Chapter 1 - What's New for FortiOS 5.2
Introduction
New features in FortiOS 5.2.12
New features in FortiOS 5.2.9
New features in FortiOS 5.2.8
New features in FortiOS 5.2.5
New features in FortiOS 5.2.4
New features in FortiOS 5.2.3
New features in FortiOS 5.2.2
New features in FortiOS 5.2.1
Top Features
System Features
Usability Enhancements
Firewall
Security Profiles
IPsec VPN
SSL VPN
Authentication
Managing Devices
Wireless Networking
IPv6
High Availability
WAN Optimization, Web Cache, and Explicit Proxy
Advanced Routing
Logging and Reporting
Other New Features
RFC List
Chapter 2 - Getting Started
Introduction
Differences between Models
Installation
Using the Web-Based Manager
Basic Administration
Next Steps
Chapter 3 - Advanced Routing
Introduction
Advanced Static Routing
Routing concepts
Static routing tips
Policy routing
Transparent mode static routing
Static routing example
Advanced static routing example: ECMP failover and load balancing
Dynamic Routing Overview
What is dynamic routing?
Comparison of dynamic routing protocols
Choosing a routing protocol
Dynamic routing terminology
IPv6 in dynamic routing
Routing Information Protocol (RIP)
RIP background and concepts
Troubleshooting RIP
Simple RIP example
RIPng — RIP and IPv6
Border Gateway Protocol (BGP)
BGP background and concepts
Troubleshooting BGP
Dual-homed BGP example
Redistributing and blocking routes in BGP
Open Shortest Path First (OSPF)
OSPF Background and concepts
Troubleshooting OSPF
Basic OSPF example
Advanced inter-area OSPF example
Controlling redundant links by cost
Intermediate System to Intermediate System Protocol (IS-IS)
IS-IS background and concepts
How IS-IS works
Simple IS-IS example
Chapter 4 - Authentication
Change log
Introduction
Introduction to authentication
Authentication servers
Users and user groups
Managing Guest Access
Configuring authenticated access
Captive portals
Certificate-based authentication
Single Sign-On using a FortiAuthenticator unit
Single Sign-On to Windows AD
Agent-based FSSO
SSO using RADIUS accounting records
Monitoring authenticated users
Examples and Troubleshooting
Chapter 5 - Best Practices
Overview
General Considerations
Customer service and technical support
Fortinet Knowledge Base
System and performance
Performance
Shutting down
Migration
Information gathering
Object and policy migration
Testing and validation
Going live and obtaining feedback
Adding new services
Environmental specifications
Grounding
Rack mounting
Firmware
Firmware change management
Performing a firmware upgrade
Performing a firmware downgrade
Performing a configuration backup
Security Profiles
Firewall
Security
Authentication
Antivirus
Antispam
Intrusion Prevention System (IPS)
Email filter
URL filtering
Web filtering
Patch management
Policy configuration
Networking
Routing configuration
Advanced routing
Network Address Translation (NAT)
Transparent Mode
Using Virtual IPs (VIPs)
High Availability
Heartbeat interfaces
Interface monitoring
WAN Optimization
VDOMs
Per-VDOM resource settings
Virtual domains in NAT/Route mode
Virtual clustering
Explicit proxy
Wireless
Encryption and authentication
Geographic location
Network planning
Lowering the power level to reduce RF interference
Wireless client load balancing
Local bridging
Advertising SSIDs
Using static IPs in a CAPWAP configuration
Logging and reporting
Log management
System memory and hard disks
Chapter 6 - FortiOS Carrier
Introduction
Overview of FortiOS Carrier features
Carrier web-based manager settings
MMS Security features
Message flood protection
Duplicate message protection
Configuring GTP on FortiOS Carrier
GTP message type filtering
GTP identity filtering
Troubleshooting
Chapter 7 - Compliance
Introduction
Configuring FortiGate units for PCI DSS compliance
Chapter 8 - Deploying Wireless Networks
Introduction
Introduction to wireless networking
Wireless concepts
Security
Authentication
Wireless networking equipment
Automatic Radio Resource Provisioning
Configuring a WiFi LAN
Overview of WiFi controller configuration
Setting your geographic location
Creating a FortiAP Profile
Defining a wireless network interface (SSID)
Dynamic VLAN assignment
Configuring user authentication
Configuring firewall policies for the SSID
Configuring the built-in access point on a FortiWiFi unit
Access point deployment
Network topology for managed APs
Discovering and authorizing APs
Advanced WiFi controller discovery
Wireless client load balancing for high-density deployments
LAN port options
Preventing IP fragmentation of packets in CAPWAP tunnels
Wireless Mesh
Overview of Wireless Mesh
Configuring a meshed WiFi network
Configuring a point-to-point bridge
Combining WiFi and wired networks with a software switch
FortiAP local bridging (Private Cloud-Managed AP)
Using bridged FortiAPs to increase scalability
Using Remote FortiAPs
Features for high-density deployments
Protecting the WiFi Network
Wireless IDS
WiFi data channel encryption
Wireless network monitoring
Monitoring wireless clients
Monitoring rogue APs
Suppressing rogue APs
Monitoring wireless network health
Configuring wireless network clients
Windows XP client
Windows 7 client
Mac OS client
Linux client
Troubleshooting
Wireless network examples
Basic wireless network
A more complex example
Using a FortiWiFi unit as a client
Use of client mode
Configuring client mode
Support for location-based services
Overview
Configuring location tracking
Viewing device location data on the FortiGate unit
Reference
Wireless radio channels
FortiAP CLI
Chapter 9 - Firewall
Introduction
How does a FortiGate Protect Your Network?
Firewall concepts
What is a Firewall?
IPv6
NAT
How Packets are handled by FortiOS
FortiGate Modes
Quality of Service
Interfaces and Zones
Firewall objects
UUID Support
Addresses
Address Groups
Virtual IPs
Virtual IP Groups
IP Pools
Services and TCP ports
Firewall schedules
Schedule Groups
Security policies
Firewall policies
Security profiles
SSL/SSH Inspection
Identity Based Policies
VPN Policies
Interface Policies
DoS Protection
Local-In Policies
Security Policy 0
Deny Policies
Accept Policies
Fixed Port
Endpoint Security
Traffic Logging
Quality of Service
Policy Monitor
Network defense
Monitoring
Blocking external probes
Defending against DoS attacks
GUI & CLI - What You May Not Know
Mouse Tricks
Changing the default column setting on the policy page
Naming Rules and Restrictions
Character Restrictions
Numeric Values
Selecting options from a list
Enabling or disabling options
To Enable or Disable Optionally Displayed Features
Building firewall objects and policies
Example: IPv4 Firewall Addresses
Example: IPv6 Firewall Addresses
Example: FQDN address
Changing the TTL of a FQDN address
Example: Geography-based Address
Example: IPv4 Address Group
Example: IPv6 Address Group
Example: Multicast Address
Example: Service Category
Example: TCP/UDP/SCTP Service
Example: ICMP Service
Example: ICMPv6 Service
Example: Service Group
Example: Virtual IP address
Example: IP Pool
Example: Central NAT Table
Example: Firewall Schedule - Recurring
Example: Firewall Schedule - One-time
Example: Schedule Group
Example: Proxy Option
Example: DoS Policy
Multicast forwarding
Sparse mode
Dense mode
Multicast IP addresses
PIM Support
Multicast forwarding and FortiGate units
Configuring FortiGate multicast forwarding
Multicast routing examples
Chapter 10 - FortiView
Introduction
Overview
Enabling FortiView
Dashboard Interface
FortiView consoles
Sources
Applications
Cloud Applications
Destinations
Web Sites
Threats
All Sessions
System Events
Admin Logins
VPN
Reference
Filtering options
Drilldown options
Columns displayed
Risk level indicators
Troubleshooting FortiView
Chapter 11 - Hardening
Hardening your FortiGate
Install the FortiGate unit in a physically secure location
Maintain the firmware
Add new administrator accounts
Change the admin account name and limit access to this account
Only allow administrative access to the external interface when needed
When enabling remote access, configure Trusted Hosts and Two-factor Authentication
Change the default administrative port to a non-standard port
Modify the device name
Register with support services
Maintain short login timeouts
Enable automatic clock synchronization
Enable Password Policy
Modify administrator account Lockout Duration and Threshold values
Disable auto installation via USB
Configure auditing and logging
Chapter 12 - Hardware Acceleration
Introduction
Hardware acceleration overview
NP6 Acceleration
FortiGate NP6 architectures
FortiGate-300D fast path architecture
FortiGate-400D fast path architecture
FortiGate-500D fast path architecture
FortiGate-600D fast path architecture
FortiGate-800D fast path architecture
FortiGate-900D fast path architecture
FortiGate-1000D fast path architecture
FortiGate-1200D fast path architecture
FortiGate-1500D fast path architecture
FortiGate-1500DT fast path architecture
FortiGate-3000D fast path architecture
FortiGate-3100D fast path architecture
FortiGate-3200D fast path architecture
FortiGate-3700D fast path architecture
FortiGate-3700DX fast path architecture
FortiGate-3810D fast path architecture
FortiGate-3815D fast path architecture
FortiGate-5001D fast path architecture
FortiController-5902D fast path architecture
NP4 Acceleration
FortiGate NP4 architectures
NP4 and NP6 diagnose commands
Chapter 13 - High Availability
Introduction
Solving the High Availability problem
An introduction to the FGCP
About the FGCP
Synchronizing the configuration (and settings that are not synchronized)
Preparing the FortiGates before you set up a FGCP cluster
Configuring FortiGate units for FGCP HA operation
Active-passive and active-active HA
Identifying the cluster and cluster units
Device failover, link failover, and session failover
Primary unit selection
HA override
FortiGate HA compatibility with DHCP and PPPoE
HA and distributed clustering
Clusters of three or four FortiGate units
Disk storage configuration and HA
FGCP high availability best practices
FGCP HA terminology
HA GUI options
FGCP configuration examples and troubleshooting
About the examples in this chapter
How to set up FGCP clustering (recommended steps)
Setting up two new FortiGates as an FGCP cluster
Adding a new FortiGate to an operating cluster
Active-active HA cluster in Transparent mode
FortiGate-5000 active-active HA cluster with FortiClient licenses
Example converting a standalone FortiGate unit to a cluster
Example replacing a failed cluster unit
Example FGCP HA and 802.3ad aggregated interfaces
Example HA and redundant interfaces
Troubleshooting HA clusters
Virtual clusters
Full mesh HA
Operating a cluster
HA and failover protection
HA and load balancing
HA with third-party products
VRRP
FortiGate Session Life Support Protocol (FGSP)
Configuring FRUP
Chapter 14 - IPsec VPN
Introduction
IPsec VPN concepts
VPN tunnels
VPN gateways
Clients, servers, and peers
Encryption
Authentication
Phase 1 and Phase 2 settings
Security Association
IKE and IPsec packet processing
IPsec VPN overview
Types of VPNs
Planning your VPN
General preparation steps
How to use this guide to configure an IPsec VPN
IPsec VPN in the web-based manager
Auto Key (IKE)
Concentrator
IPsec Monitor
Phase 1 parameters
Overview
Defining the tunnel ends
Choosing Main mode or Aggressive mode
Authenticating the FortiGate unit
Authenticating remote peers and clients
Defining IKE negotiation parameters
Using XAuth authentication
Dynamic IPsec route control
Phase 2 parameters
Phase 2 settings
Configuring the Phase 2 parameters
Defining VPN security policies
Defining policy addresses
Defining VPN security policies
Gateway-to-gateway configurations
Configuration overview
General configuration steps
Configuring the two VPN peers
How to work with overlapping subnets
Testing
Hub-and-spoke configurations
Configuration overview
Configure the hub
Configure the spokes
Dynamic spokes configuration example
Dynamic DNS configuration
Dynamic DNS over VPN concepts
Dynamic DNS topology