildcard match pattern
Word boundary
Case sensitivity
Perl regular expression formats
Examples of regular expressions
Chapter 16 SSL VPN
Introduction to SSL VPN
SSL VPN modes of operation
Web-only mode
Tunnel mode
Port forwarding mode
Application support
Antivirus and firewall host compatibility
Traveling and security
Host check
Cache cleaning
SSL VPN and IPv6
Basic configuration
User accounts and groups
Authentication
MAC host check
IP addresses for users
Authentication of remote users
Setting the client authentication timeout
Allow one-time login per user
Strong authentication with security certificates
NSA Suite B cryptography support
Configuring SSL VPN web portals
SSL connection configuration
Portal configuration
Adding bookmarks
Personal bookmarks
SSL VPN Realms
Tunnel mode and split tunneling
Port forwarding
The Connection Tool widget
Configuring security policies
Firewall addresses
Create an SSL VPN security policy
Create a tunnel mode security policy
Routing for tunnel mode
Split tunnel Internet browsing policy
Enabling a connection to an IPsec VPN
Route-based connection
Policy-based connection
Configuring encryption key algorithms
Additional configuration options
Routing in tunnel mode
Changing the port number for web portal connections
SSL offloading
Host check
Replacing the host check error message
Creating a custom host check list
Windows OS check
Configuring cache cleaning
Configuring virtual desktop
Configuring virtual desktop application control
Configuring client OS Check
Adding WINS and DNS services for clients
Setting the idle timeout setting
SSL VPN logs
Monitoring active SSL VPN sessions
Troubleshooting
The SSL VPN client
FortiClient
Tunnel mode client configuration
The SSL VPN web portal
Connecting to the FortiGate unit
Web portal overview
Portal configuration
Portal settings
Portal widgets
Session Information
Bookmarks
Connection Tool
Tunnel Mode
Applications available in the web portal
Using the My Bookmarks widget
Using the Connection Tool
RDP options
Tunnel-mode features
Using the SSL VPN virtual desktop
Using FortiClient
Setup examples
Remote Access with SSLVPN
Secure Internet browsing
Creating an SSL VPN IP pool and SSL VPN web portal
Creating the SSL VPN user and user group
Creating a static route for the remote SSL VPN user
Creating security policies
Configuring authentication rules
Results
Split Tunnel
Creating a firewall address for the head office server
Creating an SSL VPN IP pool and SSL VPN web portal
Creating the SSL VPN user and user group
Creating a static route for the remote SSL VPN user
Creating security policies
Configuring authentication rules
Results
Multiple user groups with different access permissions
General configuration steps
Creating the firewall addresses
Creating the destination addresses
Creating the tunnel client range addresses
Creating the web portals
Creating the user accounts and user groups
Creating the security policies
Configuring authentication rules
Create the static route to tunnel mode clients
Chapter 17 System Administration
Using the CLI
Connecting to the CLI
Connecting to the CLI using a local console
Enabling access to the CLI through the network (SSH or Telnet)
Connecting to the CLI using SSH
Connecting to the CLI using Telnet
Command syntax
Terminology
Indentation
Notation
Sub-commands
Example of table commands
Permissions
Tips
Help
Shortcuts and key commands
Command abbreviation
Adding and removing options from lists
Environment variables
Special characters
Using grep to filter get and show command output
Language support and regular expressions
Screen paging
Baud rate
Editing the configuration file on an external host
Using Perl regular expressions
Differences between regular expression and wildcard pattern matching
Word boundary
Case sensitivity
Interfaces
Physical
Interface settings
Interface configuration and settings
Software switch
Soft switch example
Clear the interfaces and back up the configuration
Merge the interfaces
Final steps
Virtual Switch
Loopback interfaces
Redundant interfaces
One-armed sniffer
Aggregate Interfaces
Example
DHCP addressing mode on an interface
PPPoE addressing mode on an interface
Administrative access
Wireless
Interface MTU packet size
Secondary IP addresses to an interface
Virtual domains
Virtual LANs
Zones
Probing Interfaces
Central management
Adding a FortiGate to FortiManager
FortiGate configuration
Configuring an SSL connection
FortiManager configuration
Configuration through FortiManager
Global objects
Locking the FortiGate web-based manager
Firmware updates
FortiGuard
Backup and restore configurations
Administrative domains
Monitoring
Dashboard
Widgets
FortiClient software
sFlow
Configuration
Enable sFlow
Monitor menus
Logging
FortiCloud
FortiGate memory
FortiGate hard disk
Syslog server
FortiAnalyzer
Sending logs using a secure connection
Configuring an SSL connection
Packet Capture
Alert email
SNMP
SNMP configuration settings
Gigabit interfaces
SNMP agent
SNMP community
Enabling on the interface
Fortinet MIBs
SNMP get command syntax
VLANs
VLAN ID rules
VLAN switching and routing
VLAN layer-2 switching
Layer-2 VLAN example
VLAN layer-3 routing
Layer-3 VLAN example
VLANs in NAT mode
Adding VLAN subinterfaces
Physical interface
IP address and netmask
VLAN ID
VDOM
Configuring security policies and routing
Configuring security policies
Configuring routing
Example VLAN configuration in NAT mode
General configuration steps
Configure the FortiGate unit
Configure the external interface
Add VLAN subinterfaces
Add the firewall addresses
Add the security policies
Configure the VLAN switch
Test the configuration
Testing traffic from VLAN_100 to VLAN_200
Testing traffic from VLAN_200 to the external network
VLANs in transparent mode
VLANs and transparent mode
Add VLAN subinterfaces
Create security policies
Example of VLANs in transparent mode
General configuration steps
Configure the FortiGate unit
Add VLAN subinterfaces
Add the security policies
Configure the Cisco switch and router
Configure the Cisco switch
Configure the Cisco router
Test the configuration
Testing traffic from VLAN_100 to VLAN_200
Troubleshooting VLAN issues
Asymmetric routing
Layer-2 and ARP traffic
ARP traffic
Multiple VDOMs solution
Vlanforward solution
Forward-domain solution
NetBIOS
STP forwarding
Too many VLAN interfaces
PPTP and L2TP
How PPTP VPNs work
FortiGate unit as a PPTP server
Configuring user authentication for PPTP clients
Configuring a user account
Configuring a user group
Enabling PPTP and specifying the PPTP IP address range
Adding the security policy
Configuring the FortiGate unit for PPTP VPN
Configuring the FortiGate unit for PPTP pass through
Configuring a virtual IP address
Configuring a port-forwarding security policy
Testing PPTP VPN connections
Logging VPN events
Configuring L2TP VPNs
Network topology
L2TP infrastructure requirements
L2TP configuration overview
Authenticating L2TP clients
Enabling L2TP and specifying an address range
Defining firewall source and destination addresses
Adding the security policy
Configuring a Linux client
Monitoring L2TP sessions
Testing L2TP VPN connections
Logging L2TP VPN events
Session helpers
Viewing the session helper configuration
Changing the session helper configuration
Changing the protocol or port that a session helper listens on
Disabling a session helper
DCE-RPC session helper (dcerpc)
DNS session helpers (dns-tcp and dns-udp)
File transfer protocol (FTP) session helper (ftp)
H.245 session helpers (h245I and h245O)
H.323 and RAS session helpers (h323 and ras)
Alternate H.323 gatekeepers
Media Gateway Controller Protocol (MGCP) session helper (mgcp)
ONC-RPC portmapper session helper (pmap)
PPTP session helper for PPTP traffic (pptp)
Remote shell session helper (rsh)
Real-Time Streaming Protocol (RTSP) session helper (rtsp)
Session Initiation Protocol (SIP) session helper (sip)
Trivial File Transfer Protocol (TFTP) session helper (tftp)
Oracle TNS listener session helper (tns)
Advanced concepts
Dual internet connections (redundant Internet connections)
Video: Redundant Internet connections using ECMP
Redundant interfaces
Link Health Monitor
Routing
Security policies
Load sharing
Link redundancy and load sharing
Single firewall vs. multiple virtual domains
Single firewall vs. VDOMs
Modem
USB modem port
Modes
Configuring standalone mode
Configuring redundant mode
Link Health Monitor
Additional modem configuration
Modem interface routing
FortiExtender
Installing the 3G/4G modem
Connecting the FortiExtender unit
Configuring the FortiExtender unit
Modem Settings
Configuring the FortiGate unit
DHCP servers and relays
DHCP Server configuration
DHCP in IPv6
Service
Lease time
DHCP options
Exclude addresses in a DHCP range
DHCP Monitor
Breaking an address lease
Assigning an IP address by MAC address
DNS services
DNS settings
Additional DNS CLI configuration
DNS server
Recursive DNS
Dynamic DNS
FortiClient discovery and registration
FortiClient discovery
FortiClient Registration
IP addresses for self-originated traffic
Administration for schools
Security policies
DNS
Encrypted traffic (HTTPS)
FTP
Example security policies
UTM security profiles
Antivirus profiles
Web filtering
Email Filtering
IPS
Application control
Logging
Replacement messages list
Replacement message images
Adding images to replacement messages
Modifying replacement messages
Alert Mail replacement messages
Authentication replacement messages
Example
Captive Portal Default replacement messages
Device Detection Portal replacement message
Email replacement messages
Endpoint Control replacement message
FTP replacement messages
FortiGuard Web Filtering replacement messages
HTTP replacement messages
IM replacement messages
NNTP replacement messages
Spam replacement messages
NAC quarantine replacement messages
SSL VPN replacement message
Web Proxy replacement messages
Traffic quota control replacement messages
MM1 replacement messages
MM3 replacement messages
MM4 replacement messages
MM7 replacement messages
MMS replacement messages
Replacement message groups
Disk
Formatting the disk
Setting space quotas
CLI Scripts
Uploading script files
Rejecting PING requests
Opening TCP 113
Obfuscate HTTP responses
Chapter 18 Traffic Shaping
The purpose of traffic shaping
Quality of Service
Traffic policing
Bandwidth guarantee, limit, and priority interactions
FortiGate traffic
Through traffic
Calculation and regulation of packet rates
Important considerations
Traffic shaping methods
Traffic shaping options
Shared policy shaping
Per policy
All policies
Maximum and guaranteed bandwidth
Traffic priority
VLAN, VDOM and virtual interfaces
Shared traffic shaper configuration settings
Example
Per-IP shaping
Per-IP traffic shaping configuration settings
Example
Adding Per-IP traffic shapers to a security policy
Example
Application control shaping
Example
Enabling traffic shaping in the security policy
Reverse direction traffic shaping
Setting the reverse direction only
Type of Service priority
Example
Example
ToS in FortiOS
Differentiated Services
DSCP examples
Example
Example
Example
Example
ToS and DSCP traffic mapping
Traffic Shaper Monitor
Examples
QoS using priority from security policies
Sample configuration
QoS using priority from ToS or differentiated services
Sample configuration
Example setup for VoIP
Creating the traffic shapers
VoIP shaper
FTP shaper
Regular traffic shaper
Creating security policies
Troubleshooting traffic shaping
Interface diagnosis
Shaper diagnose commands
ToS command
Shared shaper
Per-IP shaper
Packet loss with statistics on shapers
Packet loss with the debug flow
Session list details with dual traffic shaper
Additional Information
Chapter 19 Troubleshooting
Life of a Packet
Stateful inspection
Connections over connectionless
What is a session?
Differences between connections and sessions
Flow inspection
Proxy inspection
Comparison of inspection layers
FortiOS functions and security layers
Packet flow
Packet inspection (Ingress)
Interface
DoS sensor
IP integrity header checking
IPsec
Destination NAT (DNAT)
Routing
Policy lookup
Session tracking
User authentication
Management traffic
SSL VPN traffic
ICAP traffic
Session helpers
Flow-based inspection engine
Proxy‑based inspection engine
IPsec
Source NAT (SNAT)
Routing
Egress
Example 1: client/server connection
Example 2: Routing table update
Example 3: Dialup IPsec VPN with application control
Verifying FortiGate admin access security
Install the FortiGate unit in a physically secure location
Add new administrator accounts
Change the admin account name and limit access to this account
Only allow administrative access to the external interface when needed
When enabling remote access, configure Trusted Hosts and Two-factor Authentication
Configuring Trusted Hosts
Configuring Two-factor Authentication
Change the default administrative port to a non-standard port
Enable Password Policy
Maintain short login timeouts
Modify administrator account Lockout Duration and Threshold values
Administrator account Lockout Duration
Administrator account Lockout Threshold
Disable auto installation via USB
Auditing and Logging
Troubleshooting resources
Technical Documentation
Fortinet Video Library
Release Notes
Knowledge Base
Fortinet Technical Discussion Forums
Fortinet Training Services Online Campus
Fortinet Customer Support
Troubleshooting tools
FortiOS diagnostics
Check date and time
Resource usage
Proxy operation
Hardware NIC
Traffic trace
Session table
Web-based manager session information
How to find which security policy a specific connection is using
CLI session information
Firewall session setup rate
Finding object dependencies
CLI method
Web-based manager method
Flow trace
Flow trace output example - HTTP
Flow trace output example - IPsec (policy-based)
Packet sniffing and packet capture
Packet sniffing
Packet capture
NPU based interfaces
Debug command
Debug output example
The execute tac report command
Other commands
ARP table
Time and date settings
IP address
FortiOS ports
FortiAnalyzer/FortiManager ports
FortiGuard troubleshooting
Troubleshooting process for FortiGuard updates
FortiGuard server settings
Displaying the server list
Sorting the server list
Calculating weight
Troubleshooting methodologies
Establish a baseline
Define the problem
Gathering Facts
Create a troubleshooting plan
Providing Supporting Elements
Obtain any required additional equipment
Ensure you have administrator level access to required equipment
Contact Fortinet customer support for assistance
Technical Support Organization Overview
Fortinet Global Customer Services Organization
Creating an account
Registering a device
Reporting problems
Logging online tickets
Fortinet partners
Fortinet customers
Following up on online tickets
Telephoning a technical support center
Assisting technical support
Support priority levels
Priority 1
Priority 2
Priority 3
Priority 4
Return material authorization process
Common questions
How to check hardware connections
How to check FortiOS network settings
Interface settings
DNS settings
DHCP Server settings
How to check CPU and memory resources
How to troubleshoot high memory usage
How to troubleshoot high CPU usage
How to check modem status
How to run ping and traceroute
Ping
Traceroute
How to check the logs
How to verify the contents of the routing table (in NAT mode)
How to verify the correct route is being used
How to verify the correct firewall policy is being used
How to check the bridging information in Transparent mode
How to check the bridging information
How to display forwarding domain information
Sample output
How to check the number of sessions used by the UTM proxy
Conserve or failopen mode
Checking sessions in use
Related commands
How to examine the firewall session list
Check source NAT information
How to check wireless information
Troubleshooting station connection issues
Enable diagnostic for particular station
How to verify FortiGuard connectivity
How to perform a sniffer trace (CLI and Packet Capture)
What can sniffing packets tell you
How do you sniff packets
How to debug the packet flow
Chapter 20 Virtual Domains
Virtual Domains
Benefits of Virtual Domains
Improving Transparent mode configuration
Easier administration
Continued security
Savings in physical space and power
More flexible MSSP configurations
Enabling and accessing Virtual Domains
Enabling Virtual Domains
Changes to the web-based manager and CLI
Changes to FortiGate unit settings
Viewing the VDOM list
Global and per-VDOM settings
Global settings - web-based manager
Per-VDOM settings - web-based manager
Global settings - CLI
Per-VDOM settings - CLI
Resource settings
Global resource settings
Per-VDOM resource settings
Virtual Domain Licensing
Logging in to VDOMs
Configuring Virtual Domains
Creating a Virtual Domain
Disabling a Virtual Domain
Deleting a VDOM
Removing references to a VDOM
Common objects that refer to VDOMs
Administrators in Virtual Domains
Administrator VDOM permissions
Creating administrators for Virtual Domains
Virtual Domain administrator dashboard display
Virtual Domains in NAT/Route mode
Virtual domains in NAT/Route mode
Changing the management virtual domain
Configuring interfaces in a NAT/Route VDOM
Adding a VLAN to a NAT/Route VDOM
Moving an interface to a VDOM
Deleting an interface
Adding a zone to a VDOM
Configuring VDOM routing
Default static route for a VDOM
in VDOMs
Configuring security policies for NAT/Route VDOMs
Configuring a security policy for a VDOM
Configuring security profiles for NAT/Route VDOMs
Configuring VPNs for a VDOM
Example NAT/Route VDOM configuration
Network topology and assumptions
General configuration steps
Creating the VDOMs
Configuring the FortiGate interfaces
Configuring the vdomA interfaces
Configuring the vdomB interfaces
Configuring the vdomA VDOM
Adding vdomA firewall addresses
Adding the vdomA security policy
Adding the vdomA default route
Configuring the vdomB VDOM
Adding the vdomB firewall address
Adding the vdomB security policy
Adding a default route to the vdomB VDOM
Testing the configuration
Testing traffic from the internal network to the ISP
Virtual Domains in Transparent mode
Transparent operation mode
Broadcast domains
Forwarding domains
Spanning Tree Protocol
Differences between NAT/Route and Transparent mode
Operation mode differences in VDOMs
Configuring VDOMs in Transparent mode
Switching to Transparent mode
Adding VLAN subinterfaces
Creating security policies
Example of VDOMs in Transparent mode
Network topology and assumptions
General configuration steps
Configuring common items
Creating virtual domains
Configuring the Company_A VDOM
Adding VLAN subinterfaces
Creating the Lunch schedule
Configuring Company_A firewall addresses
Creating Company_A security policies
Configuring the Company_B VDOM
Adding VLAN subinterfaces
Creating Company_B service groups
Configuring Company_B firewall addresses
Configuring Company_B security policies
Configuring the VLAN switch and router
Configuring the Cisco switch
Configuring the Cisco router
Testing the configuration
Testing traffic from VLAN_100 to the Internet
Testing traffic from VLAN_100 to VLAN_200
Inter-VDOM routing
Benefits of inter-VDOM routing
Freed-up physical interfaces
More speed than physical interfaces
Continued support for secure firewall policies
Configuration flexibility
Getting started with VDOM links
Viewing VDOM links
Creating VDOM links
IP addresses and inter-VDOM links
Deleting VDOM links
NAT to Transparent VDOM links
Inter-VDOM configurations
Standalone VDOM configuration
Independent VDOMs configuration
Management VDOM configuration
Meshed VDOM configuration
Dynamic routing over inter-VDOM links
HA virtual clusters and VDOM links
What is virtual clustering?
Virtual clustering and failover protection
Virtual clustering and heartbeat interfaces
Virtual clustering and HA override
Virtual clustering and load balancing or VDOM partitioning
Example of inter-VDOM routing
Network topology and assumptions
General configuration steps
Creating the VDOMs
Configuring the physical interfaces
Configuring the VDOM links
Configuring the firewall and Security Profile settings
Configuring firewall service groups
Configuring Security Profile settings for the Accounting VDOM
Configuring firewall settings for the Accounting VDOM
Configuring Security Profile settings for the Sales VDOM
Configuring firewall settings for the Sales VDOM
Configuring firewall settings between the Accounting and Sales VDOMs
Testing the configuration
Testing connectivity
Troubleshooting Tips
Troubleshooting Virtual Domains
VDOM admin having problems gaining access
Confirm the admin’s VDOM
Confirm the VDOM’s interfaces
Confirm the VDOM's admin access
FortiGate unit running very slowly
Too many VDOMs
One or more VDOMs are consuming all the resources
Too many Security Features in use
General VDOM tips and troubleshooting
Perform a sniffer trace
What sniffing packets can tell you
How to sniff packets
Debugging the packet flow
Chapter 21 VM Installation
FortiGate VM Overview
FortiGate VM models and licensing
FortiGate VM evaluation license
Registering FortiGate VM with Customer Service & Support
Downloading the FortiGate VM deployment package
Deployment package contents
Citrix XenServer
OpenXEN
Microsoft Hyper-V
KVM
VMware ESX/ESXi
Deploying the FortiGate VM appliance
Deployment example: VMware
Open the FortiGate VM OVF file with the vSphere client
Configure FortiGate VM hardware settings
Transparent mode configuration
Power on your FortiGate VM
Deployment example: MS Hyper-V
Create the FortiGate VM virtual machine
Configure FortiGate VM hardware settings
FortiGate VM virtual processors
FortiGate VM network adapters
FortiGate VM virtual hard disk
Start the FortiGate VM
Deployment example: KVM
Create the FortiGate VM virtual machine
Configure FortiGate VM hardware settings
Start the FortiGate VM
Deployment example: OpenXen
Create the FortiGate VM virtual machine (VMM)
Deployment example: Citrix XenServer
Create the FortiGate VM virtual machine (XenCenter)
Configure virtual hardware
Configuring number of CPUs and memory size
Configuring disk storage
FortiGate VM Initial Configuration
Set FortiGate VM port1 IP address
Connect to the FortiGate VM Web-based Manager
Upload the FortiGate VM license file
Validate the FortiGate VM license with FortiManager
Configure your FortiGate VM
Chapter 22 VoIP Solutions: SIP
Before you begin
FortiGate VoIP solutions: SIP
SIP overview
Common SIP VoIP configurations
Peer to peer configuration
SIP proxy server configuration
SIP redirect server configuration
SIP registrar configuration
SIP with a FortiGate unit
SIP messages and media protocols
Hardware accelerated RTP processing
SIP request messages
SIP response messages
Informational (or provisional)
Success
Redirection
Client error
Server error
Global failure
SIP message start line
SIP headers
The SIP message body and SDP session profiles
Example SIP messages
The SIP session helper
SIP session helper configuration overview
Disabling and enabling the SIP session helper
Changing the port numbers that the SIP session helper listens on
Configuration example: SIP session helper in Transparent Mode
General configuration steps
Configuration steps - web‑based manager
Configuration steps - CLI
SIP session helper diagnose commands
The SIP ALG
SIP ALG configuration overview
Enabling VoIP support on the web‑based manager
VoIP profiles
Changing the port numbers that the SIP ALG listens on
Disabling the SIP ALG in a VoIP profile
SIP ALG get and diagnose commands
Conflicts between the SIP ALG and the session helper
Stateful SIP tracking, call termination, and session inactivity timeout
Adding a media stream timeout for SIP calls
Adding an idle dialog setting for SIP calls
Changing how long to wait for call setup to complete
SIP and RTP/RTCP
How the SIP ALG creates RTP pinholes
Configuration example: SIP in Transparent Mode
General configuration steps
Configuration steps - web‑based manager
Configuration steps - CLI
RTP enable/disable (RTP bypass)
Opening and closing SIP register, contact, via and record-route pinholes
Accepting SIP register responses
How the SIP ALG performs NAT
Source address translation
Destination address translation
Call Re-invite messages
How the SIP ALG translates IP addresses in SIP headers
Source NAT translation of IP addresses in SIP messages
Destination NAT translation of IP addresses in SIP messages
How the SIP ALG translates IP addresses in the SIP body
SIP NAT scenario: source address translation (source NAT)
SIP NAT scenario: destination address translation (destination NAT)
SIP NAT configuration example: source address translation (source NAT)
General configuration steps
Configuration steps - web‑based manager
Configuration steps - CLI
SIP NAT configuration example: destination address translation (destination NAT)
General configuration steps
Configuration steps - web‑based manager
Configuration steps - CLI
Additional SIP NAT scenarios
Source NAT (SIP and RTP)
Destination NAT (SIP and RTP)
Source NAT with an IP pool
Different source and destination NAT for SIP and RTP
NAT with IP address conservation
Configuring SIP IP address conservation for the SIP ALG
Configuring SIP IP address conservation for the SIP session helper
Controlling how the SIP ALG NATs SIP contact header line addresses
Controlling NAT for addresses in SDP lines
Translating SIP session destination ports
Translating SIP sessions to a different destination port
Translating SIP sessions to multiple destination ports
Adding the original IP address and port to the SIP message header after NAT
Enhancing SIP pinhole security
Hosted NAT traversal
Configuration example: Hosted NAT traversal for calls between SIP Phone A and SIP Phone B
General configuration steps
Configuration steps - web‑based manager
Configuration steps - CLI
Hosted NAT traversal for calls between SIP Phone A and SIP Phone C
Restricting the RTP source IP
SIP over IPv6
Deep SIP message inspection
Actions taken when a malformed message line is found
Logging and statistics
Deep SIP message inspection best practices
Configuring deep SIP message inspection
Discarding SIP messages with some malformed header and body lines
Discarding SIP messages with an unknown SIP message type
Discarding SIP messages that exceed a message size
Discarding SIP messages with lines longer than 500 characters
Blocking SIP request messages
SIP rate limiting
Limiting the number of SIP dialogs accepted by a security policy
SIP logging and DLP archiving
Inspecting SIP over SSL/TLS (secure SIP)
Adding the SIP server and client certificates
Adding SIP over SSL/TLS support to a VoIP profile
SIP and HA: session failover and geographic redundancy
SIP geographic redundancy
Supporting geographic redundancy when blocking OPTIONS messages
Support for RFC 2543-compliant branch parameters
SIP and IPS
SIP debugging
SIP debug log format
SIP-proxy filter per VDOM
SIP-proxy filter command
SIP debug log filtering
SIP debug setting
Display SIP rate-limit data
Chapter 23 WAN Optimization, Web Cache, Explicit Proxy, and WCCP
Before you begin
FortiGate models that support WAN optimization
WAN optimization and web caching disk storage
Distributing WAN optimization, explicit proxy, and web caching to multiple CPU Cores
How this chapter is organized
Example network topologies
WAN optimization topologies
Basic WAN optimization topologies
Out-of-path topology
Topology for multiple networks
WAN optimization with web caching
WAN optimization and web caching with FortiClient peers
Explicit Web proxy topologies
Explicit FTP proxy topologies
Web caching topologies
WCCP topologies
Configuring WAN optimization
Client/server architecture
WAN optimization peers
Manual (peer-to-peer) and active-passive WAN optimization
Manual (peer to peer) configurations
Manual mode client-side policy
Manual mode server-side explicit proxy policy
Active-passive configurations
Active client-side policy
Server-side tunnel policy
Server-side passive policy
WAN optimization profiles
Processing non-HTTP sessions accepted by a WAN optimization profile with HTTP optimization
Processing unknown HTTP sessions
Protocol optimization
Protocol optimization and MAPI
Byte caching
Dynamic data chunking for byte caching
WAN optimization transparent mode
FortiClient WAN optimization
Operating modes and VDOMs
WAN optimization tunnels
Tunnel sharing
WAN optimization and user and device identity policies, load balancing and traffic shaping
Traffic shaping
WAN optimization and HA
WAN optimization, web caching and memory usage
Monitoring WAN optimization performance
Traffic Summary
Bandwidth Optimization
WAN optimization configuration summary
Client-side configuration summary
WAN optimization profile
Local host ID and peer settings
Security policies
Server-side configuration summary
Local host ID and peer settings
Security policies
Best practices
Peers and authentication groups
Basic WAN optimization peer requirements
Accepting any peers
How FortiGate units process tunnel requests for peer authentication
Configuring peers
Configuring authentication groups
Secure tunneling
Monitoring WAN optimization peer performance
Configuration examples
Example: Basic manual (peer-to-peer) WAN optimization configuration
Network topology and assumptions
General configuration steps
Configuring basic peer-to-peer WAN optimization - web‑based manager
Configuring basic peer-to-peer WAN optimization - CLI
Testing and troubleshooting the configuration
Example: Active-passive WAN optimization
Network topology and assumptions
General configuration steps
Configuring basic active-passive WAN optimization - web‑based manager
Configuring basic active-passive WAN optimization - CLI
Testing and troubleshooting the configuration
Example: Adding secure tunneling to an active-passive WAN optimization configuration
Network topology and assumptions
General configuration steps
Configuring WAN optimization with secure tunneling - web‑based manager
Configuring WAN optimization with secure tunneling - CLI
Web caching and SSL offloading
Turning on web caching for HTTP and HTTPS traffic
Turning on web caching for HTTPS traffic
Full mode SSL server configuration
Half mode SSL server configuration
Changing the ports on which to look for HTTP and HTTPS traffic to cache
Web caching and HA
Web caching and memory usage
Changing web cache settings
Always revalidate
Max cache object size
Negative response duration
Fresh factor
Max TTL
Min TTL
Default TTL
Proxy FQDN
Max HTTP request length
Max HTTP message length
Ignore
Cache Expired Objects
Revalidated Pragma-no-cache
Forwarding URLs to forwarding servers and exempting web sites from web caching
Forwarding URLs and URL patterns to forwarding servers
Exempting web sites from web caching
Monitoring Web caching performance
Example: Web caching of HTTP and HTTPS Internet content for users on an internal network
Network topology and assumptions
General configuration steps
Configuration Steps - web‑based manager
Configuration Steps - CLI
Example: reverse proxy web caching and SSL offloading for an Internet web server using a static one-to-one virtual IP
Network topology and assumptions
General configuration steps
Configuration steps - web‑based manager
Configuration steps - CLI
FortiClient WAN optimization
FortiClient WAN optimization over IPsec VPN configuration example
The FortiGate explicit web proxy
Explicit web proxy configuration overview
General configuration steps
Proxy auto-config (PAC) configuration
PAC File Content
Unknown HTTP version
Authentication realm
Other explicit web proxy options
Restricting the IP address of the IPv4 explicit web proxy
Restricting the outgoing source IP address of the IPv4 explicit web proxy
Restricting the IP address of the explicit IPv6 web proxy
Restricting the outgoing source IP address of the IPv6 explicit web proxy
Proxy chaining (web proxy forwarding servers)
Adding a web proxy forwarding server
Web proxy forwarding server monitoring and health checking
Grouping forwarding servers and load balancing traffic to them
Adding proxy chaining to an explicit web proxy policy
Explicit web proxy authentication
IP-Based authentication
Per session authentication
Security profiles, threat weight, device identification, and the explicit web proxy
Web Proxy firewall services and service groups
Explicit web proxy firewall address URL patterns
URL patterns and HTTPS scanning
Changing HTTP headers
Preventing the explicit web proxy from changing source addresses
Example: users on an internal network browsing the Internet through the explicit web proxy with web caching, RADIUS authentication, web filtering and virus scanning
General configuration steps
Configuring the explicit web proxy - web‑based manager
Configuring the explicit web proxy - CLI
Testing and troubleshooting the configuration
Explicit proxy sessions and user limits
The FortiGate explicit FTP proxy
How to use the explicit FTP proxy to connect to an FTP server
Explicit FTP proxy configuration overview
General configuration steps
Restricting the IP address of the explicit FTP proxy
Restricting the outgoing source IP address of the explicit FTP proxy
Security profiles, threat weight, device identification, and the explicit FTP proxy
Explicit FTP proxy options and SSL/SSH inspection
Explicit FTP proxy sessions and antivirus
Example: users on an internal network connecting to FTP servers on the Internet through the explicit FTP with RADIUS authentication and virus scanning
General configuration steps
Configuring the explicit FTP proxy - web‑based manager
Configuring the explicit FTP proxy - CLI
Testing and troubleshooting the configuration
Explicit FTP proxy sessions and user limits
FortiGate WCCP
WCCP service groups, service numbers, service IDs and well known services
Example WCCP server and client configuration for caching HTTP sessions (service ID = 0)
Example WCCP server and client configuration for caching HTTPS sessions
Example WCCP server and client configuration for caching HTTP and HTTPS sessions
Other WCCP service group options
Server configuration options
Client configuration options
WCCP configuration overview
Example: caching HTTP sessions on port 80 using WCCP
Configuring the WCCP server (WCCP_srv)
Configuring the WCCP client (WCCP_client)
Example: caching HTTP sessions on port 80 and HTTPS sessions on port 443 using WCCP
Configuring the WCCP server (WCCP_srv)
Configuring the WCCP client (WCCP_client)
WCCP packet flow
Configuring the forward and return methods and adding authentication
WCCP Messages
Troubleshooting WCCP
Real time debugging
Application debugging
Storage
Formatting the hard disk
Configuring WAN optimization and Web cache storage
Changing the amount of space allocated for WAN optimization and Web cache storage
Adjusting the relative amount of disk space available for byte caching and web caching
Diagnose commands
get test {wad | wccpd} <test_level>
Examples
diagnose wad
Example: diagnose wad tunnel list
Example: diagnose wad webcache list
diagnose wacs
diagnose wadbd
diagnose debug application {wad | wccpd} [<debug_level>]
edit_filter
edit_host
firmware
config_rev
vcm_upd
admins
admins_newedit
admin_profile
admin_profile_newedit
router_static_newedit
router_static
router_monitor
router_policy
router_policy_newedit
router_policy_edit
router_policy_move
router_settings
router_gwdetect
router_rip
router_rip_newedit
router_bgp
router_ospf
router_ospf_interfaces_newedit
router_ospf_networks_newedit
router_ospf_area_newedit
userauth
radius
radius_newedit
ldap
ldap_newedit
tacplus
tacplus_newedit
userfsaelist
user_local
user_local_newedit
pkinewedit
pki_newedit
pki
ftoken
ftoken_newedit
imp2puserlist
usergrp_newedit
usergrp
guest
cert_local
cert_remote
cert_remote_newedit
cert_ca
cert_crl
cert_local_generate
cert_local_import
cert_ca_newedit
cert_crl_newedit
userfsae
userfsaelist_newedit
userauthlist
userban
carrier_mmsprofile
carrier_mmscontentchk
carrier_notification
carrier_notification_newedit
carrier_msgflood
carrier_duplicatemsg
carrier_endpoint
carrier_endpoint_newedit
carrier_gtpprofile
carrier_gtpprofile_newedit
wireless_approfile
wireless_approfile_newedit
wireless_vap
wireless_physap
wireless_physap_newedit
wids_profile
wirelessclientmonitor
syswirelesssetting
wirelessroguemonitor
wireless_dashboard
policy_centnat
address
addr
Address Groups
addr_group
Virtual IP Addresses
vip
Virtual IP Groups
vip_group
IP Pools
vip_pool
service
custom
srv_group
sch_grp
schedule_list
onetime
recurring
schedule_newedit
policy_list
policy6_list
policy_protocol
deep_inspection
deep_inspection_newedit
policy_dos
policy_local_in
monitor_policy
address_newedit
addr_newedit
addr_group_newedit
srv_group_newedit
vip_newedit
vip_group_newedit
vip_pool_newedit
central_nat_edit
recurring_newedit
onetime_newedit
sch_grp_newedit
policy_protocol_newedit
policy_dos_newedit
multicast_policy
multicast_policy_newedit
ha
ipsecvpn_wizard
autokey
autokey_phase1_newedit
autokey_phase2_newedit
vpn_tunnel_forticlient_dlg
concentrator
concentrator_newedit
ipsec_monitor
policy6_list
monitor_policy6
ipv6_nat64
ipv6_nat46
ipv6_dos
ldb_vip_newedit
ldb_vip
ldb_realservers
ldb_realservers_newedit
ldb_monitor_newedit
ldb_monitor
monitor_loadbalance
vip_monitor
vip_realservers
log_monitor
logaccess
avquarantineconfig
logalertsetting
logsetting
report
device
device_group
endpoint_nacprof
endpoint_nacprof_newedit
endpoint_device
endpoint_netscan_asset
web_profile
web_override
web_override_dlg
web_ftgd_lrat
web_ufilter
web_profile_newedit
app_list
app_list_newedit
ips_sensor
ips_sensor_newedit
ips_list
idssignaturecustom
dlpfilepattern_newedit
dlpsensor_newedit
dlp_finger
icap_server
icap_profile
carrier_profilegrp
ssl_vpn_portal
ssl_config
ssl_portal
ssl_bookmarks
ssl_realms
ssl_hostchk
ssl_hostchk_newedit
ssl_vdapp_newedit
ssl_vdapp
ssl_monitor
interface
interface_newedit
zone_newedit
central_mgmt
stat_session
sniffer
messaging
snmpv1_newedit
snmpv3_newedit
snmpv1
user_edit
user_grp_list
sysdhcpservice
sysdhcpservice_newedit
sys_dhcpmonitor
options
dnsdatabase
dnsdatabase_newedit
dnsservice_newedit
rmsg_list
rmsg
rmsg_image
rmsg_image_newedit
rmsg_list_newedit
rmsg_group
rmsg_group_newedit
disk
shaper_list
shaper_dlg
shaper_shared
shaper_shared_newedit
shaper_perIP
shaper_perIP_newedit
monitor_trafficshaper
vdom
global_res
vdom_newedit
vdom_current
voip_profile
voip_profile_newedit
wanopt_pro
wanopt_profile
wanopt_monitor
wan_monitor
wan_peer
wanopt_peer
wanopt_peer_newedit
wan_auth
wanopt_authgrp_newedit
wanopt_authgrp
wanopt_peer_monitor
wan_cache_setting
wanopt_settings_newedit
wanopt_settings
wanopt_url_match
cache_exmpt
wanopt_exempt_newedit
wanopt_cache_monitor
web_proxy
policy_explicit_proxy
fwdsrv_newedit