FortiOS-6 2 0-Cookbook PDF
Version 6.2.0
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com
FORTINET VIDEO GUIDE
https://video.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com
FORTINET COOKBOOK
https://cookbook.fortinet.com
FORTINET TRAINING & CERTIFICATION PROGRAM
https://www.fortinet.com/support-and-training/training.html
NSE INSTITUTE
https://training.fortinet.com
FORTIGUARD CENTER
https://fortiguard.com/
END USER LICENSE AGREEMENT
https://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK
Email: [email protected]
April 5, 2019
FortiOS 6.2.0 Cookbook
01-620-538742-20190405
TABLE OF CONTENTS
What's New 9
Getting Started 10
Differences between models 10
Using the GUI 10
Connecting using a web browser 11
Menus 11
Dashboard 12
Feature Visibility 14
Tables 15
Text strings 16
Using the CLI 17
Connecting to the CLI 17
CLI-only features 21
Command syntax 21
Sub-commands 25
Permissions 28
Tips 28
FortiExplorer for iOS 34
Getting started with FortiExplorer 35
Running a Security Fabric Rating 37
Connecting FortiExplorer to a FortiGate via WiFi 38
Upgrading to FortiExplorer Pro 38
LED specifications 39
Basic administration 41
Registration 41
System settings 41
Passwords 45
Configuration backups 46
Firmware 49
Downloading 50
Testing 50
Upgrading firmware 52
Reverting 53
Installation from system reboot 54
Restoring from a USB key 55
Controlled upgrade 56
FortiGuard 56
FortiCloud 63
Troubleshooting your installation 65
Security Fabric 68
Deploy Security Fabric 68
Security Fabric over IPsec VPN 75
Viewing and controlling network risks via topology view 81
FortiView 86
FortiView from disk 86
Prerequisites 86
Restrictions 86
Configuration 86
Source View 87
Troubleshooting 89
Network Configurations 90
DNS 90
Introduction 90
DNS local domain list 93
Using FortiGate as a DNS server 94
FortiGuard DDNS 96
SD-WAN 99
Basic SD-WAN setup 99
Creating the SD-WAN interface 99
Implicit rule 102
WAN path control 106
Performance SLA - link monitoring 106
Performance SLA - SLA targets 107
SD-WAN rules - best quality 108
SD-WAN rules - lowest cost (SLA) 111
SD-WAN rules - maximize bandwidth (SLA) 113
MPLS (SIP and backup) + DIA (cloud apps) 116
SD-WAN traffic shaping and QoS with SD-WAN 118
Advanced configuration 123
Per packet distribution and tunnel aggregation 123
Forward error correction on VPN overlay networks 128
Using BGP tags with SD-WAN rules 130
System Configurations 134
Administrators 134
Administrator profiles 134
Add a local administrator 136
Remote authentication for administrators 136
Password policy 138
Interface 140
Interface settings 140
VLANs 142
Enhanced MAC VLANs 147
Inter-VDOM routing 150
Software switch 154
Zone 156
Virtual Wire Pair 158
Virtual Domains 160
Split-task VDOM mode 160
Multi VDOM mode 164
Configure VDOM-A 167
Multiple FortiSwitches in tiers via aggregate interface with redundant link enabled 561
Multiple FortiSwitches in tiers via aggregate interface with MCLAG enabled only on distribution 564
HA (A-P) mode FortiGate pairs as switch controller 568
Multiple FortiSwitches managed via hardware/software switch 568
Multiple FortiSwitches in tiers via aggregate interface with redundant link enabled 573
Multiple FortiSwitches in tiers via aggregate interface with MCLAG enabled only on distribution 577
Log and Report 582
Configure multiple FortiAnalyzers on a multi-VDOM FortiGate 582
Diagnose command to check FortiAnalyzer connectivity 583
Supported log types to FortiAnalyzer, Syslog, and FortiAnalyzer Cloud 584
Sandbox Inspection 586
What is Sandbox inspection? 586
FAQ for Sandbox inspection 586
FortiSandbox Appliance or FortiSandbox Cloud 587
Recipes for Sandbox inspection 588
AntiVirus 588
Upcoming recipes 611
Change Log 613
For details about new features, see the FortiOS 6.2.0 New Features Guide. New features are organized into the
following sections:
- Expanding fabric family
- Fabric connectors
- SD-WAN
- Multi-Cloud
- Automation and dev-ops
- Advanced threats
- IOT & OT
- SOC adoption
- Compliance
- UX / Usability
- Other
This section explains how to get started with a FortiGate and examines basic configuration tasks and best practices.
Before you get started, note that not all FortiGate models have the same features. This is especially true of the desktop
or entry-level models: FortiGate / FortiWiFi models 30 to 90. If you are using one of these FortiGate models, you may
have some difficulties accessing certain features.
The entry-level, or desktop, models can connect to the internet in two simple steps. They also have a number of
features that are only available using the CLI, rather than appearing in the GUI.
Consult your model's QuickStart Guide, hardware manual, or the Feature / Platform Matrix
for further information about features that vary by model.
FortiGate models differ principally by the names used and the features available:
- Naming conventions may vary between FortiGate models. For example, on some models the hardware switch
  interface used for the local area network is called lan, while on other units it is called internal.
- Certain features are not available on all models. Additionally, a particular feature may be available only through the
  CLI on some models, while that same feature may be viewed in the GUI on other models.
If you believe your FortiGate model supports a feature that does not appear in the GUI, go to System > Feature
Visibility and confirm that the feature is enabled. For more information, see Feature Visibility on page 14.
This section presents an introduction to the graphical user interface (GUI) on your FortiGate.
The following topics are included in this section:
- Connecting using a web browser
- Menus
- Dashboard
- Feature Visibility
- Tables
- Text strings
The graphical user interface is best displayed using a 1280 x 1024 resolution. Check the
FortiOS Release Notes for information about browser compatibility.
In order to connect to the GUI using a web browser, an interface must be configured to allow administrative access over
HTTPS or over both HTTPS and HTTP. By default, an interface has already been set up that allows HTTPS access, with
the IP address 192.168.1.99.
Browse to https://192.168.1.99 and enter your username and password. If you have not changed the admin account’s
password, use the default user name, admin, and leave the password field blank.
Menus
If you believe your FortiGate model supports a menu that does not appear in the GUI as
expected, go to System > Feature Visibility and ensure the feature is enabled. For more
information, see Feature Visibility on page 14.
The GUI contains the following main menus, which provide access to configuration options for most FortiOS features:
Dashboard The dashboard displays various widgets that display important system
information and allow you to configure some system options.
For more information, see Dashboard on page 12.
Security Fabric Access the physical topology, logical topology, audit, and settings features of the
Fortinet Security Fabric.
For more information, see Security Fabric on page 68.
FortiView A collection of dashboards and logs that give insight into network traffic, showing
which users are creating the most traffic, what sort of traffic it is, when the traffic
occurs, and what kind of threat the traffic may pose to the network.
Network Options for networking, including configuring system interfaces and routing
options.
For more information, see Network Configurations on page 90.
Policy & Objects Configure firewall policies, protocol options, and supporting content for policies,
including schedules, firewall addresses, and traffic shapers.
For more information, see Policies and Objects on page 199.
Security Profiles Configure your FortiGate's security features, including AntiVirus, Web Filtering,
and Application Control.
For more information, see Security Profiles on page 254.
VPN Configure options for IPsec and SSL virtual private networks (VPNs).
For more information, see IPsec VPNs on page 296 and SSL VPN on page 455.
User & Device Configure user accounts, groups, and authentication methods, including external
authentication and single sign-on (SSO).
WiFi & Switch Controller Configure the unit to act as a wireless network controller, managing the wireless
Access Point (AP) functionality of FortiWiFi and FortiAP units.
On certain FortiGate models, this menu has additional features allowing for
FortiSwitch units to be managed by the FortiGate.
For more information, see WiFi on page 520.
Monitor View a variety of monitors, including the Routing Monitor, VPN monitors for both
IPsec and SSL, monitors relating to wireless networking, and more.
Dashboard
The FortiOS Dashboard consists of a Network Operations Center (NOC) view with a focus on alerts. Widgets are
interactive. By clicking or hovering over most widgets, the user can see additional information or follow links to other
pages.
The dashboard and its widgets include:
- Multiple dashboard support
- VDOM and global dashboards
- Widget resize control
- Notifications on the top header bar
The following widgets are displayed by default:
Widget Description
System Information The System Information widget lists information relevant to the FortiGate system,
including hostname, serial number, and firmware.
Security Fabric The Security Fabric widget displays a visual summary of many of the devices in the
Fortinet Security Fabric.
CPU The real-time CPU usage is displayed for different time frames.
Licenses Hovering over the Licenses widget results in the display of status information (and,
where applicable, database information) on the licenses for FortiCare Support,
Firmware & General Updates, AntiVirus, Web Filtering, Security Rating,
FortiClient, and FortiToken. Note that Mobile Malware is not a separate service in
FortiOS 6.0.0. The Mobile Malware subscription is included with the AntiVirus
subscription. Clicking in the Licenses widget provides you with links to other pages, such
as System > FortiGuard or contract renewal pages.
FortiCloud This widget displays FortiCloud status and provides a link to activate FortiCloud.
Memory Real-time memory usage is displayed for different time frames. Hovering over any point
on the graph displays percentage of memory used along with a timestamp.
Sessions Hovering over the Sessions widget allows you to view memory usage data over time.
Click on the down arrow to change the timeframe displayed.
Security processing unit, or SPU, percentage is displayed if your FortiGate includes an
SPU. Likewise, nTurbo percentage is displayed if supported by your FortiGate.
Bandwidth Hover over the Bandwidth widget to display bandwidth usage data over time. Click on
the down arrow to change the timeframe displayed. Bandwidth is displayed for both
incoming and outgoing traffic.
Virtual Machine The VM widget (shown by default in the dashboard of a FortiOS VM device) includes:
- License status and type
- CPU allocation usage
- License RAM usage
- VMX license information (if the VM supports VMX)
If the VM license specifies 'unlimited' the progress bar is blank. If the VM is in evaluation
mode, it is yellow (warning style) and the dashboard shows the number of evaluation days
used.
Dashboard widget titles can be modified so that widgets with different filters applied can be easily differentiated. The
widget has a default title unless you set a new title.
Syntax
Feature Visibility
Feature Visibility is used to control which features are visible in the GUI. This allows you to hide features that are not
being used. Some features are also disabled by default and must be enabled in order to configure them through the
GUI.
Feature Visibility only alters the visibility of these features, rather than their functionality. For example, disabling web
filtering on the Feature Visibility page does not remove web filtering from the FortiGate, but removes the option of
configuring web filtering from the GUI. Configuration options will still be available using the CLI.
Enabling/disabling features
Feature Visibility can be found at System > Feature Visibility. Ensure that all features you wish to configure in the
GUI are turned on, and that features you wish to hide are turned off. When you have finished, select Apply.
The main security features can be toggled individually, however six system presets (or Feature Sets) are available:
- NGFW should be chosen for networks that require application control and protection from external attacks.
- ATP should be chosen for networks that require protection from viruses and other external threats.
- WF should be chosen for networks that require web filtering.
- NGFW + ATP should be chosen for networks that require protection from external threats and attacks.
- UTM should be chosen for networks that require protection from external threats and wish to use security features
  that control network usage. This is the default setting.
- Custom should be chosen for networks that require customization of available features (including the ability to
  select all features).
Tables
Many of the GUI pages contain tables of information that you can filter to display specific information. Administrators
with read and write access can define the filters.
Navigation
Some tables contain information and lists that span multiple pages. Navigation controls appear at the bottom of the
page.
Filters
Filters are used to locate a specific set of information or content within multiple pages. These are especially useful in
locating specific log entries. The specific filtering options vary, depending on the type of information in the log.
To create a filter, select Add Filter at the top of the page. A list of the available fields for filtering will be shown.
Column settings
Column settings are used to select the types of information displayed on a certain page. Some pages have large
amounts of information available and not all content can be displayed on a single screen. Some pages may even
contain content that is irrelevant to you. Using column settings, you can choose to display only relevant content.
To configure column settings, right-click the header of a column and select the columns you wish to view and
deselect any you wish to hide. After you have finished making your selections, click Apply (you may need to scroll down
the list to do so).
Any changes that you make to the column settings are stored in the unit’s configuration. To return columns to the
default state for any given page, right-click any header and select Reset Table.
Copying objects
In tables containing configuration objects, such as the policy table found at Policy & Objects > IPv4 Policy, you have
the option to copy an object. This allows you to create a copy of that object, which you can then configure as needed.
You can also reverse copy a policy to change the direction of the traffic impacted by that policy.
To copy an object:
1. Select that object, then right-click to make a menu appear and select the Copy option.
2. Right-click the row in the table that is either above or below where you want the copied object to be placed, select
the Paste option and indicate Above or Below.
Reverse cloning works much the same way. Instead of selecting Copy, select Clone Reverse.
Once the policy is copied, you must give it a name, configure as needed, and enable it.
Editing objects
Some tables allow you to edit parts of the configuration directly on the table itself. For example, security features can be
added to an existing firewall policy from the policy list by clicking on the plus sign in the Security Profiles column and
selecting the desired profiles.
If this option is not immediately available, check to see that the column is not hidden (see Column settings). Otherwise,
you must select the object and open the policy by selecting the Edit option found at the top of the page.
Text strings
The configuration of a FortiGate is stored in the FortiOS configuration database. To change the configuration, you can
use the GUI or CLI to add, delete, or change configuration settings. These changes are stored in the database as you
make them. Individual settings in the configuration database can be text strings, numeric values, selections from a list
of allowed options, or on/off (enable/disable) settings.
Text strings are used to name entities in the configuration. For example, the name of a firewall address, the name of an
administrative user, and so on. You can enter any character in a FortiGate configuration text string, except the following
characters that present cross-site scripting (XSS) vulnerabilities:
- “ (double quote)
- & (ampersand)
- ' (single quote)
- < (less than)
- > (greater than)
Most GUI text string fields make it easy to add an acceptable number of characters and prevent you from adding the
XSS vulnerability characters.
There is a different character limitation for VDOM names and hostnames. The only valid
characters are numbers (0-9), letters (a-z, A-Z), and special characters - (dash) and _
(underscore).
You can also use the tree command in the CLI to view the number of characters allowed in a name field. For example,
firewall address names can contain up to 64 characters. When you add a firewall address to the GUI, you are limited to
entering 64 characters in the firewall address name field. From the CLI you can enter the following tree command to
confirm that the firewall address name field allows 64 characters.
config firewall address
tree
-- [address] --*name (64)
|- uuid
|- subnet
|- type
|- start-ip
|- end-ip
|- fqdn (256)
|- country (3)
|- cache-ttl (0,86400)
|- wildcard
|- comment
|- visibility
|- associated-interface (36)
|- color (0,32)
|- [tags] --*name (65)
+- allow-routing
The tree command output also shows the number of characters allowed for other firewall address name settings. For
example, the fully qualified domain name (fqdn) field can contain up to 256 characters.
Numeric values set various sizes, rates, addresses, and other numeric values (e.g. a static routing priority of 10, a port
number of 8080, an IP address of 10.10.10.1). Numeric values can be entered as a series of digits without spaces or
commas (for example, 10 or 64400), in dotted decimal format (for example the IP address 10.10.10.1) or, as in the case
of MAC or IPv6 addresses, separated by colons (e.g. the MAC address 00:09:0F:B7:37:00). Most numeric values are
standard base 10 numbers, but some fields, such as MAC addresses, require hexadecimal numbers.
Most GUI numeric value fields make it easy to add the acceptable number of digits within the allowed range. CLI help
text includes information about allowed numeric value ranges. Both the GUI and the CLI prevent you from entering
invalid numbers.
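As an added example (not part of the cookbook and not Fortinet code), the following Python script applies the text string and numeric value rules just described: it derives the length and range limits from the page's own tree output for config firewall address, refuses the five XSS-sensitive characters in name fields, restricts hostnames and VDOM names to the characters listed above, and accepts numeric values only in the digit, dotted-decimal, or colon-separated hexadecimal forms. The values it checks are constructed for the example.

```python
"""Validators for FortiOS configuration values following the text string and
numeric value rules on this page. Added example, not Fortinet code. The tree
text below reproduces the constrained lines of the page's own `tree` output
for `config firewall address`; the values checked are constructed."""

import ipaddress
import re

# Lines of the `tree` output that carry a constraint: (64) is a maximum
# length, (0,86400) an inclusive numeric range.
TREE_OUTPUT = """\
-- [address] --*name (64)
   |- fqdn (256)
   |- country (3)
   |- cache-ttl (0,86400)
   |- associated-interface (36)
   |- color (0,32)
   |- [tags] --*name (65)
   +- allow-routing
"""

TREE_LINE = re.compile(r"(?:\[(?P<table>[\w-]+)\] --\*)?(?P<field>[\w-]+) \((?P<spec>[^)]+)\)")

# Characters refused in text strings because they present XSS risks
XSS_CHARS = frozenset('"&\'<>')
# VDOM names and hostnames: digits, letters, dash and underscore only
HOSTNAME_RE = re.compile(r"[0-9A-Za-z_-]+")
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")


def parse_tree_limits(tree_text):
    """Map 'table.field' to ('len', n) or ('range', lo, hi) from tree output."""
    limits, table = {}, None
    for line in tree_text.splitlines():
        m = TREE_LINE.search(line)
        if not m:
            continue                       # e.g. allow-routing: no constraint shown
        scope = m.group("table") or table  # [tags] is a nested table of its own
        table = table or scope
        nums = [int(x) for x in m.group("spec").split(",")]
        limits[f"{scope}.{m.group('field')}"] = (
            ("len", nums[0]) if len(nums) == 1 else ("range", nums[0], nums[1]))
    return limits


def check_text_string(value, field, limits):
    """Problems with a name-type field: empty, XSS characters, over length."""
    problems = []
    if not value:
        problems.append("empty string")
    bad = sorted(set(value) & XSS_CHARS)
    if bad:
        problems.append("contains XSS-sensitive character(s): " + " ".join(bad))
    limit = limits.get(field, ("len", None))
    if limit[0] == "len" and limit[1] is not None and len(value) > limit[1]:
        problems.append(f"{len(value)} characters exceeds limit of {limit[1]}")
    return problems


def check_hostname(value):
    """VDOM names and hostnames accept only 0-9, a-z, A-Z, '-' and '_'."""
    if not value:
        return ["empty string"]
    if not HOSTNAME_RE.fullmatch(value):
        return ["only letters, digits, '-' and '_' are allowed"]
    return []


def check_numeric(value, field=None, limits=None):
    """Accept digits only (no spaces or commas), a dotted-decimal IPv4
    address, or a colon-separated hexadecimal MAC; enforce a known range."""
    if re.fullmatch(r"[0-9]+", value):
        n = int(value)
        limit = (limits or {}).get(field)
        if limit and limit[0] == "range" and not limit[1] <= n <= limit[2]:
            return [f"{n} is outside the allowed range {limit[1]}-{limit[2]}"]
        return []
    if MAC_RE.fullmatch(value):
        return []
    try:
        ipaddress.IPv4Address(value)
        return []
    except ValueError:
        return [f"{value!r} is not digits, a dotted-decimal IPv4 address, or a MAC address"]
```

Each checker returns a list of problems, so an empty list means the value would be accepted; the limits dictionary can be rebuilt from the tree output of any other table to reuse the same checks elsewhere.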
The command line interface (CLI) is an alternative configuration tool to the GUI. While the configuration of the
GUI uses a point-and-click method, the CLI requires typing commands or uploading batches of commands from a text
file, like a configuration script.
This section explains common CLI tasks that an administrator performs on a regular basis and includes the topics:
- Connecting to the CLI on page 17
- CLI-only features on page 21
- Command syntax on page 21
- Sub-commands on page 25
- Permissions on page 28
- Tips on page 28
- Restoring the firmware utilizes a boot interrupt. Network access to the CLI is not available until after the boot
  process has completed, making local CLI access the only viable option.
- SSH or Telnet access — Connect your computer through any network interface attached to one of the network
  ports on your FortiGate. The network interface must have enabled Telnet or SSH administrative access if you
  connect using an SSH/Telnet client, or HTTP/HTTPS administrative access if you connect by accessing the CLI
  Console in the GUI. The CLI console can be accessed from the upper-right hand corner of the screen and appears
  as a slide-out window.
- FortiExplorer — Use the FortiExplorer app on your iOS device to configure, manage, and monitor your FortiGate.
Local console
Local console connections to the CLI are formed by directly connecting your management computer or console to the
FortiGate unit, using its DB-9 or RJ-45 console port. To connect to the local console you need:
- A computer with an available serial communications (COM) port.
- The RJ-45-to-DB-9 or null modem cable included in your FortiGate package.
- Terminal emulation software such as HyperTerminal for Microsoft Windows.
The following procedure describes the connection using Microsoft HyperTerminal software; steps may vary with other
terminal emulators.
1. Using the null modem or RJ-45-to-DB-9 cable, connect the FortiGate unit’s console port to the serial
communications (COM) port on your management computer.
2. On your management computer, start HyperTerminal.
3. For the Connection Description, enter a Name for the connection, and select OK.
4. On the Connect using drop-down, select the communications (COM) port on your management computer you are
using to connect to the FortiGate unit.
5. Select OK.
6. Select the following Port settings and select OK.
Data bits 8
Parity None
Stop bits 1
SSH or Telnet access to the CLI is accomplished by connecting your computer to the FortiGate unit using one of its
RJ-45 network ports. You can either connect directly, using a peer connection between the two, or through any
intermediary network.
If you do not want to use an SSH/Telnet client and you have access to the GUI, you can
alternatively access the CLI through the network using the CLI Console widget in the GUI.
You must enable SSH and/or Telnet on the network interface associated with that physical network port. If your
computer is not connected directly or through a switch, you must also configure the FortiGate unit with a static route to a
router that can forward packets from the FortiGate unit to your computer. You can do this using either a local console
connection or the GUI.
Requirements
- A computer with an available serial communications (COM) port and RJ-45 port
- Terminal emulation software such as HyperTerminal for Microsoft Windows
- The RJ-45-to-DB-9 or null modem cable included in your FortiGate package
- A network cable
- Prior configuration of the operating mode, network interface, and static route.
To enable SSH or Telnet access to the CLI using a local console connection
1. Using the network cable, connect the FortiGate unit’s network port either directly to your computer’s network port,
or to a network through which your computer can reach the FortiGate unit.
2. Note the number of the physical network port.
3. Using a local console connection, connect and log into the CLI.
4. Enter the following command:
config system interface
    edit <interface_str>
        set allowaccess <protocols_list>
end
where:
- <interface_str> is the name of the network interface associated with the physical network port and
  containing its number, such as port1.
- <protocols_list> is the complete, space-delimited list of permitted administrative access protocols, such
  as https ssh telnet.
5. To confirm the configuration, enter the command to display the network interface’s settings:
show system interface <interface_str>
6. The CLI displays the settings, including the allowed administrative access protocols, for the network interfaces.
Once the FortiGate unit is configured to accept SSH connections, you can use an SSH client on your management
computer to connect to the CLI.
Secure Shell (SSH) provides both secure authentication and secure communications to the CLI. FortiGate units support
3DES and Blowfish encryption algorithms for SSH.
Before you can connect to the CLI using SSH, you must first configure a network interface to accept SSH connections.
The following procedure uses PuTTY. Steps may vary with other SSH clients.
If three incorrect login or password attempts occur in a row, you will be disconnected. If this
occurs, wait one minute, then reconnect to attempt the login again.
Once the FortiGate unit is configured to accept Telnet connections, you can use a Telnet client on your management
computer to connect to the CLI.
Telnet is not a secure access method. SSH should be used to access the CLI from the
Internet or any other untrusted network.
Before you can connect to the CLI using Telnet, you must first configure a network interface to accept Telnet
connections.
If three incorrect login or password attempts occur in a row, you will be disconnected. If this
occurs, wait one minute, then reconnect to attempt the login again.
CLI-only features
As you can see in the Feature / Platform Matrix, the entry level models have a number of features that are only
available using the CLI, rather than appearing in the GUI.
You can open the CLI console so that it automatically opens to the object you wish to configure. For example, to edit a
firewall policy, right-click on the policy in the policy list (Policy & Objects > IPv4 Policy) and select Edit in CLI. The
CLI console will appear, with the commands to access this part of the configuration added automatically.
Once you have access to the CLI, you can enter instructions for specific tasks that can be found throughout the FortiOS
Handbook. Options are also available at the top of the CLI Console to Clear console, Download, and Copy to
clipboard.
Refer to the CLI Reference for a list of the available commands.
Command syntax
When entering a command, the CLI console requires that you use valid syntax and conform to expected input
constraints. It will reject invalid commands.
Fortinet documentation uses the conventions below to describe valid command syntax.
Terminology
Each command line consists of a command word that is usually followed by configuration data or other specific item that
the command uses or affects.
To describe the function of each word in the command line, especially if that nature has changed between firmware
versions, Fortinet uses terms with the following definitions:
- Command — A word that begins the command line and indicates an action that the FortiGate should perform on a
  part of the configuration or host on the network, such as config or execute. Together with other words, such as
  fields or values, that end when you press the Enter key, it forms a command line. Exceptions include multiline
  command lines, which can be entered using an escape sequence. Valid command lines must be unambiguous if
  abbreviated. Optional words or other command line permutations are indicated by syntax notation.
- Sub-command — A config sub-command that is available only when nested within the scope of another
  command. After entering a command, its applicable sub-commands are available to you until you exit the scope of
  the command, or until you descend an additional level into another sub-command. Indentation is used to indicate
  levels of nested commands. Not all top-level commands have sub-commands. Available sub-commands vary by
  their containing scope.
- Object — A part of the configuration that contains tables and/or fields. Valid command lines must be specific
  enough to indicate an individual object.
- Table — A set of fields that is one of possibly multiple similar sets which each have a name or number, such as an
  administrator account, policy, or network interface. These named or numbered sets are sometimes referenced by
  other parts of the configuration that use them.
- Field — The name of a setting, such as ip or hostname. Fields in some tables must be configured with values.
  Failure to configure a required field will result in an invalid object configuration error message, and the FortiGate
  will discard the invalid table.
- Value — A number, letter, IP address, or other type of input that is usually your configuration setting held by a
  field. Some commands, however, require multiple input values which may not be named but are simply entered in
  sequential order in the same command line. Valid input types are indicated by constraint notation.
- Option — A kind of value that must be one or more words from a fixed set of options.
Indentation
Indentation indicates levels of nested commands, which indicate what other sub-commands are available from within
the scope. The “next” and “end” lines are used to maintain a hierarchy and flow to CLI commands, especially helping
to distinguish those commands with extensive sub-commands.
The "next" line is entered at the same indentation-level as the previous “edit”, to mark where you would like to finish
that table entry and move on to the next table entry; doing so will not mean that you have “left” that sub-command.
next
After entering settings for <2> and entering next, the <2> table entry has been saved, and you will be set back one level of
indentation so you can continue to create more entries (if you wish).
This hierarchy is best indicated in the CLI console, as the example below is what displays in the console after entering
next:
To go back up an indentation level from this point on (i.e. to finish configuring the entries
sub-command), you cannot enter next; you must enter end.
end
Below is the same command and sub-command, except end has been entered instead of next after the sub-command:
Entering end will save the <2> table entry, but bring you out of the sub-command entirely; in this example, you would
enter this when you don’t wish to continue creating new entries.
Again, your hierarchy is best indicated by the CLI console. Below is what displays in the console after entering end:
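To make the next/end behaviour concrete without the console screenshots, here is an added Python example (not Fortinet code and not part of the cookbook) that reads FortiOS CLI text and records the scope path after each line, the way the CLI prompt changes: next closes the current table entry and returns you to the table, while end closes any open entry and leaves the config scope. The parsed result is then used for the check a practitioner wants after the SSH and Telnet procedures earlier in this section: listing interfaces whose allowaccess includes cleartext protocols. The configuration text is constructed for the example, and treating http and telnet as insecure is the editor's assumption, consistent with the note above that Telnet is not a secure access method.

```python
"""Scope-tracking reader for FortiOS CLI text that shows what `next` and
`end` do, plus a hardening check over the parsed `system interface` table.
Added example for this cookbook page, not Fortinet code. SAMPLE_CONFIG is
constructed; the set of insecure protocols is an assumption."""

# Constructed sample in the form `show system interface` prints it
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess https ssh
        set status up
    next
    edit "port2"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https http telnet
        set status up
    next
    edit "port3"
        set allowaccess ping
        set status down
    next
end
"""

# Assumption: cleartext administrative protocols that should not be exposed
INSECURE_ADMIN_PROTOCOLS = frozenset({"http", "telnet"})


def parse_cli(text, trace=None):
    """Build nested dicts from config/edit/set/unset/next/end lines.

    `next` saves the open table entry and steps back one level, leaving you
    in the table to edit another entry. `end` saves any open entry as well
    and leaves the enclosing config scope entirely. Indentation is ignored;
    only the keywords change scope. If `trace` is a list, the scope path
    after each line is appended to it (what the CLI prompt would reflect).
    """
    root = {}
    stack = [("root", "", root)]        # (kind, name, mapping), innermost last
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        word, _, rest = line.partition(" ")
        kind, _, current = stack[-1]
        if word == "config":
            # open a table scope; allowed at top level or inside an entry
            stack.append(("config", rest, current.setdefault(rest, {})))
        elif word == "edit":
            if kind != "config":
                raise ValueError(f"'edit' outside a config scope: {raw!r}")
            name = rest.strip('"')
            stack.append(("edit", name, current.setdefault(name, {})))
        elif word == "set":
            field, _, value = rest.partition(" ")
            current[field] = value.split()
        elif word == "unset":
            current.pop(rest.strip(), None)
        elif word == "next":
            if kind != "edit":
                raise ValueError(f"'next' outside an edit scope: {raw!r}")
            stack.pop()
        elif word == "end":
            while stack[-1][0] == "edit":   # implicit save of the open entry
                stack.pop()
            if stack[-1][0] != "config":
                raise ValueError(f"'end' outside a config scope: {raw!r}")
            stack.pop()
        else:
            raise ValueError(f"unrecognized command word: {raw!r}")
        if trace is not None:
            trace.append(" > ".join(name for _, name, _ in stack[1:]))
    if len(stack) != 1:
        raise ValueError("unterminated scope: missing 'next' or 'end'")
    return root


def is_well_formed(text):
    """True when every scope opened by the text is closed by next/end."""
    try:
        parse_cli(text)
        return True
    except ValueError:
        return False


def audit_allowaccess(config, insecure=INSECURE_ADMIN_PROTOCOLS):
    """Return {interface: [insecure protocols]} for interfaces that allow
    cleartext administrative access, regardless of their status."""
    findings = {}
    for name, fields in config.get("system interface", {}).items():
        exposed = sorted(set(fields.get("allowaccess", [])) & insecure)
        if exposed:
            findings[name] = exposed
    return findings


if __name__ == "__main__":
    steps = []
    cfg = parse_cli(SAMPLE_CONFIG, trace=steps)
    for line, scope in zip(filter(None, map(str.strip, SAMPLE_CONFIG.splitlines())), steps):
        print(f"{line:45} -> ({scope or 'global'})")
    print("interfaces with insecure admin access:", audit_allowaccess(cfg))
```

Running the script prints the scope after each line, so the line after each next shows the table scope again while the line after end shows the global scope; the audit then reports port2, the one interface in the sample that permits http and telnet.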
Notation
Brackets, braces, and pipes are used to denote valid permutations of the syntax. Constraint notations, such as
<address_ipv4>, indicate which data types or string patterns are acceptable value input.
All syntax uses the following conventions:
Convention Description
Curly braces { } A word or series of words that is constrained to a set of options delimited by either
vertical bars or spaces. You must enter at least one of the options, unless the set
of options is surrounded by square brackets [ ].
Mutually exclusive options - delimited by vertical bars |    Both mutually and non-mutually exclusive commands will use
curly braces, as they provide multiple options; however, mutually exclusive commands will divide each option with a
pipe. This indicates that you are permitted to enter one option or the other:
{enable | disable}
Non-mutually exclusive options - delimited by spaces    Non-mutually exclusive commands do not use pipes to divide
their options. In those circumstances, multiple options can be entered at once, as long as they are entered with a
space separating each option:
{http https ping snmp ssh telnet}
Angle brackets < > A word constrained by data type. The angled brackets contain a descriptive name
followed by an underscore ( _ ) and suffix that indicates the valid data type. For
example, <retries_int>, indicates that you should enter a number of retries
as an integer.
Data types include:
- <xxx_name>: A name referring to another part of the configuration, such as
  policy_A.
- <xxx_index>: An index number referring to another part of the
  configuration, such as 0 for the first static route.
- <xxx_pattern>: A regular expression or word with wild cards that
  matches possible variations, such as *@example.com to match all email
  addresses ending in @example.com.
- <xxx_fqdn>: A fully qualified domain name (FQDN), such as
  mail.example.com.
- <xxx_email>: An email address, such as [email protected].
- <xxx_ipv4>: An IPv4 address, such as 192.168.1.99.
- <xxx_v4mask>: A dotted decimal IPv4 netmask, such as
  255.255.255.0.
- <xxx_ipv4mask>: A dotted decimal IPv4 address and netmask separated
  by a space, such as 192.168.1.99 255.255.255.0.
- <xxx_ipv4/mask>: A dotted decimal IPv4 address and CIDR-notation
  netmask separated by a slash, such as 192.168.1.1/24
- <xxx_ipv4range>: A hyphen ( - )-delimited inclusive range of IPv4
  addresses, such as 192.168.1.1-192.168.1.255.
- <xxx_ipv6>: A colon ( : )-delimited hexadecimal IPv6 address, such as
  3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.
- <xxx_v6mask>: An IPv6 netmask, such as /96.
- <xxx_ipv6mask>: A dotted decimal IPv6 address and netmask separated
  by a space.
- <xxx_str>: A string of characters that is not another data type, such as
  P@ssw0rd. Strings containing spaces or special characters must be
  surrounded in quotes or use escape sequences.
- <xxx_int>: An integer number that represents a metric, such as minutes_int
  for the number of minutes.
Any optional field is shown in square brackets, such as set comment, because it does not matter whether it is set or not: the overall config command is still accepted.
Square brackets are also used to show that multiple options can be set, even intermixed with ranges. The example below shows a field that can be set to either a specific value or range, or to multiple instances:
config firewall service custom
Sub-commands
Each command line consists of a command word that is usually followed by configuration data or other specific item that
the command uses or affects:
get system admin
Sub-commands are available from within the scope of some commands. When you enter a sub-command level, the
command prompt changes to indicate the name of the current command scope. For example, after entering:
config system admin
Applicable sub-commands are available to you until you exit the scope of the command, or until you descend an
additional level into another sub-command.
For example, the edit sub-command is available only within a command that affects tables; the next sub-command
is available only from within the edit sub-command:
config system interface
edit port1
set status up
next
end
clone <table>: Clone (or make a copy of) a table from the current object.
For example, in config firewall policy, you could enter the following command to clone security policy 27 to create security policy 30:
clone 27 to 30
In config antivirus profile, you could enter the following command to clone an antivirus profile named av_pro_1 to create a new antivirus profile named av_pro_2:
clone av_pro_1 to av_pro_2
clone may not be available for all tables.
delete <table>: Remove a table from the current object.
end: Save the changes to the current object and exit the config command. This returns you to the top-level command prompt.
get: List the configuration of the current object or table.
• In objects, get lists the table names (if present), or fields and their values.
• In a table, get lists the fields and their values.
For more information on get commands, see the CLI Reference.
purge: Remove all tables in the current object.
For example, in config user local, you could type get to see the list of user names, then type purge and then y to confirm that you want to delete all users. purge is only available for objects containing tables.
Caution: Back up the FortiGate before performing a purge. purge cannot be undone. To restore purged tables, the configuration must be restored from a backup.
Caution: Do not purge system interface or system admin tables. purge does not provide default tables. This can result in being unable to connect or log in, requiring the FortiGate to be formatted and restored.
show: Display changes to the default configuration. Changes are listed in the form of configuration commands.
edit admin_1
The CLI acknowledges the new table, and changes the command prompt to show that you are now within the admin_1
table:
new entry 'admin_1' added
(admin_1)#
abort: Exit both the edit and/or config commands without saving the fields.
end: Save the changes made to the current table or object fields, and exit the config command (to exit without saving, use abort instead).
move: Move an object within a list, when list order is important. For example, rearranging security policies within the policy list.
next: Save the changes you have made in the current table's fields, and exit the edit command to the object prompt (to save and exit completely to the root prompt, use end instead).
next is useful when you want to create or edit several tables in the same object, without leaving and re-entering the config command each time.
next is only available from a table prompt; it is not available from an object prompt.
show: Display changes to the default configuration. Changes are listed in the form of configuration commands.
To assign the value my1stExamplePassword to the password field, enter the following command from within the
admin_1 table:
set password my1stExamplePassword
Next, to save the changes and edit the next administrator's table, enter the next command.
Permissions
Access profiles control which CLI commands an administrator account can access. Access profiles assign either read,
write, or no access to each area of FortiOS. To view configurations, you must have read access. To make changes, you
must have write access. So, depending on the account used to log in to the FortiGate, you may not have complete
access to all CLI commands. For complete access to all commands, you must log in with an administrator account that
has the super_admin access profile. By default the admin administrator account has the super_admin access
profile.
Administrator accounts with the super_admin access profile are similar to a root administrator account that always has full permission to view and change all FortiGate configuration options, including viewing and changing all other administrator accounts and changing other administrator account passwords.
Set strong passwords for all administrator accounts (including the admin account) and change passwords regularly.
Tips
Basic features and characteristics of the CLI environment provide support and ease of use for many CLI tasks.
Help
To display brief help during command entry, press the question mark (?) key.
• Press the question mark (?) key at the command prompt to display a list of the commands available and a description of each command.
• Type a word or part of a word, then press the question mark (?) key to display a list of valid word completions or subsequent words, and to display a description of each.
Keys Action
Left or Right arrow: Move the cursor left or right within the command line.
Ctrl + C: Abort current interactive commands, such as when entering multiple lines. If you are not currently within an interactive command such as config or edit, this closes the CLI connection.
\ then Enter: Continue typing a command on the next line for a multiline command. For each line that you want to continue, terminate it with a backslash ( \ ). To complete the command line, terminate it by pressing the spacebar and then the Enter key, without an immediately preceding backslash.
Command abbreviation
You can abbreviate words in the command line to their smallest number of non-ambiguous characters.
For example, the command get system status could be abbreviated to g sy stat.
When adding options to a list, such as a user group, using the set command will remove the previous configuration.
For example, if you wish to add user D to a user group that already contains members A, B, and C, the command would
need to be set member A B C D. If only set member D was used, then all former members would be removed
from the group.
However, there are additional commands which can be used instead of set for changing options in a list.
For example, unselect member A would remove member A from a group while all other group members are retained.
Environment variables
The CLI supports the following environment variables. Variable names are case-sensitive.
$USERFROM: The management access type (ssh, telnet, jsconsole for the CLI Console widget in the GUI, and so on) and the IP address of the administrator that configured the item.
$USERNAME: The account name of the administrator that configured the item.
$SerialNum: The serial number of the FortiGate unit.
For example, the FortiGate unit's host name can be set to its serial number:
config system global
set hostname $SerialNum
end
Special characters
The following special characters, also known as reserved characters, are not permitted in most CLI fields: <, >, (, ), #,
', and ". You may be able to enter special characters as part of a string’s value by using a special command, enclosing
it in quotes, or preceding it with an escape sequence — in this case, a backslash ( \ ) character.
In other cases, different keystrokes are required to input a special character. If you need to enter ? as part of config, you
first need to input CTRL-V. If you enter ? without first using CTRL-V, the question mark has a different meaning in the
CLI; it will show available command options in that section.
For example, if you enter ? without CTRL-V:
edit "*.xe
token line: Unmatched double quote.
Character Keys
? (question mark): Ctrl + V then ?
(space): Precede the space with a backslash, for example Security\ Administrator.
' (single quote): \' (to be interpreted as part of a string value, not to end the string)
" (double quote): \" (to be interpreted as part of a string value, not to end the string)
\ (backslash): \\
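As an added example (not code from the cookbook or from FortiOS), the following Python tokenizer and parser implement the quoting and escaping rules in the table above together with the config/edit/set/next/end scoping rules described under Sub-commands. The single-quote error wording, the helper names and the sample configuration are assumptions constructed for the example.

```python
from __future__ import annotations

class CliSyntaxError(ValueError):
    """Raised for input the FortiOS CLI would reject."""

def tokenize(line: str) -> list[str]:
    """Split one CLI line into words, honouring quotes and backslash escapes."""
    tokens, cur, quote, have_token, i = [], [], None, False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])  # \\ \' \" and "\ " keep the next character literally
            have_token, i = True, i + 2
            continue
        if quote:
            if ch == quote:
                quote = None  # closing quote ends the quoted run
            else:
                cur.append(ch)
        elif ch in "'\"":
            quote, have_token = ch, True  # opening quote; an empty "" still yields a token
        elif ch.isspace():
            if have_token:
                tokens.append("".join(cur))
                cur, have_token = [], False
        else:
            cur.append(ch)
            have_token = True
        i += 1
    if quote == '"':
        raise CliSyntaxError("token line: Unmatched double quote.")  # wording shown on the page
    if quote == "'":
        raise CliSyntaxError("token line: Unmatched single quote.")  # assumed wording
    if have_token:
        tokens.append("".join(cur))
    return tokens

def check_line(line: str) -> str | None:
    """Error message for a malformed line, or None if it tokenizes cleanly."""
    try:
        tokenize(line)
    except CliSyntaxError as exc:
        return str(exc)
    return None

def quote_value(value: str) -> str:
    """Escape a value so that tokenize() returns it unchanged (the escapes from the table)."""
    return "".join("\\" + ch if ch in "\\'\" " else ch for ch in value)

def parse_config(text: str) -> dict:
    """Parse config/edit/set/next/end blocks into nested dicts: an object maps table names
    to tables (and object-level fields to value lists); a table maps each field to the
    list of values given to set."""
    root: dict = {}
    stack: list[tuple[str, dict]] = []  # (scope kind, mapping being filled)
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = tokenize(raw)
        if not words or words[0].startswith("#"):
            continue  # blank and comment lines
        cmd, args = words[0], words[1:]
        if cmd == "config":
            parent = stack[-1][1] if stack else root
            stack.append(("config", parent.setdefault(" ".join(args), {})))
        elif cmd == "edit":
            if not stack or stack[-1][0] != "config":
                raise CliSyntaxError(f"line {lineno}: edit is only available inside config")
            stack.append(("edit", stack[-1][1].setdefault(" ".join(args), {})))
        elif cmd == "set":
            if not stack or len(args) < 2:
                raise CliSyntaxError(f"line {lineno}: set needs a scope, a field and a value")
            stack[-1][1][args[0]] = args[1:]
        elif cmd == "next":
            if not stack or stack[-1][0] != "edit":
                raise CliSyntaxError(f"line {lineno}: next is only available at a table prompt")
            stack.pop()
        elif cmd == "end":
            if stack and stack[-1][0] == "edit":
                stack.pop()  # end from a table prompt saves and leaves the table as well
            if not stack:
                raise CliSyntaxError(f"line {lineno}: end outside any config")
            stack.pop()
        else:
            raise CliSyntaxError(f"line {lineno}: unknown command {cmd!r}")
    if stack:
        raise CliSyntaxError("config block not terminated with end")
    return root

# Constructed sample: the Sub-commands example plus an admin_1 table with an escaped comment.
SAMPLE = """\
config system interface
    edit port1
        set status up
    next
end
config system admin
    edit admin_1
        set password my1stExamplePassword
        set comment Security\\ Administrator
    next
end
"""
```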
In many cases, the get and show (and diagnose) commands may produce a large amount of output. If you are
looking for specific information in a large get or show command output, you can use the grep command to filter the
output to only display what you are looking for. The grep command is based on the standard UNIX grep, used for
searching text output based on regular expressions.
Use the following command to display the MAC address of the FortiGate unit internal interface:
get hardware nic internal | grep Current_HWaddr
Current_HWaddr 00:09:0f:cb:c2:75
Use the following command to display all TCP sessions in the session list and include the session list line number in the
output:
get system session list | grep -n tcp
Use the following command to display all lines in HTTP replacement message commands that contain URL (upper or
lower case):
show system replacemsg http | grep -i url
The option -f is also available to support contextual output, in order to show the complete configuration. The following
example shows the difference in output when -f option is used versus when it is not.
Using -f:
Characters such as ñ, é, symbols, and ideographs are sometimes acceptable input. Support varies by the nature of the
item being configured. CLI commands, objects, field names, and options must use their exact ASCII characters, but
some items with arbitrary names or values may be input using your language of choice. To use other languages in those
cases, you must use the correct encoding.
Input is stored using Unicode UTF-8 encoding but is not normalized from other encodings into UTF-8 before it is stored.
If your input method encodes some characters differently than in UTF-8, your configured items may not display or
operate as expected.
Regular expressions are especially impacted. Matching uses the UTF-8 character values. If you enter a regular
expression using another encoding, or if an HTTP client sends a request in an encoding other than UTF-8, matches may
not be what you expect.
For example, with Shift-JIS, backslashes ( \ ) could be inadvertently interpreted as the symbol for the Japanese yen ( ¥ ) and vice versa. A regular expression intended to match HTTP requests containing money values with a yen symbol therefore may not work if the symbol is entered using the wrong encoding.
For best results, you should:
• use UTF-8 encoding, or
• use only the characters whose numerically encoded values are the same in UTF-8, such as the US-ASCII characters that are also encoded using the same values in ISO 8859-1, Windows code page 1252, Shift-JIS and other encodings, or
• for regular expressions that must match HTTP requests, use the same encoding as your HTTP clients.
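As an added example (not from the cookbook), this Python snippet reproduces the Shift-JIS backslash and yen-sign confusion described above: Python's standard shift_jis codec stores U+00A5 (yen) as byte 0x5C, the same byte as an ASCII backslash, following the JIS X 0201 convention. The request bodies and helper names are constructed for the example.

```python
from __future__ import annotations
import re

def stored_pattern(text: str, encoding: str) -> bytes:
    """The bytes a literal pattern becomes when entered under `encoding`, regex-escaped."""
    return re.escape(text.encode(encoding))

def request_matches(pattern_text: str, pattern_encoding: str, body: bytes) -> bool:
    """Match the stored (bytes) pattern against a raw request body, byte for byte."""
    return re.search(stored_pattern(pattern_text, pattern_encoding), body) is not None

def roundtrip(text: str, encoding: str) -> str:
    """What the text looks like after being stored and displayed under `encoding`."""
    return text.encode(encoding).decode(encoding)

# Constructed request bodies: the same form field as sent by a UTF-8 client and by a
# Shift-JIS client, plus an ASCII body that contains a backslash but no yen sign at all.
BODY_UTF8 = "amount=¥1000".encode("utf-8")
BODY_SJIS = "amount=¥1000".encode("shift_jis")
BODY_PATH = b"file=C:\\1000"

def match_matrix() -> dict[str, bool]:
    """Pattern encoding versus client encoding for the literal '¥1000'."""
    return {
        "utf8 pattern, utf8 client": request_matches("¥1000", "utf-8", BODY_UTF8),
        "utf8 pattern, sjis client": request_matches("¥1000", "utf-8", BODY_SJIS),
        "sjis pattern, sjis client": request_matches("¥1000", "shift_jis", BODY_SJIS),
        "sjis pattern, utf8 client": request_matches("¥1000", "shift_jis", BODY_UTF8),
        "sjis pattern, backslash path": request_matches("¥1000", "shift_jis", BODY_PATH),
    }
```

The last row is the "vice versa" case: a yen pattern entered under Shift-JIS also matches a plain backslash in an unrelated request.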
HTTP clients may send requests in encodings other than UTF-8. Encodings usually vary by
the client’s operating system or input language. If you cannot predict the client’s encoding,
you may only be able to match any parts of the request that are in English, because
regardless of the encoding, the values for English characters tend to be encoded identically.
For example, English words may be legible regardless of interpreting a web page as either
ISO 8859-1 or as GB2312, whereas simplified Chinese characters might only be legible if the
page is interpreted as GB2312.
If you configure your FortiGate unit using other encodings, you may need to switch language settings on your
management computer, including for your web browser or Telnet/SSH client. For instructions on how to configure your
management computer’s operating system language, locale, or input method, see its documentation.
If you choose to configure parts of the FortiGate unit using non-ASCII characters, verify that all systems interacting with
the FortiGate unit also support the same encodings. You should also use the same encoding throughout the
configuration if possible in order to avoid needing to switch the language settings of the GUI and your web browser or
Telnet/SSH client while you work.
Similarly to input, your web browser or CLI client should normally interpret display output as encoded using UTF-8. If it
does not, your configured items may not display correctly in the GUI or CLI. Exceptions include items such as regular
expressions that you may have configured using other encodings in order to match the encoding of HTTP requests that
the FortiGate unit receives.
1. On your management computer, start your web browser and go to the URL for the FortiGate unit’s GUI.
2. Configure your web browser to interpret the page as UTF-8 encoded.
3. Log in to the FortiGate unit.
4. Open the CLI Console from the upper right-hand corner.
5. In the title bar of the CLI Console widget, click Edit (the pencil icon).
6. Enable Use external command input box and select OK.
7. The Command field appears below the usual input and display area of the CLI Console.
8. Type a command in this field and press Enter.
In the display area, the CLI Console widget displays your previous command interpreted into its character code
equivalent, such as:
edit \743\601\613\743\601\652
and the command’s output.
Screen paging
You can configure the CLI to pause after displaying each page’s worth of text when displaying multiple pages of output.
When the display pauses, the last line displays --More--. You can then either:
This may be useful when displaying lengthy output, such as the list of possible matching commands for command
completion, or a long list of settings. Rather than scrolling through or possibly exceeding the buffer of your terminal
emulator, you can simply display one page at a time.
To configure the CLI Console to pause display when the screen is full:
config system console
set output more
end
Baud rate
You can change the default baud rate of the local console connection.
To change the baud rate enter the following commands:
config system console
set baudrate {9600 | 19200 | 38400 | 57600 | 115200}
end
You can edit the FortiGate configuration on an external host by first backing up the configuration file to a TFTP server. Then edit the configuration file and restore it to the FortiGate unit.
Editing the configuration on an external host can be time-saving if you have many changes to make, especially if your plain text editor provides advanced features such as batch changes.
1. Use execute backup to download the configuration file to a TFTP server, such as your management computer.
2. Edit the configuration file using a plain text editor that supports Unix-style line endings.
Do not edit the first line. The first line(s) of the configuration file (preceded by a #
character) contains information about the firmware version and FortiGate model. If you
change the model number, the FortiGate unit will reject the configuration file when you
attempt to restore it.
3. Use execute restore to upload the modified configuration file back to your FortiGate.
The FortiGate downloads the configuration file and checks that the model information is correct. If it is correct, the
FortiGate unit loads the configuration file and checks each command for errors. If a command is invalid, the
FortiGate unit ignores the command. If the configuration file is valid, the FortiGate unit restarts and loads the new
configuration.
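As an added example (not from the cookbook), the following Python helper performs a batch change on a backed-up configuration file while leaving the leading # header lines untouched, and checks before restore that the header still matches the original. The sample configuration and its header line are constructed placeholders, not a real backup.

```python
from __future__ import annotations
import re

def split_header(config_text: str) -> tuple[list[str], list[str]]:
    """Return (header_lines, body_lines). The header is the run of leading '#' lines
    that carries the firmware version and model, which must not be edited."""
    lines = config_text.replace("\r\n", "\n").splitlines()  # step 2: Unix-style line endings
    n = 0
    while n < len(lines) and lines[n].startswith("#"):
        n += 1
    return lines[:n], lines[n:]

def batch_edit(config_text: str, pattern: str, replacement: str) -> tuple[str, int]:
    """Apply a regex substitution to every body line, never to the header.
    Returns the new file text and the number of replacements made."""
    header, body = split_header(config_text)
    regex = re.compile(pattern)
    new_body: list[str] = []
    count = 0
    for line in body:
        new_line, n = regex.subn(replacement, line)
        new_body.append(new_line)
        count += n
    return "\n".join(header + new_body) + "\n", count

def header_unchanged(original: str, edited: str) -> bool:
    """Pre-restore check: the edited file must still carry the original header lines."""
    return split_header(original)[0] == split_header(edited)[0]

# Constructed sample backup. The header line is a placeholder, not a real
# config-version line; a real backup's header comes from 'execute backup'.
ORIGINAL = """\
#config-version=PLACEHOLDER-MODEL-6.2.0:constructed-sample-header
config system global
    set hostname FGT-lab
end
config firewall address
    edit "srv-old"
        set subnet 192.168.1.99 255.255.255.255
    next
end
config firewall policy
    edit 1
        set srcaddr "srv-old"
    next
end
"""

# Rename the address object everywhere it is referenced in the body.
EDITED, CHANGES = batch_edit(ORIGINAL, r'"srv-old"', '"srv-new"')
```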
FortiExplorer for iOS is a user-friendly application that helps you to quickly and easily configure, manage, and monitor
FortiGate appliances using an iOS device. FortiExplorer lets you rapidly provision, deploy, and monitor Security Fabric
If your FortiGate is accessible on the wireless network, you can connect to it using FortiExplorer provided that your
iOS device is on the same network (see Connecting FortiExplorer to a FortiGate via WiFi). Otherwise, you will need to
physically connect your iOS device to the FortiGate using a USB cable.
For the purpose of this document, we assume that you are just getting started; you do not have access to the FortiGate
over the wireless network, and the FortiGate is in its factory configuration.
1. Connect your iOS device to your FortiGate's USB management port. If prompted on your iOS device, Trust this 'computer'.
2. Open the FortiExplorer app and select your FortiGate from the list under USB Attached Device.
3. On the Login screen, select USB.
4. Enter the default Username (admin) and leave the Password field blank.
5. You can opt to Remember Password. Tap Done when you are ready.
6. FortiExplorer opens the FortiGate management interface to the Device Status page:
7. Go to Network > Interfaces and configure the WAN interface(s). In the example, the wan1 interface Address mode is set to DHCP by default. Set it to Manual and enter its Address, Netmask, and Default Gateway, and then Apply your changes.
8. (Optional) Configure Administrative Access to allow HTTP and HTTPS access. This will allow administrators to access the FortiGate GUI using a web browser.
9. Go to Network > Interfaces and configure the local network (internal) interface. Set the Address mode as before and configure Administrative Access if desired.
10. Configure a DHCP Server for the internal network subnet.
11. Return to the internal interface using the < button at the top of the screen.
12. Go to Network > Static Routes and configure the static route to the gateway.
13. Go to Policy & Objects > IPv4 Policy and edit the Internet access policy. As a best practice, provide a Name for
the policy, enable the desired Security Profiles, and configure Logging Options. Select OK to finalize.
The FortiGate is now configured in a very basic state. Once you've configured the other potential elements of your
network, such as other Interfaces, Schedules, or Managed FortiAPs, it is recommended that you run a Security
Fabric Rating to identify potential vulnerabilities and highlight best practices that could be used to improve your
network’s overall security and performance.
Go to Security Fabric > Security Rating and follow the steps to determine a Security Score for the selected device
(s). The results should identify issues ranging from Medium to Critical importance, and may provide recommended
actions where possible.
If your FortiGate is accessible on the wireless network, you can connect to it using FortiExplorer provided that your
iOS device is on the same network. Assuming this is the case:
1. Open the FortiExplorer app and select Add from the Devices page.
2. Enter the Host information and appropriate Username and Password credentials. If necessary, change the
default Port number, and opt to Remember Password.
3. If the FortiGate device identity cannot be verified, click Connect at the prompt. FortiExplorer opens the FortiGate
management interface to the Device Status page.
Paid features provided with the purchase of FortiExplorer Pro include the ability to add more than two devices and the
ability to download firmware images from FortiCare.
To upgrade to FortiExplorer Pro, open the FortiExplorer app, go to Settings and select Upgrade to FortiExplorer
Pro. Follow the on-screen prompts.
LED specifications
The following section includes information regarding FortiGate LED status indicators.
• Sample FortiGate faceplates on page 39
• LED status codes on page 39
• About alarm levels on page 40
• LED status codes for ports on page 40
The faceplates indicate where the LEDs are typically found on desktop and mid-range FortiGate models.
FortiGate 100D
FortiGate 30E
Flashing Green: Booting up. If the FortiGate has a reset button, this could also mean that the reset button was used.
Red: The FortiGate has a critical alarm. The status LED will also be red.
Red: A failover has occurred. The failover operation feature is not available in all models.
Minor, major, and critical alarms are defined based on IPMI, ATCA, and Telco standards for naming alarms.
• A minor alarm (also called an IPMI non-critical (NC) alarm) indicates a temperature or a power level outside of the normal operating range that is not considered a problem. In the case of a minor temperature alarm, the system could respond by increasing fan speed. A non-critical threshold can be an upper non-critical (UNC) threshold (for example, a high temperature or a high power level) or a lower non-critical (LNC) threshold (for example, a low power level). The LEDs do not indicate minor alarms since user intervention is not required.
• A major alarm (also called an IPMI critical or critical recoverable (CR) alarm) indicates that the system itself cannot correct the cause for the alarm and that intervention is required. For example, the cooling system cannot provide enough cooling to reduce the temperature. It could also mean that conditions (e.g. temperature) are approaching the outside limit of the allowed operating range. A critical threshold can also be an upper critical (UC) threshold (e.g. a high temperature or a high power level) or a lower critical (LC) threshold (e.g. a low power level).
• A critical alarm (also called an IPMI non-recoverable (NR) alarm) indicates detection of a temperature or power level that is outside of the allowed operating range and could potentially cause physical damage.
Basic administration
This section contains information about basic FortiGate administration that you can do after you install the unit in your network.
Registration
In order to have full access to Fortinet Support and FortiGuard Services, you must register your FortiGate.
System settings
There are several system settings that should be configured once your FortiGate is installed:
• Default administrator password on page 42
• Settings on page 42
• Changing the host name on page 42
By default, your FortiGate has an administrator account set up with the username admin and no password. In order to
prevent unauthorized access to the FortiGate, it is highly recommended that you add a password to this account.
Settings
Settings can be accessed by going to System > Settings. On this page, you can change the Host name, set the
system time and identify time zone in System Time, configure HTTP, HTTPS, SSH, and Telnet ports as well as idle
timeout in Administration Settings, designate the Password Policy, and manage display options and designate
inspection mode in View Settings.
The host name of your FortiGate appears in the Hostname row in the System Information widget on the
Dashboard. The host name also appears at the CLI prompt when you are logged in to the CLI, and as the SNMP
system name.
Go to System > Settings and type in the new name in the Host name row. The only administrators that can change a
FortiGate’s host name are administrators whose admin profiles permit system configuration write access. If the
FortiGate is part of an HA cluster, you should use a unique host name to distinguish the FortiGate from others in the
cluster.
System time
For effective scheduling and logging, the FortiGate system time and date should be accurate. You can either manually
set the system time and date or configure the FortiGate to automatically synchronize with a Network Time Protocol
(NTP) server.
NTP enables you to keep the FortiGate time synchronized with other network systems. By enabling NTP on the
FortiGate, FortiOS will check with the NTP server you select at the configured intervals. This will also ensure that logs
and other time-sensitive settings on the FortiGate are correct.
The FortiGate maintains its internal clock using a built-in battery. At start up, the time reported by the FortiGate will
indicate the hardware clock time, which may not be accurate. When using NTP, the system time might change after the
FortiGate has successfully obtained the time from a configured NTP server.
By default, FortiOS has the daylight savings time configuration enabled. The system time
must be manually adjusted after daylight saving time ends. To disable DST, enter the
following commands in the CLI:
config system global
set dst disable
end
Administration settings
In order to improve security, you can change the default port configurations for administrative connections to the
FortiGate. When connecting to the FortiGate when the port has changed, the port must be included, such as
https://<ip_address>:<port>. For example, if you are connecting to the FortiGate using port 99, the URL
would be https://192.168.1.99:99.
1. Go to System > Settings.
2. Under Administration Settings, change the port numbers for HTTP, HTTPS, SSH, and/or Telnet as needed. You
can also select Redirect to HTTPS in order to avoid HTTP being used for the administrators.
3. Select Apply.
When you change the default port number for HTTP, HTTPS, SSH, or Telnet, ensure that the port number is unique. If
a conflict exists with a particular port, a warning message will appear.
By default, the GUI disconnects administrative sessions if no activity occurs for five minutes. This prevents someone
from using the GUI if the management PC is left unattended.
1. Go to System > Settings.
2. In the Administration Settings section, enter the time in minutes in the Idle timeout field.
3. Select Apply.
Password policy
The FortiGate includes the ability to create a password policy for administrators and IPsec pre-shared keys. With this
policy, you can enforce regular changes and specific criteria for a password including:
• minimum length between 8 and 64 characters.
• if the password must contain uppercase (A, B, C) and/or lowercase (a, b, c) characters.
• if the password must contain numbers (1, 2, 3).
• if the password must contain special or non-alphanumeric characters (!, @, #, $, %, ^, &, *, (, and )).
• where the password applies (admin or IPsec or both).
• the duration of the password before a new one must be specified.
1. Go to System > Settings.
2. Configure Password Policy settings as required.
3. Click Apply.
If you add a password policy or change the requirements on an existing policy, the next time that administrator logs into
the FortiGate, they are prompted to update their password to meet the new requirements before proceeding to log in.
View settings
Three settings can change the presentation of information in the GUI: Language, Lines per page, and Theme.
To change the language, go to System > Settings. Select the language you want from the Language drop-down list:
English (the default), French, Spanish, Portuguese, Japanese, Traditional Chinese, Simplified Chinese, or Korean. For
best results, you should select the language that is used by the management computer.
To change the number of lines per page displayed in the GUI tables, set Lines per page to a value between 20 and
1,000. The default is 50 lines per page.
Five color themes are currently available: Green (the default), Red, Blue, Melongene, and Mariner. To change your
theme, select the color from the Theme drop-down list.
This is also where you select either Flow-based or Proxy Inspection Mode. If you select Flow-based mode, then you need to specify if it is NGFW Profile-based or NGFW Policy-based inspection.
By default, the FortiGate sets the number of password retries at three, allowing the administrator a maximum of three
attempts to log into their account before locking the account for a set amount of time.
Both the number of attempts (admin-lockout-threshold) and the wait time before the administrator can try to
enter a password again (admin-lockout-duration) can be configured within the CLI.
The default value of admin-lockout-threshold is 3 and the range of values is between 1 and 10. The admin-lockout-duration is set to 60 seconds by default and the range of values is between 1 and 4294967295 seconds.
Keep in mind that the higher the lockout threshold, the higher the risk that someone may be able to break into the
FortiGate.
Example:
To set the admin-lockout-threshold to one attempt and the admin-lockout-duration to a five minute
duration before the administrator can try to log in again, enter the commands:
config system global
set admin-lockout-threshold 1
set admin-lockout-duration 300
end
If the time span between the first failed login attempt and the admin-lockout-threshold failed login attempt is less than admin-lockout-duration, the lockout will be triggered.
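As an added example (not FortiOS code), the following Python model applies the lockout rule in the note above to concrete timings, so the effect of a given admin-lockout-threshold and admin-lockout-duration can be checked before changing them. Resetting the failure counter once a lockout has triggered is an assumption of the model, as are the helper names.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class AdminLockout:
    """Failed-login state for one administrator account."""
    threshold: int = 3   # admin-lockout-threshold: default 3, range 1 to 10
    duration: int = 60   # admin-lockout-duration in seconds: default 60
    failures: list[float] = field(default_factory=list)
    locked_until: float | None = None

    def __post_init__(self) -> None:
        if not 1 <= self.threshold <= 10:
            raise ValueError("admin-lockout-threshold must be between 1 and 10")
        if not 1 <= self.duration <= 4294967295:
            raise ValueError("admin-lockout-duration must be between 1 and 4294967295")

    def is_locked(self, now: float) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def failed_login(self, now: float) -> bool:
        """Record a failed attempt at time `now` (seconds). Returns True if the account
        is locked afterwards. Rule from the page: the lockout triggers when the span from
        the first to the threshold-th failed attempt is less than the duration."""
        if self.is_locked(now):
            return True
        self.failures.append(now)
        if len(self.failures) >= self.threshold:
            first_of_window = self.failures[-self.threshold]
            if now - first_of_window < self.duration:
                self.locked_until = now + self.duration  # wait time before the next try
                self.failures.clear()  # assumption: the counter restarts after a lockout
                return True
        return False

    def successful_login(self, now: float) -> bool:
        """A correct password is still refused during the lockout; otherwise the counter resets."""
        if self.is_locked(now):
            return False
        self.failures.clear()
        return True

def simulate(threshold: int, duration: int, failure_times: list[float]) -> float | None:
    """Replay failed attempts; return the time at which the lockout triggered, or None."""
    account = AdminLockout(threshold=threshold, duration=duration)
    for t in failure_times:
        if account.failed_login(t):
            return t
    return None
```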
Passwords
Using secure passwords is vital for preventing unauthorized access to your FortiGate. When changing the password, consider the following to ensure better security:
• Do not make passwords that are obvious, such as the company name, administrator names, or other obvious words or phrases.
• Use numbers in place of letters, for example, passw0rd.
• Administrator passwords can be up to 64 characters.
• Include a mixture of letters, numbers, and upper and lower case.
• Use multiple words together, or possibly even a sentence, for example keytothehighway.
• Use a password generator.
• Change the password regularly and always make the new password unique and not a variation of the existing password, such as changing from password to password1.
• Make a note of the password and store it in a safe place away from the management computer, in case you forget it, or ensure that at least two people know the password in the event that one person becomes ill, is away on vacation, or leaves the company. Alternatively, have two different admin logins.
Downgrades will typically maintain the administrator password. If you need to downgrade to FortiOS 4.3, remove the
password before the downgrade, then log in after the downgrade and re-configure the password.
Password policy
The FortiGate includes the ability to create a password policy for administrators and IPsec pre-shared keys. With this
policy, you can enforce regular changes and specific criteria for a password including:
• minimum length between 8 and 64 characters.
• if the password must contain uppercase (A, B, C) and/or lowercase (a, b, c) characters.
• if the password must contain numbers (1, 2, 3).
• if the password must contain special or non-alphanumeric characters (!, @, #, $, %, ^, &, *, (, and )).
1. Go to System > Settings.
2. Configure Password Policy settings as required.
3. Click Apply.
If you add a password policy or change the requirements on an existing policy, the next time that administrator logs into
the FortiGate, they are prompted to update their password to meet the new requirements before proceeding to log in.
Configuration backups
Once you have successfully configured the FortiGate, it is extremely important that you back up the configuration. In some
cases, you may need to reset the FortiGate to factory defaults or perform a TFTP upload of the firmware, which will
erase the existing configuration. In these instances, the configuration on the device will have to be recreated, unless a
backup can be used to restore it. You should also back up the local certificates, as the unique SSL inspection CA and
server certificates that are generated by your FortiGate by default are not saved in a system backup.
We also recommend that you back up the configuration after any changes are made, to ensure you have the most
current configuration available. Also, back up the configuration before any upgrade of the FortiGate's firmware. Should
anything happen to the configuration during the upgrade, you can easily restore the saved configuration.
Always back up the configuration and store it on the management computer or off-site. You have the option to save the
configuration file to various locations, including the local PC, a USB key, and FTP and TFTP servers. The last two are
configurable through the CLI only. Note that FTP and TFTP transfer the file unencrypted, so when using them, enable
backup encryption and keep the server on a trusted management network.
If you have VDOMs, you can back up the configuration of the entire FortiGate or only a specific VDOM. Note that if you
are using FortiManager or FortiCloud, full backups are performed and the option to backup individual VDOMs will not
appear.
You can also back up and restore your configuration using Secure File Copy (SCP). See How to download/upload a
FortiGate configuration file using secure file copy (SCP).
You enable SCP support using the following command:
config system global
set admin-scp enable
end
For more information about this command and about SCP support, see config system global.
1. Click on admin in the upper right-hand corner of the screen and select Configuration > Backup.
2. Direct the backup to your Local PC or to a USB Disk.
The USB Disk option will be grayed out if no USB drive is inserted in the USB port. You can also back up to the
FortiManager using the CLI.
3. If VDOMs are enabled, indicate whether the scope of the backup is for the entire FortiGate configuration (Global)
or only a specific VDOM configuration (VDOM).
4. If backing up a VDOM configuration, select the VDOM name from the list.
5. Select Encryption.
Encryption must be enabled on the backup file to back up VPN certificates.
6. Enter a password and enter it again to confirm it. You will need this password to restore the file.
7. Select OK.
8. The web browser will prompt you for a location to save the configuration file. The configuration file will have a .conf
extension.
or:
execute backup config usb <backup_filename> [<backup_password>]
or for FTP (the port number, user name, and password are optional, depending on the FTP server):
execute backup config ftp <backup_filename> <ftp_server> [<port>] [<user_name>] [<password>]
or for TFTP:
execute backup config tftp <backup_filename> <tftp_server> <password>
Use the same commands to backup a VDOM configuration by first entering the commands:
config vdom
edit <vdom_name>
This procedure exports a server (local) certificate and private key together as a password protected PKCS12 file. The
export file is created through a customer-supplied TFTP server. Ensure that your TFTP server is running and accessible
to the FortiGate before you enter the command.
where:
l <cert_name> is the name of the server certificate.
l <filename> is a name for the output file.
l <tftp_ip> is the IP address assigned to the TFTP server host interface.
1. Move the output file from the TFTP server location to the management computer.
2. Go to System > Certificates and select Import.
3. Select the appropriate type of certificate from the dropdown menu and fill in any required fields.
4. Select Upload. Browse to the location on the management computer where the exported file has been saved,
select the file and select Open.
Restoring a configuration
Should you need to restore a configuration file, use the following steps:
1. Click on admin in the upper right-hand corner of the screen and select Configuration > Restore.
2. Identify the source of the configuration file to be restored: your Local PC or a USB Disk.
The USB Disk option will be grayed out if no USB drive is inserted in the USB port. You can restore from the
FortiManager using the CLI.
3. Enter the path and file name of the configuration file, or select Browse to locate the file.
4. Enter a password if required.
5. Select Restore.
or:
execute restore config usb <filename> [<password>]
or for FTP (the port number, user name, and password are optional, depending on the FTP server):
execute restore config ftp <backup_filename> <ftp_server> [<port>] [<user_name>] [<password>]
or for TFTP:
execute restore config tftp <backup_filename> <tftp_server> <password>
The FortiGate will load the configuration file and restart. Once the restart has completed, verify that the configuration
has been restored.
Troubleshooting
When restoring a configuration, errors may occur, but the solutions are usually straightforward.
Configuration file error
This error occurs when attempting to upload a configuration file that is incompatible with the device. This may be due
to the configuration file being for a different model or being saved from a different version of firmware.
Solution: Upload a configuration file that is for the correct model of FortiGate device and the correct version of the
firmware.
Invalid password
When the configuration file is saved, it can be protected by a password. The password entered during the upload
process does not match the one associated with the configuration file.
Solution: Use the correct password if the file is password protected.
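The "Configuration file error" can be caught before a restore is attempted: a plaintext FortiGate backup begins with a comment header that records the model and firmware build it was taken from. The following Python script, added here as an example (it is not FortiOS or Cookbook code), parses that header and compares it with the target device. The header layout it expects, #config-version=<model>-<version>-FW-build<build>-<date>:<key>=<value>..., is an assumption based on how plaintext backups typically look, and the embedded sample file is constructed for the example. A password-protected (encrypted) backup has no readable header, so the script reports that rather than guessing.

```python
"""Check a FortiGate configuration backup against the target device before
restoring it, to avoid the "Configuration file error" described above.

Added example, not FortiOS code. Assumes the plaintext backup header format
#config-version=<MODEL>-<MAJOR.MINOR.PATCH>-FW-build<NNNN>-<YYMMDD>:opmode=..:vdom=..:user=..
"""
import re

HEADER_RE = re.compile(
    r"^#config-version="
    r"(?P<model>[A-Za-z0-9]+)-"
    r"(?P<version>\d+\.\d+\.\d+)-"
    r"FW-build(?P<build>\d+)-"
    r"(?P<date>\d{6})"
    r"(?::(?P<attrs>.*))?$"
)

# Constructed sample backup for the example (not a real device export).
SAMPLE_CONF = """\
#config-version=FGT60E-6.2.0-FW-build0866-190328:opmode=0:vdom=0:user=admin
#buildno=0866
#global_vdom=1
config system global
    set hostname "FGT-LAB"
end
"""


def parse_header(conf_text):
    """Return a dict with model/version/build/date and the key=value
    attributes after the colon, parsed from the first line, or None if the
    file has no plaintext header (for example an encrypted backup)."""
    lines = conf_text.splitlines()
    first_line = lines[0].strip() if lines else ""
    m = HEADER_RE.match(first_line)
    if not m:
        return None
    info = m.groupdict()
    attrs = info.pop("attrs") or ""
    info["attrs"] = dict(kv.split("=", 1) for kv in attrs.split(":") if "=" in kv)
    return info


def check_restore_compatibility(conf_text, device_model, device_version):
    """Return a list of reasons the restore is likely to fail; empty means OK.

    device_model and device_version are what the target FortiGate reports
    (for example from its dashboard or 'get system status').
    """
    header = parse_header(conf_text)
    if header is None:
        return ["no plaintext header: encrypted backup or not a FortiGate "
                "config; model/version cannot be verified before restore"]
    problems = []
    if header["model"].upper() != device_model.upper():
        problems.append(f"backup is for model {header['model']}, "
                        f"device is {device_model}")
    if header["version"] != device_version:
        problems.append(f"backup is from FortiOS {header['version']}, "
                        f"device runs {device_version}")
    return problems


if __name__ == "__main__":
    print(parse_header(SAMPLE_CONF))
    print(check_restore_compatibility(SAMPLE_CONF, "FGT60E", "6.2.0"))
    print(check_restore_compatibility(SAMPLE_CONF, "FGT100E", "6.0.5"))
```

The check deliberately compares the full version string: a backup taken on one patch release may still restore onto another, but the safe default before touching a production device is to flag any mismatch and let the operator decide.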
Configuration revision
You can manage multiple versions of configuration files on models that have a 512MB flash memory and higher.
Revision control requires either a configured central management server or the local hard drive, if your FortiGate has
this feature. Typically, configuration backup to local drive is not available on lower-end models.
The central management server can either be a FortiManager unit or FortiCloud.
If central management is not configured on your FortiGate unit, a message appears instructing you to either:
l Enable central management, or
l obtain a valid license.
When revision control is enabled on your FortiGate unit, and configuration backups have been made, a list of saved
revisions of those backed-up configurations appears.
Configuration revisions are viewed by clicking on admin in the upper right-hand corner of the screen and selecting
Configuration > Revisions.
There may be a need to reset the FortiGate to its original defaults; for example, to begin with a fresh configuration.
There are two options when restoring factory defaults. The first resets the entire device to the original out-of-the-box
configuration.
You can reset using the CLI by entering the command:
execute factoryreset
Alternatively, in the CLI you can reset the factory defaults but retain the interface and VDOM configuration. Use the
following command:
execute factoryreset2
Firmware
Fortinet periodically updates the FortiGate firmware to include new features and resolve important issues. After you
have registered your FortiGate unit, you can download firmware updates from the Fortinet Support web site.
Before you install any new firmware, be sure to follow the steps below:
l Review the Release Notes for a new firmware release.
l Review the Supported Upgrade Paths SysAdmin note on the Fortinet Cookbook site to prepare for the upgrade of
FortiOS on your FortiGate.
Only FortiGate admin users and administrators whose access profiles contain system read
and write privileges can change the FortiGate firmware.
You should always back up the configuration before installing new firmware, in case you need to restore your FortiGate
configuration.
For more information and instructions on backing up and restoring your configuration, see Configuration backups on
page 46.
Downloading
Firmware images for all FortiGate units are available on the Fortinet Support website.
To download firmware:
1. Log into the site using your user name and password.
2. Go to Download > Firmware Images.
3. A list of Release Notes is shown. If you have not already done so, download and review the Release Notes for the
firmware you wish to upgrade your FortiGate unit to.
4. Select Download.
Firmware can also be downloaded using FTP; however, as FTP is not an encrypted file
transfer protocol, HTTPS downloading is recommended.
5. Navigate to the folder for the firmware version you wish to use.
6. Select your FortiGate model from the list. If your unit is a FortiWiFi, the firmware will have a filename starting with
'FWF'.
7. Save the firmware image to your computer.
Testing
The integrity of firmware images downloaded from Fortinet's support portal can be verified using a file checksum. A file
checksum that does not match the expected value indicates a corrupt file. The corruption could be caused by errors in
transfer or by file modification. A list of expected checksum values for each build of released code is available on
Fortinet’s support portal.
Image integrity is also verified when the FortiGate is booting up. This integrity check is done through a cyclic
redundancy check (CRC). If the CRC fails, the FortiGate unit will encounter an error during the boot process.
Lastly, firmware images are signed when they are built, and the signature is attached to the image. When upgrading,
the running OS verifies that signature against the image before installing it. If the signature does not verify, the new
OS will not load.
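Checking the downloaded image against the published checksum is the one integrity step the operator performs off-box, and it is worth scripting so that it is never skipped. The following Python script is an added example (not Fortinet tooling): it hashes the image in chunks, compares the digest with the expected value in constant time, and refuses an image whose checksum differs for any reason. The expected digest must be taken from the checksum list on the support portal for that exact build; the digests in the demo are for a constructed placeholder file, not a real firmware image.

```python
"""Verify a downloaded firmware image against a published checksum before
uploading it to a FortiGate. Added example; not Fortinet tooling.
"""
import hashlib
import hmac
import os
import sys
import tempfile


def digest_bytes(data, algorithm="sha256"):
    """Hex digest of an in-memory byte string (used for small test data)."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def digest_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Hex digest of a file, read in chunks so a large image need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path, expected_hex, algorithm="sha256"):
    """True only if the image's digest equals the published value.

    Whitespace and case differences in the published value are tolerated;
    anything else (truncated download, tampering, wrong build) fails.
    hmac.compare_digest avoids leaking how many leading characters matched.
    """
    actual = digest_file(path, algorithm)
    expected = expected_hex.strip().lower()
    if len(expected) != len(actual):
        return False
    return hmac.compare_digest(actual, expected)


# Constructed placeholder "image" so the script runs offline; a real firmware
# image is hashed the same way but is tens of megabytes.
SAMPLE_IMAGE = b"hello\n"
SAMPLE_IMAGE_SHA256 = "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"


def demo():
    """Write the placeholder image to a temp file, verify it, then corrupt it
    by one byte and verify again. Returns (good_accepted, tampered_rejected)."""
    fd, path = tempfile.mkstemp(suffix=".out")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(SAMPLE_IMAGE)
        good = verify_image(path, SAMPLE_IMAGE_SHA256.upper())
        with open(path, "ab") as f:
            f.write(b"\x00")  # simulate a truncated/modified download
        tampered = verify_image(path, SAMPLE_IMAGE_SHA256)
    finally:
        os.unlink(path)
    return good, not tampered


if __name__ == "__main__":
    if len(sys.argv) == 3:
        ok = verify_image(sys.argv[1], sys.argv[2])
        print("checksum OK" if ok else "CHECKSUM MISMATCH: do not install this image")
        sys.exit(0 if ok else 1)
    print("demo (good_accepted, tampered_rejected):", demo())
```

Usage: python verify_image.py FGT_60E-v6-build0866-FORTINET.out <sha256 from the support portal>; a non-zero exit status lets a staging script stop before the upload step. The checksum only proves the file is the one Fortinet published; the signature check the FortiGate performs on install is what ties that file to Fortinet, so neither step replaces the other.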
FortiOS lets you test a new firmware image by installing the firmware image from a system reboot and saving it to
system memory. After completing this procedure, the FortiGate unit operates using the new firmware image with the
current configuration. This new firmware image is not permanently installed. The next time the FortiGate unit restarts, it
operates with the originally installed firmware image using the current configuration. If the new firmware image
operates successfully, you can install it permanently using the procedure explained in Upgrading firmware.
To use this procedure, you must connect to the CLI using the FortiGate console port and an RJ-45 to DB-9 or null
modem cable. This procedure temporarily installs a new firmware image using your current configuration.
For this procedure, you must install a TFTP server that you can connect to from the FortiGate internal interface. The
TFTP server should be on the same subnet as the internal interface.
You have only three (3) seconds to press any key. If you do not press a key quickly
enough, the FortiGate unit reboots and you must log in and repeat the execute
reboot command.
8. If you successfully interrupt the startup process, the following menu appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default
[C]: Configuration and information
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G, F, Q, or H:
9. Type G to get the new firmware image from the TFTP server. The following message appears: Enter TFTP
server address [192.168.1.168]:
10. Type the address of the TFTP server and press Enter. The following message appears: Enter Local
Address [192.168.1.188]:
11. Type an IP address of the FortiGate unit to connect to the TFTP server. The IP address must be on the same
network as the TFTP server.
Make sure you do not enter the IP address of another device on this network.
Upgrading firmware
Installing firmware replaces your current antivirus and attack definitions with the definitions included with the
firmware release you are installing. After you install new firmware, make sure that antivirus and attack definitions are up
to date. You can use the CLI command execute update-now to update the antivirus and attack definitions.
Always remember to back up your configuration before making any changes to the firmware.
You can also backup and restore your configuration using Secure File Copy (SCP).
You enable SCP support using the following command:
config system global
set admin-scp enable
end
Before you begin, ensure you have a TFTP server running and accessible to the FortiGate unit.
1. Make sure the TFTP server is running.
2. Copy the new firmware image file to the root directory of the TFTP server.
3. Log into the CLI.
4. Make sure the FortiGate unit can connect to the TFTP server. You can use the following command to ping the
computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168
execute ping 192.168.1.168
5. Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:
execute restore image tftp <filename> <tftp_ipv4>
6. The FortiGate unit responds with the message:
This operation will replace the current firmware version!
Do you want to continue? (y/n)
7. Type y. The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, and restarts.
This process takes a few minutes.
8. Reconnect to the CLI.
9. Update antivirus and attack definitions:
execute update-now
Reverting
The following procedure reverts the FortiGate unit to its factory default configuration and deletes any configuration
settings. If you are reverting to a previous FortiOS version, you might not be able to restore the previous configuration
from the backup configuration file.
Always remember to back up your configuration before making any changes to the firmware.
5. Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:
execute restore image tftp <name_str> <tftp_ipv4>
6. The FortiGate unit responds with this message:
This operation will replace the current firmware version!
Do you want to continue? (y/n)
7. Type y. The FortiGate unit uploads the firmware image file. After the file uploads, a message similar to the
following appears:
Get image from tftp server OK.
Check image OK.
This operation will downgrade the current firmware version!
Do you want to continue? (y/n)
8. Type y. The FortiGate unit reverts to the old firmware version, resets the configuration to factory defaults, and
restarts. This process takes a few minutes.
9. Reconnect to the CLI.
10. To restore your previous configuration, if needed, use the command:
execute restore config tftp <name_str> <tftp_ipv4>
11. Update antivirus and attack definitions using the command:
execute update-now
In the event that the firmware upgrade does not load properly and the FortiGate unit will not boot, or continuously
reboots, it is best to perform a fresh install of the firmware from a reboot using the CLI.
This procedure installs a firmware image and resets the FortiGate unit to default settings. You can use this procedure to
upgrade to a new firmware version, revert to an older firmware version, or re-install the current firmware.
To use this procedure, you must connect to the CLI using the FortiGate console port and a RJ-45 to DB-9, or null
modem cable. This procedure reverts the FortiGate unit to its factory default configuration.
For this procedure you install a TFTP server that you can connect to from the FortiGate internal interface. The TFTP
server should be on the same subnet as the internal interface.
Before beginning this procedure, ensure you backup the FortiGate unit configuration.
If you are reverting to a previous FortiOS version, you might not be able to restore the previous configuration from the
backup configuration file.
Installing firmware replaces your current antivirus and attack definitions with the definitions included with the
firmware release you are installing. After you install new firmware, make sure that antivirus and attack definitions are up
to date.
1. Connect to the CLI using the RJ-45 to DB-9 or null modem cable.
2. Make sure the TFTP server is running.
3. Copy the new firmware image file to the root directory of the TFTP server.
4. Make sure the internal interface is connected to the same network as the TFTP server.
5. To confirm the FortiGate unit can connect to the TFTP server, use the following command to ping the computer
running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168: execute ping
192.168.1.168
6. Enter the following command to restart the FortiGate unit: execute reboot
You have only three (3) seconds to press any key. If you do not press a key quickly
enough, the FortiGate unit reboots and you must log in and repeat the execute
reboot command.
10. If you successfully interrupt the startup process, the following menu appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default
[C]: Configuration and information
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G, F, Q, or H
11. Type G to get the new firmware image from the TFTP server. The following message appears: Enter TFTP
server address [192.168.1.168]:
12. Type the address of the TFTP server and press Enter. The following message appears: Enter Local
Address [192.168.1.188]:
13. Type an IP address the FortiGate unit can use to connect to the TFTP server. The IP address can be any IP
address that is valid for the network to which the interface is connected.
Make sure you do not enter the IP address of another device on this network.
Controlled upgrade
Using a controlled upgrade, you can upload a new version of the FortiOS firmware to a separate partition in the
FortiGate memory for later upgrade. The FortiGate unit can also be configured so that when it is rebooted, it will
automatically load the new firmware (CLI only). Using this option, you can stage a number of FortiGate units to do an
upgrade simultaneously to all devices using FortiManager or script.
To set the FortiGate unit so that when it reboots, the new firmware is loaded:
FortiGuard
The FortiGuard Distribution Network (FDN) of servers provides updates to antivirus, antispam, and IPS definitions to
your FortiGate. FortiGuard Subscription Services provides comprehensive Unified Threat Management (UTM) security
solutions to enable protection against content and network level threats.
The FortiGuard team can be found around the globe, monitoring virus, spyware and vulnerability activities. As
vulnerabilities are found, signatures are created and pushed to the subscribed FortiGates. The Global Threat Research
Team enables Fortinet to deliver a combination of multi-layered security intelligence and provide true zero-day
protection from new and emerging threats. The FortiGuard Network has data centers around the world located in
secure, high availability locations that automatically deliver updates to the Fortinet security platforms to protect the
network with the latest information.
FortiGuard provides a number of services to monitor world-wide activity and provide the best possible security,
including:
l Intrusion Prevention System (IPS) - IPS uses a customizable database of more than 4000 known threats to
stop attacks that evade conventional firewall defenses. It also provides behavior-based heuristics, enabling the
system to recognize threats when no signature has yet been developed. It also provides more than 1000
application identity signatures for complete application control.
l Application Control- Application Control allows you to identify and control applications on networks and
endpoints regardless of port, protocol, and IP address used. It gives you unmatched visibility and control over
application traffic, even traffic from unknown applications and sources. Application Control is a free FortiGuard
service and the database for Application Control signatures is separate from the IPS database (Botnet Application
signatures are still part of the IPS signature database since these are more closely related with security issues and
less about application detection). Application Control signature database information is displayed under the
System > FortiGuard page in the FortiCare section.
Please note that while the Application Control profile can be used for free, signature
database updates require a valid FortiGuard subscription.
l AntiVirus - The FortiGuard AntiVirus Service provides fully automated updates to ensure protection against the
latest content level threats. It employs advanced virus, spyware, and heuristic detection engines to prevent both
new and evolving threats from gaining access to your network and protects against vulnerabilities.
l Web Filtering - Web Filtering provides Web URL filtering to block access to harmful, inappropriate, and
dangerous web sites that may contain phishing/pharming attacks, malware such as spyware, or objectionable
content that can expose your organization to legal liability. Based on automatic research tools and targeted
research analysis, real-time updates enable you to apply highly-granular policies that filter web access based on six
major categories and nearly 80 micro-categories, over 45 million rated web sites, and more than two billion web
pages - all continuously updated.
l Email Filtering - The FortiGuard Antispam Service uses both a sender IP reputation database and a spam
signature database, along with sophisticated spam filtering tools on Fortinet appliances and agents, to detect and
block a wide range of spam messages. Updates to the IP reputation and spam signature databases are provided
continuously via the FDN.
l Messaging Services - Messaging Services allow a secure email server to be automatically enabled on your
FortiGate to send alert email or send email authentication tokens. With the SMS gateway, you can enter phone
numbers where the FortiGate will send the SMS messages. Note that depending on your carrier, there may be a
slight time delay on receiving messages.
l DNS and DDNS - The FortiGuard DNS and DDNS services provide an efficient method of DNS lookups once
subscribed to the FortiGuard network. This is the default option. The FortiGate connects automatically to the
FortiGuard DNS server. If you do not register, you need to configure an alternate DNS server.
Configure the DDNS server settings using the CLI command:
config system fortiguard
set ddns-server-ip <ip_address>
set ddns-server-port <port>
end
If you are not getting FortiGuard web filtering or antispam services, there are a few things to verify that communication
to the FDN is working. Before any troubleshooting, ensure that the FortiGate has been registered and subscribed to the
FortiGuard services.
Verification - GUI:
The simplest method to check that the FortiGate is communicating with the FDN, is to check the License Information
dashboard widget. Any subscribed services should have a green check mark beside them indicating that connections are
successful. Any other icon indicates a problem with the connection, or you are not subscribed to the FortiGuard services.
You can also view the FortiGuard connection status by going to System > FortiGuard.
Verification - CLI:
You can also use the CLI to see what FortiGuard servers are available to your FortiGate. Use the following CLI
command to ping the FDN for a connection:
execute ping guard.fortinet.net
You can also use the following diagnose command to find out what FortiGuard servers are available:
diagnose debug rating
From this command, you will see output similar to the following:
Locale : english
License : Contract
Expiration : Sun Jul 24 20:00:00 2011
Hostname : service.fortiguard.net
-=- Server List (Tue Nov 2 11:12:28 2010) -=-
Normally an extensive list of servers is shown. If you see only three to five servers, DNS resolution of
service.fortiguard.net is working (the listed addresses came from the DNS reply), but the INIT requests are not
reaching the FDS services on those servers.
The rating flags indicate the server status:
D Indicates the server was found via the DNS lookup of the hostname. If the hostname returns more than
one IP address, all of them will be flagged with 'D' and will be used first for INIT requests before falling
back to the other servers.
I Indicates the server to which the last INIT request was sent.
F The server has not responded to requests and is considered to have failed.
The server list is sorted first by weight and then the server with the smallest RTT is put at the top of the list, regardless
of weight. When a packet is lost, it will be resent to the next server in the list.
The weight for each server increases with failed packets and decreases with successful packets. To lower the possibility
of using a distant server, the weight is not allowed to dip below a base weight, which is calculated as the difference in
hours between the FortiGate and the server, multiplied by 10. The further away the server, the higher its base weight
and the lower in the list it will appear.
Port assignment
The FortiGate contacts FDN for the latest list of FDN servers by sending UDP packets with typical source ports of 1027
or 1031, and destination port 8888. The FDN reply packets have a destination port of 1027 or 1031.
If your ISP blocks UDP packets in this port range, the FortiGate cannot receive the FDN reply packets. As a result, the
FortiGate will not receive the complete FDN server list.
If your ISP blocks the lower range of UDP ports (around 1024), you can configure your FortiGate to use higher-
numbered ports, using the CLI command:
config system global
set ip-src-port-range <start port>-<end port>
end
where <start port> and <end port> are numbers in the range 1024 to 25000.
For example, to restrict the FortiGate to source ports between 2048 and 20000:
config system global
set ip-src-port-range 2048-20000
end
Trial and error may be required to select the best source port range. You can also contact your ISP to determine the best
range to use.
Push updates might be unavailable if:
l there is a NAT device installed between the unit and the FDN, and/or
l your unit connects to the Internet using a proxy server.
Go to System > FortiGuard, and scroll down to the AntiVirus & IPS Updates section to configure the antivirus and
IPS options for connecting and downloading definition files.
Accept push updates: Select to allow updates to be sent automatically to your FortiGate. New definitions will be
added as soon as they are released by FortiGuard.
Scheduled Updates: Enable for updates to be sent to your FortiGate at a specific time. For example, to minimize traffic
lag times, you can schedule the update to occur on weekends or after work hours. Note that a schedule of once a week
means any urgent updates will not be pushed until the scheduled time. However, if there is an urgent update required,
select the Update Now button.
Improve IPS quality: Enable to help Fortinet maintain and improve IPS signatures. The information sent to the
FortiGuard servers when an attack occurs can be used to keep the database current as variants of attacks evolve.
Use extended IPS signature package: The regular IPS database protects against the latest common and in-the-wild
attacks. The extended IPS database also includes protection from legacy attacks.
Manual updates
To manually update the signature definitions file, you need to first go to the Fortinet Support web site. Once logged in,
select Download > FortiGuard Service Updates. The browser will present you the most current IPS and AntiVirus
signature definitions which you can download.
Once downloaded to your computer, log into the FortiGate to load the definition file.
1. Go to System > FortiGuard.
2. In the License Information table, select the Upgrade Database link in either the Application Control
Signature, IPS, or AntiVirus row.
3. In the pop-up window, select Upload and locate the downloaded file and select Open.
The upload may take a few minutes to complete.
Automatic updates
The FortiGate can be configured to request updates from FDN on a scheduled basis, or via push notification.
Scheduling updates
Scheduling updates ensures that the virus and IPS definitions are downloaded to your FortiGate on a regular basis,
ensuring that you do not forget to check for the definition files yourself.
Updating definitions can cause a very short disruption in traffic currently being scanned while the FortiGate unit applies
the new signature database. Ideally, schedule updates during off-peak hours, such as evenings or weekends, when
network usage is minimal, to ensure that network activity will not suffer from the added traffic of downloading the
definition files.
Push updates
Push updates enable you to get immediate updates when new viruses or intrusions have been discovered and new
signatures created. This ensures that the latest signature will be sent to the FortiGate as soon as possible.
When a push notification occurs, the FortiGuard server sends a notice to the FortiGate that there is a new signature
definition file available. The FortiGate then initiates a download of the definition file, similar to the scheduled update.
To ensure maximum security for your network, you should have a scheduled update as well as enable the push update,
in case an urgent signature is created, and your cycle of the updates only occurs weekly.
Push IP override
If the FortiGate is behind another NAT device (or another FortiGate), to ensure it receives the push update notifications,
you need to use an override IP address for the notifications. To do this, you create a virtual IP to map to the external port
of the NAT device.
Generally speaking, if there are two FortiGate devices, the following steps need to be completed on the FortiGate NAT
device to ensure the FortiGate on the internal network receives the updates:
l Add a port forwarding virtual IP to the FortiGate NAT device that connects to the Internet by going to Policy
& Objects > Virtual IPs.
l Add a security policy to the FortiGate NAT device that connects to the Internet that includes the port forwarding
virtual IP.
l Configure the FortiGate on the internal network with an override push IP and port.
On the FortiGate internal device, the virtual IP is entered as the Use push override IP address.
To help FortiGuard follow malware trends and make zero-day discoveries, FortiGate units send encrypted statistics to
FortiGuard about IPS, Application Control, and AntiVirus events detected by the FortiGuard services running on your
FortiGate. FortiGuard uses the collected statistics to balance performance and security effectiveness by moving
inactive signatures to the extended signature database.
The statistics include some non-personal information that identifies your FortiGate and its country. The information is
never shared with external parties. You can choose to disable the sharing of this information by entering the following
CLI command:
config system global
set fds-statistics disable
end
Go to System > FortiGuard, and scroll down to Filtering to set the size of the caches and ports.
Web Filter Cache: Set the Time To Live (TTL) value. This is the number of seconds the FortiGate will store a blocked IP
or URL locally, saving the time and network traffic of checking with the FortiGuard server. Once the TTL has expired, the
FortiGate will contact an FDN server to verify a web address. The TTL must be between 300 and 86400 seconds.
FortiGuard Filtering Port: Select the port assignments for contacting the FortiGuard servers.
Filtering Service Availability: Indicates the status of the filtering service. Select Check Again if the filtering service is
not available.
Request re-evaluation of a URL's category: Select to re-evaluate a URL's category rating on the FortiGuard Web Filter
service.
Email filtering
The FortiGuard data centers monitor and update email databases of known spam sources. With FortiGuard Anti-Spam
filtering enabled, the FortiGate verifies incoming email sender addresses and IPs against the database, and takes the
actions defined in the Anti-Spam profile.
Spam source IP addresses can also be cached locally on the FortiGate. This gives a quicker response for repeated
lookups and eases the load on the FortiGuard servers, which in turn speeds up requests for less common addresses.
By default, the anti-spam cache is enabled. The cache includes a TTL value, which is the amount of time an email
address will stay in the cache before expiring. You can change this value to shorten or extend the time between 5 and
1,440 minutes.
1. Go to System > FortiGuard.
2. Under Filtering, enable Anti-Spam Cache.
Further antispam filtering options can be configured to block, allow, or quarantine specific email addresses. These
configurations are available through the Security Profiles > Anti-Spam menu.
The FortiGuard online center provides a number of online security tools, including but not limited to:
l URL lookup — By entering a website address, you can see if it has been rated and what category and
classification it is filed as. If you find your website or a site you commonly go to has been wrongly categorized, you
can use this page to request that the site be re-evaluated: https://fortiguard.com/webfilter
l Threat Encyclopedia — Browse FortiGuard Labs' extensive encyclopedia of threats. Search for viruses, botnet
C&C, IPS, endpoint vulnerabilities, and mobile malware: https://www.fortiguard.com/encyclopedia
l Application Control — Browse FortiGuard Labs' extensive encyclopedia of applications:
https://fortiguard.com/appcontrol
FortiCloud
FortiCloud is a hosted security management and log retention service for FortiGate devices. It gives you centralized
reporting, traffic analysis, configuration management, and log retention without the need for additional hardware or
software.
FortiCloud offers a wide range of features:
l Simplified central management — FortiCloud provides a central web-based management console to manage
individual or aggregated FortiGate and FortiWiFi devices. Adding a device to the FortiCloud management
subscription is straightforward. FortiCloud has detailed traffic and application visibility across the whole network.
l Hosted log retention with large default storage allocated — Log retention is an integral part of any security
and compliance program but administering a separate storage system is burdensome. FortiCloud takes care of this
automatically and stores the valuable log information in the cloud. Each device is allowed up to 200GB of log
retention storage. Different types of logs can be stored including Traffic, System Events, Web, Applications, and
Security Events.
l Monitoring and alerting in real time — Network availability is critical to a good end-user experience. FortiCloud
enables you to monitor your FortiGate network in real time with different alerting mechanisms to pinpoint potential
issues. Alerting mechanisms can be delivered via email.
l Customized or pre-configured reporting and analysis tools — Reporting and analysis are your eyes and
ears into your network’s health and security. Pre-configured reports are available, as well as custom reports that
can be tailored to your specific reporting and compliance requirements. For example, you may want to look closely
at application usage or website violations. The reports can be emailed as PDFs and can cover different time
periods.
l Maintain important configuration information uniformly — The correct configuration of the devices within
your network is essential to maintaining an optimum performance and security posture. In addition, maintaining the
correct firmware (operating system) level allows you to take advantage of the latest features.
l Service security — All communication (including log information) between the devices and the clouds is
encrypted. Redundant data centers are always used to give the service high availability. Operational security
measures have been put in place to make sure your data is secure — only you can view or retrieve it.
Before you can activate a FortiCloud account, you must first register your device.
FortiCloud accounts can be registered manually through the FortiCloud website, https://www.forticloud.com, but you
can easily register and activate your account directly from your FortiGate.
1. On your device’s dashboard, in the FortiCloud widget, select the Activate button in the status field.
2. A dialogue asking you to register your FortiCloud account appears. Select Create Account, enter your
information, view and accept the terms and conditions, and select OK.
3. A second dialogue window appears, asking you to enter your information to confirm your account. This sends a
confirmation email to your registered email. The dashboard widget then updates to show that confirmation is
required.
4. Open your email, and follow the confirmation link it contains.
Results
A FortiCloud page will open, stating that your account has been confirmed. The Activation Pending message on the
dashboard will change to state the type of account you have (‘1GB Free’ or ‘200GB Subscription’), and will provide a link
to the FortiCloud portal.
Once logging has been configured and you have registered your account, you can log into the FortiCloud portal and
begin viewing your logging results. There are two methods to reach the FortiCloud portal:
l If you have direct networked access to the FortiGate, you can simply open your Dashboard and check the License
Information widget. Next to the current FortiCloud connection status will be a link to reach the FortiCloud Portal.
l If you do not currently have access to the FortiGate’s interface, you can visit the FortiCloud website
(https://forticloud.com) and log in remotely, using your email and password. It will ask you to confirm the
FortiCloud account you are connecting to and then you will be granted access. Connected devices can be remotely
configured using the Scripts page in the Management Tab, useful if an administrator may be away from the unit for
a long period of time.
Cloud sandboxing
FortiCloud can be used for automated sample tracking, or sandboxing, for files from a FortiGate. This allows suspicious
files to be sent to be inspected without risking network security. If the file exhibits risky behavior, or is found to contain a
virus, a new virus signature is created and added to the FortiGuard antivirus signature database.
Cloud sandboxing is configured by going to Security Fabric > Settings. After enabling Sandbox Inspection, select
the FortiSandbox type.
Sandboxing results are shown in a new tab called AV Submissions in the FortiCloud portal. This tab only appears
after a file has been sent for sandboxing.
For more information about FortiCloud, see the FortiCloud documentation.
If your FortiGate does not function as desired after installation, try the following troubleshooting tips:
1. Check for equipment issues Verify that all network equipment is powered on and operating as expected. Refer
to the QuickStart Guide for information about connecting your FortiGate to the network. You will also find detailed
information about the FortiGate LED indicators. The FortiGate has multiple LED lights on the faceplate. Verify
whether or not the LEDs on your FortiGate indicate a problem. For information on what the LEDs mean, see the
LED specifications on page 39.
2. Check the physical network connections Check the cables used for all physical connections to ensure that they
are fully connected and do not appear damaged, and make sure that each cable connects to the correct device and
the correct Ethernet port on that device.
3. Verify that you can connect to the internal IP address of the FortiGate Connect to the GUI from the
FortiGate’s internal interface by browsing to its IP address. From the PC, try to ping the internal interface IP
address; for example, ping 192.168.1.99. If you cannot connect to the internal interface, verify the IP
configuration of the PC. If you can ping the interface but can't connect to the GUI, check the settings for
administrative access on that interface. Alternatively, use SSH to connect to the CLI, and then confirm that HTTPS
has been enabled for Administrative Access on the interface.
4. Check the FortiGate interface configurations Check the configuration of the FortiGate interface connected to
the internal network (under Network > Interfaces) and check that Addressing mode is set to the correct mode.
5. Verify the security policy configuration Go to Policy & Objects > IPv4 Policy and verify that the internal
interface to Internet-facing interface security policy has been added and is located near the top of the policy list.
Check the Active Sessions column to ensure that traffic has been processed (if this column does not appear,
right-click on the table header and select Active Sessions). If you are using NAT mode, check the configuration of
the policy to make sure that NAT is enabled and that Use Outgoing Interface Address is selected.
6. Verify the static routing configuration
Go to Network > Static Routes and verify that the default route is correct. Go to Monitor > Routing Monitor
and verify that the default route appears in the list as a static route. Along with the default route, you should see
two routes shown as Connected, one for each connected FortiGate interface.
7. Verify that you can connect to the Internet-facing interface's IP address Ping the IP address of the
Internet-facing interface of your FortiGate. If you cannot connect to the interface, the FortiGate is not allowing
sessions from the internal interface to Internet-facing interface. Verify that PING has been enabled for
Administrative Access on the interface.
8. Verify that you can connect to the gateway provided by your ISP
Ping the default gateway IP address from a PC on the internal network. If you cannot reach the gateway, contact
your ISP to verify that you are using the correct gateway.
9. Verify that you can communicate from the FortiGate to the Internet
Access the FortiGate CLI and use the command execute ping 8.8.8.8. You can also use the execute
traceroute 8.8.8.8 command to troubleshoot connectivity to the Internet.
10. Verify the DNS configurations of the FortiGate and the PCs
Check for DNS errors by pinging or using traceroute to connect to a domain name; for example: ping
www.fortinet.com.
If the name cannot be resolved, the FortiGate or PC cannot connect to a DNS server and you should confirm that
the DNS server IP addresses are present and correct.
11. Confirm that the FortiGate can connect to the FortiGuard network Once the FortiGate is on your network,
you should confirm that it can reach the FortiGuard network. First, check the License Information widget to make
sure that the status of all FortiGuard services matches the services that you have purchased. Go to System
> FortiGuard. Scroll down to Filtering Services Availability and select Check Again. After a minute, the GUI
should indicate a successful connection. Verify that your FortiGate can resolve and reach FortiGuard at
service.fortiguard.net by pinging the domain name. If you can reach this service, you can then verify the
connection to FortiGuard servers by running the command diagnose debug rating. This displays a list of
FortiGuard IP gateways you can connect to, as well as the following information:
l Weight: Based on the difference in time zone between the FortiGate and this server
l RTT: Return trip time
l Flags: D (IP returned from DNS), I (Contract server contacted), T (being timed), F (failed)
l TZ: Server time zone
l Curr Lost: Current number of consecutive lost packets
l Total Lost: Total number of lost packets
12. Consider changing the MAC address of your external interface Some ISPs do not want the MAC address of
the device connecting to their network cable to change. If you have added a FortiGate to your network, you may
have to change the MAC address of the Internet-facing interface using the following CLI command:
config system interface
edit <interface>
set macaddr <xx:xx:xx:xx:xx:xx>
end
end
13. Check the FortiGate bridge table (transparent mode) When a FortiGate is in transparent mode, the unit acts
like a bridge sending all incoming traffic out on the other interfaces. The bridge is between interfaces on the
FortiGate unit. Each bridge listed is a link between interfaces. Where traffic is flowing between interfaces, you
expect to find bridges listed. If you are having connectivity issues and there are no bridges listed, that is a likely
cause. Check for the MAC address of the interface or device in question. To list the existing bridge instances on the
FortiGate, use the following CLI command:
diagnose netlink brctl name host root.b
show bridge control interface root.b host.
fdb: size=2048, used=25, num=25, depth=1
Bridge root.b host table
port no device devname mac addr ttl attributes
3 4 wan1 00:09:0f:cb:c2:77 88
3 4 wan1 00:26:2d:24:b7:d3 0
3 4 wan1 00:13:72:38:72:21 98
4 3 internal 00:1a:a0:2f:bc:c6 6
1 6 dmz 00:09:0f:dc:90:69 0 Local Static
3 4 wan1 c4:2c:03:0d:3a:38 81
3 4 wan1 00:09:0f:15:05:46 89
3 4 wan1 c4:2c:03:1d:1b:10 0
2 5 wan2 00:09:0f:dc:90:68 0 Local Static
14. Use FortiExplorer if you can’t connect to the FortiGate over Ethernet If you can’t connect to the FortiGate
GUI or CLI, you may be able to connect using FortiExplorer. Refer to the QuickStart Guide or see the section on
FortiExplorer for more details.
15. Either reset the FortiGate to factory defaults or contact Fortinet Support for assistance To reset the
FortiGate to factory defaults, use the CLI command execute factoryreset. When prompted, type y to
confirm the reset.
If you require further assistance, visit the Fortinet Support website.
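As an added example that is not part of the cookbook, the following Python parser reads the bridge table printed in step 13 and reports whether a given MAC address has been learned on a bridge port, which is the check that step asks you to make by hand; the sample output is constructed from the table shown above.

```python
"""Parse 'diagnose netlink brctl name host root.b' output and look up a MAC address."""
import re
from typing import Dict, List, Optional

# Constructed sample: the bridge table from troubleshooting step 13 above.
SAMPLE_OUTPUT = """\
show bridge control interface root.b host.
fdb: size=2048, used=25, num=25, depth=1
Bridge root.b host table
port no device devname mac addr ttl attributes
3 4 wan1 00:09:0f:cb:c2:77 88
3 4 wan1 00:26:2d:24:b7:d3 0
3 4 wan1 00:13:72:38:72:21 98
4 3 internal 00:1a:a0:2f:bc:c6 6
1 6 dmz 00:09:0f:dc:90:69 0 Local Static
3 4 wan1 c4:2c:03:0d:3a:38 81
3 4 wan1 00:09:0f:15:05:46 89
3 4 wan1 c4:2c:03:1d:1b:10 0
2 5 wan2 00:09:0f:dc:90:68 0 Local Static
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def parse_bridge_table(text: str) -> List[Dict[str, object]]:
    """Return one dict per forwarding-table row; header lines are skipped."""
    entries: List[Dict[str, object]] = []
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not in_table:
            # The column header marks the start of the table.
            in_table = line.startswith("port no")
            continue
        parts = line.split()
        if len(parts) < 5 or not MAC_RE.match(parts[3].lower()):
            continue  # not a forwarding-table row
        entries.append({
            "port": int(parts[0]),
            "device": int(parts[1]),
            "devname": parts[2],
            "mac": parts[3].lower(),
            "ttl": int(parts[4]),
            # 'Local Static' marks the FortiGate's own interface MACs.
            "attributes": parts[5:],
        })
    return entries


def find_mac(entries: List[Dict[str, object]], mac: str) -> Optional[Dict[str, object]]:
    """Case-insensitive lookup of a MAC address in the parsed table."""
    mac = mac.lower()
    return next((e for e in entries if e["mac"] == mac), None)


def learned_ports(entries: List[Dict[str, object]]) -> List[str]:
    """Interfaces on which the bridge has learned at least one remote (non-Local) MAC."""
    return sorted({str(e["devname"]) for e in entries if "Local" not in e["attributes"]})


def check_host(text: str, mac: str) -> str:
    """Apply the step-13 reasoning: no bridge entries is itself the likely cause,
    otherwise report where (or whether) the MAC was learned."""
    entries = parse_bridge_table(text)
    if not entries:
        return "no bridge entries listed; the bridge itself is the likely cause"
    entry = find_mac(entries, mac)
    if entry is None:
        return f"{mac.lower()} not learned on any bridge port"
    if "Local" in entry["attributes"]:
        return f"{mac.lower()} is the FortiGate's own {entry['devname']} interface"
    return f"{mac.lower()} learned on {entry['devname']} (ttl {entry['ttl']})"


if __name__ == "__main__":
    for probe in ("00:1a:a0:2f:bc:c6", "00:09:0f:dc:90:69", "de:ad:be:ef:00:01"):
        print(check_host(SAMPLE_OUTPUT, probe))
```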
This recipe provides an example of deploying Security Fabric with three downstream FortiGates connecting to one root
FortiGate. To deploy Security Fabric, you need a FortiAnalyzer running firmware version 6.2.
The following shows a sample network topology of three downstream FortiGates (Accounting, Marketing, and Sales)
connected to the root FortiGate (Edge).
1. Configure interface:
a. In the root FortiGate (Edge), go to Network > Interfaces.
b. Edit port16:
l Set Role to DMZ.
l For the interface connected to FortiAnalyzer, set the IP/Network Mask to 192.168.65.2/255.255.255.0
c. Edit port10:
l Set Role to LAN.
l For the interface connected to the downstream FortiGate (Accounting), set the IP/Network Mask to
192.168.10.2/255.255.255.0
d. Edit port11:
l Set Role to LAN.
l For the interface connected to the downstream FortiGate (Marketing), set the IP/Network Mask to
192.168.200.2/255.255.255.0
2. Configure Security Fabric:
a. In the root FortiGate (Edge), go to Security Fabric > Settings.
l Enable FortiGate Telemetry.
l Set a Group name, such as Office-Security-Fabric.
l Add port10 and port11 to FortiTelemetry enabled interfaces.
After FortiGate Telemetry is enabled, FortiAnalyzer Logging is automatically enabled and Upload Option is set
to Real Time.
b. Set IP address to the FortiAnalyzer IP 192.168.65.10.
c. Select Test Connectivity.
A warning message indicates that the FortiGate is not authorized on the FortiAnalyzer. The authorization is
configured in a later step on the FortiAnalyzer.
3. Create a policy to allow the downstream FortiGate (Accounting) to access the FortiAnalyzer:
a. In the root FortiGate (Edge), go to Policy & Objects > Addresses.
l Click Create New.
l Set Name to FAZ-addr.
l Set Type to Subnet.
l Set Subnet/IP Range to 192.168.65.10/32.
l Set Interface to any.
l Click Create New.
l Set Name to Accounting.
l Set Type to Subnet.
l Set Subnet/IP Range to 192.168.10.10/32.
l Set Interface to any.
b. In the root FortiGate (Edge), go to Policy & Objects > IPv4 Policy.
l Set Name to Accounting-to-FAZ.
l Set srcintf to port10.
l Set dstintf to port16.
l Set srcaddr to Accounting-addr.
l Set dstaddr to FAZ-addr.
1. Configure interface:
a. In the downstream FortiGate (Accounting), go to Network > Interfaces.
b. Edit interface wan1:
l Set Role to WAN.
l For the interface connected to root, set the IP/Network Mask to 192.168.10.10/255.255.255.0
2. Configure the default static route to connect to the root FortiGate (Edge):
a. In the downstream FortiGate (Accounting), go to Network > Static Routes:
l Set Destination to 0.0.0.0/0.0.0.0.
l Set Interface to wan1.
l Set Gateway Address to 192.168.10.2.
3. Configure Security Fabric:
a. In the downstream FortiGate (Accounting), go to Security Fabric > Settings.
l Enable FortiGate Telemetry.
l Enable Connect to upstream FortiGate.
l FortiGate IP is filled in automatically with the default static route Gateway Address of 192.168.10.2 set
in the previous step.
l Leave FortiTelemetry enabled interfaces empty since there is no downstream FortiGate connecting to it.
After FortiGate Telemetry is enabled, FortiAnalyzer automatically enables Logging. Settings for the
FortiAnalyzer are retrieved from the root FortiGate (Edge) when FortiGate (Accounting) connects to the root
FortiGate (Edge).
1. Configure interface:
a. In the downstream FortiGate (Marketing), go to Network > Interfaces.
b. Edit port12:
l Set Role to LAN.
l For the interface connected to the downstream FortiGate (Sales), set the IP/Network Mask to
192.168.135.11/255.255.255.0.
c. Edit wan1:
l Set Role to WAN.
l For the interface connected to the root FortiGate (Edge), set the IP/Network Mask to
192.168.200.10/255.255.255.0.
2. Configure the default static route to connect to the root FortiGate (Edge):
a. In the downstream FortiGate (Marketing), go to Network > Static Routes:
l Set Destination to 0.0.0.0/0.0.0.0.
l Set Interface to wan1.
l Set Gateway Address to 192.168.200.2.
3. Configure Security Fabric:
a. In the downstream FortiGate (Marketing), go to Security Fabric > Settings.
l Enable FortiGate Telemetry.
l Enable Connect to upstream FortiGate.
l FortiGate IP is filled in automatically with the default static route Gateway Address of 192.168.200.2 set
in the previous step.
l In FortiTelemetry enabled interfaces, add port12.
After FortiGate Telemetry is enabled, FortiAnalyzer automatically enables Logging. Settings for the
FortiAnalyzer are retrieved from the root FortiGate (Edge) when FortiGate (Marketing) connects to the root
FortiGate (Edge).
4. Create a policy to allow another downstream FortiGate (Sales) going through FortiGate (Marketing) to access the
FortiAnalyzer:
a. In the downstream FortiGate (Marketing), go to Policy & Objects > Addresses and click Create New.
l Set Name to FAZ-addr.
l Set Type to Subnet.
l Set Subnet/IP Range to 192.168.65.10/32.
l Set Interface to any.
b. Click Create New.
l Set Name to Sales-addr.
l Set Type to Subnet.
l Set Subnet/IP Range to 192.168.135.10/32.
l Set Interface to any.
c. In the downstream FortiGate (Marketing), go to Policy & Objects > IPv4 Policy.
l Set Name to Sales-to-FAZ.
l Set srcintf to port12.
l Set dstintf to wan1.
1. Configure interface:
a. In the downstream FortiGate (Sales), go to Network > Interfaces.
b. Edit wan2:
l Set Role to WAN.
l For the interface connected to the upstream FortiGate (Marketing), set the IP/Network Mask to
192.168.135.10/255.255.255.0.
2. Configure the default static route to connect to the upstream FortiGate (Marketing):
a. In the downstream FortiGate (Sales), go to Network > Static Routes:
l Set Destination to 0.0.0.0/0.0.0.0.
l Set Interface to wan2.
l Set Gateway Address to 192.168.135.11.
To authorize downstream FortiGates (Accounting, Marketing, and Sales) on the root FortiGate (Edge):
1. Run the diagnose sys csf authorization pending-list command in the root FortiGate to show the
downstream FortiGate pending for root FortiGate authorization:
Edge # diagnose sys csf authorization pending-list
Serial IP Address HA-Members Path
------------------------------------------------------------------------------------
FG201ETK18902514 0.0.0.0 FG3H1E5818900718:FG201ETK18902514
2. Run the diagnose sys csf downstream command in the root or middle FortiGate to show the downstream
FortiGates after they join Security Fabric:
Edge # diagnose sys csf downstream
1: FG201ETK18902514 (192.168.200.10) Management-IP: 0.0.0.0 Management-port:0 parent:
FG3H1E5818900718
path:FG3H1E5818900718:FG201ETK18902514
data received: Y downstream intf:wan1 upstream intf:port11 admin-port:443
authorizer:FG3H1E5818900718
2: FGT81ETK18002246 (192.168.10.10) Management-IP: 0.0.0.0 Management-port:0 parent:
FG3H1E5818900718
path:FG3H1E5818900718:FGT81ETK18002246
data received: Y downstream intf:wan1 upstream intf:port10 admin-port:443
authorizer:FG3H1E5818900718
3: FG101ETK18002187 (192.168.135.10) Management-IP: 0.0.0.0 Management-port:0 parent:
FG201ETK18902514
path:FG3H1E5818900718:FG201ETK18902514:FG101ETK18002187
data received: Y downstream intf:wan2 upstream intf:port12 admin-port:443
authorizer:FG3H1E5818900718
3. Run the diagnose sys csf upstream command in any downstream FortiGate to show the upstream
FortiGate after downstream FortiGate joins Security Fabric:
Marketing # diagnose sys csf upstream
Upstream Information:
Serial Number:FG3H1E5818900718
IP:192.168.200.2
Connecting interface:wan1
Connection status:Authorized
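An added example, not from the cookbook: a Python parser for the diagnose sys csf downstream output shown above that rebuilds the Security Fabric tree and flags any downstream unit whose path, parent or authorizer disagrees with the root. The sample text is constructed from the output above with its page-wrapped lines rejoined, and ROOT_SERIAL is the Edge serial taken from that output; the same check applies to the diagnose sys csf downstream step in the later recipes.

```python
"""Parse 'diagnose sys csf downstream' and check the Security Fabric tree is consistent."""
import re
from typing import Dict, List

ROOT_SERIAL = "FG3H1E5818900718"  # the root FortiGate (Edge) in the recipe above

# Constructed from the sample output above; the printed page wraps the first
# line of each record, here each record is on the three lines the CLI prints.
SAMPLE_OUTPUT = """\
1: FG201ETK18902514 (192.168.200.10) Management-IP: 0.0.0.0 Management-port:0 parent: FG3H1E5818900718
path:FG3H1E5818900718:FG201ETK18902514
data received: Y downstream intf:wan1 upstream intf:port11 admin-port:443
authorizer:FG3H1E5818900718
2: FGT81ETK18002246 (192.168.10.10) Management-IP: 0.0.0.0 Management-port:0 parent: FG3H1E5818900718
path:FG3H1E5818900718:FGT81ETK18002246
data received: Y downstream intf:wan1 upstream intf:port10 admin-port:443
authorizer:FG3H1E5818900718
3: FG101ETK18002187 (192.168.135.10) Management-IP: 0.0.0.0 Management-port:0 parent: FG201ETK18902514
path:FG3H1E5818900718:FG201ETK18902514:FG101ETK18002187
data received: Y downstream intf:wan2 upstream intf:port12 admin-port:443
authorizer:FG3H1E5818900718
"""

HEAD_RE = re.compile(r"^\s*\d+:\s+(?P<serial>\S+)\s+\((?P<ip>[^)]+)\).*?parent:\s*(?P<parent>\S+)")
PATH_RE = re.compile(r"^\s*path:(?P<path>\S+)")
DATA_RE = re.compile(r"^\s*data received:\s*(?P<data>\S+)\s+downstream intf:(?P<down>\S+)"
                     r"\s+upstream intf:(?P<up>\S+)\s+admin-port:(?P<port>\d+)")
AUTH_RE = re.compile(r"^\s*authorizer:(?P<auth>\S+)")


def parse_downstream(text: str) -> List[Dict[str, str]]:
    """One dict per downstream FortiGate: serial, ip, parent, path, data, down, up, port, auth."""
    entries: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = HEAD_RE.match(line)
        if m:
            entries.append(m.groupdict())  # a new record starts with 'N: <serial> (<ip>) ...'
            continue
        if not entries:
            continue  # text before the first record
        for rx in (PATH_RE, DATA_RE, AUTH_RE):
            m = rx.match(line)
            if m:
                entries[-1].update(m.groupdict())
                break
    return entries


def fabric_tree(entries: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each parent serial to the serials that report it as their parent."""
    tree: Dict[str, List[str]] = {}
    for e in entries:
        tree.setdefault(e["parent"], []).append(e["serial"])
    return tree


def check_fabric(entries: List[Dict[str, str]], root_serial: str) -> List[str]:
    """Return a list of inconsistencies; an empty list means every unit's path is
    its parent's path plus its own serial, the root authorized it, and data flows."""
    problems: List[str] = []
    paths = {root_serial: root_serial}
    for e in entries:
        paths[e["serial"]] = e.get("path", "")
    for e in entries:
        serial = e["serial"]
        expected = paths.get(e["parent"], "?") + ":" + serial
        if e.get("path") != expected:
            problems.append(f"{serial}: path {e.get('path')} does not match parent chain {expected}")
        if e.get("auth") != root_serial:
            problems.append(f"{serial}: authorized by {e.get('auth')}, not the root {root_serial}")
        if e.get("data") != "Y":
            problems.append(f"{serial}: no telemetry data received")
    return problems


if __name__ == "__main__":
    units = parse_downstream(SAMPLE_OUTPUT)
    print(fabric_tree(units))
    print(check_fabric(units, ROOT_SERIAL) or "fabric consistent")
```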
This recipe provides an example of configuring Security Fabric over IPsec VPN.
The following sample topology shows a downstream FortiGate (HQ2) connected to the root FortiGate (HQ1) over IPsec
VPN to join Security Fabric.
1. Configure interface:
a. In the root FortiGate (HQ1), go to Network > Interfaces.
b. Edit port2:
l Set Role to WAN.
l For the interface connected to the Internet, set the IP/Network Mask to 10.2.200.1/255.255.255.0
c. Edit port6:
l Set Role to DMZ.
l For the interface connected to FortiAnalyzer, set the IP/Network Mask to 192.168.8.250/255.255.255.0
2. Configure the static route to connect to the Internet:
a. Go to Network > Static Routes and click Create New.
l Set Destination to 0.0.0.0/0.0.0.0.
l Set Interface to port2.
l Set Gateway Address to 10.2.200.2.
3. Configure IPsec VPN:
a. Go to VPN > IPsec Wizard.
l Set VPN Name to To-HQ2.
l Set Template Type to Custom.
l Click Next.
l Set Authentication to Method.
l Set Pre-shared Key to 123456.
b. Leave all other fields in their default values and click OK.
4. Configure the IPsec VPN interface IP address which will be used to form Security Fabric:
a. Go to Network > Interfaces.
b. Edit To-HQ2:
l Set Role to LAN.
l Set the IP/Network Mask to 10.10.10.1/255.255.255.255.
l Set Remote IP/Network Mask to 10.10.10.3/255.255.255.0.
5. Configure IPsec VPN local and remote subnet:
a. Go to Policy & Objects > Addresses.
l Click Create New
l Set Name to To-HQ2_local_subnet_1.
l Set Type to Subnet.
l Set IP/Network Mask to 192.168.8.0/24.
l Click OK.
l Click Create New
l Set Name to To-HQ2_remote_subnet_1.
l Set Type to Subnet.
l Set IP/Network Mask to 10.1.100.0/24.
l Click OK.
1. Configure interface:
a. Go to Network > Interfaces.
b. Edit interface wan1:
l Set Role to WAN.
l For the interface connected to the Internet, set the IP/Network Mask to 192.168.7.3/255.255.255.0.
c. Edit interface vlan20:
l Set Role to LAN.
l For the interface connected to local endpoint clients, set the IP/Network Mask to
10.1.100.3/255.255.255.0.
2. Configure the static route to connect to the Internet:
a. Go to Network > Static Routes and click Create New.
l Set Destination to 0.0.0.0/0.0.0.0.
l Set Interface to wan1.
l Set Gateway Address to 192.168.7.2.
3. Configure IPsec VPN:
a. Go to VPN > IPsec Wizard.
l Set VPN Name to To-HQ1.
l Set Template Type to Custom.
l Click Next.
l In the Network IP Address, enter 10.2.200.1.
l Set Interface to wan1.
l Set Authentication to Method.
l Set Pre-shared Key to 123456.
b. Leave all other fields in their default values and click OK.
4. Configure the IPsec VPN interface IP address which will be used to form Security Fabric:
a. Go to Network > Interfaces.
b. Edit To-HQ1:
l Set Role to WAN.
l Set the IP/Network Mask to 10.10.10.3/255.255.255.255.
l Set Remote IP/Network Mask to 10.10.10.1/255.255.255.0.
5. Configure IPsec VPN local and remote subnet:
a. Go to Policy & Objects > Addresses.
l Click Create New
l Set Name to To-HQ1_local_subnet_1.
l Set Type to Subnet.
l Set IP/Network Mask to 10.1.100.0/24.
l Click OK.
l Click Create New
l Set Name to To-HQ1_remote_subnet_1.
l Set Type to Subnet.
1. Run the diagnose sys csf authorization pending-list command in the root FortiGate (HQ1) to
show the downstream FortiGate pending for root FortiGate authorization:
HQ1 # diagnose sys csf authorization pending-list
Serial IP Address HA-Members Path
------------------------------------------------------------------------------------
FG101ETK18002187 0.0.0.0 FG3H1E5818900718:FG101ETK18002187
2. Run the diagnose sys csf downstream command in the root FortiGate (HQ1) to show the downstream
FortiGate (HQ2) after it joins Security Fabric:
HQ1 # diagnose sys csf downstream
1: FG101ETK18002187 (10.10.10.3) Management-IP: 0.0.0.0 Management-port:0 parent:
FG3H1E5818900718
path:FG3H1E5818900718:FG101ETK18002187
data received: Y downstream intf:To-HQ1 upstream intf:To-HQ2 admin-port:443
authorizer:FG3H1E5818900718
3. Run the diagnose sys csf upstream command in the downstream FortiGate (HQ2) to show the root
FortiGate (HQ1) after the downstream FortiGate joins Security Fabric:
This recipe shows how to view and control compromised hosts via the Security Fabric > Physical Topology or Security
Fabric > Logical Topology view.
In the following topology, the downstream FortiGate (Marketing) is connected to the root FortiGate (Edge) through a
FortiSwitch (Distribution). The Endpoint Host is connected to the downstream FortiGate (Marketing) through another
FortiSwitch (Access).
3. Configure the default static route to connect to the root FortiGate. Go to Network > Static Routes. Set the
Destination to 0.0.0.0/0.0.0.0, select port4 as the Interface, and set the Gateway Address as 192.168.5.254.
4. Configure the Security Fabric:
a. Go to Security Fabric > Settings.
b. Enable FortiGate Telemetry.
c. Configure a group name.
d. In FortiTelemetry enabled interfaces, add vlan70.
e. FortiAnalyzer logging is enabled and the Upload option is set to Real Time after FortiGate Telemetry is
enabled. Set the IP address to the FortiAnalyzer IP address, which in this example is 192.168.8.250.
FortiAnalyzer settings will be retrieved when the downstream FortiGate connects to the root FortiGate.
5. Create a policy to access the Internet. Go to Policy & Objects > IPv4 Policy. Click Create New, and configure the
policy as follows:
a. Set the Name to Access-internet1.
b. Set the Source Interface to vlan70 and the Destination Interface to port4.
c. Set the Source Address to all and the Destination Address to all.
d. Set the Action to ACCEPT.
e. Set the Schedule to Always.
f. Set the Service to ALL.
g. Enable NAT.
h. Set the IP Pool Configuration to Use Outgoing Interface Address.
6. Create an address for the FortiAnalyzer:
a. Go to Policy & Objects > Addresses. Click Create New, then Address.
b. Set the Name to FAZ-addr.
c. Set the Type to Subnet.
d. Set the Subnet/IP Range to 192.168.8.250/32.
e. Set the Interface to Any.
7. Create a policy for the downstream FortiGate to access the FortiAnalyzer. Go to Policy & Objects > IPv4 Policy.
Click Create New, and configure the policy as follows:
a. Set the Name to Access-Resources.
b. Set the Source Interface to vlan70 and the Destination Interface to port6.
c. Set the Source Address to all and the Destination Address to FAZ-addr.
d. Set the Action to ACCEPT.
e. Set the Schedule to Always.
f. Set the Service to ALL.
g. Enable NAT.
h. Set the IP Pool Configuration to Use Outgoing Interface Address.
d. Return to Network > Interfaces and click Create New. For the new interface, set the name to vlan20, Type to
VLAN, Interface to wan2, VLAN ID to 20, Role to LAN, and IP/Network Mask to 10.1.100.3/255.255.255.0.
2. Authorize the Access FortiSwitch:
a. Go to WiFi & Switch Controller > Managed FortiSwitch.
b. Click the FortiGate icon, then click Edit. Set the Name to Access-Switch, enable the Authorized option, then
click OK.
c. Click the FortiSwitch port2 icon. For port2's Native VLAN, select vlan20.
3. Configure the default static route to connect to the root FortiGate. Go to Network > Static Routes. Set the
Destination to 0.0.0.0/0.0.0.0, select wan1 as the Interface, and set the Gateway Address as 192.168.7.2.
4. Configure the Security Fabric:
a. Go to Security Fabric > Settings.
b. Enable FortiGate Telemetry.
c. Under FortiGate Telemetry, enable Connect to upstream FortiGate.
d. Configure the FortiGate IP to 192.168.7.2.
e. In FortiTelemetry enabled interfaces, add vlan20.
f. FortiAnalyzer logging is enabled after FortiGate Telemetry is enabled. FortiAnalyzer settings will be retrieved
when the downstream FortiGate connects to the root FortiGate.
5. Create a policy to access the Internet. Go to Policy & Objects > IPv4 Policy. Click Create New, and configure the
policy as follows:
a. Set the Name to Access-internet2.
b. Set the Source Interface to vlan20 and the Destination Interface to wan1.
c. Set the Source Address to all and the Destination Address to all.
d. Set the Action to ACCEPT.
e. Set the Schedule to Always.
f. Set the Service to ALL.
g. Enable NAT.
h. Set the IP Pool Configuration to Use Outgoing Interface Address.
i. Choose the default Web Filter profile.
1. In FortiOS on the root FortiGate, go to Security Fabric > Settings. In the Topology field, a highlighted FortiGate
with a serial number is connecting to the root FortiGate, and a highlighted warning asks for authorization of the
highlighted device.
2. Click the highlighted FortiGate, then select Authorize. After authorization, the downstream FortiGate appears in
the Topology field in Security Fabric > Settings, meaning that the downstream FortiGate joined the Security
Fabric successfully.
1. Test that FortiGate detects a compromised endpoint host by opening a browser on the endpoint host and entering
a malicious website URL. The browser displays a Web Page Blocked! warning and does not allow access to the
website.
2. In FortiOS on the root FortiGate, go to Security Fabric > Physical Topology. The endpoint host, connected to the
Access FortiSwitch, is highlighted in red. Mouse over the endpoint host to view a tooltip that shows the IoC verdict.
The endpoint host is compromised.
3. Go to Security Fabric > Logical Topology. The endpoint host, connected to the downstream FortiGate, is
highlighted in red. Mouse over the endpoint host to view a tooltip that shows the IoC verdict. The endpoint host is
compromised.
1. To show the downstream FortiGate after it joins the Security Fabric, run the diagnose sys csf downstream
command in the root FortiGate (Edge) CLI. The output should resemble the following:
Edge # diagnose sys csf downstream
1: FG101ETK18002187 (192.168.7.3) Management-IP: 0.0.0.0 Management-port:0 parent:
FG201ETK18902514
path:FG201ETK18902514:FG101ETK18002187
data received: Y downstream intf:wan1 upstream intf:vlan70 admin-port:443
authorizer:FG201ETK18902514
2. To show the upstream FortiGate after the downstream FortiGate joins the Security Fabric, run the diagnose
sys csf upstream command in the downstream FortiGate (Marketing) CLI. The output should resemble the
following:
Marketing # diagnose sys csf upstream
Upstream Information:
Serial Number:FG201ETK18902514
IP:192.168.7.2
Connecting interface:wan1
Connection status:Authorized
3. To show the quarantined endpoint host in the connected FortiGate, run the following commands in the
downstream FortiGate (Marketing) CLI:
Marketing # show user quarantine
config user quarantine
    config targets
        edit "PC2"
            set description "Manually quarantined"
            config macs
                edit 00:0c:29:3d:89:39
                    set description "manual-qtn Hostname: PC2"
                next
            end
        next
    end
end
Prerequisites
Restrictions
• Desktop models (for example, under 100D) with SSD support only the five-minute and one-hour views.
• Medium models (for example, 200D, 500D) with SSD support up to the 24-hour view.
• Large models (for example, 1500D and above) with SSD support up to the seven-day view.
• Confirm that the setting is enabled:
config log setting
    set fortiview-weekly-data enable
end
Configuration
A firewall policy with traffic logging enabled must be in place. For best results with FortiView, internal interface roles should be clearly defined as LAN or DMZ, and internet-facing or external interface roles should be defined as WAN.
3. Click Apply.
To include sniffer traffic and local-deny traffic when using FortiView from disk:
Source View
Top Level
Sample entry:
Time
• Realtime (Now) entries are determined by the FortiGate's system session list.
• Historical (5 minutes and later) entries are determined by traffic logs, with additional information coming from UTM logs.
Graph
• The graph shows the bytes sent/received in the time frame. Realtime does not include a chart.
• Users can customize the time frame by selecting a time period within the graph.
Bubble Chart
• The bubble chart shows the same information as the table, but in a different graphical manner.
Columns
• Source shows the IP address (and the user as well as the user avatar, if configured) of the source device.
• Device shows the device information as listed in User & Device > Device Inventory. Device detection should be enabled on the applicable interfaces for best results.
• Threat Score is the threat score of the source based on UTM features such as web filter and antivirus. It shows threat scores allowed and threat scores blocked.
• Bytes is the accumulated bytes sent/received. In realtime, this is calculated from the session list; in historical, it is taken from logs.
• Sessions is the total sessions blocked/allowed. In realtime, this is calculated from the session list; in historical, it is taken from logs.
• Source is a simplified version of the first column, including only the IP address without extra information.
• Source Interface is the interface from which the traffic originates. In realtime, this is calculated from the session list; in historical, it is taken from the logs.
• More information is shown in a tooltip while hovering over these entries.
• For realtime, two more columns are available, Bandwidth and Packets, both of which come from the session list.
Drilldown Level
Sample entry:
Graph
• The graph shows the bytes sent/received in the time frame. Realtime does not include a chart.
• Users can customize the time frame by selecting a time period within the graph.
Summary
• Shows information such as the user/avatar, source IP, bytes, and total sessions for the time period.
• Hosts behind a FortiSwitch or FortiAP can be quarantined (access layer quarantine).
• IP addresses can be banned, which adds the source IP address to the quarantine list.
Tabs
• Drilling down into entries in any of these tabs (except the Sessions tab) takes you to the underlying traffic log in the Sessions tab.
• Applications shows a list of the applications attributed to the source IP. This can include scanned applications (using application control in a firewall policy) or unscanned applications; the following setting controls whether unscanned applications are shown:
config log gui-display
    set fortiview-unscanned-apps enable
end
• Destinations shows destinations grouped by IP address/FQDN.
• Threats lists the threats caught by UTM profiles. This can be from antivirus, IPS, web filter, application control, etc.
• Web Sites contains the websites that were detected either with web filter or through FQDN in traffic logs.
• Web Categories groups entries into their categories as dictated by the Web Filter Database.
• Search Phrases shows entries of search phrases on search engines captured by a web filter UTM profile, with deep inspection enabled in the firewall policy.
• Policies groups the entries by the policies they passed through or were blocked by.
• Sessions shows the underlying logs (historical) or sessions (realtime). Drilldowns from other tabs end up showing the underlying log located in this tab.
• More information is shown in a tooltip while hovering over these entries.
Troubleshooting
• Use diagnose debug application httpsd -1 to check which filters were passed through httpsd.
For example:
[httpsd 3163 - 1546543360 info] api_store_parameter[227] -- add API parameter 'filter': '{ "source": "10.1.100.30", "application": "TCP\/5228", "srcintfrole": [ "lan", "dmz", "undefined" ] }' (type=object)
• Use diagnose debug application miglogd 0x70000 to check what SQL command is passed to the underlying SQL database.
For example:
fortiview_request_data()-898: total:31 start:1546559580 end:1546563179
_dump_sql()-799: dataset=fv.general.chart, sql:select a.timestamp1,ses_al,ses_bk,r,s,ifnull(sc_l,0),ifnull(sc_m,0),ifnull(sc_h,0),ifnull(sc_c,0)
from (select timestamp-(timestamp%60) timestamp1 ,sum(case when passthrough<>'block' then sessioncount else 0 end) ses_al,
sum(case when passthrough='block' then sessioncount else 0 end) ses_bk,sum(rcvdbyte) r,sum(sentbyte) s
from grp_traffic_all_src where timestamp BETWEEN 1546559580 and 1546563179 and 1=1 AND srcip in ('10.1.100.11')
AND srcintfrole in ('lan','dmz','undefined') group by timestamp1 ) a
left join (select timestamp-(timestamp%60) timestamp1 ,sum(case when threat_level=1 then crscore else 0 end) sc_l,
sum(case when threat_level=2 then crscore else 0 end) sc_m,sum(case when threat_level=3 then crscore else 0 end) sc_h,
sum(case when threat_level=4 then crscore else 0 end) sc_c
from grp_threat where timestamp BETWEEN 1546559580 and 1546563179 and 1=1 AND srcip in ('10.1.100.11')
AND srcintfrole in ('lan','dmz','undefined') group by timestamp1 ) b on a.timestamp1 = b.timestamp1;
takes 40(ms), agggr:0(ms)
• Use exe report flush-cache and exe report recreate-db to clear up any irregularities that may be caused by upgrading or cache issues.
DNS
Introduction
DNS (Domain Name System) is used by devices connecting to the Internet to locate websites by mapping a domain
name to a website’s IP address. For example, a DNS server maps the domain name www.fortinet.com to the IP address
66.171.121.34.
A FortiGate can serve different roles based on user requirements:
• A FortiGate can control which DNS servers the network uses.
• A FortiGate can function as a DNS server.
• FortiGuard Dynamic Domain Name Service (DDNS) allows a remote administrator to access a FortiGate's Internet-facing interface using a domain name that remains constant even when its IP address changes.
FortiOS supports DNS configuration for both IPv4 and IPv6 addressing. When a user requests a website, the FortiGate
looks to the configured DNS servers to provide the IP address of the website in order to know which server to contact to
complete the transaction.
The FortiGate queries the DNS servers whenever it needs to resolve a domain name into an IP address, such as for
NTP or web servers defined by their domain names.
FGT_A (dns) # set
*primary Primary DNS server IP address.
secondary Secondary DNS server IP address.
dns-over-tls Enable/disable/enforce DNS over TLS.
ssl-certificate Name of local certificate for SSL connections.
domain Search suffix list for hostname lookup.
ip6-primary Primary DNS server IPv6 address.
ip6-secondary Secondary DNS server IPv6 address.
timeout DNS query timeout interval in seconds (1 - 10).
retry Number of times to retry (0 - 5).
dns-cache-limit Maximum number of records in the DNS cache.
dns-cache-ttl Duration in seconds that the DNS cache retains information.
cache-notfound-responses Enable/disable response from the DNS server when a record is not in cache.
source-ip IP address used by the DNS server as its source IP.
dns-over-tls
FortiGate version 6.2 adds DNS over TLS (DoT) support. DoT is a security protocol for encrypting and wrapping DNS
queries and answers via the Transport Layer Security (TLS) protocol.
cache-notfound-responses
When you enable DNS cache not found responses, any DNS requests that are returned with NOT FOUND can be stored
in the cache. When enabled, the DNS server is not asked to resolve the host name for NOT FOUND entries.
config system dns
set cache-notfound-responses enable
end
dns-cache-limit
This command enables you to set how many DNS entries are stored in the cache. Entries that remain in the cache
provide a quicker response to requests than going out to the Internet to get the same information.
config system dns
set dns-cache-limit 2
end
dns-cache-ttl
This command enables you to set how long entries remain in the cache.
FGT_A (dns) # set dns-cache-limit
dns-cache-limit Enter an integer value from <0> to <4294967295> (default = <5000>).
DNS troubleshooting
The FortiGate CLI can collect the following list of DNS debug information.
FGT_A (global) # diagnose test application dnsproxy
worker idx: 0
1. Clear DNS cache
2. Show stats
3. Dump DNS setting
4. Reload FQDN
5. Requery FQDN
6. Dump FQDN
7. Dump DNS cache
8. Dump DNS DB
9. Reload DNS DB
10. Dump secure DNS policy/profile
11. Dump Botnet domain
12. Reload Secure DNS setting
13. Show Hostname cache
14. Clear Hostname cache
15. Show SDNS rating cache
16. Clear SDNS rating cache
17. DNS debug bit mask
99. Restart dnsproxy worker
The example below shows useful information about the ongoing DNS connection.
Important fields include:
For a FortiGate with multiple CPUs, version 6.2 adds a CLI command that sets the number of DNS proxy worker processes, from 1 to the number of CPUs. The default number of DNS processes is 1.
config system global
set dnsproxy-worker-count 4
end
Note: The range of dnsproxy-worker-count is 1 to the number of CPUs that the FortiGate has.
To debug DNS proxy on the worker ID, use the following command. The following example runs test commands on the
second dnsproxy worker. If you do not specify worker ID, the default worker ID is 0.
#diagnose test application dnsproxy 7 1
For debugging, you can also enable it on all workers by specifying -1 as worker ID.
#diagnose debug application dnsproxy -1 -1
End-users who commonly use incomplete URLs without a domain (for example: http://host1) rely on the proxy to locate
the domain and resolve the address. If the configured domain is company.com and the URL is http://host1, the DNS
feature will send a request for host1.company.com to a DNS server for the IP address. If you have local Microsoft
domains on the network, you can enter a domain name in the Local Domain Name field. In situations where all three
fields are configured, the FortiGate first looks to the local domain, and if no match is found, sends a request to the
external DNS servers.
Whenever a client requests a URL which does not include a fully qualified domain name (FQDN), FortiGate resolves the
URL by traversing through the DNS suffix list and doing a DNS query for each entry until the first match.
Sample configuration
1. By default, FortiGate is configured to use FortiGuard's DNS servers which are primary (208.91.112.53) and
secondary (208.91.112.52).
2. To configure the DNS server addresses, go to Network > DNS and select Specify, then enter the preferred DNS
server addresses.
For example: 172.16.200.1 as the primary DNS server and 172.16.200.2 as the secondary.
3. FortiGate supports a total of eight local domain lists.
Additional DNS configuration options are available in the CLI using the config system dns command.
New CLI commands added in 6.2 allow users to set up to eight domains. Retry Time and Timeout values can be
configured to define how many attempts the FortiGate makes to search a particular domain and when FortiGate gives
up on the domain.
FGT_B (dns) # set domain
*domain DNS search domain list separated by space (maximum 8 domains)
In the example below, the local domain resolves host1 to 1.1.1.1 and host2 to 2.2.2.2. The local DNS server has
an entry for host1 mapped to the FQDN of host1.sample.com and a second entry for host2 mapped to the FQDN of
host2.example.com.
ping host1
PING host1.sample.com (1.1.1.1): 56 data bytes
ping host2
PING host2.example.com (2.2.2.2): 56 data bytes
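The resolution order described above (local domain first, then each entry of the search suffix list until the first match) and the cache options from the config system dns section (dns-cache-limit, dns-cache-ttl, cache-notfound-responses) can be exercised together with a small resolver. This is an added example, not FortiOS code; the record tables, the corp.local domain and the LRU eviction policy are constructed assumptions.

```python
"""Added example, not FortiOS code: a resolver that shows how the search
suffix list, the local domain and the DNS cache options described above
(dns-cache-limit, dns-cache-ttl, cache-notfound-responses) interact.
All record tables and the local domain name are constructed for the example."""
from collections import OrderedDict

MAX_SEARCH_DOMAINS = 8   # FortiOS 6.2 allows up to eight search domains
NOT_FOUND = None         # marker for a NOT FOUND answer

# Constructed external zone data, mirroring the ping example on the page.
UPSTREAM_RECORDS = {
    "host1.sample.com": "1.1.1.1",
    "host2.example.com": "2.2.2.2",
}
# Constructed local (Microsoft-style) domain records, consulted first.
LOCAL_RECORDS = {"host1.corp.local": "10.0.0.5"}


class DnsCache:
    """Bounded cache: at most `limit` entries, each kept for `ttl` seconds.
    NOT FOUND answers are cached only when cache_notfound is enabled.
    Eviction is least-recently-used (an assumption of this example)."""

    def __init__(self, limit, ttl, cache_notfound=False):
        self.limit = limit
        self.ttl = ttl
        self.cache_notfound = cache_notfound
        self._store = OrderedDict()   # fqdn -> (answer, expiry time)

    def lookup(self, fqdn, now):
        """Return (hit, answer); expired entries count as a miss."""
        entry = self._store.get(fqdn)
        if entry is None:
            return False, None
        answer, expires = entry
        if now >= expires:
            del self._store[fqdn]
            return False, None
        self._store.move_to_end(fqdn)
        return True, answer

    def store(self, fqdn, answer, now):
        if answer is NOT_FOUND and not self.cache_notfound:
            return                      # negative answers are not cached
        self._store[fqdn] = (answer, now + self.ttl)
        self._store.move_to_end(fqdn)
        while len(self._store) > self.limit:
            self._store.popitem(last=False)   # evict the least recently used


class Resolver:
    def __init__(self, search_domains, cache, local_domain=None):
        if len(search_domains) > MAX_SEARCH_DOMAINS:
            raise ValueError("at most %d search domains" % MAX_SEARCH_DOMAINS)
        self.search_domains = list(search_domains)
        self.local_domain = local_domain
        self.cache = cache
        self.upstream_queries = 0   # queries actually sent to external servers

    def candidates(self, name):
        """FQDNs to try, in order: local domain first, then each search suffix.
        Treating any dotted name as already qualified is a simplification."""
        if "." in name:
            return [name]
        fqdns = []
        if self.local_domain:
            fqdns.append("%s.%s" % (name, self.local_domain))
        fqdns += ["%s.%s" % (name, d) for d in self.search_domains]
        return fqdns

    def _query(self, fqdn, now):
        hit, answer = self.cache.lookup(fqdn, now)
        if hit:
            return answer
        if self.local_domain and fqdn.endswith("." + self.local_domain):
            answer = LOCAL_RECORDS.get(fqdn, NOT_FOUND)
        else:
            self.upstream_queries += 1
            answer = UPSTREAM_RECORDS.get(fqdn, NOT_FOUND)
        self.cache.store(fqdn, answer, now)
        return answer

    def resolve(self, name, now=0):
        """Return (fqdn, ip) for the first suffix that resolves, else (None, None)."""
        for fqdn in self.candidates(name):
            answer = self._query(fqdn, now)
            if answer is not NOT_FOUND:
                return fqdn, answer
        return None, None
```

With cache-notfound-responses enabled, the NOT FOUND answer for host2.sample.com is cached, so a repeated lookup of host2 skips that suffix without a second upstream query.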
Sample configuration
Run dig to query the FortiGate DNS server. Dig (Domain Information Grouper) is a Unix-like network administration
command line tool for querying DNS servers.
root@PC05:~# dig @172.16.200.1 example.fortinet.com
;; QUESTION SECTION:
;example.fortinet.com. IN A
;; ANSWER SECTION:
example.fortinet.com. 86400 IN A 2.3.3.4
Technical information
The Type of the DNS Database Zone can be one of the following:
• An Authoritative zone claims to hold all existing entries concerning this zone. A DNS server holding an authoritative zone serves requests to this zone only from its local zone file; that is, it does not perform additional recursive requests, such as forwarding the query to other defined DNS servers, for zone records that do not exist in this zone file.
• An Unauthoritative zone serves the records it holds itself from the local zone file and performs recursive requests to other defined DNS servers for requests that match the zone but are not listed in the local zone file.
The View of the DNS Database Zone can be one of the following:
• Recursive DNS servers perform DNS lookups to other defined DNS servers for any zone requests they cannot fulfill from local files.
• Non-recursive DNS servers only serve from local zone files.
• Forward to system DNS forwards the query to the FortiGate's configured system DNS.
FortiGuard DDNS
If your ISP changes your external IP address regularly and you have a static domain name, you can configure the
external interface to use a dynamic DNS (DDNS) service. This ensures that external users and customers can always
connect to your company firewall. If you have a FortiGuard subscription, you can use FortiGuard as the DDNS server.
You can configure FortiGuard as the DDNS server using the GUI or CLI.
Sample topology
Sample configuration
If you don't have a FortiGuard subscription or want to use a different DDNS server, you can configure DDNS in the CLI.
You can configure a DDNS for each interface. Only the first configured port appears in the FortiGate GUI. Additional
commands vary depending on the DDNS server you select. Use the following CLI commands:
config system ddns
    edit <DDNS_ID>
        set monitor-interface <external_interface>
        set ddns-server <ddns_server_selection>
    next
end
You can configure FortiGate to refresh DDNS IP addresses. FortiGate periodically checks the DDNS server that is
configured.
When clear-text is disabled, FortiGate uses the SSL connection to send and receive (DDNS) updates.
To disable cleartext and set the SSL certificate using the CLI:
A DHCP server has an override command option that allows DHCP server communications to go through DDNS to perform updates for the DHCP client. This enforces a DDNS update of the AA field every time, even if the DHCP client does not request it. This supports the allow/ignore/deny client-updates options.
SD-WAN is a software-defined approach to managing Wide-Area Networks (WAN). It allows you to offload internet-
bound traffic, meaning that private WAN services remain available for real-time and mission critical applications. This
added flexibility improves traffic flow and reduces pressure on the network.
SD-WAN platforms create hybrid networks that integrate broadband and other network services into the corporate WAN
while maintaining the performance and security of real-time and sensitive applications.
SD-WAN with Application Aware Routing can measure and monitor the performance of multiple services in a hybrid
network. It uses application routing to offer more granular control of where and when an application uses a specific
service, allowing better use of the overall network.
Some of the key benefits of SD-WAN include:
• Reduced cost with transport independence across MPLS, 3G/4G LTE, and others.
• Improved business application performance thanks to increased availability and agility.
• Optimized user experience and efficiency with SaaS and public cloud applications.
SD-WAN has three objects:
• SD-WAN interface
Also called members, SD-WAN interfaces are the ports and interfaces that are used to run traffic. At least one interface must be configured for SD-WAN to function; up to 255 member interfaces can be configured. See Creating the SD-WAN interface on page 99.
• Performance-SLA
Also called health-check, performance SLAs are used to monitor member interface link quality, and to detect link failures. They can be used to remove routes, and to reroute traffic when an SD-WAN member cannot detect the server. They can also be used in SD-WAN rules to select the preferred member interface for forwarding traffic. See Performance SLA - link monitoring on page 106.
• SD-WAN rule
Also called service, SD-WAN rules are used to control path selection. Specific traffic can be dynamically sent to the best link, or use a specific route. There are five modes:
  • auto: Assign interfaces a priority based on quality.
  • manual: Assign interfaces a priority manually.
  • priority: Assign interfaces a priority based on the link-cost-factor quality of the interface.
  • sla: Assign interfaces a priority based on selected SLA settings.
  • load-balance: Distribute traffic among all available links based on the load balance algorithm.
See SD-WAN rules - best quality on page 108, SD-WAN rules - lowest cost (SLA) on page 111, and SD-WAN rules - maximize bandwidth (SLA) on page 113.
This recipe provides an example of how to start using SD-WAN for load balancing and redundancy.
In this example, two ISP internet connections (wan1 and wan2) use SD-WAN to balance traffic between them at 50%
each.
1. On the FortiGate, enable SD-WAN and add interfaces wan1 and wan2 as members:
a. Go to Network > SD-WAN.
b. Set the Status to Enable.
c. Click the plus icon to add members, using the ISPs' proper gateways for each member.
Implicit rule
Examples
The following four examples demonstrate how to use the implicit rules (load-balance mode).
Example 1
Outgoing traffic is equally balanced between wan1 and wan2, using source-ip-based or source-dest-ip-based mode.
1. On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static
route. See Creating the SD-WAN interface on page 99 for details.
2. Go to Network > SD-WAN Rules.
3. Edit the sd-wan rule (the last default rule).
4. For the Load Balancing Algorithm, select either Source IP or Source-Destination IP.
5. Click OK.
1. Enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static route. See Creating
the SD-WAN interface on page 99 for details.
2. Set the load balancing algorithm:
Source IP based:
config system virtual-wan-link
set load-balance-mode source-ip-based
end
Source-Destination IP based:
config system virtual-wan-link
set load-balance-mode source-dest-ip-based
end
Example 2
Outgoing traffic is balanced between wan1 and wan2 with a customized ratio, using weight-based mode: wan1 runs
80% of the sessions, and wan2 runs 20% of the sessions.
5. Click OK.
Example 3
Outgoing traffic is balanced between wan1 and wan2 with a customized ratio, using measured-volume-based mode:
wan1 runs 80% of the volume, and wan2 runs 20% of the volume.
edit 2
set interface "wan2"
set volume-ratio 20
next
end
end
Example 4
Load balancing can be used to reduce costs when internet connections are charged at different rates. For example, if
wan2 charges based on volume usage and wan1 charges a fixed monthly fee, we can use wan1 at its maximum
bandwidth, and use wan2 for overflow.
In this example, wan1's bandwidth is 10Mbps down and 2Mbps up. Traffic uses wan1 until it reaches its spillover limit, then starts to use wan2. Note that auto-asic-offload must be disabled in the firewall policy.
1. On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static
route. See Creating the SD-WAN interface on page 99 for details.
2. Go to Network > SD-WAN Rules.
3. Edit the sd-wan rule (the last default rule).
4. For the Load Balancing Algorithm, select Spillover.
5. Enter 10000 in the wan1 Ingress Spillover Threshold field, and 2000 in the wan1 Egress Spillover Threshold field.
6. Click OK.
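The four implicit-rule examples above each change only the load-balance-mode; the simulator below, an added example and not FortiOS code, shows how each mode assigns constructed sessions to wan1 and wan2. Member names, weights, volume ratios, spillover thresholds and traffic figures are constructed; the CRC32 hash and the largest-quotient weighted selection are assumptions standing in for FortiOS internals.

```python
"""Added example, not FortiOS code: a simulator for the implicit SD-WAN rule's
load-balance modes used in Examples 1 to 4 above. Member names, weights,
volume ratios, spillover thresholds and traffic figures are constructed; the
CRC32 hash and the largest-quotient weighted selection are assumptions."""
import zlib


class Member:
    def __init__(self, name, weight=1, volume_ratio=1,
                 spillover_in_kbps=0, spillover_out_kbps=0):
        self.name = name
        self.weight = weight                     # weight-based mode
        self.volume_ratio = volume_ratio         # measured-volume-based mode
        self.spillover_in = spillover_in_kbps    # ingress spillover threshold
        self.spillover_out = spillover_out_kbps  # egress spillover threshold
        self.sessions = 0                        # sessions assigned so far
        self.bytes = 0                           # bytes carried so far
        self.rate_in = 0                         # current ingress rate, kbps
        self.rate_out = 0                        # current egress rate, kbps


class ImplicitRule:
    MODES = ("source-ip-based", "source-dest-ip-based", "weight-based",
             "measured-volume-based", "spillover")

    def __init__(self, members, mode="source-ip-based"):
        if mode not in self.MODES:
            raise ValueError("unknown load-balance-mode: %s" % mode)
        self.members = list(members)   # configured member order (seq-num)
        self.mode = mode

    def _hash_pick(self, key):
        # The same key always maps to the same member, so a flow is sticky.
        return self.members[zlib.crc32(key.encode()) % len(self.members)]

    def _weight_pick(self):
        # Largest-quotient rule: the member whose next session keeps it
        # closest to its weight share; ties go to the first configured member.
        return min(self.members, key=lambda m: (m.sessions + 1) / m.weight)

    def _volume_pick(self, size):
        # Same rule, but measured in bytes against the volume-ratio.
        return min(self.members,
                   key=lambda m: (m.bytes + size) / m.volume_ratio)

    def _spillover_pick(self):
        # Earlier members carry traffic while under both thresholds; the
        # last member takes the overflow.
        for m in self.members[:-1]:
            if m.rate_in < m.spillover_in and m.rate_out < m.spillover_out:
                return m
        return self.members[-1]

    def select(self, src_ip, dst_ip, session_bytes=0):
        """Pick the member for a new session and record it; returns the name."""
        if self.mode == "source-ip-based":
            m = self._hash_pick(src_ip)
        elif self.mode == "source-dest-ip-based":
            m = self._hash_pick(src_ip + "->" + dst_ip)
        elif self.mode == "weight-based":
            m = self._weight_pick()
        elif self.mode == "measured-volume-based":
            m = self._volume_pick(session_bytes)
        else:
            m = self._spillover_pick()
        m.sessions += 1
        m.bytes += session_bytes
        return m.name


def distribute(rule, count, session_bytes=1000):
    """Send `count` constructed sessions through the rule; return
    {member name: sessions} so the resulting split can be inspected."""
    for i in range(count):
        rule.select("10.1.100.%d" % (i % 200 + 1),
                    "203.0.113.%d" % (i % 50 + 1), session_bytes)
    return {m.name: m.sessions for m in rule.members}
```

With weights 80 and 20 (Example 2) the split after 100 sessions is exactly 80/20; with spillover thresholds of 10000 kbps ingress and 2000 kbps egress on wan1 (Example 4), a session goes to wan2 as soon as either wan1 rate crosses its threshold.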
Performance SLA link monitoring measures the health of links that are connected to SD-WAN member interfaces by sending probes through each link to a server and measuring link quality based on latency, jitter, and packet loss. If a link is broken, the routes on that link are removed and traffic is routed through other links. When the link is working again, the routes are re-enabled. This prevents traffic from being sent to a broken link and lost.
In this example:
• Interfaces wan1 and wan2 connect to the internet through separate ISPs
• The detection server IP address is 208.91.114.182
A performance SLA is created so that, if one link fails, its routes are removed and traffic is detoured to the other link.
1. On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static
route. See Creating the SD-WAN interface on page 99 for details.
2. Go to Network > Performance SLA.
3. Click Create New. The Performance SLA page opens.
4. Enter a name for the SLA and select a protocol.
5. In the Server field, enter the detection server IP address (208.91.114.182 in this example).
6. In the Participants field, select both wan1 and wan2.
SLA targets are a set of constraints that are used in SD-WAN rules to control the paths that traffic takes.
The available constraints are:
• Latency threshold: Latency for the SLA to make a decision, in milliseconds (0 - 10000000, default = 5).
• Jitter threshold: Jitter for the SLA to make a decision, in milliseconds (0 - 10000000, default = 5).
• Packet loss threshold: Packet loss for the SLA to make a decision, in percent (0 - 100, default = 0).
1. On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static
route. See Creating the SD-WAN interface on page 99 for details.
2. Go to Network > Performance SLA.
3. Create a new Performance SLA or edit an existing one. See Performance SLA - link monitoring on page 106.
4. Under SLA Targets, click the plus icon to add a target.
SD-WAN rules are used to control how sessions are distributed to SD-WAN members. Rules can be configured in one of
five modes:
• auto: Interfaces are assigned a priority based on quality.
• Manual (manual): Interfaces are manually assigned a priority.
• Best Quality (priority): Interfaces are assigned a priority based on the link-cost-factor of the interface.
• Lowest Cost (SLA) (sla): Interfaces are assigned a priority based on selected SLA settings. See SD-WAN rules - lowest cost (SLA) on page 111.
• Maximize Bandwidth (SLA) (load-balance): Traffic is distributed among all available links based on the selected load balancing algorithm. See SD-WAN rules - maximize bandwidth (SLA) on page 113.
When using Best Quality mode, SD-WAN will choose the best link to forward traffic by comparing the link-cost-factor,
selected from one of the following:
custom-profile-1: Select link based on a customized profile. If selected, set the following weights:
• packet-loss-weight: Coefficient of packet loss.
• latency-weight: Coefficient of latency.
• jitter-weight: Coefficient of jitter.
• bandwidth-weight: Coefficient of the reciprocal of available bidirectional bandwidth.
In this example, your wan1 and wan2 SD-WAN interfaces connect to two ISPs that both go to the public internet, and
you want Gmail services to use the link with the least latency.
1. On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static
route. See Creating the SD-WAN interface on page 99 for details.
2. Create a new Performance SLA named google. See Performance SLA - link monitoring on page 106.
3. Go to Network > SD-WAN Rules.
4. Click Create New. The Priority Rule page opens.
5. Enter a name for the rule, such as gmail.
Field Setting
As wan2 has a smaller latency, SD-WAN will put Seq_num(2) on top of Seq_num(1) and wan2 will be used to forward
Gmail traffic.
SD-WAN rules are used to control how sessions are distributed to SD-WAN members. Rules can be configured in one of
five modes:
• auto: Interfaces are assigned a priority based on quality.
• Manual (manual): Interfaces are manually assigned a priority.
• Best Quality (priority): Interfaces are assigned a priority based on the link-cost-factor of the interface. See SD-WAN rules - best quality on page 108.
• Lowest Cost (SLA) (sla): Interfaces are assigned a priority based on selected SLA settings.
• Maximize Bandwidth (SLA) (load-balance): Traffic is distributed among all available links based on the selected load balancing algorithm. See SD-WAN rules - maximize bandwidth (SLA) on page 113.
When using Lowest Cost (SLA) mode (sla in the CLI), SD-WAN will choose the lowest cost link that satisfies SLA to
forward traffic.
In this example, your wan1 and wan2 SD-WAN interfaces connect to two ISPs that both go to the public internet. The
cost of wan2 is less than that of wan1. You want to configure Gmail services to use the lowest cost interface, but the link
quality must meet a standard of latency: 10ms, and jitter: 5ms.
1. On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static
route. See Creating the SD-WAN interface on page 99 for details.
2. Create a new Performance SLA named google that includes an SLA Target 1 with Latency threshold = 10ms and Jitter threshold = 5ms. See Performance SLA - link monitoring on page 106.
3. Go to Network > SD-WAN Rules.
4. Click Create New. The Priority Rule page opens.
5. Enter a name for the rule, such as gmail.
6. Configure the following settings:
Field Setting
config health-check
    edit "google"
        set server "google.com"
        set members 1 2
        config sla
            edit 1
                set latency-threshold 10
                set jitter-threshold 5
            next
        end
    next
end
config service
    edit 1
        set name "gmail"
        set mode sla
        set internet-service enable
        set internet-service-id 65646
        config sla
            edit "google"
                set id 1
            next
        end
        set priority-members 1 2
    next
end
end
When both wan1 and wan2 meet the SLA requirements, Gmail traffic will only use wan2. If only wan1 meets the SLA requirements, Gmail traffic will only use wan1, even though it has a higher cost. If neither interface meets the requirements, wan2 will be used.
If both interfaces had the same cost and both met the SLA requirements, the first link configured in set priority-members would be used.
SD-WAN rules are used to control how sessions are distributed to SD-WAN members. Rules can be configured in one of
five modes:
• auto: Interfaces are assigned a priority based on quality.
• Manual (manual): Interfaces are manually assigned a priority.
• Best Quality (priority): Interfaces are assigned a priority based on the link-cost-factor of the interface. See SD-WAN rules - best quality on page 108.
• Lowest Cost (SLA) (sla): Interfaces are assigned a priority based on selected SLA settings. See SD-WAN rules - lowest cost (SLA) on page 111.
• Maximize Bandwidth (SLA) (load-balance): Traffic is distributed among all available links based on the selected load balancing algorithm.
When using Maximize Bandwidth mode (load-balance in the CLI), SD-WAN uses all of the links that satisfy the SLA to forward traffic, based on a round-robin load balancing algorithm.
In this example, your wan1 and wan2 SD-WAN interfaces connect to two ISPs that both go to the public internet. You want to configure Gmail services to use both interfaces, but the link quality must meet a standard of latency: 10ms, and jitter: 5ms. This maximizes bandwidth usage.
1. On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static
route. See Creating the SD-WAN interface on page 99 for details.
2. Create a new Performance SLA named google that includes an SLA Target 1 with Latency threshold = 10ms and Jitter threshold = 5ms. See Performance SLA - link monitoring on page 106.
3. Go to Network > SD-WAN Rules.
4. Click Create New. The Priority Rule page opens.
5. Enter a name for the rule, such as gmail.
6. Configure the following settings:
Field Setting
When both wan1 and wan2 meet the SLA requirements, Gmail traffic will use both wan1 and wan2. If only one of the
interfaces meets the SLA requirements, Gmail traffic will only use that interface.
If neither interface meets the requirements, the rule is not matched and traffic will try to use a following rule, but if no
rules match, traffic will still be processed with the implicit rule algorithm, see Implicit rule on page 102.
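The three rule strategies described above (Best Quality, Lowest Cost (SLA) and Maximize Bandwidth (SLA)) differ in how they rank the priority-members and in what happens when no member meets the SLA. The selector below is an added example, not FortiOS code, applied to the page's Gmail scenario with wan1 as seq 1 and wan2 as seq 2; link measurements, costs and bandwidths are constructed, and the custom-profile scoring form and the no-SLA fallbacks are assumptions noted inline.

```python
"""Added example, not FortiOS code: path selection for the three SD-WAN rule
strategies explained above, applied to the page's Gmail scenario (wan1 = seq 1,
wan2 = seq 2). Link measurements, costs and bandwidths are constructed; the
custom-profile scoring formula and the fallbacks are assumptions noted inline."""


class Link:
    def __init__(self, name, latency_ms, jitter_ms, packet_loss_pct,
                 cost=0, available_bw_mbps=1.0):
        self.name = name
        self.latency = latency_ms
        self.jitter = jitter_ms
        self.packet_loss = packet_loss_pct
        self.cost = cost
        self.available_bw = available_bw_mbps


def meets_sla(link, sla):
    """SLA target as on the page: latency, jitter and packet-loss thresholds
    (defaults 5 ms, 5 ms and 0 %)."""
    return (link.latency <= sla.get("latency", 5)
            and link.jitter <= sla.get("jitter", 5)
            and link.packet_loss <= sla.get("packet_loss", 0))


def link_cost_factor(link, factor, weights=None):
    """Score for Best Quality mode; lower is better. custom-profile-1 combines
    the four weights listed above (the additive form is an assumption)."""
    if factor == "latency":
        return link.latency
    if factor == "jitter":
        return link.jitter
    if factor == "packet-loss":
        return link.packet_loss
    if factor == "custom-profile-1":
        w = weights or {}
        return (w.get("packet-loss-weight", 0) * link.packet_loss
                + w.get("latency-weight", 0) * link.latency
                + w.get("jitter-weight", 0) * link.jitter
                + w.get("bandwidth-weight", 0) / link.available_bw)
    raise ValueError("unknown link-cost-factor: %s" % factor)


def best_quality(priority_members, factor="latency", weights=None):
    """priority mode: order members by link-cost-factor; ties keep the
    configured priority-members order (sorted() is stable)."""
    ranked = sorted(priority_members,
                    key=lambda l: link_cost_factor(l, factor, weights))
    return [l.name for l in ranked]


def lowest_cost_sla(priority_members, sla):
    """sla mode: cheapest member that meets the SLA; ties keep configured
    order. If no member meets it, fall back to the cheapest member overall
    (assumed; it matches the page's 'wan2 will be used' outcome)."""
    ok = [l for l in priority_members if meets_sla(l, sla)]
    pool = ok if ok else list(priority_members)
    return min(pool, key=lambda l: l.cost).name


class MaximizeBandwidth:
    """load-balance mode: round-robin over members that meet the SLA.
    Returns None when none do, so the rule is skipped and the next rule
    (or the implicit rule) handles the session."""

    def __init__(self, priority_members, sla):
        self.members = list(priority_members)
        self.sla = sla
        self._next = 0

    def select(self):
        ok = [l for l in self.members if meets_sla(l, self.sla)]
        if not ok:
            return None
        link = ok[self._next % len(ok)]
        self._next += 1
        return link.name
```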
This topic covers a typical customer usage scenario where the customer's SD-WAN has two members: MPLS and DIA.
DIA is mostly used for direct Internet access to Internet applications, for example, Office365, Google applications,
Amazon, Dropbox, etc. MPLS is mostly used for SIP and works as a backup when DIA is not working.
Sample topology
Sample configuration
This sample configures all SIP traffic to use MPLS while all other traffic uses DIA. If DIA is not working, the traffic will
use MPLS.
To configure an SD-WAN rule to use SIP and DIA using the GUI:
1. On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static
route.
See Creating the SD-WAN interface on page 99.
2. When you add a firewall policy, enable Application Control.
3. Go to Network > SD-WAN Rules.
4. Click Create New. The Priority Rule page opens.
5. Enter a name for the rule, such as SIP.
6. Click the Application box to display the popup dialog box; then select the applicable SIP applications.
7. For Strategy, select Manual.
8. For Interface preference, select MPLS.
9. Click OK.
10. Click Create New to create another rule.
11. Enter a name for the rule, such as Internet.
12. Click the Address box to display the popup dialog box and select all.
To configure an SD-WAN rule to use SIP and DIA using the CLI:
To use the diagnose command to check performance SLA status using the CLI:
Use traffic shaper in a firewall shaping policy to control traffic flow. You can use it to control maximum and guaranteed
bandwidth, or put certain traffic to one of the three different traffic priorities: high, medium, or low.
An advanced shaping policy can classify traffic into 30 groups. Use a shaping profile to define the percentage of the
interface bandwidth that is allocated to each group. Each group of traffic is shaped to the assigned speed limit based on
the outgoing bandwidth limit configured on the interface.
For more information, see the online help on shared policy traffic shaping and interface-based traffic shaping.
Sample topology
Sample configuration
This example shows a typical customer usage where the customer's SD-WAN has two members, wan1 and wan2, each 10Mb/s.
An overview of the procedures to configure SD-WAN traffic shaping and QoS with SD-WAN includes:
1. Give HTTP/HTTPS traffic high priority and give FTP low priority so that if there are conflicts, FortiGate will forward
HTTP/HTTPS traffic first.
2. Even though FTP has low priority, configure FortiGate to give it a 1Mb/s guaranteed bandwidth on each SD-WAN
member so that if there is no FTP traffic, other traffic can use all the bandwidth. If there is heavy FTP traffic, it can
still be guaranteed a 1Mb/s bandwidth.
3. Traffic going to specific destinations such as a VOIP server uses wan1 to forward, and SD-WAN forwards with an
Expedited Forwarding (EF) DSCP tag 101110.
To configure SD-WAN traffic shaping and QoS with SD-WAN in the GUI:
1. On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static
route.
See Creating the SD-WAN interface on page 99.
2. When you add a firewall policy, enable Application Control.
3. Go to Policy & Objects > Traffic Shapers and edit low-priority.
a. Enable Guaranteed Bandwidth and set it to 1000 kbps.
4. Go to Policy & Objects > Traffic Shaping Policy and click Create New.
a. Name the traffic shaping policy, for example, HTTP-HTTPS.
b. Click the Source box and select all.
c. Click the Destination box and select all.
d. Click the Service box and select HTTP and HTTPS.
e. Click the Outgoing Interface box and select SD-WAN.
f. Enable both Shared Shaper and Reverse Shaper and select high-priority for both options.
g. Click OK.
5. Go to Policy & Objects > Traffic Shaping Policy and click Create New.
a. Name the traffic shaping policy, for example, FTP.
b. Click the Source box and select all.
c. Click the Destination box and select all.
d. Click the Service box and select FTP, FTP_GET, and FTP_PUT.
e. Click the Outgoing Interface box and select SD-WAN.
f. Enable both Shared Shaper and Reverse Shaper and select low-priority for both options.
g. Click OK.
6. Go to Network > SD-WAN Rules and click Create New.
a. Enter a name for the rule, such as Internet.
b. In the Destination section, click the Address box and select the VOIP server you created in the firewall
address.
c. For Strategy, select Manual.
d. For Interface preference, select wan1.
e. Click OK.
7. Use CLI commands to modify DSCP settings. See the DSCP CLI commands below.
To configure SD-WAN traffic shaping and QoS with SD-WAN in the CLI:
config firewall shaping-policy
    edit 1
        set name "HTTP-HTTPS"
        set service "HTTP" "HTTPS"
        set dstintf "virtual-wan-link"
        set traffic-shaper "high-priority"
        set traffic-shaper-reverse "high-priority"
        set srcaddr "all"
        set dstaddr "all"
    next
    edit 2
        set name "FTP"
        set service "FTP" "FTP_GET" "FTP_PUT"
        set dstintf "virtual-wan-link"
        set traffic-shaper "low-priority"
        set traffic-shaper-reverse "low-priority"
        set srcaddr "all"
        set dstaddr "all"
    next
end
To use the diagnose command to check if specific traffic is attached to the correct traffic shaper:
flag (0):
shapers: orig=low-priority(4/128000/134217728) reply=low-priority(4/128000/134217728)
cos_fwd=0 cos_rev=0
group=00100015 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0 dd_type=0 dd_mode=0
zone(1): 0 -> zone(2): 36 38
source(1): 0.0.0.0-255.255.255.255, uuid_idx=6,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=6,
service(3):
[6:0x0:0/(1,65535)->(21,21)] helper:auto
[6:0x0:0/(1,65535)->(21,21)] helper:auto
[6:0x0:0/(1,65535)->(21,21)] helper:auto
FGT_A (root) #
To use the diagnose command to check if the correct traffic shaper is applied to the session:
To use the diagnose command to check the status of a shared traffic shaper:
name high-priority
maximum-bandwidth 131072 KB/sec
guaranteed-bandwidth 0 KB/sec
current-bandwidth 0 B/sec
priority 2
tos ff
packets dropped 0
bytes dropped 0
name low-priority
name high-priority
maximum-bandwidth 131072 KB/sec
guaranteed-bandwidth 0 KB/sec
current-bandwidth 0 B/sec
priority 2
policy 1
tos ff
packets dropped 0
bytes dropped 0
name low-priority
maximum-bandwidth 131072 KB/sec
guaranteed-bandwidth 125 KB/sec
current-bandwidth 0 B/sec
priority 4
policy 2
tos ff
packets dropped 0
bytes dropped 0
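The two diagnose outputs above are easy to misread because the shaper list prints bandwidth in KB/sec while the GUI and CLI take kbps, and the per-session line prints raw byte counts. The following Python is an added example (not FortiOS code and not from the cookbook) that parses both outputs and checks them against the configured values. The sample text is copied from the outputs shown above. It assumes that the `(4/128000/134217728)` triple on the session line means priority/guaranteed/maximum, and that FortiOS converts kbps to bytes as kbps * 1024 / 8; both are inferred from the fact that the 1000 kbps guaranteed bandwidth configured in the GUI appears as 125 KB/sec in the list and as 128000 on the session line.

```python
"""Parse FortiOS shaper diagnostics and verify them against the configured shaper.
Added example; the sample text is a constructed copy of the outputs on this page."""
import re

SHAPER_LIST = """\
name high-priority
maximum-bandwidth 131072 KB/sec
guaranteed-bandwidth 0 KB/sec
current-bandwidth 0 B/sec
priority 2
policy 1
tos ff
packets dropped 0
bytes dropped 0
name low-priority
maximum-bandwidth 131072 KB/sec
guaranteed-bandwidth 125 KB/sec
current-bandwidth 0 B/sec
priority 4
policy 2
tos ff
packets dropped 0
bytes dropped 0
"""

# One line of the per-session diagnose output shown above (constructed copy).
SESSION_SHAPER_LINE = ("shapers: orig=low-priority(4/128000/134217728) "
                       "reply=low-priority(4/128000/134217728)")

# "key value [unit/sec]"; the key may be two words ("packets dropped").
FIELD_RE = re.compile(r"^(?P<key>[a-z-]+(?: dropped)?)\s+(?P<value>\S+)(?:\s+(?P<unit>K?B)/sec)?$")
# Assumed field order on the session line: name(priority/guaranteed/maximum), in bytes/sec.
SESSION_RE = re.compile(r"(?P<dir>orig|reply)=(?P<name>[\w-]+)\((?P<prio>\d+)/(?P<guar>\d+)/(?P<max>\d+)\)")
UNIT_BYTES = {"B": 1, "KB": 1024}


def kbps_to_bytes_per_sec(kbps):
    """FortiOS unit conversion as inferred from the page's numbers (assumption):
    1000 kbps -> 125 KB/sec -> 128000 bytes/sec, so KB is 1024-based."""
    return kbps * 1024 // 8


def parse_shaper_list(text):
    """Return {shaper name: {field: value}} with all bandwidth fields in bytes/sec."""
    shapers, current = {}, None
    for raw in text.splitlines():
        m = FIELD_RE.match(raw.strip())
        if not m:
            continue
        key, value, unit = m.group("key", "value", "unit")
        if key == "name":
            current = shapers.setdefault(value, {})
        elif current is None:
            continue
        elif unit:
            current[key] = int(value) * UNIT_BYTES[unit]
        elif value.isdigit():
            current[key] = int(value)
        else:
            current[key] = value          # e.g. tos ff
    return shapers


def parse_session_shapers(line):
    """Return {'orig': {...}, 'reply': {...}} from the session's 'shapers:' line."""
    out = {}
    for m in SESSION_RE.finditer(line):
        out[m.group("dir")] = {
            "name": m.group("name"),
            "priority": int(m.group("prio")),
            "guaranteed-bandwidth": int(m.group("guar")),
            "maximum-bandwidth": int(m.group("max")),
        }
    return out


def check_guaranteed(shapers, name, expected_kbps):
    """True when the shaper's guaranteed bandwidth matches the kbps set in the GUI/CLI."""
    return shapers[name].get("guaranteed-bandwidth") == kbps_to_bytes_per_sec(expected_kbps)


def session_matches_shaper(session, shapers, direction="orig"):
    """True when the shaper attached to the session agrees with the shaper list."""
    s = session[direction]
    cfg = shapers[s["name"]]
    return all(s[k] == cfg[k] for k in ("priority", "guaranteed-bandwidth", "maximum-bandwidth"))


def shapers_with_drops(shapers):
    """Names of shapers that have dropped packets: the first thing to look at when
    guaranteed bandwidth is not being honoured."""
    return sorted(n for n, f in shapers.items() if f.get("packets dropped", 0) > 0)


if __name__ == "__main__":
    shapers = parse_shaper_list(SHAPER_LIST)
    print("low-priority guaranteed 1000 kbps:", check_guaranteed(shapers, "low-priority", 1000))
    print("session matches list:", session_matches_shaper(parse_session_shapers(SESSION_SHAPER_LINE), shapers))
    print("shapers dropping packets:", shapers_with_drops(shapers))
```

Run the same parser over the live output of the two diagnose commands after changing a shaper; a mismatch between the session line and the shaper list usually means the session was created before the shaping policy was edited and still carries the old shaper.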
Advanced configuration
This topic shows an example of how to aggregate IPsec tunnels and configure per-packet load balancing among them.
For example, a customer has two ISP connections, wan1 and wan2. Using these two connections, we create two VPN
interfaces and configure traffic for per-packet load balancing among the IPsec tunnels.
Sample topology
Sample configuration
On the FortiGate, first create two IPsec VPN interfaces. Then create an ipsec-aggregate interface and add this
interface as an SD-WAN member.
FortiGate 1 configuration
FortiGate 2 configuration
edit 1
set interface "agg2"
set gateway 172.16.11.1
next
end
end
This topic shows an SD-WAN with forward error correction (FEC) on VPN overlay networks. FEC can be used to lower the
packet loss ratio at the cost of consuming more bandwidth. It uses six parameters in the IPsec phase1/phase1-interface settings:
• fec-ingress. Disabled by default.
• fec-egress. Disabled by default.
• fec-base. <1-100>. Default=20.
• fec-redundant. <1-100>. Default=10.
• fec-send-timeout. <1-1000>. Default=8.
• fec-receive-timeout. <1-10000>. Default=5000.
For example, a customer has two ISP connections, wan1 and wan2. Using these two connections, create two IPsec
VPN interfaces as SD-WAN members. Configure FEC on each VPN interface to lower the packet loss ratio by
retransmitting the packets using its backend algorithm.
Sample topology
To configure SD-WAN:
edit 1
set interface "vd2-p2"
set gateway 172.16.212.2
next
end
end
SD-WAN rules can use Border Gateway Protocol (BGP) learned routes as dynamic destinations.
In this example, a customer has two ISP connections, wan1 and wan2. wan1 is used primarily for direct access to
internet applications, and wan2 is used primarily for traffic to the customer's data center.
The customer could create an SD-WAN rule using the data center's IP address range as the destination to force that
traffic to use wan2, but the data center's IP range is not static. Instead, a BGP tag can be used.
For this example, wan2's BGP neighbor advertises the data center's network range with a community number of 30:5.
This example assumes that SD-WAN is enabled on the FortiGate, wan1 and wan2 are added as SD-WAN members, and
a policy and static route have been created. See Creating the SD-WAN interface on page 99 for details.
3. Configure BGP:
config router bgp
    set as xxxxx
    set router-id xxxx
    config neighbor
        edit "10.100.20.2"
            set soft-reconfiguration enable
            set remote-as xxxxx
            set route-map-in "comm1"
        next
    end
end
Troubleshooting
Use the get router info bgp network command to check the network community:
# get router info bgp network
BGP table version is 5, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Use the get router info route-map-address command to check dynamic BGP addresses:
# get router info route-map-address
Extend-tag: 15, interface(wan2:16)
10.100.11.0/255.255.255.0
Use the diagnose firewall proute list command to check dynamic BGP addresses used in policy routes:
# diagnose firewall proute list
list route policy info(vf=root):
Administrators
Administrator profiles
Introduction
By default, the FortiGate has a super administrator account, called admin. Additional administrators can be added for
various functions, each with a unique username, password, and set of access privileges.
Administrator profiles define what the administrator can do when logged into the FortiGate. When you set up an
administrator account, you also assign an administrator profile which dictates what the administrator sees. Depending
on the nature of the administrator’s work, access level or seniority, you can allow them to view and configure as much or
as little as is required.
Super_admin profile
This profile has access to all components of FortiOS, including the ability to add and remove other system
administrators. For certain administrative functions, such as backing up and restoring the configuration, super_admin
access is required. To ensure that there is always a method to administer the FortiGate, the super_admin profile can't
be deleted or modified.
The super_admin profile is used by the default admin account. It is recommended that you add a password and rename
this account once you have set up your FortiGate. In order to rename the default account, a second admin account is
required.
Edit profiles
Delete profiles
By default, FortiGate has one super admin named admin. You can create more administrator accounts with different
privileges.
Don't use the characters < > ( ) # " ' in the administrator username. Using these characters in an administrator
username might introduce a cross site scripting (XSS) vulnerability.
Administrators can use remote authentication, such as LDAP, to connect to the FortiGate.
Setting up remote authentication for administrators includes the following steps:
1. Configure the LDAP server on page 136
2. Add the LDAP server to a user group on page 137
3. Configure the administrator account on page 137
1. Go to User & Device > LDAP Servers and select Create New.
2. Enter the server Name, Server IP address or Name.
3. Enter the Common Name Identifier and Distinguished Name.
4. Set the Bind Type to Regular and enter the Username and Password.
5. Click OK.
After configuring the LDAP server, create a user group that includes the LDAP server you configured.
1. Go to User & Device > User Groups and select Create New.
2. Enter a Name for the group.
3. In the Remote groups section, select Create New.
4. Select the Remote Server from the dropdown list.
5. Click OK.
After configuring the LDAP server and adding it to a user group, create a new administrator. For this administrator,
instead of entering a password, use the new user group and the wildcard option for authentication.
6. Select Wildcard.
The Wildcard option allows LDAP users to connect as this administrator.
7. Select an Administrator Profile.
8. Click OK.
Administrator accounts can use different methods for authentication, including RADIUS, TACACS+, and PKI.
Password policy
Brute force password software can launch more than just dictionary attacks. It can discover common passwords where a
letter is replaced by a number. For example, if p4ssw0rd is used as a password, it can be cracked.
Using secure passwords is vital for preventing unauthorized access to your FortiGate. When changing the password,
consider the following to ensure better security:
• Do not use passwords that are obvious, such as the company name, administrator names, or other obvious words
or phrases.
• Use numbers in place of letters, for example, passw0rd.
• Administrator passwords can be up to 64 characters.
• Include a mixture of numbers, and upper and lower case letters.
• Use multiple words together, or possibly even a sentence, for example keytothehighway.
• Use a password generator.
• Change the password regularly and always make the new password unique and not a variation of the existing
password, such as changing from password to password1.
• Make note of the password and store it in a safe place away from the management computer, in case you forget it;
or ensure at least two people know the password in the event one person becomes unavailable. Alternatively, have
two different admin logins.
FortiGate allows you to create a password policy for administrators and IPsec pre-shared keys. With this policy, you can
enforce regular changes and specific criteria for a password policy including:
• Minimum length between 8 and 64 characters.
• If the password must contain uppercase (A, B, C) and/or lowercase (a, b, c) characters.
• If the password must contain numbers (1, 2, 3).
• If the password must contain special or non-alphanumeric characters (!, @, #, $, %, ^, &, *, (, and )).
• Where the password applies (admin or IPsec or both).
• The duration of the password before a new one must be specified.
If you add a password policy or change the requirements on an existing policy, the next time that administrator logs into
the FortiGate, the administrator is prompted to update the password to meet the new requirements before proceeding
to log in.
Interface
Interface settings
Administrators can configure both physical and virtual FortiGate interfaces in Network > Interfaces. There are different
options for configuring interfaces when FortiGate is in NAT mode or transparent mode.
Alias: Enter an alternate name for a physical interface on the FortiGate unit. This field appears when you edit an
existing physical interface. The alias does not appear in logs. The maximum length of the alias is 25 characters.
Link Status: Indicates whether the interface is connected to a network or not (link status is up or down). This field
appears when you edit an existing physical interface.
Interface Members: This section can have two different formats depending on the interface type:
  Software Switch: a display-only field showing the interfaces that belong to the virtual interface of the software switch.
  802.3ad Aggregate or Redundant Interface: includes the available interface list and the selected interface list.
IP/Netmask: If Addressing Mode is set to Manual, enter an IPv4 address and subnet mask for the interface.
FortiGate interfaces cannot have IP addresses on the same subnet.
IPv6 Address: If Addressing Mode is set to Manual and IPv6 support is enabled, enter an IPv6 address and subnet
mask for the interface. A single interface can have an IPv4 address, IPv6 address, or both.
You can configure the protocols that administrators can use to access interfaces on the FortiGate. This helps secure
access to the FortiGate by restricting access to a limited number of protocols. It helps prevent users from accessing
interfaces that you don't want them to access, such as public-facing ports.
As a best practice, you should configure administrative access when you're setting the IP address for a port.
HTTPS: Allow secure HTTPS connections to the FortiGate GUI through this interface. If configured, this option is
enabled automatically.
PING: The interface responds to pings. Use this setting to verify your installation and for testing.
HTTP: Allow HTTP connections to the FortiGate GUI through this interface. If configured, this option also enables the
HTTPS option.
SNMP: Allow a remote SNMP manager to request SNMP information by connecting to this interface.
FMG-Access: Allow FortiManager authorization automatically during the communication exchanges between
FortiManager and FortiGate devices.
CAPWAP: Allow the FortiGate wireless controller to manage a wireless access point such as a FortiAP device.
VLANs
Virtual Local Area Networks (VLANs) multiply the capabilities of your FortiGate unit and can also provide added network
security. VLANs use ID tags to logically separate devices on a network into smaller broadcast domains. These smaller
domains forward packets only to devices that are part of that VLAN domain. This reduces traffic and increases network
security.
In NAT mode, the FortiGate unit functions as a layer-3 device. In this mode, the FortiGate unit controls the flow of
packets between VLANs and can also remove VLAN tags from incoming VLAN packets. The FortiGate unit can also
forward untagged packets to other networks such as the Internet.
In NAT mode, the FortiGate unit supports VLAN trunk links with IEEE 802.1Q-compliant switches or routers. The trunk
link transports VLAN-tagged packets between physical subnets or networks. When you add VLAN subinterfaces to the
FortiGate's physical interfaces, the VLANs have IDs that match the VLAN IDs of packets on the trunk link. The FortiGate
unit directs packets with VLAN IDs to subinterfaces with matching IDs.
You can define VLAN subinterfaces on all FortiGate physical interfaces. However, if multiple virtual domains are
configured on the FortiGate unit, you only have access to the physical interfaces on your virtual domain. The FortiGate
unit can tag packets leaving on a VLAN subinterface. It can also remove VLAN tags from incoming packets and add a
different VLAN tag to outgoing packets.
Normally in VLAN configurations, the FortiGate unit's internal interface is connected to a VLAN trunk, and the external
interface connects to an Internet router that is not configured for VLANs. In this configuration, the FortiGate unit can
apply different policies for traffic on each VLAN interface connected to the internal interface, which results in less
network traffic and better security.
Sample topology
In this example, two different internal VLAN networks share one interface on the FortiGate unit and share the
connection to the Internet. This example shows that two networks can have separate traffic streams while sharing a
single interface. This configuration can apply to two departments in a single company or to different companies.
There are two different internal network VLANs in this example. VLAN_100 is on the 10.1.1.0/255.255.255.0 subnet,
and VLAN_200 is on the 10.1.2.0/255.255.255.0 subnet. These VLANs are connected to the VLAN switch.
The FortiGate internal interface connects to the VLAN switch through an 802.1Q trunk. The internal interface has an IP
address of 192.168.110.126 and is configured with two VLAN subinterfaces (VLAN_100 and VLAN_200). The external
interface has an IP address of 172.16.21.2 and connects to the Internet. The external interface has no VLAN
subinterfaces.
When the VLAN switch receives packets from VLAN_100 and VLAN_200, it applies VLAN ID tags and forwards the
packets of each VLAN both to local ports and to the FortiGate unit across the trunk link. The FortiGate unit has policies
that allow traffic to flow between the VLANs, and from the VLANs to the external network.
Sample configuration
In this example, both the FortiGate unit and the Cisco 2950 switch are installed and connected and basic configuration
has been completed. On the switch, you need access to the CLI to enter commands. No VDOMs are enabled in this
example.
General configuration steps include:
1. Configure the external interface.
2. Add two VLAN subinterfaces to the internal network interface.
3. Add firewall addresses and address ranges for the internal and external networks.
4. Add security policies to allow:
• the VLAN networks to access each other.
• the VLAN networks to access the external network.
In transparent mode, the FortiGate unit behaves like a layer-2 bridge but can still provide services such as antivirus
scanning, web filtering, spam filtering, and intrusion protection to traffic. Some limitations of transparent mode are that
you cannot use SSL VPN, PPTP/L2TP VPN, or a DHCP server, or easily perform NAT on traffic. The limits in transparent
mode apply to IEEE 802.1Q VLAN trunks passing through the unit.
You can insert the FortiGate unit operating in transparent mode into the VLAN trunk without making changes to your
network. In a typical configuration, the FortiGate unit internal interface accepts VLAN packets on a VLAN trunk from a
VLAN switch or router connected to internal network VLANs. The FortiGate external interface forwards VLAN-tagged
packets through another VLAN trunk to an external VLAN switch or router and on to external networks such as the
Internet. You can configure the unit to apply different policies for traffic on each VLAN in the trunk.
To pass VLAN traffic through the FortiGate unit, you add two VLAN subinterfaces with the same VLAN ID, one to the
internal interface and the other to the external interface. You then create a security policy to permit packets to flow from
the internal VLAN interface to the external VLAN interface. If required, create another security policy to permit packets
to flow from the external VLAN interface to the internal VLAN interface. Typically in transparent mode, you do not permit
packets to move between different VLANs. Network protection features such as spam filtering, web filtering, and
antivirus scanning are applied through the UTM profiles specified in each security policy, enabling very detailed control
over traffic.
When the FortiGate unit receives a VLAN-tagged packet on a physical interface, it directs the packet to the VLAN
subinterface with the matching VLAN ID. The VLAN tag is removed from the packet and the FortiGate unit then applies
security policies using the same method it uses for non-VLAN packets. If the packet exits the FortiGate unit through a
VLAN subinterface, the VLAN ID for that subinterface is added to the packet and the packet is sent to the corresponding
physical interface.
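The tag handling described in the two paragraphs above (and in the NAT-mode trunk description earlier) is mechanical enough to model. The following Python is an added example that is not FortiOS code and not from the cookbook: it parses and rebuilds the 802.1Q header, and models the transparent-mode path for the sample topology that follows, with one subinterface per VLAN ID on each physical interface and one policy per direction per VLAN. The subinterface names, the policy set, the `forward` function and the constructed sample frame are this example's own assumptions.

```python
"""802.1Q tag handling as a FortiGate in transparent mode applies it: strip the tag on
ingress, pick the subinterface with the matching VLAN ID, check a policy, re-tag on
egress. Added example, not FortiOS code; names and policies are assumed."""
import struct

TPID_8021Q = 0x8100


def parse_vlan_tag(frame):
    """Return (vid, pcp, untagged_frame) for a tagged frame, or None if it is untagged."""
    if len(frame) < 18:
        raise ValueError("frame too short for a tagged Ethernet header")
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None
    (tci,) = struct.unpack("!H", frame[14:16])      # PCP(3) DEI(1) VID(12)
    return tci & 0x0FFF, tci >> 13, frame[:12] + frame[16:]


def add_vlan_tag(frame, vid, pcp=0):
    """Insert an 802.1Q tag after the source MAC of an untagged frame."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


# Assumed subinterface table for the transparent-mode example: port -> {VLAN ID: subinterface}.
SUBINTERFACES = {
    "internal": {100: "VLAN_100_int", 200: "VLAN_200_int"},
    "external": {100: "VLAN_100_ext", 200: "VLAN_200_ext"},
}
# Assumed security policies (srcintf, dstintf): one per direction per VLAN, and
# nothing between different VLANs, as the text describes for transparent mode.
POLICIES = {
    ("VLAN_100_int", "VLAN_100_ext"), ("VLAN_100_ext", "VLAN_100_int"),
    ("VLAN_200_int", "VLAN_200_ext"), ("VLAN_200_ext", "VLAN_200_int"),
}
PEER_PORT = {"internal": "external", "external": "internal"}


def forward(ingress_port, frame):
    """Model the transparent-mode path; return (egress_port, egress_frame) or None if dropped."""
    tag = parse_vlan_tag(frame)
    if tag is None:
        return None                      # no untagged subinterface in this example
    vid, pcp, untagged = tag
    src_sub = SUBINTERFACES[ingress_port].get(vid)
    if src_sub is None:
        return None                      # no subinterface with a matching VLAN ID
    egress_port = PEER_PORT[ingress_port]
    dst_sub = SUBINTERFACES[egress_port].get(vid)
    if dst_sub is None or (src_sub, dst_sub) not in POLICIES:
        return None                      # no policy permits this direction
    return egress_port, add_vlan_tag(untagged, vid, pcp)   # re-tag with the subinterface's ID


def build_tagged_frame(vid, pcp=0, payload=b"\x45" + b"\x00" * 19):
    """Constructed sample: broadcast destination, locally administered source MAC, IPv4 ethertype."""
    untagged = bytes.fromhex("ffffffffffff") + bytes.fromhex("02000000aa01") + b"\x08\x00" + payload
    return add_vlan_tag(untagged, vid, pcp)


if __name__ == "__main__":
    frame = build_tagged_frame(100, pcp=3)
    print("VLAN 100 from internal ->", forward("internal", frame) and "external, re-tagged")
    print("VLAN 300 from internal ->", forward("internal", build_tagged_frame(300)))
```

Note that the policy lookup is keyed on the subinterface pair, not the physical ports: that is what makes "a VLAN 100 frame may never leave as VLAN 200" fall out of the model without any extra rule, exactly as the text describes for transparent mode.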
Sample topology
In this example, the FortiGate unit is operating in transparent mode and is configured with two VLANs: one with an ID of
100 and the other with ID 200. The internal and external physical interfaces each have two VLAN subinterfaces, one for
VLAN_100 and one for VLAN_200.
The IP range for the internal VLAN_100 network is 10.100.0.0/255.255.0.0, and for the internal VLAN_200 network is
10.200.0.0/255.255.0.0.
The internal networks are connected to a Cisco 2950 VLAN switch which combines traffic from the two VLANs onto one
trunk into the FortiGate unit's internal interface. The VLAN traffic leaves the FortiGate unit on the external network interface,
goes on to the VLAN switch, and on to the Internet. When the FortiGate unit receives a tagged packet, it directs it from
the incoming VLAN subinterface to the outgoing VLAN subinterface for that VLAN.
In this example, we create a VLAN subinterface on the internal interface and another one on the external interface, both
with the same VLAN ID. Then we create security policies that allow packets to travel between the VLAN_100_int
interface and the VLAN_100_ext interface. Two policies are required: one for each direction of traffic. The same is
required between the VLAN_200_int interface and the VLAN_200_ext interface, for a total of four security policies.
Sample configuration
There are two main steps to configure your FortiGate unit to work with VLANs in transparent mode:
1. Add VLAN subinterfaces.
2. Add security policies.
You can also configure the protection profiles that manage antivirus scanning, web filtering, and spam filtering.
The Media Access Control (MAC) Virtual Local Area Network (VLAN) feature in Linux allows you to configure multiple
virtual interfaces with different MAC addresses (and therefore different IP addresses) on a physical interface.
FortiGate implements an enhanced MAC VLAN consisting of a MAC VLAN with bridge functionality. Because each MAC
VLAN has a unique MAC address, virtual IP addresses (VIPs) and IP pools are supported, and you can disable Source
Network Address Translation (SNAT) in policies.
MAC VLAN cannot be used in a Transparent mode virtual domain (VDOM). In a Transparent mode VDOM, a packet
leaves an interface with the MAC address of the original source instead of the interface’s MAC address. FortiGate
implements an enhanced version of MAC VLAN where it adds a MAC table in the MAC VLAN which learns the MAC
addresses when traffic passes through.
If you configure a VLAN ID for an enhanced MAC VLAN, it won’t join the switch of the underlying interface. When a
packet is sent to this interface, a VLAN tag is inserted in the packet and the packet is sent to the driver of the underlying
interface. When the underlying interface receives a packet, if the VLAN ID doesn’t match, it won’t deliver the packet to
this enhanced MAC VLAN interface.
If you use an interface in an enhanced MAC VLAN, do not use it for other purposes such as a management interface,
HA heartbeat interface, or in Transparent VDOMs.
If a physical interface is used by an EMAC VLAN interface, you cannot use it in a Virtual Wire Pair.
In high availability (HA) configurations, enhanced MAC VLAN is treated as a physical interface. It’s assigned a unique
physical interface ID and the MAC table is synchronized with the slaves in the same HA cluster.
Example 1: Enhanced MAC VLAN configuration for multiple VDOMs that use the same interface
or VLAN
In this example, a FortiGate is connected, through port 1 to a router that’s connected to the Internet. Three VDOMs
share the same interface (port 1) which connects to the same router that’s connected to the Internet. Three enhanced
MAC VLAN interfaces are configured on port 1 for the three VDOMs. The enhanced MAC VLAN interfaces are in the
same IP subnet segment and each have unique MAC addresses.
The underlying interface (port 1) can be a physical interface, an aggregate interface, or a VLAN interface on a physical
or aggregate interface.
Example 2: Enhanced MAC VLAN configuration for shared VDOM links among multiple VDOMs
In this example, multiple VDOMs can connect to each other using enhanced MAC VLAN on network processing unit
(NPU) virtual link (Vlink) interfaces.
FortiGate VDOM links (NPU-Vlink) are designed to be peer-to-peer connections and VLAN interfaces on NPU Vlink ports
use the same MAC address. Connecting more than two VDOMs using NPU Vlinks and VLAN interfaces is not
recommended.
Example 3: Enhanced MAC VLAN configuration for unique MAC addresses for each VLAN
interface on the same physical port
Some networks require a unique MAC address for each VLAN interface when the VLAN interfaces share the same
physical port. In this case, the enhanced MAC VLAN interface is used the same way as normal VLAN interfaces.
To configure this, use the set vlanid command for the VLAN tag.
Inter-VDOM routing
In the past, virtual domains (VDOMs) were separate from each other and there was no internal communication. Any
communication between VDOMs involved traffic leaving on a physical interface belonging to one VDOM and re-entering
the FortiGate unit on another physical interface belonging to another VDOM to be inspected by firewall policies in both
directions.
Inter-VDOM routing changes this. With VDOM links, VDOMs can communicate internally without using additional
physical interfaces.
Inter-VDOM routing is the communication between VDOMs. VDOM links are virtual interfaces that connect VDOMs. A
VDOM link contains a pair of interfaces, each one connected to a VDOM and forming either end of the inter-VDOM
connection.
When VDOMs are configured on your FortiGate unit, configuring inter-VDOM routing and VDOM-links is very much like
creating a VLAN interface. VDOM-links are managed through the web-based manager or CLI. In the web-based
manager, VDOM link interfaces are managed in the network interface list.
VDOM link does not support traffic offload. If you want to use traffic offload, use NPU-VDOM-
LINK.
This example shows how to configure a FortiGate unit to use inter-VDOM routing.
Two departments of a company, Accounting and Sales, are connected to one FortiGate. The company uses a single
ISP to connect to the Internet.
This example includes the following general steps. We recommend following the steps in the order below.
Next, configure the physical interfaces. This example uses three interfaces on the FortiGate unit: port2 (internal), port3
(DMZ), and port1 (external). Port2 and port3 interfaces each have a department’s network connected. Port1 is for all
traffic to and from the Internet and uses DHCP to configure its IP address, which is common with many ISPs.
config global
    config system interface
        edit port2
            set alias AccountingLocal
            set vdom Accounting
            set mode static
            set ip 172.100.1.1 255.255.0.0
            set allowaccess https ping ssh
            set description "The accounting dept internal interface"
        next
        edit port3
To complete the connection between each VDOM and the management VDOM, add the two VDOM links. One pair is
the Accounting – management link and the other is the Sales – management link.
When configuring inter-VDOM links, you do not have to assign IP addresses to the links unless you are using advanced
features such as dynamic routing that require them. Not assigning IP addresses results in faster configuration and more
available IP addresses on your networks.
config global
    config system vdom-link
        edit AccountVlnk
        next
    end
    config system interface
        edit AccountVlnk0
            set vdom Accounting
            set ip 11.11.11.2 255.255.255.0
            set allowaccess https ping ssh
            set description "Accounting side of the VDOM link"
        next
        edit AccountVlnk1
            set vdom root
            set ip 11.11.11.1 255.255.255.0
            set allowaccess https ping ssh
            set description "Management side of the VDOM link"
        next
    end
end
config global
    config system vdom-link
        edit SalesVlnk
        next
    end
    config system interface
        edit SalesVlnk0
            set vdom Sales
            set ip 12.12.12.2 255.255.255.0
            set allowaccess https ping ssh
            set description "Sales side of the VDOM link"
        next
        edit SalesVlnk1
            set vdom root
            set ip 12.12.12.1 255.255.255.0
            set allowaccess https ping ssh
            set description "Management side of the VDOM link"
        next
    end
end
With the VDOMs, physical interfaces, and VDOM links configured, the firewall must now be configured to allow the
proper traffic. Firewalls are configured per-VDOM, and firewall objects and routes must be created for each VDOM
separately.
config vdom
    edit Accounting
        config firewall policy
            edit 1
                set name "Accounting-Local-to-Management"
                set srcintf port2
                set dstintf AccountVlnk0
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set nat enable
            next
        end
    next
end
config vdom
    edit root
        config firewall policy
            edit 2
                set name "Accounting-VDOM-to-Internet"
                set srcintf AccountVlnk1
                set dstintf port1
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set nat enable
            next
        end
    next
end
config vdom
    edit Sales
        config firewall policy
            edit 6
                set name "Sales-Local-to-Management"
                set srcintf port3
                set srcaddr all
                set dstintf SalesVlnk0
                set dstaddr all
                set schedule always
                set service ALL
                set action accept
                set logtraffic all
            next
        end
    next
end
config vdom
    edit root
        config firewall policy
            edit 7
                set name "Sales-VDOM-to-Internet"
                set srcintf SalesVlnk1
                set srcaddr SalesManagement
                set dstintf port1
                set dstaddr all
                set schedule always
                set service OfficeServices
                set action accept
                set logtraffic all
            next
        end
    next
end
When the inter-VDOM routing has been configured, test the configuration to confirm proper operation.
Testing connectivity ensures that physical networking connections, FortiGate unit interface configurations, and firewall
policies are properly configured.
The easiest way to test connectivity is to use the ping and traceroute command to confirm the connectivity of
different routes on the network.
Test both from AccountingLocal to Internet and from SalesLocal to Internet.
Software switch
A software switch, or soft switch, is a virtual switch that is implemented at the software or firmware level and not at the
hardware level. A software switch can be used to simplify communication between devices connected to different
FortiGate interfaces. For example, using a software switch, you can place the FortiGate interface connected to an
internal network on the same subnet as your wireless interfaces. Then devices on the internal network can communicate
with devices on the wireless network without any additional configuration on the FortiGate unit, such as additional
security policies.
A software switch can also be useful if you require more hardware ports for the switch on a FortiGate unit. For example,
if your FortiGate unit has a 4-port switch, WAN1, WAN2, and DMZ interfaces, and you need one more port, you can
create a soft switch that can include the four-port switch and the DMZ interface, all on the same subnet. These types of
applications also apply to wireless interfaces, virtual wireless interfaces, and physical interfaces such as those in
FortiWiFi and FortiAP units.
Similar to a hardware switch, a software switch functions like a single interface. A soft switch has one IP address and all
the interfaces in the software switch are on the same subnet. Traffic between devices connected to each interface is
not regulated by security policies, and traffic passing in and out of the switch is controlled by the same policy.
When setting up a software switch, consider the following:
• Ensure you have a backup of the configuration.
• Ensure you have at least one port or connection, such as the console port, to connect to the FortiGate unit. If you
accidentally combine too many ports, you need a way to undo errors.
• The ports that you include must not have any link or relation to any other aspect of the FortiGate unit, such as
DHCP servers, security policies, and so on.
• For increased security, you can create a captive portal for the switch to allow only specific user groups access to the
resources connected to the switch.
For this example, the wireless interface (WiFi) needs to be on the same subnet as the DMZ1 interface to facilitate
wireless syncing between an iPhone and a local computer. Because syncing between two subnets is problematic, putting
both interfaces on the same subnet makes the syncing work. The software switch accomplishes this.
1. Clear the interfaces and back up the configuration.
a. Ensure the interfaces are not used for other security policy or for other use on the FortiGate unit.
b. Check the WiFi and DMZ1 ports to ensure DHCP is not enabled on the interface and that there are no other
dependencies on these interfaces.
c. Save the current configuration so that if something doesn’t work, recovery can be quick.
Once the soft switch is set up, add the security policies, DHCP servers, and any other configuration you would
normally apply to an interface on the FortiGate unit.
Zone
A zone is a group of one or more physical or virtual FortiGate interfaces to which you can apply security policies to
control inbound and outbound traffic. Grouping interfaces and VLAN subinterfaces into zones simplifies the creation of
security policies where a number of network segments can use the same policy settings and protection profiles.
When you add a zone, you select the names of the interfaces and VLAN subinterfaces to add to the zone. Each
interface still has its own address. Routing is still done between interfaces, that is, routing is not affected by zones. You
can use security policies to control the flow of intra-zone traffic.
For example, in the sample configuration below, the network includes three separate groups of users representing
different entities on the company network. While each group has its own set of ports and VLANs, they can all use the
same security policy and protection profiles to access the Internet. Rather than creating nine separate security
policies, the administrator can simplify administration by adding the required interfaces to zones and creating three
policies.
Sample configuration
You can configure policies for connections to and from a zone, but not between the individual interfaces in a zone. In this
example, you can create a security policy between zone 1 and zone 3, but not between WAN2 and WAN1, or between WAN1
and DMZ1, once those interfaces are zone members.
To configure a zone to include the internal interface and a VLAN using the CLI:
To configure a firewall policy to allow any interface to access the Internet using the CLI:
Intra-zone traffic
In the zone configuration you can set intrazone deny to prevent the interfaces in the same zone from talking to each
other.
For example, suppose you have ten interfaces in your zone and the intrazone setting is deny. You now want to allow traffic
between a very small number of networks on different interfaces in the zone, without disabling intra-zone blocking for the
whole zone.
In this example, the zone VLANs are defined as: 192.168.1.0/24, 192.168.2.0/24, ... 192.168.10.0/24.
A policy whose source and destination interface are both the zone, with source address 192.168.1.0/24 and destination
address 192.168.2.0/24, allows traffic from 192.168.1.x to 192.168.2.x even though both networks are in the same zone and
intra-zone blocking is enabled. The intra-zone blocking acts as a default deny rule, and you override it only for the traffic
matched by a policy created within the zone.
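The lookup described above, as an added example that is not part of the cookbook: a small Python model of how a FortiGate resolves a new session's interfaces to zones, walks the policy table top-down, and falls back first to the zone's intrazone setting and then to the implicit deny. The zone name internal_zone, the member names vlan1 to vlan10, and the wan1 policy are assumptions for the demonstration. The model also refuses a policy that names a zone member directly, which is the rule stated above for the FortiGate.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed scenario, not the cookbook's configuration: one zone holding ten
# VLAN interfaces (vlan1 ... vlan10, one per 192.168.N.0/24) with intrazone deny,
# plus a wan1 interface outside the zone.


@dataclass(frozen=True)
class Zone:
    name: str
    members: frozenset
    intrazone: str  # "allow" or "deny", mirroring `set intrazone` on the zone


@dataclass(frozen=True)
class Policy:
    name: str
    srcintf: str  # a zone name, or an interface that is not a zone member
    dstintf: str
    srcaddr: str  # CIDR, or "all"
    dstaddr: str
    action: str  # "accept" or "deny"


class PolicyTable:
    def __init__(self, zones, policies):
        self.zones = {z.name: z for z in zones}
        self.member_of = {m: z.name for z in zones for m in z.members}
        for p in policies:
            bad = self.member_references(p)
            if bad:
                raise ValueError(f"policy {p.name!r} names zone member(s) {bad}; "
                                 "use the zone name instead")
        self.policies = list(policies)  # evaluated top-down, first match wins

    def member_references(self, policy):
        """Interfaces in the policy that belong to a zone; such a policy is invalid."""
        return [i for i in (policy.srcintf, policy.dstintf) if i in self.member_of]

    def _resolve(self, intf):
        return self.member_of.get(intf, intf)

    @staticmethod
    def _addr_match(spec, ip):
        return spec == "all" or ip_address(ip) in ip_network(spec)

    def lookup(self, src_intf, src_ip, dst_intf, dst_ip):
        """Return (action, policy_name) for a new session, as the firewall would."""
        src, dst = self._resolve(src_intf), self._resolve(dst_intf)
        for p in self.policies:
            if (p.srcintf == src and p.dstintf == dst
                    and self._addr_match(p.srcaddr, src_ip)
                    and self._addr_match(p.dstaddr, dst_ip)):
                return p.action, p.name
        # No explicit match: traffic that stays inside one zone is decided by the
        # zone's intrazone setting; everything else hits the implicit deny.
        if src == dst and src in self.zones and self.zones[src].intrazone == "allow":
            return "accept", "intrazone-allow"
        return "deny", "implicit-deny"


ZONE = Zone("internal_zone", frozenset(f"vlan{i}" for i in range(1, 11)), "deny")
POLICIES = [
    # The override the cookbook describes: only 192.168.1.0/24 -> 192.168.2.0/24
    # is opened inside the zone; every other intra-zone flow stays blocked.
    Policy("vlan1-to-vlan2", "internal_zone", "internal_zone",
           "192.168.1.0/24", "192.168.2.0/24", "accept"),
    Policy("zone-to-internet", "internal_zone", "wan1", "all", "all", "accept"),
]
TABLE = PolicyTable([ZONE], POLICIES)


def evaluate(src_intf, src_ip, dst_intf, dst_ip):
    return TABLE.lookup(src_intf, src_ip, dst_intf, dst_ip)


if __name__ == "__main__":
    for flow in [("vlan1", "192.168.1.10", "vlan2", "192.168.2.20"),
                 ("vlan2", "192.168.2.20", "vlan1", "192.168.1.10"),
                 ("vlan1", "192.168.1.10", "vlan3", "192.168.3.30"),
                 ("vlan5", "192.168.5.5", "wan1", "203.0.113.1")]:
        print(flow, "->", evaluate(*flow))
```

Note that the override is directional: a new session from vlan2 toward vlan1 still hits the implicit deny and needs its own policy. Reply traffic of an accepted session is matched by the session table, not by a second policy, so the single policy is enough for the 192.168.1.x to 192.168.2.x case in the text.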
Virtual wire pair
A virtual wire pair consists of two interfaces that do not have IP addressing and are treated like a transparent mode
VDOM. All traffic received by one interface in the virtual wire pair can only be forwarded to the other interface, provided
a virtual wire pair firewall policy allows this traffic. Traffic from other interfaces cannot be routed to the interfaces in a
virtual wire pair.
Virtual wire pairs are useful in topologies where MAC addresses do not behave normally. For example, port pairing can be
used in a Direct Server Return (DSR) topology, where the MAC address pair of the response may not match the MAC
address pair of the request.
Sample topology
In this example, a virtual wire pair (port3 and port4) makes it easier to protect a web server that is behind a FortiGate
operating as an Internal Segmentation Firewall (ISFW). Users on the internal network access the web server through
the ISFW over the virtual wire pair.
Interfaces used in a virtual wire pair cannot be used to access the ISFW FortiGate. Before
creating a virtual wire pair, make sure you have a different port configured to allow admin
access using your preferred protocol.
Virtual Domains
Virtual Domains (VDOMs) are used to divide a FortiGate into two or more virtual units that function independently.
VDOMs can provide separate security policies and, in NAT mode, completely separate configurations for routing and
VPN services for each connected network.
There are two VDOM modes:
l Split-task VDOM mode: One VDOM is used only for management, and the other is used to manage traffic. See
Split-task VDOM mode on page 160.
l Multi VDOM mode: Multiple VDOMs can be created and managed as independent units. See Multi VDOM mode
on page 164.
By default, most FortiGate units support 10 VDOMs, and many FortiGate models support purchasing a license key to
increase the maximum number.
Global settings are configured outside of a VDOM. They affect the entire FortiGate, and include settings such as
interfaces, firmware, DNS, some logging and sandboxing options, and others. Global settings should only be changed
by top-level administrators.
Switching directly between multi VDOM mode and split-task VDOM mode is not allowed; you must first switch to no
VDOM mode.
In split-task VDOM mode, the FortiGate has two VDOMs: the management VDOM (root) and the traffic VDOM (FG-traffic).
The management VDOM is used to manage the FortiGate, and cannot be used to process traffic.
The following GUI sections are available when in the management VDOM:
l The Status dashboard
l Security Fabric topology and settings (read-only, except for HTTP Service settings)
l Interface and static route configuration
l FortiClient configuration
l Replacement messages
l Advanced system settings
l Certificates
l System events
l Log and email alert settings
l Threat weight definitions
The traffic VDOM provides separate security policies, and is used to process all network traffic.
The following GUI sections are available when in the traffic VDOM:
l The Status, Top Usage LAN/DMZ, and Security dashboards
l Security Fabric topology, settings (read-only, except for HTTP Service settings), and Fabric Connectors
(SSO/Identity connectors only)
l FortiView
l Interface configuration
l Packet capture
l SD-WAN, SD-WAN Rules, and Performance SLA
l Static and policy routes
l RIP, OSPF, BGP, and Multicast
l Replacement messages
l Advanced system settings
l Feature visibility
l Tags
l Certificates
l Policies and objects
l Security profiles
l VPNs
l User and device authentication
l WiFi and switch controller
l Logging
l Monitoring
Split-task VDOM mode is not available on all FortiGate models. The Fortinet Security Fabric supports split-task VDOM
mode.
Split-task VDOM mode can be enabled in the GUI or CLI. Enabling it does not require a reboot, but does log you out of
the FortiGate.
When split-task VDOM mode is enabled, all current management configuration is assigned to
the root VDOM, and all non-management settings, such as firewall policies and security
profiles, are deleted.
An interface can only be assigned to one of the VDOMs. When split-task VDOM mode is enabled, all interfaces are
assigned to the root VDOM. To use an interface in a policy, it must first be assigned to the traffic VDOM.
An interface cannot be moved if it is referenced in an existing configuration.
In the GUI, the interface list Ref. column shows if the interface is referenced in an existing
configuration, and allows you to quickly access and edit those references.
3. Select the VDOM that the interface will be assigned to from the Virtual Domain list.
4. Click OK.
config global
config system interface
edit <interface>
set vdom <VDOM_name>
next
end
end
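Both the software switch pre-checks earlier in this chapter (the member ports must not be referenced by DHCP servers, security policies, and so on) and the VDOM rule above (an interface cannot be moved while it is referenced) come down to the same question: what in the current configuration still points at the interface? As an added example that is not from the cookbook, the following Python script answers that question from a configuration backup. The configuration excerpt is constructed for the demonstration, and the script only matches on `set` values, so an interface name reused in an alias or comment would appear as a false positive.

```python
import shlex

# Constructed FortiOS configuration excerpt (not from the cookbook): "dmz" and
# "wifi" are the interfaces an administrator wants to combine into a software
# switch, or to move into a traffic VDOM with `set vdom`.
SAMPLE_CONFIG = """
config system interface
    edit "dmz"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
    next
end
config system dhcp-server
    edit 1
        set default-gateway 10.10.10.1
        set netmask 255.255.255.0
        set interface "dmz"
        config ip-range
            edit 1
                set start-ip 10.10.10.100
                set end-ip 10.10.10.200
            next
        end
    next
end
config firewall policy
    edit 1
        set name "dmz-out"
        set srcintf "dmz"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "wifi-out"
        set srcintf "wifi"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
config router static
    edit 1
        set gateway 192.0.2.1
        set device "wan1"
    next
end
"""


def iter_settings(config_text):
    """Yield (path, key, values) for each `set` line. path lists the enclosing
    config/edit names, e.g. ['firewall policy', '1'] for policy ID 1."""
    stack = []  # (kind, name) for each open `config` or `edit` block
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        verb = tokens[0]
        if verb == "config":
            stack.append(("config", " ".join(tokens[1:])))
        elif verb == "edit":
            stack.append(("edit", tokens[1]))
        elif verb == "next":
            if stack and stack[-1][0] == "edit":
                stack.pop()
        elif verb == "end":  # closes the innermost config and any edit still open in it
            while stack and stack.pop()[0] != "config":
                pass
        elif verb in ("set", "append"):
            yield [name for _, name in stack], tokens[1], tokens[2:]


def find_references(config_text, interface):
    """Paths of every setting whose value names the interface."""
    return ["/".join(path + [key])
            for path, key, values in iter_settings(config_text)
            if interface in values]


def can_move_interface(config_text, interface):
    """True when nothing references the interface, so `set vdom` (or adding the
    interface to a software switch) will not be refused for an existing dependency."""
    return not find_references(config_text, interface)


if __name__ == "__main__":
    for intf in ("dmz", "wifi", "wan1", "port3"):
        print(intf, "->", find_references(SAMPLE_CONFIG, intf) or "no references")
```

Run it against the output of a full configuration backup before the change; each path it prints is a setting you have to remove or repoint first, which is the same list the GUI's Ref. column would show you one object at a time.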
Per-VDOM administrators can be created that can access only the management or traffic VDOM. These administrators
must use either the prof_admin administrator profile, or a custom profile.
A per-VDOM administrator can only access the FortiGate through a network interface that is assigned to the VDOM that
they are assigned to. The interface must also be configured to allow management access. They can also connect to the
FortiGate using the console port.
To assign an administrator to multiple VDOMs, they must be created at the global level. When creating an administrator
at the VDOM level, the super_admin administrator profile cannot be used.
5. Click OK.
config global
config system admin
edit <name>
set vdom <VDOM_name>
set password <password>
set accprofile <admin_profile>
...
next
end
end
In multi VDOM mode, the FortiGate can have multiple VDOMs that function as independent units. One VDOM is used
to manage global settings.
Multi VDOM mode is not available on all FortiGate models. The Fortinet Security Fabric does not support multi VDOM
mode.
There are three main configuration types in multi VDOM mode:
Independent VDOMs:
Multiple, completely separate VDOMs are created. Any VDOM can be the management VDOM, as long as it has
Internet access. There are no inter-VDOM links, and each VDOM is independently managed.
Management VDOM:
A management VDOM is located between the other VDOMs and the Internet, and the other VDOMs connect to the
management VDOM with inter-VDOM links. The management VDOM has complete control over Internet access,
including the types of traffic that are allowed in both directions. This can improve security, as there is only one point of
ingress and egress.
There is no communication between the other VDOMs.
Meshed VDOMs:
VDOMs can communicate with inter-VDOM links. In full-mesh configurations, all the VDOMs are interconnected. In
partial-mesh configurations, only some of the VDOMs are interconnected.
In this configuration, proper security must be achieved by using firewall policies and ensuring secure account access for
administrators and users.
The following examples show how to configure per-VDOM settings, such as operation mode, routing, and security
policies, in a network that includes the following VDOMs:
l VDOM-A: allows the internal network to access the Internet.
l VDOM-B: allows external connections to an FTP server.
l root: the management VDOM.
You can use VDOMs in either NAT or transparent mode on the same FortiGate. By default, VDOMs operate in NAT
mode.
For both examples, multi VDOM mode must be enabled, and VDOM-A and VDOM-B must be created.
Multi VDOM mode can be enabled in the GUI or CLI. Enabling it does not require a reboot, but does log you out of the
device. The current configuration is assigned to the root VDOM.
1. In the Global VDOM, go to System > VDOM, and click Create New. The New Virtual Domain page opens.
config vdom
edit <VDOM-A>
next
edit <VDOM-B>
next
end
NAT mode
In this example, both VDOM-A and VDOM-B use NAT mode. A VDOM link is created that allows users on the internal
network to access the FTP server.
This configuration requires the following steps:
1. Configure VDOM-A on page 167
2. Configure VDOM-B on page 169
3. Configure the VDOM link on page 171
Configure VDOM-A
VDOM-A allows connections from devices on the internal network to the Internet. The wan1 and port1 interfaces are assigned
to this VDOM.
The per-VDOM configuration for VDOM-A includes the following:
l A firewall address for the internal network
l A static route to the ISP gateway
l A security policy allowing the internal network to access the Internet
All procedures in this section require you to connect to VDOM-A, either using a global or per-VDOM administrator
account.
Name internal-network
Type Subnet
Interface port1
config vdom
edit VDOM-A
config firewall address
edit internal-network
set associated-interface port1
set subnet 192.168.10.0 255.255.255.0
next
end
next
end
Destination Subnet
IP address 0.0.0.0/0.0.0.0
Gateway 172.20.201.7
Interface wan1
Distance 10
config vdom
edit VDOM-A
config router static
edit 0
set gateway 172.20.201.7
set device wan1
next
end
next
end
1. Connect to VDOM-A.
2. Go to Policy & Objects > IPv4 Policy and create a new policy.
3. Enter the following information:
Name VDOM-A-Internet
Schedule always
Service ALL
Action ACCEPT
NAT enabled
config vdom
edit VDOM-A
config firewall policy
edit 0
set name VDOM-A-Internet
set srcintf port1
set dstintf wan1
set srcaddr internal-network
set dstaddr all
set action accept
set schedule always
set service ALL
set nat enable
next
end
next
end
Configure VDOM-B
VDOM-B allows external connections to reach an internal FTP server. The wan2 and port2 interfaces are assigned to this VDOM.
The per-VDOM configuration for VDOM-B includes the following:
l A firewall address for the FTP server
l A virtual IP address for the FTP server
l A static route to the ISP gateway
l A security policy allowing external traffic to reach the FTP server
All procedures in this section require you to connect to VDOM-B, either using a global or per-VDOM administrator
account.
Type Subnet
Interface port2
config vdom
edit VDOM-B
config firewall address
edit FTP-server
set associated-interface port2
set subnet 192.168.20.10 255.255.255.255
next
end
next
end
Name FTP-server-VIP
Interface wan2
Destination Subnet
IP address 0.0.0.0/0.0.0.0
Gateway 172.20.10.10
Interface wan2
Distance 10
config vdom
edit VDOM-B
config router static
edit 0
set device wan2
set gateway 172.20.10.10
next
end
next
end
Name Access-server
Schedule always
Service FTP
Action ACCEPT
NAT enabled
config vdom
edit VDOM-B
config firewall policy
edit 0
set name Access-server
set srcintf wan2
set dstintf port2
set srcaddr all
set dstaddr FTP-server-VIP
set action accept
set schedule always
set service FTP
set nat enable
next
end
next
end
The VDOM link allows connections from VDOM-A to VDOM-B. This allows users on the internal network to access the
FTP server through the FortiGate.
The configuration for the VDOM link includes the following:
1. Connect to root.
2. Go to Global > Network > Interfaces and select Create New > VDOM link.
3. Enter the following information:
Name VDOM-link
Interface 0
IP/Netmask 0.0.0.0/0.0.0.0
Interface 1
IP/Netmask 0.0.0.0/0.0.0.0
config global
config system vdom-link
edit VDOM-link
next
end
config system interface
edit VDOM-link0
set vdom VDOM-A
set ip 0.0.0.0 0.0.0.0
next
edit VDOM-link1
set vdom VDOM-B
set ip 0.0.0.0 0.0.0.0
next
end
end
1. Connect to VDOM-A.
2. Go to Policy & Objects > Addresses and create a new address.
3. Enter the following information:
Type Subnet
Interface VDOM-link0
config vdom
edit VDOM-A
config firewall address
edit FTP-server
set associated-interface VDOM-link0
set allow-routing enable
set subnet 192.168.20.10 255.255.255.255
next
end
next
end
1. Connect to VDOM-A.
2. Go to Network > Static Routes and create a new route.
3. Enter the following information:
Gateway 0.0.0.0
Interface VDOM-link0
config vdom
edit VDOM-A
config router static
edit 0
set device VDOM-link0
set dstaddr FTP-server
next
end
next
end
1. Connect to VDOM-A.
2. Go to Policy & Objects > IPv4 Policy and create a new policy.
Name Access-FTP-server
Source internal-network
Destination FTP-server
Schedule always
Service FTP
Action ACCEPT
NAT disabled
config vdom
edit VDOM-A
config firewall policy
edit 0
set name Access-FTP-server
set srcintf port1
set dstintf VDOM-link0
set srcaddr internal-network
set dstaddr FTP-server
set action accept
set schedule always
set service FTP
next
end
next
end
1. Connect to VDOM-B.
2. Go to Policy & Objects > Addresses and create a new address.
3. Enter the following information:
Type Subnet
Interface VDOM-link1
config vdom
edit VDOM-B
config firewall address
edit internal-network
set associated-interface VDOM-link1
set allow-routing enable
set subnet 192.168.10.0 255.255.255.0
next
end
next
end
1. Connect to VDOM-B.
2. Go to Network > Static Routes and create a new route.
3. Enter the following information:
Gateway 0.0.0.0
Interface VDOM-link1
config vdom
edit VDOM-B
config router static
edit 0
set device VDOM-link1
set dstaddr internal-network
next
end
next
end
1. Connect to VDOM-B.
2. Go to Policy & Objects > IPv4 Policy and create a new policy.
3. Enter the following information:
Name Internal-server-access
Source internal-network
Destination FTP-server
Schedule always
Service FTP
Action ACCEPT
NAT disabled
config vdom
edit VDOM-B
config firewall policy
edit 0
set name Internal-server-access
set srcintf VDOM-link1
set dstintf port2
set srcaddr internal-network
set dstaddr FTP-server
set action accept
set schedule always
set service FTP
next
end
next
end
Transparent mode
In this example, VDOM-A uses NAT mode and VDOM-B uses transparent mode.
This configuration requires the following steps:
1. Configure VDOM-A on page 176
2. Configure VDOM-B on page 178
Configure VDOM-A
VDOM-A allows connections from devices on the internal network to the Internet. The wan1 and port1 interfaces are assigned
to this VDOM.
The per-VDOM configuration for VDOM-A includes the following:
l A firewall address for the internal network
l A static route to the ISP gateway
l A security policy allowing the internal network to access the Internet
All procedures in this section require you to connect to VDOM-A, either using a global or per-VDOM administrator
account.
Name internal-network
Type Subnet
Interface port1
config vdom
edit VDOM-A
config firewall address
edit internal-network
set associated-interface port1
set subnet 192.168.10.0 255.255.255.0
next
end
next
end
Destination Subnet
IP address 0.0.0.0/0.0.0.0
Gateway 172.20.201.7
Interface wan1
Distance 10
config vdom
edit VDOM-A
config router static
edit 0
set gateway 172.20.201.7
set device wan1
next
end
next
end
1. Connect to VDOM-A.
2. Go to Policy & Objects > IPv4 Policy and create a new policy.
3. Enter the following information:
Name VDOM-A-Internet
Schedule always
Service ALL
Action ACCEPT
NAT enabled
config vdom
edit VDOM-A
config firewall policy
edit 0
set name VDOM-A-Internet
set srcintf port1
set dstintf wan1
set srcaddr internal-network
set dstaddr all
set action accept
set schedule always
set service ALL
set nat enable
next
end
next
end
Configure VDOM-B
VDOM-B allows external connections to reach an internal FTP server. The wan2 and port2 interfaces are assigned to this VDOM.
The per-VDOM configuration for VDOM-B includes the following:
l A firewall address for the FTP server
l A static route to the ISP gateway
l A security policy allowing external traffic to reach the FTP server
All procedures in this section require you to connect to VDOM-B, either using a global or per-VDOM administrator
account.
Type Subnet
Interface port2
config vdom
edit VDOM-B
config firewall address
edit FTP-server
set associated-interface port2
set subnet 172.25.177.42 255.255.255.255
next
end
next
end
Destination Subnet
IP address 0.0.0.0/0.0.0.0
Gateway 172.20.10.10
config vdom
edit VDOM-B
config router static
edit 0
set gateway 172.20.10.10
next
end
next
end
1. Connect to VDOM-B.
2. Go to Policy & Objects > IPv4 Policy and create a new policy.
Name Access-server
Schedule always
Service FTP
Action ACCEPT
config vdom
edit VDOM-B
config firewall policy
edit 0
set name Access-server
set srcintf wan2
set dstintf port2
set srcaddr all
set dstaddr FTP-server
set action accept
set schedule always
set service FTP
next
end
next
end
SNMP
The Simple Network Management Protocol (SNMP) enables you to monitor hardware on your network. You can
configure the hardware, such as the FortiGate SNMP agent, to report system information and send traps (alarms or
event messages) to SNMP managers.
SNMP v1/v2c
snmpwalk is a Net-SNMP command-line application that uses SNMP GETNEXT requests to query a network device for
information. An object identifier (OID) may be given on the command line. This OID specifies which portion of the object
identifier space will be searched using GETNEXT requests. All variables in the subtree below the given OID are queried
and their values presented to the user.
SNMP v3
Authentication verifies the identity of the user, and privacy encrypts SNMP v3 messages to ensure the confidentiality of
the data. Together they provide a higher level of security than SNMP v1 and v2c, which rely on a community string sent in
clear text for access control. Both authentication and privacy are optional in SNMP v3.
IF-MIB::ifIndex.8 = INTEGER: 8
IF-MIB::ifIndex.9 = INTEGER: 9
IF-MIB::ifIndex.10 = INTEGER: 10
IF-MIB::ifIndex.11 = INTEGER: 11
IF-MIB::ifIndex.12 = INTEGER: 12
IF-MIB::ifIndex.13 = INTEGER: 13
IF-MIB::ifIndex.14 = INTEGER: 14
IF-MIB::ifIndex.15 = INTEGER: 15
IF-MIB::ifIndex.16 = INTEGER: 16
IF-MIB::ifIndex.17 = INTEGER: 17
IF-MIB::ifIndex.18 = INTEGER: 18
IF-MIB::ifIndex.19 = INTEGER: 19
IF-MIB::ifIndex.20 = INTEGER: 20
IF-MIB::ifIndex.21 = INTEGER: 21
IF-MIB::ifIndex.22 = INTEGER: 22
IF-MIB::ifIndex.23 = INTEGER: 23
IF-MIB::ifIndex.24 = INTEGER: 24
IF-MIB::ifIndex.25 = INTEGER: 25
IF-MIB::ifIndex.26 = INTEGER: 26
IF-MIB::ifIndex.27 = INTEGER: 27
IF-MIB::ifIndex.28 = INTEGER: 28
IF-MIB::ifIndex.29 = INTEGER: 29
IF-MIB::ifIndex.30 = INTEGER: 30
IF-MIB::ifIndex.31 = INTEGER: 31
IF-MIB::ifIndex.32 = INTEGER: 32
IF-MIB::ifIndex.33 = INTEGER: 33
IF-MIB::ifIndex.34 = INTEGER: 34
IF-MIB::ifIndex.35 = INTEGER: 35
IF-MIB::ifIndex.36 = INTEGER: 36
IF-MIB::ifIndex.37 = INTEGER: 37
IF-MIB::ifIndex.38 = INTEGER: 38
IF-MIB::ifIndex.39 = INTEGER: 39
IF-MIB::ifIndex.40 = INTEGER: 40
IF-MIB::ifIndex.41 = INTEGER: 41
IF-MIB::ifIndex.42 = INTEGER: 42
IF-MIB::ifIndex.43 = INTEGER: 43
IF-MIB::ifIndex.44 = INTEGER: 44
IF-MIB::ifIndex.45 = INTEGER: 45
=====================Truncated=========================
Important SNMP traps
linkDown and linkUp traps
These traps are sent when a FortiGate port goes down or comes up. For example, the trap below is generated when
port34 is set to down using set status down; a matching linkUp trap follows when it is brought up using set status up.
NET-SNMP version 5.7.3
2019-01-31 14:11:48 10.1.100.1(via UDP: [10.1.100.1]:162->[10.1.100.11]:162) TRAP, SNMP v1, community REGR-SYS
SNMPv2-MIB::snmpTraps Link Down Trap (0) Uptime: 0:14:44.95
IF-MIB::ifIndex.42 = INTEGER: 42
IF-MIB::ifAdminStatus.42 = INTEGER: down(2)
IF-MIB::ifOperStatus.42 = INTEGER: down(2)
FORTINET-CORE-MIB::fnSysSerial.0 = STRING: FG140P3G15800330
SNMPv2-MIB::sysName.0 = STRING: FortiGate-140D-POE
fgFmTrapIfChange trap
This trap is sent when any change is detected on an interface. The change can be as simple as assigning an IPv4
address. For example, after the administrator assigned the address 1.2.3.4/24 to port1, the SNMP manager (EMS) received
the following trap:
DISMAN-EXPRESSION-MIB::sysUpTimeInstance = Timeticks: (7975058) 22:09:10.58
SNMPv2-MIB::snmpTrapOID.0 = OID: FORTINET-FORTIGATE-MIB::fgFmTrapIfChange
FORTINET-CORE-MIB::fnSysSerial.0 = STRING: FG140P3G15800330
IF-MIB::ifName.45 = STRING: port1
FORTINET-FORTIGATE-MIB::fgManIfIp.0 = IpAddress: 1.2.3.4
FORTINET-FORTIGATE-MIB::fgManIfMask.0 = IpAddress: 255.255.255.0
FORTINET-FORTIGATE-MIB::fgManIfIp6.0 = STRING: 0:0:0:0:0:0:0:0
entConfigChange trap
The interface change in the example above also triggers the entConfigChange trap, which is sent along with the
fgFmTrapIfChange trap:
2018-11-15 09:30:23 FGT_A [UDP: [172.16.200.1]:162->[172.16.200.55]:162]:
DISMAN-EXPRESSION-MIB::sysUpTimeInstance = Timeticks: (8035097) 22:19:10.97
SNMPv2-MIB::snmpTrapOID.0 = OID: ENTITY-MIB::entConfigChange
fgTrapDeviceNew trap
This trap is triggered when a new device, such as a FortiAP or FortiSwitch, connects to the FortiGate. For example, the
trap below was generated when a FortiAP was connected to a PoE interface of a FortiGate 140D-POE. The trap carries the
device MAC address and when the device was created and last seen:
2018-11-15 11:17:43 UDP/IPv6: [2000:172:16:200::1]:162 [UDP/IPv6: [2000:172:16:200::1]:162]:
DISMAN-EXPRESSION-MIB::sysUpTimeInstance = Timeticks: (520817) 1:26:48.17
SNMPv2-MIB::snmpTrapOID.0 = OID: FORTINET-FORTIGATE-MIB::fgTrapDeviceNew
FORTINET-CORE-MIB::fnSysSerial.0 = STRING: FG140P3G15800330
SNMPv2-MIB::sysName.0 = STRING: FGT_A
IF-MIB::ifIndex.0 = INTEGER: 0
FORTINET-FORTIGATE-MIB::fgVdEntIndex.0 = INTEGER: 0
FORTINET-FORTIGATE-MIB::fgDeviceCreated.0 = Gauge32: 5
FORTINET-FORTIGATE-MIB::fgDeviceLastSeen.0 = Gauge32: 5
FORTINET-FORTIGATE-MIB::fgDeviceMacAddress.0 = STRING: 90:6c:ac:f9:97:a0
fgTrapAvOversize trap
The fgTrapAvOversize trap is generated when the antivirus scanner detects an oversized file. The same event is shown
below twice, first as an SNMP v1 trap (enterprise-specific trap 602) and then in the SNMPv2 notification format:
2019-01-31 13:22:04 10.1.100.1(via UDP: [10.1.100.1]:162->[10.1.100.11]:162) TRAP, SNMP v1, community REGR-SYS
FORTINET-FORTIGATE-MIB::fgt140P Enterprise Specific Trap (602) Uptime: 1 day, 3:41:10.31
FORTINET-CORE-MIB::fnSysSerial.0 = STRING: FG140P3G15800330
SNMPv2-MIB::sysName.0 = STRING: FortiGate-140D-POE
2019-01-31 13:22:29 <UNKNOWN> [UDP: [10.1.100.1]:162->[10.1.100.11]:162]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (9967031) 1 day, 3:41:10.31
SNMPv2-MIB::snmpTrapOID.0 = OID: FORTINET-FORTIGATE-MIB::fgTrapAvOversize
FORTINET-CORE-MIB::fnSysSerial.0 = STRING: FG140P3G15800330
SNMPv2-MIB::sysName.0 = STRING: FortiGate-140D-POE
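As an added example that is not part of the cookbook, the following Python parses snmptrapd log lines in the notification format shown above into structured traps and maps the traps discussed in this section to a severity and a one-line summary, which is what a SIEM or ticketing integration needs from them. The sample lines, serials, addresses, MAC addresses and severities are constructed for the demonstration, and the linkDown sample uses the SNMPv2-style line layout rather than the SNMP v1 layout shown above.

```python
import re
from dataclasses import dataclass

# Constructed snmptrapd log lines in the NET-SNMP notification format shown in
# this section. They are not copied from the cookbook: serials, addresses and
# MAC addresses are made up, and the linkDown line uses the v2c-style layout.
SAMPLE_TRAPS = [
    "2018-11-15 09:30:23 FGT_A [UDP: [172.16.200.1]:162->[172.16.200.55]:162]: "
    "DISMAN-EXPRESSION-MIB::sysUpTimeInstance = Timeticks: (8035097) 22:19:10.97 "
    "SNMPv2-MIB::snmpTrapOID.0 = OID: ENTITY-MIB::entConfigChange",
    "2018-11-15 09:30:23 FGT_A [UDP: [172.16.200.1]:162->[172.16.200.55]:162]: "
    "DISMAN-EXPRESSION-MIB::sysUpTimeInstance = Timeticks: (7975058) 22:09:10.58 "
    "SNMPv2-MIB::snmpTrapOID.0 = OID: FORTINET-FORTIGATE-MIB::fgFmTrapIfChange "
    "FORTINET-CORE-MIB::fnSysSerial.0 = STRING: FGT00000000000001 "
    "IF-MIB::ifName.45 = STRING: port1 "
    "FORTINET-FORTIGATE-MIB::fgManIfIp.0 = IpAddress: 192.0.2.10 "
    "FORTINET-FORTIGATE-MIB::fgManIfMask.0 = IpAddress: 255.255.255.0",
    "2018-11-15 11:17:43 UDP/IPv6: [2001:db8::1]:162 [UDP/IPv6: [2001:db8::1]:162]: "
    "DISMAN-EXPRESSION-MIB::sysUpTimeInstance = Timeticks: (520817) 1:26:48.17 "
    "SNMPv2-MIB::snmpTrapOID.0 = OID: FORTINET-FORTIGATE-MIB::fgTrapDeviceNew "
    "FORTINET-CORE-MIB::fnSysSerial.0 = STRING: FGT00000000000001 "
    "SNMPv2-MIB::sysName.0 = STRING: FGT_A "
    "FORTINET-FORTIGATE-MIB::fgDeviceMacAddress.0 = STRING: 00:11:22:33:44:55",
    "2019-01-31 14:11:48 FGT_A [UDP: [172.16.200.1]:162->[172.16.200.55]:162]: "
    "DISMAN-EXPRESSION-MIB::sysUpTimeInstance = Timeticks: (88495) 0:14:44.95 "
    "SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkDown "
    "IF-MIB::ifIndex.42 = INTEGER: 42 "
    "IF-MIB::ifAdminStatus.42 = INTEGER: down(2) "
    "IF-MIB::ifOperStatus.42 = INTEGER: down(2)",
]

# A varbind is "<MIB>::<object> = <TYPE>: <value>"; the value runs to the next varbind.
VARBIND = re.compile(r"(\S+::\S+) = ([A-Za-z0-9]+): ")
SOURCE = re.compile(r"\[UDP(?:/IPv6)?: \[([^\]]+)\]:\d+")


@dataclass
class Trap:
    received: str   # timestamp snmptrapd stamped on the line
    source: str     # agent address, taken from the transport header
    trap_oid: str   # value of snmpTrapOID.0
    varbinds: dict


def parse_trap(line):
    matches = list(VARBIND.finditer(line))
    if not matches:
        raise ValueError("no varbinds in line")
    header = line[:matches[0].start()]
    src = SOURCE.search(header)
    varbinds = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(line)
        varbinds[m.group(1)] = line[m.end():end].strip()
    return Trap(received=header[:19],
                source=src.group(1) if src else "unknown",
                trap_oid=varbinds.get("SNMPv2-MIB::snmpTrapOID.0", ""),
                varbinds=varbinds)


def _indexed(varbinds, prefix):
    """Value of the first varbind whose name starts with prefix (e.g. IF-MIB::ifName.)."""
    return next((v for k, v in varbinds.items() if k.startswith(prefix)), None)


def triage(trap):
    """Map a trap to (severity, summary); the severities are this example's choice."""
    vb, name = trap.varbinds, trap.trap_oid.rsplit("::", 1)[-1]
    if name == "fgTrapDeviceNew":
        mac = vb.get("FORTINET-FORTIGATE-MIB::fgDeviceMacAddress.0", "?")
        return "high", f"new device {mac} seen by {trap.source}"
    if name == "fgFmTrapIfChange":
        ip = vb.get("FORTINET-FORTIGATE-MIB::fgManIfIp.0", "?")
        mask = vb.get("FORTINET-FORTIGATE-MIB::fgManIfMask.0", "?")
        return "medium", f"{_indexed(vb, 'IF-MIB::ifName.')} on {trap.source} now {ip}/{mask}"
    if name == "linkDown":
        idx = next((k.rsplit(".", 1)[-1] for k in vb if k.startswith("IF-MIB::ifIndex.")), "?")
        return "medium", f"ifIndex {idx} down on {trap.source}"
    if name == "entConfigChange":
        return "low", f"configuration changed on {trap.source}"
    return "info", f"unhandled trap {trap.trap_oid} from {trap.source}"


def triage_all(lines):
    return [triage(parse_trap(line)) for line in lines]


if __name__ == "__main__":
    for severity, summary in triage_all(SAMPLE_TRAPS):
        print(f"[{severity}] {summary}")
```

The parser keys on the varbind names rather than on column positions, so the additional varbinds a FortiGate appends (serial, sysName, VDOM index) are carried along without breaking the match. Feed it the snmptrapd log file line by line; v1-format lines such as the first fgTrapAvOversize example above carry no snmpTrapOID.0 varbind and land in the "unhandled" bucket, which is worth counting so they are not silently dropped.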
Replacement messages
The replacement message list in System > Replacement Messages enables you to view and customize replacement
messages. Highlight the replacement message you want to edit and customize the message content to your
requirements. Click Save when done. If you do not see the message you want to edit, select the Extended View option in
the upper right-hand corner of the screen.
If you make a mistake, select Restore Default to return to the original message and code base.
Supported image formats are GIF, JPEG, TIFF, and PNG. The maximum file size
supported is 24KB.
Replacement messages can be modified to include an HTML message or content that suits your organization. A list of
common replacement messages appear in the main window. Select Extended View to see the entire list and all
categories for replacement messages.
Replacement message groups enable you to view common messages in groups for large carriers. Message groups can
be configured by going to Config > Replacement Message Group.
Using the defined groups, you can manage specific replacement messages from a single location, rather than searching
through the entire replacement message list.
If you enable virtual domains (VDOMs) on the FortiGate unit, replacement message groups are configured separately
for each virtual domain. Each VDOM has its own default replacement message group, configured from System
> Replacement Message Group.
When you modify a message in a replacement message group, a reset icon appears beside the message in the group.
Select the reset icon to reset the message in the replacement message group to the default version.
Cluster setup
Mode Active-Passive
Except for the device priority, these settings must be the same on all FortiGates in the cluster.
4. Leave the remaining settings as their default values. They can be changed after the cluster is in operation.
5. Click OK.
The FortiGate negotiates to establish an HA cluster. Connectivity with the FortiGate may be temporarily lost as the
HA cluster negotiates and the FGCP changes the MAC addresses of the FortiGate's interfaces.
6. Factory reset the other FortiGate that will be in the cluster, configure GUI access, then repeat steps 1 to 5, omitting
setting the device priority, to join the cluster.
Changing the host name makes it easier to identify individual cluster units in the cluster operations.
4. Enable HA:
config system ha
set mode a-p
set group-name Example_cluster
set hbdev ha1 10 ha2 20
end
5. Leave the remaining settings as their default values. They can be changed after the cluster is in operation.
6. Repeat steps 1 to 5 on the other FortiGate devices to join the cluster.
Mode Active-Active
Except for the device priority, these settings must be the same on all FortiGates in the cluster.
4. Leave the remaining settings as their default values. They can be changed after the cluster is in operation.
5. Click OK.
The FortiGate negotiates to establish an HA cluster. Connectivity with the FortiGate may be temporarily lost as the
HA cluster negotiates and the FGCP changes the MAC addresses of the FortiGate's interfaces.
6. Factory reset the other FortiGate that will be in the cluster, configure GUI access, then repeat steps 1 to 5, omitting
setting the device priority, to join the cluster.
Changing the host name makes it easier to identify individual cluster units in the cluster operations.
4. Enable HA:
config system ha
set mode a-a
set group-name Example_cluster
set hbdev ha1 10 ha2 20
end
5. Leave the remaining settings as their default values. They can be changed after the cluster is in operation.
6. Repeat steps 1 to 5 on the other FortiGate devices to join the cluster.
HA virtual clusters are based on VDOMs and are more complicated than regular clusters.
Mode Active-Passive
Except for the device priority, these settings must be the same on all FortiGates in the cluster.
4. Leave the remaining settings as their default values. They can be changed after the cluster is in operation.
5. Click OK.
The FortiGate negotiates to establish an HA cluster. Connectivity with the FortiGate may be temporarily lost as the
HA cluster negotiates and the FGCP changes the MAC addresses of the FortiGate's interfaces.
6. Factory reset the other FortiGate that will be in the cluster, configure GUI access, then repeat steps 1 to 5, omitting
setting the device priority, to join the cluster.
7. Go to System > Settings and enable Virtual Domains.
8. Click Apply. You will be logged out of the FortiGate.
9. Log back into the FortiGate, ensure that you are in the global VDOM, and go to System > VDOM.
10. Create two new VDOMs, such as VD1 and VD2:
a. Click Create New. The New Virtual Domain page opens.
b. Enter a name for the VDOM in the Virtual Domain field, then click OK to create the VDOM.
c. Repeat these steps to create a second new VDOM.
11. Implement a virtual cluster by moving the new VDOMs to Virtual cluster 2:
a. Go to System > HA.
b. Enable VDOM Partitioning.
c. Click on the Virtual cluster 2 field and select the new VDOMs.
d. Click OK.
Fail protection
The FortiGate Clustering Protocol (FGCP) provides failover protection, meaning that a cluster can continue to provide
FortiGate services even when one of the devices in the cluster encounters a problem that would cause a complete loss of
connectivity for a stand-alone FortiGate unit. Failover protection is a backup mechanism that reduces the risk of
unexpected downtime, especially in mission-critical environments.
FGCP supports failover protection in two ways:
1. Link failover: traffic flow is maintained if a monitored link fails.
2. Device failover: if a unit loses power, the cluster automatically fails over to a backup unit with minimal impact on the
network.
When session-pickup is enabled in the HA settings, existing TCP sessions are kept, and users on the network are not
impacted by the failover because traffic continues to pass without the sessions having to be re-established.
Link failover
Before a link failure can trigger a failover, the administrator must configure monitor interfaces. Normally, the internal
interface that connects to the internal network and an outgoing interface for traffic to the Internet or outside the network
should be monitored. Any of those links going down triggers a failover.
Device failover
When an active (master) unit loses power, a backup (slave) unit automatically becomes the master, and the impact on
traffic is minimal. There are no settings for this kind of failover.
Connect all necessary interfaces as per the topology diagram below. Interface names may differ depending on the
models in use; the interface names in the topology diagram are for example purposes only.
These instructions assume that the device is connected to the console, that the CLI is accessible, and that all
boxes have been factory reset.
1. Connect all necessary interfaces as per the topology diagram.
2. Enter the following command to change the FortiGate unit host name (use Example2_host, and so on, on the other
units):
config system global
set hostname Example1_host
end
Troubleshoot an HA formation
Using units of the same hardware generation is a best practice that avoids issues that can occur later on. If you are
unsure whether the boxes you have are from the same generation, please contact customer service.
One box keeps shutting down during HA setup (hard drive failure):
If one box has a hard drive failure but the other does not, the one with the hard drive failure will be shut down during
HA setup. In this case, RMA the box to resolve the issue.
When all members join together as a cluster, a process called a negotiation begins in order to decide which box will
become the Master. It is decided by the following criteria:
The first factor is the number of monitored interfaces that are up. If Box A has two monitored interfaces up and Box B
has only one, Box A becomes the Master. Ensure all monitored connections to members are good.
All members are Masters and members can't see other members:
Typically, this is a heartbeat issue. It is recommended that for a two-member cluster, you use a back-to-back connection
for heartbeat communication. If there are more than three members in the cluster, a separate switch should be used to
connect all heartbeat interfaces.
The HA sync status can be viewed in the GUI through either a widget on the Dashboard or on the System > HA page. It
can also be confirmed through the CLI. When a cluster is out of sync, administrators should correct the issue as soon as
possible as it affects the configuration integrity and can cause issues to occur.
- Dashboard widget: Following HA setup, the HA Status widget can be added to the Dashboard. The widget shows the
HA sync status by displaying a green checkmark next to each member in sync. A red mark indicates the member is out
of sync.
- CLI: run the command get sys ha status to see if the cluster is in sync. The sync status is reported under
Configuration Status. In the following example, both members are in sync:
FGT_A # get sys ha status
HA Health Status: OK Model: FortiGate-300D Mode: HA A-P Group: 146 Debug: 0 Cluster Uptime:
0 days 21:42:53 Cluster state change time: 2019-03-09 11:40:51 Master selected using:
Policies
Policy introduction
Firewall policies
The firewall policy is the axis around which most features of the FortiGate firewall revolve. Many settings in the firewall
end up relating to or being associated with the firewall policies and the traffic that they govern. Any traffic going through
a FortiGate unit has to be associated with a policy. These policies are essentially discrete compartmentalized sets of
instructions that control the traffic flow going through the firewall. These instructions control where the traffic goes, how
it’s processed, if it’s processed, and even whether or not it’s allowed to pass through the FortiGate.
When the firewall receives a connection packet, it analyzes the packet’s source address, destination address, and
service (by port number). It also registers the incoming interface, the outgoing interface it will need to use, and the time
of day. Using this information, the FortiGate firewall attempts to locate a security policy that matches the packet. If it
finds a policy that matches the parameters, it then looks at the action for that policy. If it is Accept, the traffic is allowed
to proceed to the next step. If the Action is Deny or a match cannot be found, the traffic is not allowed to proceed.
The two basic actions at the initial connection are either Accept or Deny:
- If the Action is Accept, the policy action permits communication sessions. There may be other packet processing
instructions, such as requiring authentication to use the policy or restrictions on the source and destination of the
traffic.
- If the Action is Deny, the policy action blocks communication sessions, and you can optionally log the denied
traffic. If no security policy matches the traffic, the packets are dropped. A Deny security policy is needed when it is
required to log the denied traffic, also referred to as violation traffic.
There are two other actions that can be associated with the policy:
- Learn - This is a specialized variation on the Accept action. It is set up to allow traffic and retain traffic logs so
that the administrator can review them to learn what kind of traffic has to be dealt with.
- IPsec - This is an Accept action that is specifically for policy-based IPsec tunnels. By default, FortiGate creates
interface (route-based) VPNs, so you don't need to create policies with action IPsec.
There can also be a number of instructions associated with a FortiGate firewall in addition to the Accept or Deny
actions, some of which are optional. Instructions on how to process the traffic can also include such things as:
- Log Allowed Traffic - Select to log only Security Events or All Sessions.
- Authentication - Identifying users and other computers is a key part of network security.
- Network Address Translation or Port Address Translation.
- Use Virtual IPs or IP Pools.
- Caching.
- Whether the source of the traffic is based on address, user, device, or a combination.
- Whether to treat as regular traffic or IPsec traffic.
- What certificates to use.
For traffic to flow through the FortiGate firewall, there must be a policy that matches its parameters:
- Incoming interface(s)
- Outgoing interface(s)
- Source address(es)
- User(s) identity
- Destination address(es)
- Internet service(s)
- Schedule
- Service
Without all six (possibly eight) of these things matching, the traffic is declined.
Traffic flow initiated from each direction requires a policy, that is, if sessions can be initiated from both directions, each
direction requires a policy.
Just because packets can go from point A to point B on port X does not mean that the traffic can flow from point B to
point A on port X. If sessions can be initiated from both directions, then there must be a policy for each direction. For
session traffic in the reply direction only (not the initiating direction), a policy is not needed.
When designing a policy, there is often reference to the traffic flow, but most communication is two-way, so determining
the direction of the flow can be confusing. If the traffic is HTTP web traffic, the user sends a request to the website, but
most of the bytes flow from the website back to the user, so is the flow from the website, or in both directions? For the
purposes of determining the direction for a policy, the important factor is the direction of the initiating communication.
The user sends the request to the website, so that is the initial communication; the website is only responding, so the
policy direction is from the user's network to the Internet.
From version 5.6, we added a new policy mode called Next Generation Firewall (NGFW). This mode is only available
when the VDOM inspection-mode is flow. This model is divided into two working modes — profile-based and policy-
based. Profile-based NGFW is the traditional mode where a user needs to create an AV/web/IPS profile which is applied
to the policy.
Policy-based mode is new. In this mode, users can add applications and web filtering categories directly to a policy
without having to first create and configure Application Control or Web Filtering profiles. If a URL category is set, the
applications that are added to the policy must be within the browser-based technology category. NGFW is per VDOM
setting. This means users can operate their FortiGate or individual VDOMs on their FortiGate in NGFW policy-based
mode when they select flow-based inspection.
Switching NGFW mode from profile-based to policy-based converts your profile-based security policies to policy-based
security policies. If you don't want this to happen, or you just want to experiment with policy-based NGFW mode,
consider creating a new VDOM for policy-based NGFW mode. You can also back up your configuration before switching
modes.
NGFW policy-based firewall policies might have unintended consequences to the passing or blocking of traffic. For
example, if you add new firewall policies that are designed to DENY social media traffic based on applications or URLs,
having a traditional “catch all” firewall policy to DENY all other traffic at the bottom of the firewall policy list may have the
unintended consequence of blocking legitimate traffic. Also note that NGFW policy-based mode applies the NAT
settings from matching Central SNAT policies. If you don’t already have a Central SNAT policy in place, you must create
one.
In version 6.2, the inspection mode moved from the VDOM to the firewall policy, and the default inspection mode is
flow, so you can change the NGFW mode from profile-based (the default) to policy-based directly in the VDOM's System >
Settings.
You can operate your FortiGate or individual VDOMs in Next Generation Firewall (NGFW) policy mode.
1. Go to System > Settings.
2. In NGFW Mode, select Policy-based.
3. In SSL/SSH Inspection, select the SSL/SSH inspection mode to be applied to all policies.
If your FortiGate is operating in NAT mode, rather than enabling source NAT in individual NGFW policies, go to Policy
& Objects > Central SNAT and add source NAT policies that apply to all matching traffic. In many cases, you may only
need one SNAT policy for each interface pair. For example, if you allow users on the internal network (connected to
LAN) to browse the Internet (connected to wan1), you can add a LAN to wan1 Central SNAT policy similar to the
following.
Configure Application Control by adding individual applications to security policies. You can set the action to ACCEPT
or DENY to allow or block applications.
In the above example, if you browse to www.facebook.com, your connection will time out.
You can combine both application control and web filtering in the same NGFW policy mode policy. If the policy accepts
applications or URL categories, you can apply Antivirus, DNS Filtering, and IPS profiles in NGFW mode policies as well
as logging and policy learning mode.
This topic provides a sample of firewall policy views and firewall policy lookup.
Policy views
In Policy & Objects policy list page, there are two policy views: Interface Pair View and By Sequence view.
Interface Pair View displays the policies in the order that they are checked for matching traffic, grouped by the pairs of
Incoming and Outgoing interfaces. For example, all policies referencing traffic from WAN1 to DMZ are in one section.
The policies referencing traffic from DMZ to WAN1 are in another section. The sections are collapsible so that you only
need to look at the sections you want.
By Sequence displays policies in the order that they are checked for matching traffic without any grouping.
The default display is Interface Pair View. You can switch between the two views, except when any or multiple
interfaces are used in a policy.
How Any or multiple-interfaces policy can change the Interface Pair View
The FortiGate unit automatically changes the view on the policy list page to By Sequence whenever there is a policy
containing any or multiple-interfaces as the Source or Destination interface. If the Interface Pair View is grayed out, it
is likely that one or more policies have used the any or multiple-interfaces.
When you use any or multiple interfaces, the policy belongs in several sections because it might match any one of a
number of interface pairings. Policies are divided into sections by interface pairing, for example, port1 to port2.
Each section has its own policy order. The order in which a policy is checked for matching criteria to a packet’s
information is based solely on the position of the policy within its section or within the entire list of policies. If the policy
is in multiple sections, FortiGate cannot place the policy in order in multiple sections. Therefore the view can only be By
Sequence.
Policy lookup
Sample configuration
This example uses the TCP protocol to show how policy lookup works:
1. In Policy & Objects policy list page, click Policy Lookup and enter the traffic parameters.
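The lookup described in this section, as an added Python model that is not part of the FortiOS Cookbook: policies are checked in By Sequence order against the parameters listed under Firewall policies (incoming and outgoing interface, source, destination, service, schedule), the first match decides the action, and an unmatched packet falls to the implicit deny. It also shows why the Interface Pair View becomes unavailable once a policy uses any or multiple interfaces, and why a policy is needed per initiating direction. The interface names, subnets and the policy table itself are constructed for the example.

```python
"""First-match firewall policy lookup, modelled on the FortiGate policy table.

Added example, not from the FortiOS Cookbook. Interfaces, subnets and the
sample policies below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Policy:
    seq: int                          # position in the By Sequence list
    name: str
    srcintf: List[str]                # incoming interface(s); "any" matches all
    dstintf: List[str]                # outgoing interface(s)
    srcaddr: List[str]                # CIDR strings; "all" matches everything
    dstaddr: List[str]
    services: List[Tuple[str, int]]   # (protocol, port); ("ALL", 0) matches everything
    action: str                       # "accept" or "deny"
    schedule: str = "always"          # only the "always" schedule is modelled

    @staticmethod
    def _intf_ok(want: str, have: List[str]) -> bool:
        return "any" in have or want in have

    @staticmethod
    def _addr_ok(addr: str, nets: List[str]) -> bool:
        return "all" in nets or any(ip_address(addr) in ip_network(n) for n in nets)

    def _svc_ok(self, proto: str, port: int) -> bool:
        return any(p == "ALL" or (p == proto and pt == port) for p, pt in self.services)

    def matches(self, pkt: Dict) -> bool:
        """Every parameter (interfaces, addresses, service, schedule) must match."""
        return (self._intf_ok(pkt["srcintf"], self.srcintf)
                and self._intf_ok(pkt["dstintf"], self.dstintf)
                and self._addr_ok(pkt["src"], self.srcaddr)
                and self._addr_ok(pkt["dst"], self.dstaddr)
                and self._svc_ok(pkt["proto"], pkt["dport"])
                and self.schedule == "always")


def lookup(policies: List[Policy], pkt: Dict) -> Tuple[str, Optional[int]]:
    """Return (action, policy seq) of the first match in sequence order.

    No match means the packet is dropped: the implicit deny at the bottom
    of the policy list."""
    for pol in sorted(policies, key=lambda p: p.seq):
        if pol.matches(pkt):
            return pol.action, pol.seq
    return "deny", None


def interface_pair_view(policies: List[Policy]) -> Optional[Dict[Tuple[str, str], List[int]]]:
    """Group policy sequence numbers by (incoming, outgoing) interface pair.

    Returns None when a policy uses "any" or several interfaces: such a policy
    would sit in more than one section, so only the By Sequence view is valid."""
    sections: Dict[Tuple[str, str], List[int]] = {}
    for pol in sorted(policies, key=lambda p: p.seq):
        if len(pol.srcintf) != 1 or len(pol.dstintf) != 1 or "any" in pol.srcintf + pol.dstintf:
            return None
        sections.setdefault((pol.srcintf[0], pol.dstintf[0]), []).append(pol.seq)
    return sections


# Constructed policy table (interfaces and subnets are assumptions).
POLICIES = [
    Policy(1, "block-dmz-ssh", ["internal"], ["dmz"], ["10.1.100.0/24"], ["172.16.200.0/24"], [("tcp", 22)], "deny"),
    Policy(2, "lan-to-dmz", ["internal"], ["dmz"], ["10.1.100.0/24"], ["172.16.200.0/24"], [("ALL", 0)], "accept"),
    Policy(3, "lan-to-wan", ["internal"], ["wan1"], ["all"], ["all"], [("tcp", 80), ("tcp", 443)], "accept"),
]
# A policy with "any" as the incoming interface forces the By Sequence view.
ANY_POLICY = Policy(4, "any-to-wan", ["any"], ["wan1"], ["all"], ["all"], [("tcp", 53)], "accept")


if __name__ == "__main__":
    pkt = {"srcintf": "internal", "dstintf": "dmz", "src": "10.1.100.5",
           "dst": "172.16.200.55", "proto": "tcp", "dport": 22}
    print(lookup(POLICIES, pkt))                  # ('deny', 1)
    print(interface_pair_view(POLICIES))          # grouped by interface pair
    print(interface_pair_view(POLICIES + [ANY_POLICY]))  # None
```

Note that the reply packets of a session accepted by policy 3 are never looked up again; only a session initiated from wan1 toward the internal network would need its own policy, and with this table it hits the implicit deny.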
Static SNAT
NAT or Network Address Translation is the process that enables a single device such as a router or firewall to act as an
agent between the Internet or Public Network and a local or private network. This agent acts in real time to translate the
source or destination IP address of a client or server on the network interface. For the source IP translation, this enables
a single public address to represent a significantly larger number of private addresses. For the destination IP translation,
the firewall can translate a public destination address to a private address. So we don't have to configure a real public IP
address for the server deployed in a private network.
We can subdivide NAT into two types: source NAT (SNAT) and destination NAT (DNAT). This topic is about SNAT. FortiOS
supports three SNAT working modes: static SNAT, dynamic SNAT, and central SNAT.
In static SNAT, all internal IP addresses are always mapped to the same public IP address. This is a port address
translation. Since there are 60,416 available port numbers, this one public IP address can handle the conversion of
60,416 internal IP addresses. See the example below.
Sample configuration
The following example of static SNAT uses an internal network with subnet 10.1.100.0/24 (vlan20) and an external/ISP
network with subnet 172.16.200.0/24 (vlan30).
When clients in the internal network need to access servers in the external network, we need to translate the source IP
addresses from 10.1.100.0/24 to an IP address in 172.16.200.0/24. In this example, we implement static SNAT by
creating a firewall policy.
For packets that match this policy, the source IP address is translated to the IP address of the outgoing interface.
Dynamic SNAT
Dynamic SNAT maps the private IP addresses to the first available public address from a pool of addresses. In the
FortiGate firewall, this can be done by using IP pools. IP pools is a mechanism that allows sessions leaving the
FortiGate firewall to use NAT. An IP pool defines a single IP address or a range of IP addresses to be used as the source
address for the duration of the session. These assigned addresses are used instead of the IP address assigned to that
FortiGate interface.
IP pool types
FortiGate uses four types of IPv4 IP pools. This recipe focuses on some of the differences between them.
Overload
This type of IP pool is similar to static SNAT mode. We only need to define an external IP range, which can contain one
or multiple IP addresses. When there is only one IP address, it is almost the same as static SNAT using the outgoing
interface address. When it contains multiple IP addresses, it is equivalent to an extended mode of static SNAT.
For instance, if we define an overload type IP pool with two external IP addresses (172.16.200.1-172.16.200.2), since
there are 60,416 available port numbers per IP, this IP pool can handle 60,416*2 internal IP addresses. See the example
below.
One-to-one
This type of IP pool means that the internal IP address and the external (translated) IP address match one-to-one. The
port address translation (PAT) is disabled when using this type of IP pool. For example, if we define a one-to-one type IP
pool with two external IP addresses (172.16.200.1-172.16.200.2), this IP pool only can handle two internal IP
addresses.
Fixed port range
For the overload and one-to-one IP pool types, we do not need to define the internal IP range. For the fixed port range
type of IP pool, we can define both the internal IP range and the external IP range. Since the number of external IP
addresses and the number of available port numbers are both fixed, if the number of internal IP addresses is also
known, we can calculate the port range for each address translation combination. That is why this type is called fixed
port range. This type of IP pool is a type of port address translation (PAT).
For instance, if we define one external IP address (172.16.200.1) and ten internal IP addresses (10.1.100.1-
10.1.100.10), the IP+port translation combinations are as in the following table:
Port block allocation (PBA)
This type of IP pool is also a type of port address translation (PAT). It gives users a more flexible way to control how
external IPs and ports are allocated. Users need to define Block Size, Block Per User, and the external IP range. Block
Size is how many ports each block contains. Block Per User is how many blocks each user (internal IP) can use.
Following is a simple example:
External IP Range: 172.16.200.1-172.16.200.1
Block Size: 128
Block Per User: 8
Result:
Total-PBAs: 472 (60416/128)
Maximum ports can be used per User (Internal IP Address): 1024 (128*8)
How many Internal IP can be handled: 59 (60416/1024 or 472/8)
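The capacity arithmetic for the four IP pool types, as an added Python example that is not from the FortiOS Cookbook. It uses the 60,416 ports per external IP figure given above and reproduces the port block allocation result (472 blocks, 1,024 ports per user, 59 internal IPs). The starting port number of the NAT range (5117) and the way internal hosts are assigned to external IPs when laying out the fixed port range table are assumptions made so that the table can be computed.

```python
"""Source NAT capacity for the overload, one-to-one, fixed port range and
port block allocation IP pool types.

Added example, not from the FortiOS Cookbook. PORTS_PER_IP is the figure
the text gives; FIRST_PORT and the host-to-external-IP assignment order in
fixed_port_range() are assumptions.
"""
import math
from ipaddress import ip_address
from typing import Dict, List, Tuple

PORTS_PER_IP = 60416   # usable NAT source ports per external IP (from the text)
FIRST_PORT = 5117      # assumed first port of the NAT range; only the count matters


def ip_range(first: str, last: str) -> List[str]:
    """Expand an inclusive range such as 172.16.200.1-172.16.200.2 into addresses."""
    lo, hi = int(ip_address(first)), int(ip_address(last))
    return [str(ip_address(i)) for i in range(lo, hi + 1)]


def overload_capacity(external: List[str]) -> int:
    """Overload (and static SNAT): every external IP offers its whole port range (PAT)."""
    return PORTS_PER_IP * len(external)


def one_to_one_capacity(external: List[str]) -> int:
    """One-to-one: PAT is disabled, so each external IP serves exactly one internal IP."""
    return len(external)


def fixed_port_range(external: List[str], internal: List[str]) -> Dict[str, Tuple[str, int, int]]:
    """Fixed port range: each internal IP is pinned to one external IP and to a
    fixed, non-overlapping slice of that IP's ports. Returns
    {internal_ip: (external_ip, first_port, last_port)}."""
    per_external = math.ceil(len(internal) / len(external))   # internal hosts sharing one external IP
    ports_each = PORTS_PER_IP // per_external                 # ports in each host's slice
    table: Dict[str, Tuple[str, int, int]] = {}
    for i, host in enumerate(internal):
        ext = external[i // per_external]
        lo = FIRST_PORT + (i % per_external) * ports_each
        table[host] = (ext, lo, lo + ports_each - 1)
    return table


def port_block_allocation(external: List[str], block_size: int, blocks_per_user: int) -> Tuple[int, int, int]:
    """Port block allocation: returns (total blocks, ports per user, internal IPs handled)."""
    total_blocks = (PORTS_PER_IP // block_size) * len(external)
    ports_per_user = block_size * blocks_per_user
    max_users = total_blocks // blocks_per_user
    return total_blocks, ports_per_user, max_users


if __name__ == "__main__":
    ext = ip_range("172.16.200.1", "172.16.200.2")
    print("overload:", overload_capacity(ext))          # 120832 internal IPs
    print("one-to-one:", one_to_one_capacity(ext))      # 2 internal IPs
    for host, row in fixed_port_range(["172.16.200.1"], ip_range("10.1.100.1", "10.1.100.10")).items():
        print("fixed port range:", host, "->", row)
    print("PBA:", port_block_allocation(["172.16.200.1"], 128, 8))   # (472, 1024, 59)
```

The fixed port range table shows the trade-off the text describes: with one external IP and ten internal hosts, each host gets a fixed slice of 6,041 ports, which makes every translation predictable but leaves any unused ports in a slice unavailable to the other hosts.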
Sample configuration
next
end
Central SNAT
The central SNAT table enables you to define and control (with more granularity) the address translation performed by
FortiGate. With the NAT table, you can define the rules for the source address or address group, and which IP pool the
destination address uses.
While similar in functionality to IP pools where a single address is translated to an alternate address from a range of IP
addresses, with IP pools there is no control over the translated port. When using the IP pool for source NAT, you can
define a fixed port to ensure the source port number is unchanged. If no fixed port is defined, the port translation is
randomly chosen by FortiGate. With the central NAT table, you have full control over both the IP address and port
translation.
FortiGate reads the NAT rules from the top down until it hits a matching rule for the incoming address. This enables you
to create multiple NAT policies that dictate which IP pool is used based on the source address. NAT policies can be
rearranged within the policy list. NAT policies are applied to network traffic after a security policy.
The central SNAT table allows you to create, edit, delete, and clone central SNAT entries.
Sample configuration
When central NAT is enabled, Policy & Objects displays the Central SNAT section.
Usually we use a VIP to implement destination address translation. Mapping a specific IP address to another specific IP
address is usually referred to as Destination NAT. When the Central NAT Table is not used, FortiOS calls this a Virtual
IP Address (VIP). FortiOS uses a DNAT or Virtual IP address to map an external IP address to an IP address. This
address does not have to be an individual host; it can also be an address range. This mapping can include all TCP/UDP
ports or, if Port Forwarding is enabled, only the configured ports. Because the Central NAT table is disabled by default,
the term Virtual IP address or VIP is predominantly used.
Virtual IP addresses are typically used to NAT external or public IP addresses to internal or private IP addresses. Using a
Virtual IP address between two internal interfaces made up of private IP addresses is possible but there is rarely a
reason to do so as the two networks can just use the IP addresses of the networks without the need for any address
translation. Using a Virtual IP address for traffic going from the inside to the Internet is even less likely to be a
requirement, but it is supported.
Sample configuration
4. Enter a unique name for the virtual IP and fill in the other fields.
Virtual IP with services is a more flexible virtual IP mode. This mode allows users to define services to a single port
number mapping.
This recipe shows how to use virtual IP with services enabled. This example has one public external IP address. We
map TCP ports 8080, 8081, and 8082 to an internal WebServer TCP port 80. This allows remote connections to
communicate with a server behind the firewall.
Sample configuration
- Access 10.1.100.199:8082 from the external network and FortiGate maps to 172.16.200.55:80 in the internal
network.
If you need to hide the internal server port number or need to map several internal servers to the same public IP
address, enable port-forwarding for Virtual IP.
This recipe shows how to use virtual IPs to configure port forwarding on a FortiGate unit. This example has one public
external IP address. We map TCP ports 8080, 8081, and 8082 to different internal WebServers' TCP port 80. This
allows remote connections to communicate with a server behind the firewall.
Sample configuration
9. Click OK.
10. Follow the above steps to create two additional virtual IPs.
a. For one virtual IP:
- Use a different Mapped IP Address/Range, for example, 172.16.200.56.
- Set External Service Port to 8081 - 8081.
- Use the same Map to Port numbers: 80 - 80.
b. For the other virtual IP:
- Use a different Mapped IP Address/Range, for example, 172.16.200.57.
- Set External Service Port to 8082 - 8082.
- Use the same Map to Port numbers: 80 - 80.
11. Create a Virtual IP Group and put the above three virtual IPs into that group.
network.
- Access 10.1.100.199:8082 from the external network and FortiGate maps to 172.16.200.57:80 in the internal network.
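Destination translation through the two recipes above (a single virtual IP with services that sends three external ports to one web server, and a virtual IP group that sends each external port to a different server), as an added Python model that is not part of the FortiOS Cookbook. The addresses and ports are the ones used in the recipes; the matching and translation logic, the object names and the service list layout are assumptions.

```python
"""Virtual IP (DNAT) lookup with services and with port forwarding.

Added example, not from the FortiOS Cookbook. Addresses and ports come from
the recipes above; the VIP names and the matching logic are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def port_range(lo: int, hi: int) -> List[int]:
    """Expand an inclusive External Service Port / Map to Port range."""
    return list(range(lo, hi + 1))


@dataclass
class VirtualIP:
    name: str
    extip: str             # External IP Address
    ext_ports: List[int]   # External Service Port(s): a range, or the service ports
    mappedip: str          # Mapped IP Address
    map_ports: List[int]   # Map to Port: a single port, or one port per external port
    protocol: str = "tcp"

    def __post_init__(self) -> None:
        if len(self.map_ports) not in (1, len(self.ext_ports)):
            raise ValueError(f"{self.name}: mapped ports must be one port or match the external range")

    def translate(self, dst: str, proto: str, dport: int) -> Optional[Tuple[str, int]]:
        """Return (mapped ip, mapped port) if this VIP applies to the packet."""
        if dst != self.extip or proto != self.protocol or dport not in self.ext_ports:
            return None
        if len(self.map_ports) == 1:                       # every external port -> one server port
            return self.mappedip, self.map_ports[0]
        return self.mappedip, self.map_ports[self.ext_ports.index(dport)]   # range maps 1:1


def dnat(vips: List[VirtualIP], dst: str, proto: str, dport: int) -> Optional[Tuple[str, int]]:
    """First VIP (or VIP group member) that matches wins; None keeps the original destination."""
    for vip in vips:
        hit = vip.translate(dst, proto, dport)
        if hit is not None:
            return hit
    return None


# Recipe 1: virtual IP with services, three external ports to one web server (port 80).
VIP_WITH_SERVICES = VirtualIP("webserver-services", "10.1.100.199", [8080, 8081, 8082], "172.16.200.55", [80])

# Recipe 2: port forwarding, one VIP per external port, grouped into a VIP group.
VIP_GROUP = [
    VirtualIP("web1", "10.1.100.199", port_range(8080, 8080), "172.16.200.55", port_range(80, 80)),
    VirtualIP("web2", "10.1.100.199", port_range(8081, 8081), "172.16.200.56", port_range(80, 80)),
    VirtualIP("web3", "10.1.100.199", port_range(8082, 8082), "172.16.200.57", port_range(80, 80)),
]


if __name__ == "__main__":
    for port in (8080, 8081, 8082, 8083):
        print(port, "services:", dnat([VIP_WITH_SERVICES], "10.1.100.199", "tcp", port),
              "group:", dnat(VIP_GROUP, "10.1.100.199", "tcp", port))
```

Because only the listed ports are translated, a connection to 10.1.100.199 on any other port, or over UDP, is left untouched and then has to find a matching firewall policy on its own.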
Virtual server
This topic shows a special virtual IP type, the virtual server. Use this type of VIP to implement server load balancing.
The FortiOS server load balancing contains all the features of a server load balancing solution. You can balance traffic
across multiple backend servers based on multiple load balancing schedules including:
- Static (failover).
- Round robin.
- Weighted (to account for different sized servers or based on the health and performance of the server including
round trip time and number of connections).
The load balancer supports HTTP, HTTPS, IMAPS, POP3S, SMTPS, SSL/TLS, and generic TCP/UDP and IP protocols.
Session persistence is supported based on the SSL session ID, on an injected HTTP cookie, or on the HTTP or HTTPS
host. SSL/TLS load balancing includes protection from protocol downgrade attacks. Server load balancing is supported
on most FortiGate devices and includes up to 10,000 virtual servers on high end systems.
Sample topology
SSL/TLS offloading
FortiGate SSL/TLS offloading is designed for the proliferation of SSL/TLS applications. The key exchange and
encryption/decryption tasks are offloaded to the FortiGate unit where they are accelerated using FortiASIC technology
which provides significantly more performance than a standard server or load balancer. This frees up valuable resources
on the server farm to give better response to business operations. Server load balancing offloads most SSL/TLS
versions including SSL 3.0, TLS 1.0, and TLS 1.2; and supports full mode or half mode SSL offloading with DH key sizes
up to 4096 bits.
FortiGate SSL offloading allows the application payload to be inspected before it reaches your servers. This prevents
intrusion attempts, blocks viruses, stops unwanted applications, and prevents data leakage. SSL/TLS content
inspection supports TLS versions 1.0, 1.1, and 1.2 and SSL versions 1.0, 1.1, 1.2, and 3.0.
When creating a new virtual server, you must configure the following options:
- Virtual Server Type.
- Load Balancing Methods.
- Health check monitoring (optional).
- Session persistence (optional).
- Virtual Server IP (External IP Address).
- Virtual Server Port (External Port).
- Real Servers (Mapped IP Address & Port).
Select the protocol to be load balanced by the virtual server. If you select a general protocol such as IP, TCP, or UDP,
the virtual server load balances all IP, TCP, or UDP sessions. If you select specific protocols such as HTTP, HTTPS, or
SSL, you can apply additional server load balancing features such as Persistence and HTTP Multiplexing.
HTTP: Select HTTP to load balance only HTTP sessions with the destination port number that matches the Virtual
Server Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced
(usually port 80 for HTTP sessions). You can also select HTTP Multiplexing, and you can set Persistence to HTTP
Cookie to enable cookie-based persistence.
HTTPS: Select IMAPS to load balance only IMAPS sessions with the destination port number that matches the Virtual
Server Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced
(usually port 993 for IMAPS sessions). You can also set Persistence to SSL Session ID.
IMAPS: Select IMAPS to load balance only IMAPS sessions with the destination port number that matches the Virtual
Server Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced
(usually port 993 for IMAPS sessions). You can also set Persistence to SSL Session ID.
POP3S: Select POP3S to load balance only POP3S sessions with the destination port number that matches the Virtual
Server Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced
(usually port 995 for POP3S sessions). You can also set Persistence to SSL Session ID.
SMTPS: Select SMTPS to load balance only SMTPS sessions with the destination port number that matches the
Virtual Server Port setting. Change Virtual Server Port to match the destination port of the sessions to be load
balanced (usually port 465 for SMTPS sessions). You can also set Persistence to SSL Session ID.
SSL: Select SSL to load balance only SSL sessions with the destination port number that matches the Virtual Server
Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced.
TCP: Select TCP to load balance only TCP sessions with the destination port number that matches the Virtual Server
Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced.
UDP: Select UDP to load balance only UDP sessions with the destination port number that matches the Virtual Server
Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced.
IP: Select IP to load balance all sessions accepted by the security policy that contains this virtual server.
The load balancing method defines how sessions are load balanced to real servers.
No load balancing method sends traffic to real servers that are down or not responding. FortiGate can only determine
that a real server is not responding by using a health check monitor. You should always add at least one health check
monitor to a virtual server or to real servers; otherwise load balancing might try to distribute sessions to real servers
that are not functioning.
Static: The traffic load is spread evenly across all real servers. Sessions are not assigned according to how busy
individual real servers are. This load balancing method provides some persistence because all sessions from the same
source address always go to the same real server. Because the distribution is stateless, if a real server is added,
removed, or goes up or down, the distribution changes and persistence might be lost.
Round Robin: Directs new requests to the next real server. This method treats all real servers as equals regardless of
response time or the number of connections. This method does not direct requests to real servers that are down or not
responding.
Weighted: Real servers with a higher weight value receive a larger percentage of connections. Set the real server
weight when adding a real server.
Least Session: Directs requests to the real server that has the least number of current connections. This method
works best in environments where the real servers or other equipment you are load balancing all have similar
capabilities. This load balancing method uses the FortiGate session table to track the number of sessions being
processed by each real server. The FortiGate unit cannot detect the number of sessions actually being processed by a
real server.
Least RTT: Directs sessions to the real server with the lowest round trip time. The round trip time is determined by a
ping health check monitor. The default is 0 if no ping health check monitors are added to the virtual server.
First Alive: Directs sessions to the first live real server. This load balancing schedule provides real server failover
protection by sending all sessions to the first live real server. If a real server fails, all sessions are sent to the next live
real server. Sessions are not distributed to all real servers, so all sessions are processed by the first real server only.
HTTP Host: Load balances HTTP host connections across multiple real servers using the host's HTTP header to guide
the connection to the correct real server.
In the FortiGate GUI, you can configure health check monitoring so that the FortiGate unit can verify that real servers
are able to respond to network connection attempts. If a real server responds to connection attempts, the load balancer
continues to send sessions to it. If a real server stops responding to connection attempts, the load balancer assumes
that the server is down and does not send sessions to it. The health check monitor configuration determines how the
load balancer tests real servers. You can use a single health check monitor for multiple load balancing configurations.
You can configure TCP, HTTP, and Ping health check monitors. You usually set the health check monitor to use the
same protocol as the traffic being load balanced to it. For example, for an HTTP load balancing configuration, you
would normally use an HTTP health check monitor.
Session persistence
Use persistence to ensure a user is connected to the same real server every time the user makes an HTTP, HTTPS, or
SSL request that is part of the same user session. For example, if you are load balancing HTTP and HTTPS sessions to
a collection of eCommerce web servers, when users make a purchase, they will be starting multiple sessions as they
navigate the eCommerce site. In most cases, all the sessions started by this user during one eCommerce session
should be processed by the same real server. Typically, the HTTP protocol keeps track of these related sessions using
cookies. HTTP cookie persistence ensures that all sessions that are part of the same user session are processed by the
same real server.
When you configure persistence, the FortiGate unit load balances a new session to a real server according to the load
balance method. If the session has an HTTP cookie or an SSL session ID, the FortiGate unit sends all subsequent
sessions with the same HTTP cookie or SSL session ID to the same real server.
Real servers
Add real servers to a load balancing virtual server to provide information the virtual server requires to send sessions to
the server. A real server configuration includes the IP address of the real server and port number the real server receives
sessions on. The FortiGate unit sends sessions to the real server’s IP address using the destination port number in the
real server configuration.
When configuring a real server, you can also specify the weight (if the load balance method is set to Weighted) and you
can limit the maximum number of open connections between the FortiGate unit and the real server. If the maximum
number of connections is reached for the real server, the FortiGate unit automatically switches all further connection
requests to other real servers until the connection number drops below the limit. Setting Maximum Connections to 0
means that the FortiGate unit does not limit the number of connections to the real server.
This example describes the steps to configure the load balancing configuration below. In this configuration, a FortiGate
unit is load balancing HTTP traffic from the Internet to three HTTP servers on the internal network. HTTP sessions are
accepted at the wan1 interface with destination IP address 172.20.120.121 on TCP port 8080, and forwarded from the
internal interface to the web servers. When forwarded, the destination address of the session is translated to the IP
address of one of the web servers.
This load balancing configuration also includes session persistence using HTTP cookies, round-robin load balancing,
and TCP health monitoring for the real servers. Ping health monitoring consists of the FortiGate unit using ICMP ping to
ensure the web servers can respond to network traffic.
6. Add a security policy that includes the load balance virtual server as the destination address.
This recipe shows how to apply a predefined Internet Service entry into a policy.
The Internet Service Database is a comprehensive public IP address database that combines IP address range, IP
owner, service port number, and IP security credibility. The data comes from the FortiGuard service system. Information
is regularly added to this database, for example, geographic location, IP reputation, popularity, DNS, and so on. All
this information helps users define Internet security policy more effectively.
From FortiOS version 5.6 on, Internet Services can be used in the firewall policy; in 5.6 an Internet Service can be applied
to a policy only as a Destination object. From version 6.0, Internet Services can be applied both as Source and
Destination objects in a policy. You can also apply Internet Services to shaping policies.
There are three types of Internet Services we can apply to a firewall policy:
- Predefined Internet Services.
- Custom Internet Services.
- Extension Internet Services.
Sample configuration
To apply a predefined Internet Service entry into a policy using the GUI:
To apply a predefined Internet Service entry into a policy using the CLI:
In the CLI, enable the internet-service first and then use its ID to apply the policy.
This example uses Google Gmail and its ID is 65646. Each Internet Service has a unique ID.
config firewall policy
    edit 9
        set name "Internet Service in Policy"
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set internet-service enable
        set internet-service-id 65646
        set action accept
        set schedule "always"
        set utm-status enable
        set av-profile "g-default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end
Result
Because the IP and services related to Google Gmail on the Internet are included in this Internet Service (65646), all
traffic to Google Gmail is forwarded by this policy.
Even though there are about 1,395 predefined Internet Services entries and a total of 444,727 IP ranges, we sometimes
still need to create our own Internet Service entries. FortiOS supports custom Internet Service in a firewall policy.
When creating a custom Internet Service, you must set the following elements:
- IP or IP Ranges
- Protocol number
- Port or Port Ranges
- Reputation
You must use the CLI to create a custom Internet Service.
Sample configuration
Result
In addition to the IP/IP ranges and services allowed by Google.Gmail, this policy also allows traffic to
10.1.100.0/24 on TCP/80-443 and to 172.16.200.0/24 on TCP/80.
Extension Internet Service lets you add custom IP range(s) and port range(s) to an existing predefined Internet Service,
or remove IP range(s) and port range(s) from an existing predefined Internet Service entry.
Using an extension type Internet Service is effectively editing a predefined Internet Service entry by adding IP range(s)
and port range(s) to it.
When creating an extension Internet Service and adding custom IP range(s) and port range(s), you must set the following
elements:
- IP or IP Ranges
- Protocol number
- Port or Port Ranges
You must use the CLI to add custom IP and port entries to a predefined Internet Service.
You must use the GUI to remove entries from a predefined Internet Service.
Sample configuration
5. Click Return.
6. When you complete the actions in the GUI, the CLI automatically generates the configuration from your GUI
actions:
next
edit 8
set start-port 993
set end-port 993
next
edit 9
set start-port 995
set end-port 995
next
edit 10
set start-port 2525
set end-port 2525
next
end
config ip-range
edit 1
set start-ip 2.20.183.160
set end-ip 2.20.183.160
next
end
next
end
next
end
Result
In addition to the IP(s)/IP range(s) and services allowed by Google.Gmail, this policy also allows traffic to
10.1.100.0/24 on UDP/53 and to 172.16.200.0/24 on TCP/80-443. At the same time, traffic to 2.20.183.160 is
dropped because that IP and port entry has been disabled in Google.Gmail.
NAT64 policy translates IPv6 addresses to IPv4 addresses so that a client on an IPv6 network can communicate
transparently with a server on an IPv4 network.
NAT64 policy is usually implemented in combination with the DNS proxy called DNS64. DNS64 synthesizes AAAA
records from A records and is used to synthesize IPv6 addresses for hosts that only have IPv4 addresses. DNS proxy
and DNS64 are interchangeable terms.
Sample topology
In this example, a host on the internal IPv6 network communicates with ControlPC.qa.fortinet.com, which only
has an IPv4 address on the Internet.
1. The host on the internal network does a DNS lookup for ControlPC.qa.fortinet.com by sending a DNS
query for an AAAA record for ControlPC.qa.fortinet.com.
2. The DNS query is intercepted by the FortiGate DNS proxy. The DNS proxy performs an A-record query for
ControlPC.qa.fortinet.com and gets back an RRSet containing a single A record with the IPv4 address
172.16.200.55.
3. The DNS proxy then synthesizes an AAAA record. The IPv6 address in the AAAA record begins with the configured
NAT64 prefix in the upper 96 bits and the received IPv4 address in the lower 32 bits. By default, the resulting IPv6
address is 64:ff9b::172.16.200.55.
4. The host on the internal network receives the synthetic AAAA record and sends a packet to the destination address
64:ff9b::172.16.200.55.
5. The packet is routed to the FortiGate internal interface (port10) where it is accepted by the NAT64 security policy.
6. The FortiGate unit translates the destination address of the packets from IPv6 address
64:ff9b::172.16.200.55 to IPv4 address 172.16.200.55 and translates the source address of the
packets to 172.16.200.200 (or another address in the IP pool range) and forwards the packets out the port9
interface to the Internet.
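The address arithmetic of steps 3 and 6, worked through as an added example in Python (this is not FortiOS code and not Fortinet's; it models the behaviour the walkthrough describes). `synthesize_aaaa` builds the synthetic AAAA address from an A record and a /96 prefix, `extract_ipv4` recovers the IPv4 destination from a packet sent to that address, and `dns64_answer` models the always-synthesize-aaaa-record setting covered under Sample configuration. The default prefix 64:ff9b::/96 is the one the page gives; the function names, and the fallback order when the setting is disabled, are this example's own assumptions drawn from the text. The functions accept any /96 prefix, not only the default.

```python
import ipaddress
from typing import List, Optional

# Default from "config system nat64" (nat64-prefix). Any /96 prefix works.
DEFAULT_NAT64_PREFIX = "64:ff9b::/96"


def _prefix(prefix: str) -> ipaddress.IPv6Network:
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("NAT64 synthesis requires a /96 prefix")
    return net


def synthesize_aaaa(ipv4: str, prefix: str = DEFAULT_NAT64_PREFIX) -> str:
    """Step 3: upper 96 bits from the NAT64 prefix, lower 32 bits from the A record."""
    net = _prefix(prefix)
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(net.network_address) | int(v4)))


def extract_ipv4(ipv6: str, prefix: str = DEFAULT_NAT64_PREFIX) -> Optional[str]:
    """Step 6: recover the IPv4 destination from a NAT64-mapped IPv6 destination.

    Returns None when the address is outside the prefix, i.e. the packet is not a
    NAT64 candidate and would not match the NAT64 policy.
    """
    net = _prefix(prefix)
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in net:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


def dns64_answer(a_records: List[str], aaaa_records: List[str],
                 always_synthesize: bool = True,
                 prefix: str = DEFAULT_NAT64_PREFIX) -> List[str]:
    """Model (this example's assumption) of always-synthesize-aaaa-record:
    enabled (default) -> answer only with AAAA synthesized from the A records;
    disabled -> use real AAAA records when the name has any, synthesize otherwise.
    """
    if not always_synthesize and aaaa_records:
        return list(aaaa_records)
    return [synthesize_aaaa(a, prefix) for a in a_records]


if __name__ == "__main__":
    # Values from the walkthrough above.
    synthetic = synthesize_aaaa("172.16.200.55")
    print("AAAA:", synthetic)                # 64:ff9b::ac10:c837, i.e. 64:ff9b::172.16.200.55
    print("IPv4:", extract_ipv4(synthetic))  # 172.16.200.55
```

Note that `64:ff9b::172.16.200.55` and `64:ff9b::ac10:c837` are the same address in two notations; the mixed notation used in the walkthrough is accepted by `extract_ipv4` as input.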
Sample configuration
To enable display for IPv6, NAT46/NAT64, and DNS Database using the GUI:
To enable display for IPv6, NAT46/NAT64, and DNS Database using the CLI:
config system settings
    set gui-nat46-64 enable
    set gui-dns-database enable
end
Enabling NAT64 with the config system nat64 command means that all IPv6 traffic received by the current
VDOM can be subject to NAT64 if the source and destination addresses match a NAT64 security policy.
By default, the setting always-synthesize-aaaa-record is enabled. If you disable this setting, the DNS proxy
(DNS64) first attempts to find an AAAA record for the queried domain name and, if one exists, resolves the host name to
that IPv6 address. Only if the DNS proxy cannot find an AAAA record does it synthesize one by adding the NAT64 prefix to
the A record.
The nat64-prefix setting specifies the NAT64 prefix. By default, it is 64:ff9b::/96.
config system nat64
    set status enable
end
NAT64 policy
NAT46 refers to the mechanism that allows IPv4-addressed hosts to communicate with IPv6 hosts. Without such a
mechanism, IPv4 environments cannot connect to IPv6 networks.
Sample topology
In this example, an IPv4 client tries to connect to an IPv6 server. A VIP is configured on the FortiGate to map the server's
IPv6 address 2000:172:16:200:55 to the IPv4 address 10.1.100.55. On the other side, an IPv6 IP pool is
configured, and the source address of packets from the client is translated to the defined IPv6 address. In this setup, the
client PC can access the server by using the IP address 10.1.100.55.
Sample configuration
Sample troubleshooting
You need to add firewall policies to allow packets to pass from one interface to another. Multicast packets require
multicast security policies. Similar to firewall policies, in a multicast policy, the administrator specifies the source
interface, destination interfaces, the allowed source address ranges, and destination addresses of the multicast traffic.
You can also use multicast policies to configure source NAT and destination NAT for multicast packets.
When multicast-forward is enabled, the FortiGate forwards any multicast IP packets in which the TTL is 2 or
higher to all interfaces and VLAN interfaces except the receiving interface. The TTL in the IP header is reduced by 1.
Even though the multicast packets are forwarded to all interfaces, you must add multicast policies to allow multicast
packets through the FortiGate.
If multicast-forward is disabled, the FortiGate unit drops packets that have multicast source or destination
addresses.
In NAT mode, there is a per-VDOM configuration to disable forwarding any multicast traffic. This command is only
available in NAT mode.
config system settings
    set multicast-forward <disable|enable(default)>
end
You can also use the multicast-ttl-notchange option so that FortiGate doesn't increase the TTL value for
forwarded multicast packets. Use this option only if packets are expiring before reaching the multicast router.
When multicast-skip-policy is enabled, no check is performed based on multicast policy. A multicast packet
received on an interface is flooded unconditionally to all interfaces (except the incoming interface) belonging to the
same forwarding domain. Multicast packets are forwarded even when there is no multicast policy or the multicast policy
is set to deny. To forward multicast traffic based on multicast policy, multicast-skip-policy must be disabled.
In transparent mode, there is a per-VDOM configuration to skip the policy check and forward all multicast traffic. This
command is only available in transparent mode.
config system settings
    set multicast-skip-policy <disable(default)|enable>
end
Sample configuration
Access control lists (ACLs) in the FortiOS firmware are a granular, specifically targeted blacklist. An ACL drops IPv4 and
IPv6 packets at the physical network interface before the packets are analyzed by the CPU. On a busy appliance, this
can noticeably improve performance.
ACL is available on FortiGates with NP6-accelerated interfaces. ACL checking is one of the first things that happens to
the packet, and the checking is done by the NP6 processor. The result is very efficient protection that does not use CPU
or memory resources.
The following platforms support ACL:
- FGT_100D, FGT_100E, FGT_100EF, FGT_101E.
- FGT_140D, FGT_140D_POE, FGT_140E, FGT_140E_POE.
- FGT_301E, FGT_500E, FGT_501E.
- FGT_1200D, FGT_1500D, FGT_1500DT.
- FGT_2000E, FGT_2500E.
- FGT_3000D, FGT_3100D, FGT_3200D, FGT_3700D.
- FGT_3800D, FGT_3810D, FGT_3815D.
- FGT_3960E, FGT_3980E.
Limitation
The ACL configuration allows you to specify which interface the ACL is applied to. You should be aware of a hardware
limitation. The ACL is a Layer 2 function and is offloaded to the ISF hardware. Therefore, no CPU resources are used in
processing the ACL. It is handled by the internal switch chip, which can perform hardware acceleration, increasing
the performance of the FortiGate. The drawback is that the ACL function is only supported on switch-fabric-driven
interfaces. It also cannot be applied to hardware switch interfaces or their members. Ports such as WAN1 or WAN2 on
some models that use network cards that connect to the CPU through a PCIe bus do support ACL.
Sample configuration
To block all IPv4 and IPv6 Telnet traffic from port2 to Company_Servers using the CLI:
Sample troubleshooting
Traffic shaping
You can limit interface bandwidth for arriving and departing traffic. In some cases, the traffic received on an interface
could exceed the maximum bandwidth limit defined in the security policy. Rather than waste processing power on
packets that will be dropped later in the process, you can configure FortiGate to preemptively drop excess packets
when they are received at the source interface. A similar command is available for the outgoing interface.
The following diagram shows how excess packets going from LAN to WAN1 can be intercepted and dropped at the
source interface.
1. Go to Interface.
2. Click interface port1, and click Edit on top menu bar.
3. Go to the Traffic Shaping section, and set the following options:
a. Enable Inbound Bandwidth and type 200.
The default bandwidth unit is kbps.
This traffic prioritization method puts packets into the following queues based on their Type of Service (ToS) value:
- High
- Medium
- Low
ToS-based traffic prioritization cannot be used to apply bandwidth limits and guarantees, but it can be used to prioritize
traffic at per-packet levels.
You can use the following command to configure the default system-wide level of priority:
config system global
    set traffic-priority-level {high | low | medium}
end
You can also prioritize packets according to the ToS bit value in the packet’s IP header by using the following command:
config system tos-based-priority
    edit <id_int>
        set tos [0-15]
        set priority {high | low | medium}
    next
end
Example
The following configuration shows that packets with ToS bit values of 10 are prioritized as medium and packets with
ToS bit values of 20 are prioritized as high. All the other traffic is prioritized as low.
config system tos-based-priority
    edit 1
        set tos 10
        set priority medium
    next
    edit 2
        set tos 20
        set priority high
    next
end
Shared traffic shaper is used in a firewall shaping policy to indicate the priority and guaranteed and maximum bandwidth
for a specified type of traffic use.
The maximum bandwidth indicates the largest amount of traffic allowed when using the policy. You can set the
maximum bandwidth to a value between 1 and 16776000 Kbps. The GUI displays an error if any value outside this
range is used. If you want to allow unlimited bandwidth, use the CLI to enter a value of 0.
The guaranteed bandwidth ensures that there is a consistent reserved bandwidth available. When setting the
guaranteed bandwidth, ensure that the value is significantly less than the interface's bandwidth capacity. Otherwise, the
interface will allow very little or no other traffic to pass through, potentially causing unwanted latency.
In a shared traffic shaper, the administrator can prioritize certain traffic as high, medium, or low. FortiOS provides
bandwidth to low priority connections only when high priority connections do not need the bandwidth. For example, you
should assign a high traffic priority to a policy for connecting a secure web server that needs to support e-commerce
traffic. You should assign less important services a low priority.
When you configure a shared traffic shaper, you can apply bandwidth shaping per policy or for all policies. By default, a
shared traffic shaper applies traffic shaping evenly to all policies that use the shared traffic shaper.
When configuring a per-policy traffic shaper, FortiOS applies the traffic shaping rules defined for each security policy
individually. For example, if a per-policy traffic shaper is configured with a maximum bandwidth of 1000 Kbps, any
security policies that have that traffic shaper enabled get 1000 Kbps of bandwidth each.
If a traffic shaper for all policies is configured with a maximum bandwidth of 1000 Kbps, all policies share the 1000 Kbps
on a first-come, first-served basis.
The configuration is as follows:
config firewall shaper traffic-shaper
    edit "traffic_shaper_name"
        set per-policy enable
    next
end
The shared traffic shaper selected in the traffic shaping policy affects traffic in the direction defined in the policy. For
example, if the source port is LAN and the destination is WAN1, the traffic shaping affects the flow in this direction only,
affecting the outbound traffic's upload speed. You can define the traffic shaper for the policy in the opposite direction
(reverse shaper) to affect the inbound traffic's download speed. In this example, that would be from WAN1 to LAN.
The following example shows how to apply different speeds to different types of service. The example configures two
shared traffic shapers to use in two firewall shaping policies. One policy guarantees a speed of 10 Mbps for VoIP traffic.
The other policy guarantees a speed of 1 Mbps for other traffic. In the example, FortiOS communicates with a PC using
port10 and the Internet using port9.
1. To check if specific traffic is attached to the correct traffic shaper, run the diagnose firewall iprope list
100015 command. The example output shows the traffic attached to the 10Mbps and 1Mbps shapers:
# diagnose firewall iprope list 100015
service(15):
[6:0x0:0/(1,65535)->(1720,1720)] helper:auto
[6:0x0:0/(1,65535)->(1503,1503)] helper:auto
[17:0x0:0/(1,65535)->(1719,1719)] helper:auto
[6:0x0:0/(1,65535)->(6660,6669)] helper:auto
[6:0x0:0/(1,65535)->(1433,1433)] helper:auto
[6:0x0:0/(1,65535)->(1434,1434)] helper:auto
[6:0x0:0/(1,65535)->(3306,3306)] helper:auto
[6:0x0:0/(1,65535)->(554,554)] helper:auto
[6:0x0:0/(1,65535)->(7070,7070)] helper:auto
[6:0x0:0/(1,65535)->(8554,8554)] helper:auto
[17:0x0:0/(1,65535)->(554,554)] helper:auto
[6:0x0:0/(1,65535)->(2000,2000)] helper:auto
[6:0x0:0/(1,65535)->(5060,5060)] helper:auto
[17:0x0:0/(1,65535)->(5060,5060)] helper:auto
[6:0x0:0/(1,65535)->(1863,1863)] helper:auto
3. To check statuses of shared traffic shapers, run the diagnose firewall shaper traffic-shaper list
command. The output should resemble the following:
# dia firewall shaper traffic-shaper list
name 10Mbps
maximum-bandwidth 2500 KB/sec
guaranteed-bandwidth 1250 KB/sec
current-bandwidth 0 B/sec
priority 2
tos ff
packets dropped 0
bytes dropped 0
name 1Mbps
maximum-bandwidth 1250 KB/sec
guaranteed-bandwidth 125 KB/sec
current-bandwidth 0 B/sec
priority 4
tos ff
packets dropped 0
bytes dropped 0
With per-IP traffic shaping, you can limit each IP address's behavior to avoid a situation where one user uses all of the
available bandwidth. In addition to controlling the maximum bandwidth used per IP address, you can also define the
maximum number of concurrent sessions for an IP address. For example, if you apply a per-IP shaper of 1 Mbps to your
entire network, FortiOS allocates each user/IP address 1 Mbps of bandwidth. Even if the network consists of a single
user, FortiOS allocates them 1 Mbps. If there are ten users, each user gets 1 Mbps of bandwidth, totaling 10 Mbps of
outgoing traffic.
For shared shapers, all users share the set guaranteed and maximum bandwidths. For example, if you set a shared
shaper for all PCs using an FTP service to 10 Mbps, all users uploading to the FTP server share the 10 Mbps.
Shared shapers affect upload speed. If you want to limit the download speed from the FTP server in the example, you
must configure the shared shaper as a reverse shaper. Per-IP shapers apply the speed limit on both upload and
download operations.
The following example shows how to apply a per-IP shaper to a traffic shaping policy. This shaper assigns each user a
maximum bandwidth of 1 Mbps and allows each user to have a maximum of ten concurrent connections to the FTP
server. In the example, FortiOS communicates with users using port10 and the FTP server using port9.
1. To check if specific traffic is attached to the correct traffic shaper, run the diagnose firewall iprope list
100015 command. The example output shows the traffic attached to the FTP_Max_1M shaper:
# diagnose firewall iprope list 100015
name FTP_Max_1M
maximum-bandwidth 125 KB/sec
maximum-concurrent-session 10
tos ff/ff
packets dropped 0
bytes dropped 0
addr=10.1.100.11 status: bps=0 ses=3
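As an added example (not a FortiOS tool and not Fortinet code), the following Python parses both the shared-shaper listing from `diagnose firewall shaper traffic-shaper list` and the per-IP listing shown above, converts the KB/sec figures back to the kbps the shapers were configured in, and audits the result: it confirms that the 10Mbps and 1Mbps shapers guarantee 10000 and 1000 kbps, flags any shaper with a non-zero drop counter, and reports addresses that have reached the per-IP concurrent-session limit. The sample output is constructed from the two listings above, with a non-zero drop counter given to the 1Mbps shaper and a second address added to the per-IP listing so that the audit has something to report. The conversion 1 KB = 1000 bytes is an assumption, consistent with 1250 KB/sec being shown for the 10 Mbps shaper.

```python
import re
from typing import Any, Dict, List

# Constructed sample, modelled on the shared-shaper output above (drop counter on 1Mbps added).
SAMPLE_SHARED_LIST = """\
# dia firewall shaper traffic-shaper list
name 10Mbps
maximum-bandwidth 2500 KB/sec
guaranteed-bandwidth 1250 KB/sec
current-bandwidth 0 B/sec
priority 2
tos ff
packets dropped 0
bytes dropped 0
name 1Mbps
maximum-bandwidth 1250 KB/sec
guaranteed-bandwidth 125 KB/sec
current-bandwidth 0 B/sec
priority 4
tos ff
packets dropped 12
bytes dropped 18000
"""

# Constructed sample, modelled on the per-IP output above (second address added).
SAMPLE_PER_IP_LIST = """\
name FTP_Max_1M
maximum-bandwidth 125 KB/sec
maximum-concurrent-session 10
tos ff/ff
packets dropped 0
bytes dropped 0
addr=10.1.100.11 status: bps=0 ses=3
addr=10.1.100.12 status: bps=0 ses=10
"""

_BW_RE = re.compile(r"^(maximum|guaranteed|current)-bandwidth\s+(\d+)\s+(B|KB|MB)/sec$")
_INT_RE = re.compile(r"^(priority|maximum-concurrent-session|packets dropped|bytes dropped)\s+(\d+)$")
_ADDR_RE = re.compile(r"^addr=(\S+)\s+status:\s+bps=(\d+)\s+ses=(\d+)$")
_BYTES_PER_UNIT = {"B": 1, "KB": 1000, "MB": 1_000_000}


def to_kbps(value: int, unit: str) -> int:
    """The diagnose output reports bytes per second; the shaper is configured in kbps."""
    return value * _BYTES_PER_UNIT[unit] * 8 // 1000


def parse_shaper_list(text: str) -> Dict[str, Dict[str, Any]]:
    """Split the listing into one record per 'name' line and normalise the fields."""
    shapers: Dict[str, Dict[str, Any]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):        # blank lines and the echoed command
            continue
        if line.startswith("name "):
            current = {"name": line.split(None, 1)[1], "addrs": []}
            shapers[current["name"]] = current
            continue
        if current is None:
            continue
        m = _BW_RE.match(line)
        if m:
            current[f"{m.group(1)}_kbps"] = to_kbps(int(m.group(2)), m.group(3))
            continue
        m = _INT_RE.match(line)
        if m:
            current[m.group(1).replace(" ", "_").replace("-", "_")] = int(m.group(2))
            continue
        m = _ADDR_RE.match(line)
        if m:
            current["addrs"].append({"addr": m.group(1), "bps": int(m.group(2)), "sessions": int(m.group(3))})
            continue
        if line.startswith("tos "):
            current["tos"] = line.split(None, 1)[1]
    return shapers


def audit(shapers: Dict[str, Dict[str, Any]], expected_guaranteed_kbps: Dict[str, int]) -> List[str]:
    """Compare the live shapers with the intended guarantees and surface drops and session-limit hits."""
    findings: List[str] = []
    for name, want in expected_guaranteed_kbps.items():
        s = shapers.get(name)
        if s is None:
            findings.append(f"{name}: shaper not present in output")
        elif s.get("guaranteed_kbps") != want:
            findings.append(f"{name}: guaranteed {s.get('guaranteed_kbps')} kbps, expected {want}")
    for name, s in shapers.items():
        if s.get("packets_dropped", 0):
            findings.append(f"{name}: {s['packets_dropped']} packets dropped")
        limit = s.get("maximum_concurrent_session")
        if limit:
            for a in s["addrs"]:
                if a["sessions"] >= limit:
                    findings.append(f"{name}: {a['addr']} at session limit ({a['sessions']}/{limit})")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_shaper_list(SAMPLE_SHARED_LIST), {"10Mbps": 10000, "1Mbps": 1000}):
        print(finding)
    for finding in audit(parse_shaper_list(SAMPLE_PER_IP_LIST), {}):
        print(finding)
```

A non-zero drop counter on a shaper that is supposed to guarantee bandwidth is the first thing to check when users report slow VoIP; the audit makes that visible without reading the raw listing.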
Priority queues
After packet acceptance, FortiOS classifies traffic and may apply Quality of Service techniques such as prioritization and
traffic shaping. Traffic shaping consists of a mixture of traffic policing to enforce bandwidth limits and priority queue
adjustment to assist packets in achieving the guaranteed rate.
If you have configured prioritization, FortiOS prioritizes egressing packets by distributing them among first in first out
queues associated with each possible priority number. Each physical interface has six priority queues. Virtual interfaces
use the priority queues of the physical interface to which they are bound.
Each physical interface's six queues are queue 0 to queue 5, where queue 0 is the highest priority queue. However, you
may observe that your traffic uses only a subset of those six queues. For example, some traffic may always use a
certain queue number. Queuing may also vary by the packet rate or mixture of services. Some queue numbers may only
be used by through traffic for which you have configured traffic shaping in the security policy that applies to that traffic
session.
Priority types
ToS priority
The first and second types, ingress priority and priority for generated packets, are controlled via two different CLI
settings, as shown below:
config system global
    set traffic-priority-level {high|medium|low}
end
config system tos-based-priority
    edit 1
        set tos [0-15]                   -> type of service bit in the IP datagram header, with a value between 0 and 15
        set priority (high|medium|low)   -> priority of this type of service
    next
end
Priority   Value
High       0
Medium     1
Low        2
In a firewall shaping policy, you can enable traffic shaping. In the shared traffic shaper, you can set the firewall priority to
high, medium, or low, as shown below:
config firewall shaper traffic-shaper
    edit "1"
        set priority (high|medium|low)
    next
end
Since the priority in a traffic shaper is set to high by default, you must set some traffic at a lower priority to see results.
Each priority level is mapped to a value as follows:
Priority         Value
High (default)   1
Medium           2
Low              3
To combine the two priority types, the global or ingress ToS-based priority value is combined with the firewall policy
priority value:
ToS priority (0, 1, 2) + policy priority (1, 2, 3) = total priority (queue number)
Consider the following scenarios:
- If the current packet rate is less than the guaranteed bandwidth, packets use priority queue 0. Packet priority is 0.
- If the current packet rate exceeds the maximum bandwidth, excess packets are dropped.
- If the current packet rate is greater than the guaranteed bandwidth but less than the maximum bandwidth, FortiOS
  assigns a priority queue by adding the ToS-based priority and the firewall priority. For example, if you have enabled
  traffic shaping in the security policy and the security policy's traffic priority is low (value 3), and the priority normally
  applied to packets with that ToS bit is medium (value 1), the packets have a total packet priority of 4, and use
  priority queue 4.
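The ToS-based priority table from the Traffic shaping section and the queue arithmetic just described, worked as an added Python example (this is not Fortinet code): `tos_priority_level` resolves a packet's ingress level from a tos-based-priority table, falling back to the global traffic-priority-level when no entry matches, and `egress_queue` applies the three cases above to return a queue number (0 to 5) or None for a dropped packet. The two value dictionaries mirror the tables on this page; the example ToS table follows the earlier example in mapping ToS 10 to medium, with everything else low via the global level. The function names, the fallback to the global level, and treating a maximum bandwidth of 0 as unlimited (as the CLI does) are this example's assumptions.

```python
from typing import Dict, Optional

# Value each ToS-based (ingress) priority level contributes to the queue number.
TOS_PRIORITY_VALUE = {"high": 0, "medium": 1, "low": 2}
# Value the shared traffic shaper's priority contributes (high is the default).
POLICY_PRIORITY_VALUE = {"high": 1, "medium": 2, "low": 3}

# Mirrors the earlier example: "set tos 10 / set priority medium"; all other ToS
# values fall back to the global traffic-priority-level (low in the example).
EXAMPLE_TOS_TABLE: Dict[int, str] = {10: "medium"}


def tos_priority_level(tos: int, tos_table: Dict[int, str], global_level: str = "high") -> str:
    """Ingress priority of a packet.

    tos_table mirrors 'config system tos-based-priority' (tos value -> level);
    global_level mirrors 'set traffic-priority-level' under 'config system global',
    which this model assumes applies when no tos-based-priority entry matches.
    """
    if not 0 <= tos <= 15:
        raise ValueError("tos must be in the range 0-15")
    if global_level not in TOS_PRIORITY_VALUE:
        raise ValueError(f"unknown priority level {global_level!r}")
    return tos_table.get(tos, global_level)


def egress_queue(rate_kbps: int, guaranteed_kbps: int, maximum_kbps: int,
                 tos_level: str, policy_level: str) -> Optional[int]:
    """Egress priority queue (0 = highest) for a packet, or None when it is dropped.

    maximum_kbps == 0 is treated as unlimited, as when 0 is entered in the CLI.
    """
    if maximum_kbps and rate_kbps > maximum_kbps:      # case 2: above maximum -> dropped
        return None
    if rate_kbps < guaranteed_kbps:                     # case 1: within the guarantee -> queue 0
        return 0
    # case 3: between guaranteed and maximum -> ToS value (0..2) + policy value (1..3),
    # which is why only queues 1..5 are seen for shaped through traffic.
    return TOS_PRIORITY_VALUE[tos_level] + POLICY_PRIORITY_VALUE[policy_level]


def classify(rate_kbps: int, guaranteed_kbps: int, maximum_kbps: int, tos: int,
             tos_table: Dict[int, str], policy_level: str,
             global_level: str = "high") -> Optional[int]:
    """From a packet's ToS value and the shaper settings straight to its queue."""
    level = tos_priority_level(tos, tos_table, global_level)
    return egress_queue(rate_kbps, guaranteed_kbps, maximum_kbps, level, policy_level)


if __name__ == "__main__":
    # The worked case from the text: low policy priority (3) + medium ToS priority (1) = queue 4.
    print(classify(5000, 1000, 10000, 10, EXAMPLE_TOS_TABLE, "low", global_level="low"))  # 4
```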
AntiVirus
Introduction
Content Disarm and Reconstruction (CDR) allows the FortiGate to sanitize Microsoft Office documents and PDF files
(disarm) by removing active content such as hyperlinks, embedded media, JavaScript, macros, etc. from the files
without affecting the integrity of their textual content (reconstruction).
This feature allows network admins to protect their users from malicious office document files.
Files processed by CDR can have the original copy quarantined on the FortiGate, allowing admins to observe them.
These original copies can also be obtained in the event of a false positive.
- CDR can only be performed on Microsoft Office Document and PDF files.
- Local Disk CDR quarantine is only possible on FortiGate models that contain a hard disk.
- CDR is only supported on HTTP, SMTP, POP3, IMAP.
- SMTP splice and client-comfort mode is not supported.
- CDR does not work on flow based inspection modes.
- CDR can only work on files in .ZIP type archives.
In order to configure AntiVirus to work with CDR, you must enable CDR on your AntiVirus profile, set the quarantine
location, and then fine tune the CDR detection parameters.
Discard          The default setting, which discards the original document file.
File Quarantine  Saves the original document file to disk (if possible) or to a connected FortiAnalyzer, based on the
                 FortiGate's log settings, visible through Config Global > Config Log FortiAnalyzer Setting.
Introduction
FortiGuard Outbreak Prevention was introduced in FortiOS 6.0.0 and allows the FortiGate's AntiVirus database to be
supplemented with third-party malware hash signatures curated by FortiGuard.
Those hash signatures are obtained from external sources such as VirusTotal, Symantec, Kaspersky, and other
third-party websites and services.
This feature provides the mechanism for AntiVirus to query the FortiGuard with the hash of a scanned file. If the
FortiGuard returns a match from its many curated signature sources, the scanned file is deemed to be malicious.
The concept of FortiGuard Outbreak Prevention is to detect zero-day malware in a collaborative approach.
- FortiGuard Outbreak Prevention can be used in both proxy-based and flow-based policy inspections across all
  supported protocols.
- FortiGuard Outbreak Prevention does not support AV in quick scan mode.
- FortiGate must be registered with a valid FortiGuard Outbreak Prevention license before this feature can be used.
In order for AntiVirus to work with an external block list, you must register the FortiGate with a FortiGuard Outbreak
Prevention license and enable FortiGuard Outbreak Prevention in the AntiVirus profile.
1. See the following link for instructions on how to purchase or renew a FortiGuard Outbreak Prevention license:
https://video.fortinet.com/products/fortigate/6.0/how-to-purchase-or-renew-fortiguard-services-6-0
2. Once the license has been activated, you can verify its status by going to Global > System > FortiGuard.
1. Go to Security Profiles > AntiVirus.
2. Select the toggle to enable Use FortiGuard Outbreak Prevention Database.
3. Select Apply.
Service : Web-filter
Status : Enable
License : Contract
Service : Antispam
Status : Disable
Introduction
External Malware Blocklist is a new feature introduced in FortiOS 6.2.0 which falls under the umbrella of Outbreak
Prevention.
This feature provides another means of supporting the AV Database by allowing users to add their own malware
signatures in the form of MD5, SHA1, and SHA256 hashes.
This feature provides a mechanism for Antivirus to retrieve an external malware hash list from a remote server and polls
the hash list every n minutes for updates.
Malware detection using External Malware Blocklist can be used in both proxy-based and flow-based policy inspections.
Just like FortiGuard Outbreak Prevention, External Dynamic Block List is not supported in AV quick scan mode.
Using different types of hash simultaneously may slow down malware scanning. For this reason, it is recommended to
use only one type of hash (MD5, SHA1, or SHA256), not all three simultaneously.
# Invalid entries
7688499dc71b932feb126347289c0b8a_md5_sample2
7614e98badca10b5e2d08f8664c519b7a906fbd5180ea5d04a82fce9796a4b87sha256_sample3
- Create a new external source on the Global > Security Fabric > Fabric Connectors page:
- Fill out the fields as shown below. The URI should point to the malware hash list on the remote server:
- Users can view the entries in the malware blocklist by clicking the View Entries button:
- Enable External Malware Blocklist on the AntiVirus profile and apply the change:
Check if scanunit daemon has updated itself with the external hashes:
FGT_PROXY # config global
FGT_PROXY (global) # diagnose sys scanunit malware-list list
md5 'aa67243f746e5d76f68ec809355ec234' profile 'hash_list' description 'md5_sample1'
sha1 'a57983cb39e25ab80d7d3dc05695dd0ee0e49766' profile 'hash_list' description 'sha1_sample2'
sha256 '0289b0d967cb7b1fb1451339c7b9818a621903090e0020366ab415c549212521' profile 'hash_list' description ''
sha256 'ae9bc0b4c5639d977d720e4271da06b50f7c60d1e2070e9c75cc59ab30e49379' profile 'hash_list' description 'sha256_sample1'
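An added example (not Fortinet code, and not how the scanunit daemon is implemented) that validates a hash list file before it is published for the FortiGate to poll: `validate_blocklist` accepts one hex digest per line with an optional whitespace-separated description, classifies each digest as MD5, SHA1 or SHA256 by length, rejects malformed lines such as the two "Invalid entries" above, and warns when the list mixes hash types, which the text says slows scanning. `build_index` and `is_blocked` then show where that cost comes from: a scanned file has to be hashed once per hash type present in the list. The sample list reuses the digests shown in the `diagnose sys scanunit malware-list list` output above plus the two invalid lines; the line format (digest, then optional description) is inferred from that output and is an assumption of this example.

```python
import hashlib
import re
from typing import Dict, List, Optional, Tuple

HASH_TYPE_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Constructed list file. Digests are those quoted on this page; the last two lines are the
# malformed entries from the "Invalid entries" fragment above (description glued to the hash).
SAMPLE_BLOCKLIST = """\
# Valid entries: <hex digest> [description]
aa67243f746e5d76f68ec809355ec234 md5_sample1
a57983cb39e25ab80d7d3dc05695dd0ee0e49766 sha1_sample2
0289b0d967cb7b1fb1451339c7b9818a621903090e0020366ab415c549212521
ae9bc0b4c5639d977d720e4271da06b50f7c60d1e2070e9c75cc59ab30e49379 sha256_sample1
# Invalid entries
7688499dc71b932feb126347289c0b8a_md5_sample2
7614e98badca10b5e2d08f8664c519b7a906fbd5180ea5d04a82fce9796a4b87sha256_sample3
"""

Entry = Tuple[str, str, str]  # (hash type, lower-case hex digest, description)


def parse_entry(line: str) -> Entry:
    """A list line is a bare hex digest, optionally followed by whitespace and a description."""
    parts = line.split(None, 1)
    digest = parts[0]
    description = parts[1].strip() if len(parts) > 1 else ""
    if not _HEX_RE.match(digest) or len(digest) not in HASH_TYPE_BY_LENGTH:
        raise ValueError(f"not a bare MD5/SHA1/SHA256 hex digest: {digest!r}")
    return HASH_TYPE_BY_LENGTH[len(digest)], digest.lower(), description


def validate_blocklist(text: str) -> Tuple[List[Entry], List[Tuple[int, str, str]], List[str]]:
    """Return (valid entries, invalid lines with line number and reason, warnings)."""
    valid: List[Entry] = []
    invalid: List[Tuple[int, str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            valid.append(parse_entry(line))
        except ValueError as exc:
            invalid.append((lineno, line, str(exc)))
    warnings: List[str] = []
    types = sorted({hash_type for hash_type, _, _ in valid})
    if len(types) > 1:
        warnings.append(f"list mixes hash types {types}: every scanned file must be hashed "
                        f"{len(types)} times; publish a single type")
    return valid, invalid, warnings


def build_index(entries: List[Entry]) -> Dict[str, Dict[str, str]]:
    """Group digests by hash type so a lookup knows which digests to compute."""
    index: Dict[str, Dict[str, str]] = {}
    for hash_type, digest, description in entries:
        index.setdefault(hash_type, {})[digest] = description
    return index


def digest_of(data: bytes, hash_type: str) -> str:
    return hashlib.new(hash_type, data).hexdigest()


def is_blocked(index: Dict[str, Dict[str, str]], data: bytes) -> Optional[Tuple[str, str]]:
    """Hash the file once per hash type present in the list; return (type, description) on a hit."""
    for hash_type, table in index.items():
        hit = table.get(digest_of(data, hash_type))
        if hit is not None:
            return hash_type, hit
    return None


if __name__ == "__main__":
    valid, invalid, warnings = validate_blocklist(SAMPLE_BLOCKLIST)
    print(f"{len(valid)} valid, {len(invalid)} invalid")
    for lineno, line, reason in invalid:
        print(f"line {lineno}: {reason}")
    for w in warnings:
        print("warning:", w)
```

Run this against a list before pointing the Fabric Connector at it; an entry that fails here is one that will silently never match on the FortiGate.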
Web filter
Introduction
External Resources is a new feature introduced in FortiOS 6.0, which provides a capability to import an external blacklist
which sits on an HTTP server. This feature helps FortiGate retrieve a dynamic URL/Domain Name/IP Address/Malware
hash list from an external HTTP server periodically. FortiGate uses these external resources as web filter's remote
categories, DNS filter's remote categories, policy address objects or AntiVirus profile's malware definitions. If the
external resource is updated, FortiGate objects will update dynamically.
External Resources are categorized into 4 types:
IDN (International Domain Name) and UTF-encoded URLs are supported (from 6.2).
IPv4 and IPv6 format URLs are supported. IPv6 addresses in a URL list must be in [ ] form.
You can use the CLI to configure external resource files located on an external HTTP server. Under Global,
configure the external resource file location and specify the resource type.
Web Filter uses category-type external resources as Remote Categories. In the following example, the file
Ext-Resource-Type-as-Category-1.txt is configured with type category, so it is treated in Web Filter as a Remote
Category with the category name Ext-Resource-Type-as-Category-1 and category-id 192:
config system external-resource
    edit "Ext-Resource-Type-as-Category-1"
        set type category <----
        set category 192 <----
        set resource "http://172.16.200.66/external-resources/Ext-Resource-Type-as-Category-1.txt"
        set refresh-rate 1
    next
end
Now in each VDOM, the category-type external resource can be used in Web Filter as a Remote Category. In the example
above, the URL list in the "Ext-Resource-Type-as-Category-1.txt" file is treated as a remote category (category-id 192).
Configure the action for this remote category in the Web Filter profile and apply it in the policy:
config webfilter profile
    edit "webfilter"
        config ftgd-wf
            unset options
            config filters
                edit 1
                    set category 2
                    set action warning
                next
                ......
                edit 24
                    set category 192 <----
                    set action block
                next
                edit 25
                    set category 221
                    set action warning
                next
                edit 26
                    set category 193
                next
            end
        end
        set log-all-url enable
    next
end
Configure, edit or view the entries for external resources from the GUI.
1. GUI > Global > Fabric Connectors page:
2. GUI > Global > Fabric Connectors page > Create New. Click the Create New button and select Threat Feeds type FortiGuard Category.
3. GUI > Global > Fabric Connectors page. Enter the Resource Name, the URL location of the resource file, the resource authentication credential, the Refresh Rate or a comment, and click OK to finish the Threat Feeds configuration.
4. GUI > Global > Fabric Connectors page. After a few minutes, double-click the Threat Feeds object you just configured. It is shown in the Edit page. Click View Entries to view the entry list in the external resource file:
5. GUI > VDOM > Web Filter Profile page. The configured external resource is shown and can be configured in each Web Filter profile:
Log Example
If an HTTP/HTTPS request URL matches an entry in the Remote Category's entry list, the match overrides its original FortiGuard (FGD) URL rating and the URL is treated as the Remote Category.
GUI > VDOM > Log & Report > Web Filter:
CLI Example:
An HTTPS request URL matched in this Remote Category is exempted from SSL deep inspection.
Log example:
As we can see, Web Filter can have a local category and a remote category at the same time. There is no duplicate check between the local category URL override and the remote category resource file. For example, a URL such as www.example.com may appear in the remote category entry list and, at the same time, in the FortiGate's local category URL override configuration. It is recommended to prevent this scenario, since the FortiGate itself does not perform this duplicate validation. If a URL is duplicated in a local category and a remote category, it is rated as the local category.
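Because the FortiGate performs no duplicate check between a remote category feed and the local URL override, and rejects IPv6 entries that are not in [ ] form, the feed is best linted before it is published on the HTTP server. The following is an added example (Python, not FortiOS or Fortinet code); the feed contents and the local override list are constructed sample data.

```python
"""Lint an external-resource URL-list feed before publishing it.

Added example, not FortiOS code. Checks the two points the cookbook
makes about feeds: IPv6 literals must be written in [ ] form, and an
entry that also exists in the local URL override is rated as the local
category, so the remote-category action never applies to it.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample feed of type "category" (one URL per line).
SAMPLE_FEED = """\
# comment lines and blanks are skipped
www.example.com
http://www.example.net/path/
[2001:db8::1]/app
2001:db8::2/app
198.51.100.7
https://[2001:db8::3]:8443/
WWW.EXAMPLE.NET
"""

# Constructed local URL override entries (config webfilter urlfilter).
SAMPLE_LOCAL_OVERRIDES = ["www.example.com", "intranet.example.org"]


def normalize(entry):
    """Reduce an entry to its lower-case host so remote and local entries compare."""
    entry = entry.strip().lower()
    if "://" not in entry:
        entry = "http://" + entry
    try:
        return urlsplit(entry).hostname or ""
    except ValueError:
        return entry


def check_ipv6_brackets(entry):
    """Return an error message if a bare IPv6 literal appears without [ ]."""
    candidate = entry.split("/")[0]
    if ":" in candidate and not candidate.startswith("["):
        try:
            ipaddress.IPv6Address(candidate)
        except ValueError:
            return None          # host:port or a scheme prefix, not an IPv6 literal
        return "IPv6 address must be written in [ ] form"
    return None


def check_feed(feed_text, local_overrides):
    """Return (clean_entries, problems); problems are (line_number, message)."""
    local_hosts = {normalize(e) for e in local_overrides}
    seen = set()
    clean, problems = [], []
    for lineno, raw in enumerate(feed_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        err = check_ipv6_brackets(line)
        if err:
            problems.append((lineno, err))
            continue
        host = normalize(line)
        if host in seen:
            problems.append((lineno, "duplicate entry inside the feed"))
            continue
        seen.add(host)
        if host in local_hosts:
            # The FortiGate does not validate this; the local category wins.
            problems.append((lineno, "also present in local URL override; local rating wins"))
        clean.append(line)
    return clean, problems


if __name__ == "__main__":
    entries, issues = check_feed(SAMPLE_FEED, SAMPLE_LOCAL_OVERRIDES)
    for lineno, msg in issues:
        print(f"line {lineno}: {msg}")
    print(f"{len(entries)} publishable entries")
```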
Introduction
File Filter is a new feature introduced in FortiOS 6.2 that gives the Web filter profile the capability to block files passing through a FortiGate based on file type. In addition, the configuration for file type filtering has been greatly simplified. In previous FortiOS versions, file filtering could only be achieved by configuring a DLP (Data Leak Prevention) sensor.
In FortiOS 6.2, HTTP and FTP file filtering is configurable in the Web filter profile, and SMTP, POP3 and IMAP file filtering is configurable in the Email filter profile. Currently, file filtering in the Web filter profile is based on file type (the file's metadata) only, not on file size or file content. Users still need to configure a DLP sensor to block files based on size or content such as SSN numbers, credit card numbers or a regexp.
FTP inspection and GUI configuration have yet to be implemented. In addition, Web filter file filtering only works on proxy mode policies.
File Filter in Web filter profile supports the following file types:
xz Match xz files
msoffice Match MS-Office files. For example, doc, xls, ppt, and so on.
msofficex Match MS-Office XML files. For example, docx, xlsx, pptx, and so on.
rm Match rm files
Using the CLI, the file filtering configuration is nested inside the Web filter profile's configuration.
In the file filtering configuration, the file filtering functionality and its logging are independent of the Web filter profile.
To block or log a file type, configure file filter entries. Within each entry, specify a file type, an action (log|block), the protocol to inspect (http|ftp), the traffic direction to inspect (incoming|outgoing|any), and whether to match only encrypted files. Each file filter entry can specify multiple file types. File filter entries are ordered; however, block takes precedence over log.
In the CLI example below, we want the Web filter profile to file filter the following:
1. Block PDFs from entering or leaving our network (filter1).
2. Log the download of some graphics file types via HTTP (filter2).
3. Block EXE files from leaving our network via FTP (filter3).
config webfilter profile
edit "webfilter-file-filter"
config file-filter
set status enable <--- Enable or disable file filtering
set log enable <--- Enable or disable logging for file filtering
set scan-archive-contents enable <--- Scan files inside archives such as ZIP and RAR
config entries
edit "filter1"
set comment "Block PDF files"
set protocol http ftp <--- Inspect HTTP and FTP traffic
set action block <--- Block the file once the file type is matched
set direction any <--- Inspect both incoming and outgoing traffic
set encryption any <--- Inspect both encrypted and unencrypted files
set file-type "pdf" <--- The file type to match
next
edit "filter2"
set comment "Log graphics files"
set protocol http <--- Inspect only HTTP traffic
set action log <--- Log the file once the file type is matched
set direction incoming <--- Inspect only incoming traffic
set encryption any
set file-type "jpeg" "png" "gif" <--- Multiple file types can be configured in a single entry
next
edit "filter3"
set comment "Block upload of EXE files"
set protocol ftp <--- Inspect only FTP traffic
set action block <--- Block the file once the file type is matched
set direction outgoing <--- Inspect only outgoing traffic
set encryption any
set file-type "exe"
next
end
end
end
After configuring File Filter in the Web filter profile, we must apply it to a firewall policy using the following command:
config firewall policy
edit 1
set name "client-to-internet"
set srcintf "dmz"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set utm-inspection-mode proxy
set logtraffic all
set webfilter profile "webfilter-file-filter"
set profile-protocol-options "protocol"
set ssl-ssh-profile "protocols"
set nat enable
next
end
Log Example
GUI > VDOM > Log & Report > Web Filter:
Introduction
FortiOS 6.2.0 provides command line tools to view the web filtering statistics report. These tools currently fall into either proxy-based or flow-based web filter statistics commands.
• The proxy-based web filtering statistics command line tools are as follows. These commands are available in both the global and the per-VDOM command line.
# diagnose wad filter <---- define the objects of interest for the output
(global) # diag wad ?
console-log Send WAD log messages to the console.
debug Debug setting.
stats Show statistics.
filter Filter for listing sessions or tunnels. <---- use filter to select the objects of interest for the output
kxp SSL KXP diagnostics.
user User diagnostics.
memory WAD memory diagnostics.
restore Restore configuration defaults.
history Statistics history.
session Session diagnostics.
tunnel Tunnel diagnostics.
webcache Web cache statistics.
worker Worker diagnostics.
csvc Cache service diagnostics.
• In the example below, there are two VDOMs using proxy-based policies that have web filter profiles enabled. The command line can be used to view the proxy-based web filtering statistics report.
(global) # diag wad filter ?
list Display current filter.
clear Erase current filter settings.
src Source address range to filter by.
dst Destination address range to filter by.
sport Source port range to filter by.
dport Destination port range to filter by.
vd Virtual Domain Name. <---- filter for the per-VDOM or global statistics report
explicit-policy Index of explicit-policy. -1 matches all.
firewall-policy Index of firewall-policy. -1 matches all.
drop-unknown-session Enable drop message unknown sessions.
negate Negate the specified filter parameter.
protocol Select protocols to filter by.
• The flow-based web filtering statistics command line tools are as follows. These commands are available in the global command line only.
(global) # diag test app ipsmonitor
• In the example below, there are two VDOMs using flow-based policies that have web filter profiles enabled. The command line can be used to view the flow-based web filtering statistics report.
(global) # diag test app ipsmonitor 29
Global URLF states:
request: 14 <---- number of requests that the flow web filter (all IPS engines) received
DNS filter
Introduction
External Resources is a new feature introduced in FortiOS 6.0 that dynamically imports an external blacklist hosted on an HTTP server. FortiGate periodically retrieves a dynamic URL, domain name, IP address or malware hash list from the external HTTP server and uses it as a Web Filter remote category, a DNS filter remote category, a policy address object or an Antivirus profile malware definition. When the external resource is updated, the FortiGate objects update dynamically.
External Resources are divided into four categories:
• URL list (Type=category)
• Domain Name list (Type=domain)
• IP Address list (Type=address)
• Malware hash list (Type=malware)
A DNS Filter profile can use two types of external resources: domain type and address type. A domain type resource file is a domain name list, and an address type resource file is an IP address list.
When a domain type external resource is configured, the DNS Filter profile treats it as a Remote Category. If the domain name in a DNS query matches an entry in this external resource file, it is treated as the Remote Category and follows the action configured for that category in the DNS Filter profile.
When an address type external resource is configured, the DNS Filter profile can enable it as an external-ip-blocklist. If the resolved IP address in a DNS response matches an entry in the external-ip-blocklist, the DNS query is blocked by DNS Filter.
Use the CLI to configure the external resource files that sit on the external HTTP server. Under Global, configure the external resource file location and specify the resource type. DNS Filter can use domain type and address type external resources. In the following example, the file "Ext-Resource-Type-as-Domain-1.txt" is configured with type domain, so DNS Filter treats it as a Remote Category named "Ext-Resource-Type-as-Domain-1" with category-id 194. Another external resource file, "Ext-Resource-Type-as-Address-1.txt", is configured with type address, and its address object name is "Ext-Resource-Type-as-Address-1":
config system external-resource
edit "Ext-Resource-Type-as-Domain-1"
set type domain <----
set category 194 <----
set resource "http://172.16.200.66/external-resources/Ext-Resource-Type-as-Domain-1.txt"
set refresh-rate 1
next
edit "Ext-Resource-Type-as-Address-1"
set status enable
set type address <----
set username ''
set password
set comments ''
set resource "http://172.16.200.66/external-resources/Ext-Resource-Type-as-Address-1.txt"
set refresh-rate 1
next
end
In each VDOM, a domain type external resource can be used in DNS Filter as a Remote Category. In the above example, the domain name list in the "Ext-Resource-Type-as-Domain-1.txt" file is treated as a remote category (category-id 194). The IP address list in the "Ext-Resource-Type-as-Address-1.txt" file can be applied in DNS Filter as an external-ip-blocklist; if a resolved IP address matches any entry in that file, the DNS query is blocked. Configure the action for this remote category and enable external-ip-blocklist in a DNS Filter profile, then apply it in the policy:
config dnsfilter profile
edit "default"
set comment "Default dns filtering."
config ftgd-dns
config filters
edit 1
set category 194 <---- domain list in Ext-Resource-Type-as-Domain-1.txt treated as remote category 194
set action block
next
edit 2
set category 12
next
edit 3
next
end
end
set block-botnet enable
set external-ip-blocklist "Ext-Resource-Type-as-Address-1" <---- IP addresses in the "Ext-Resource-Type-as-Address-1" file
next
end
Configure, edit or view the entries for external resources from the GUI:
2. GUI > Global > Fabric Connectors page > Create New: click Create New and select Threat Feeds type Domain Name or IP Address.
3. GUI > Global > Fabric Connectors page: enter the Resource Name, the URL location of the resource file, the resource authentication credential, the refresh rate or a comment, and click OK to finish the Threat Feeds configuration.
4. GUI > Global > Fabric Connectors page: double-click the Threat Feeds object you just configured. In the Edit page, click View Entries to view the entry list in the external resource file.
5. GUI > VDOM > DNS Filter Profile page: the configured external resource is shown and can be applied in each DNS Filter profile.
Log Example
A DNS query for a domain that matches the Remote Category list is rated as the Remote Category, overriding its original domain rating.
GUI > VDOM > Log & Report > DNS Query:
CLI Example:
Email filter
Introduction
File Filter is a new feature introduced in FortiOS 6.2 that gives the Email filter profile the capability to block files passing through a FortiGate based on file type. In addition, the configuration for file type filtering has been greatly simplified. In previous FortiOS versions, file filtering could only be achieved by configuring a DLP (Data Leak Prevention) sensor.
In FortiOS 6.2, HTTP and FTP file filtering is configurable in the Web filter profile, and SMTP, POP3 and IMAP file filtering is configurable in the Email filter profile. This article discusses Email filter file filtering.
Currently, file filtering in the Email filter profile is based on file type (the file's metadata) only, not on file size or file content. Users still need to configure a DLP sensor to block files based on size or content such as SSN numbers, credit card numbers or a regexp.
GUI configuration has yet to be implemented. In addition, Email filter file filtering only works on proxy mode policies.
File Filter in Email filter profile supports the following file types:
xz Match xz files
msoffice Match MS-Office files. For example, doc, xls, ppt, and so on.
msofficex Match MS-Office XML files. For example, docx, xlsx, pptx, and so on.
rm Match rm files
Using the CLI, the file filtering configuration is nested inside the Email filter profile's configuration.
In the file filtering configuration, the file filtering functionality and its logging are independent of the Email filter profile.
To block or log a file type, we must configure file filter entries. Within each entry we can specify a file type, an action (log|block), the protocol to inspect (smtp|imap|pop3), the traffic direction to inspect (incoming|outgoing|any), and whether to match only encrypted files. Each file filter entry can specify multiple file types. File filter entries are ordered; however, block takes precedence over log.
In the CLI example below, we want the Email filter profile to file filter the following:
1. Block EXE files from being received or sent (filter1).
2. Log the sending of document files (filter2).
config emailfilter profile
edit "emailfilter-file-filter"
config file-filter
set status enable <--- Enable or disable file filtering
set log enable <--- Enable or disable logging for file filtering
set scan-archive-contents enable <--- Scan files inside archives such as ZIP and RAR
config entries
edit "filter1"
set comment "Block executable files"
set protocol smtp imap pop3 <--- Inspect all email traffic
set action block <--- Block the file once the file type is matched
set encryption any <--- Inspect both encrypted and unencrypted files
set file-type "exe" <--- The file type to match
next
edit "filter2"
set comment "Log document files"
set protocol smtp <--- Inspect only SMTP traffic
set action log <--- Log the file once the file type is matched
set encryption any
set file-type "pdf" "msoffice" "msofficex" <--- Multiple file types can be configured in a single entry
next
end
end
end
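The Web filter and Email filter file-filter entries above share one evaluation model: every entry whose protocol, direction, encryption setting and file type match is a hit, and a block hit wins over a log hit regardless of entry order. The following added example (Python, not FortiOS code) models that evaluation for both profiles, including archive members when scan-archive-contents is enabled; the encryption values yes/no beyond any, and the sample files, are assumptions constructed for the example.

```python
"""Model how ordered file-filter entries resolve to an action.

Added example, not FortiOS code. Mirrors the Web filter and Email filter
file-filter entries from the cookbook. Entries without a direction (the
email ones) match any direction. The encryption values "yes"/"no" are an
assumption; the page only shows "any".
"""
from dataclasses import dataclass, field


@dataclass
class Entry:
    name: str
    protocol: set            # e.g. {"http", "ftp"} or {"smtp", "imap", "pop3"}
    action: str              # "block" or "log"
    file_type: set           # detected file types this entry matches
    direction: str = "any"   # incoming | outgoing | any
    encryption: str = "any"  # any | yes | no (yes/no assumed)


@dataclass
class TransferredFile:
    file_type: str           # detected type of the file itself, e.g. "pdf"
    protocol: str
    direction: str           # incoming | outgoing
    encrypted: bool = False
    archive_members: list = field(default_factory=list)  # types found inside an archive


def entry_matches(entry, ftype, f):
    """True if one detected type of the transfer matches the entry."""
    if f.protocol not in entry.protocol:
        return False
    if entry.direction != "any" and entry.direction != f.direction:
        return False
    if entry.encryption == "yes" and not f.encrypted:
        return False
    if entry.encryption == "no" and f.encrypted:
        return False
    return ftype in entry.file_type


def evaluate(entries, f, scan_archive_contents=True):
    """Return (action, [names of matching entries]); action is block, log or pass."""
    types = [f.file_type]
    if scan_archive_contents:
        types += f.archive_members        # scan-archive-contents enable
    hits = [e.name for e in entries
            if any(entry_matches(e, t, f) for t in types)]
    # Entries are ordered, but a block match takes precedence over a log match.
    actions = {e.action for e in entries if e.name in hits}
    if "block" in actions:
        return "block", hits
    if "log" in actions:
        return "log", hits
    return "pass", hits


# The cookbook's three Web filter entries (filter3 blocks, as its comment says).
WEB_ENTRIES = [
    Entry("filter1", {"http", "ftp"}, "block", {"pdf"}),
    Entry("filter2", {"http"}, "log", {"jpeg", "png", "gif"}, direction="incoming"),
    Entry("filter3", {"ftp"}, "block", {"exe"}, direction="outgoing"),
]

# The cookbook's two Email filter entries.
EMAIL_ENTRIES = [
    Entry("filter1", {"smtp", "imap", "pop3"}, "block", {"exe"}),
    Entry("filter2", {"smtp"}, "log", {"pdf", "msoffice", "msofficex"}),
]


if __name__ == "__main__":
    # Constructed sample: a ZIP downloaded over HTTP containing a PNG and a PDF.
    archive = TransferredFile("zip", "http", "incoming", archive_members=["png", "pdf"])
    print(evaluate(WEB_ENTRIES, archive))                             # ('block', ['filter1', 'filter2'])
    print(evaluate(WEB_ENTRIES, archive, scan_archive_contents=False))  # ('pass', [])
    print(evaluate(EMAIL_ENTRIES, TransferredFile("pdf", "smtp", "outgoing")))
```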
After configuring File Filter in Email filter profile, we must apply it to a firewall policy.
config firewall policy
edit 1
set name "client-to-internet"
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set utm-inspection-mode proxy
set logtraffic all
set emailfilter profile "emailfilter-file-filter"
set profile-protocol-options "protocol"
set ssl-ssh-profile "protocols"
set nat enable
next
end
CLI Example:
FortiGate supports multiple authentication methods. This topic explains using an external authentication server with
Kerberos as primary and NTLM as fallback.
2. Configure the authentication server and create user groups on the GUI. Since we are using an external authentication server with Kerberos as the primary method and NTLM as the fallback, configure Kerberos authentication followed by FSSO NTLM authentication.
a. Configure Kerberos authentication on the FortiGate from the GUI: create an LDAP server instance. Go to User & Device > LDAP Servers. Click Create New and name it ldap-kerberos, with Server IP 172.18.62.220, Server Port 389, Common Name Identifier cn and Distinguished Name dc=fortinetqa,dc=local, then click OK. Defining Kerberos as an authentication service is only supported from the CLI. Configure Kerberos authentication on the FortiGate from the CLI:
config user ldap
edit "ldap-kerberos"
set server "172.18.62.220"
set cnid "cn"
set dn "dc=fortinetqa,dc=local"
set type regular
set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
set password ENC
6q9ZE0QNH4tp3mnL83IS/BlMob/M5jW3cAbgOqzTBsNTrGD5Adef8BZTquu46NNZ8KWoIoclAMlrGTR0z1IqT8n
7FIDV/nqWKdU0ehgwlqMvPmOW0+S2+kYMhbEj7ZgxiIRrculJIKoZ2gjqCorO3P0BkumbyIW1jAdPTOQb749n4O
cEwRYuZ2odHTwWE8NJ3ejGOg==
next
end
b. Configure FSSO NTLM authentication: in a Windows AD network, FSSO can also provide an NTLM authentication service to the FortiGate unit. When the user makes a request that requires authentication, the FortiGate unit initiates NTLM negotiation with the client browser. The FortiGate unit does not process the NTLM packets itself; instead, it forwards all NTLM packets to the FSSO service for processing. Configure FSSO NTLM authentication on the GUI: go to Security Fabric > Fabric Connectors. Click Create New and select Fortinet Single Sign-On Agent. Name it FSSO, set Primary FSSO Agent to 172.16.200.220, specify the Password and click OK. Configure FSSO NTLM authentication on the CLI:
config user fsso
edit "1"
set server "172.18.62.220"
set password ENC
4e2IiorhPCYvSWw4DbthmLdpJuvIFXpayG0gk1DHZ6TYQPMLjuiG9k7/+qRneCtztBfbzRr1pcyC6Zj3det2pvW
dKchMShyz67v4c7s6sIRf8GooPBRZJtg03cmPg0vd/fT1xD393hiiMecVGCHXOBHAJMkoKmPNjc3Ga/e78rWYeH
uWK1lu2Bk64EXxKFt799UgBA==
next
end
c. Configure groups: for successful authorization, the FortiGate checks whether a user belongs to one of the groups permitted in the security policy.
• Create a user group for Kerberos authentication on the GUI. Go to User & Device > User Groups. Click Create New. Set the name to Ldap-Group and the Type to Firewall. Click Add Remote Groups, specify the ldap-kerberos server created in step 2 and click OK. Create the user group for Kerberos authentication on the CLI as follows:
• Create a user group for NTLM authentication on the GUI: go to User & Device > User Groups. Click Create New. Name it FSSO_Group, set Members to FORTINETQA/FSSO and click OK. Create the user group for NTLM authentication on the CLI:
config user group
edit "NTLM-FSSO-Group"
set group-type fsso-service
set member "FORTINETQA/FSSO"
next
end
3. Explicit Proxy Authentication is managed by authentication scheme and rules. Create authentication scheme
followed by authentication rule. Both can be created from GUI as well as from CLI.
a. Create Authentication Scheme:
Go to Policy & Objects > Authentication Rules. Click Create New and select Authentication Scheme.
Specify the name Auth-scheme-Negotiate and select the method. For this example, we can select Negotiate.
b. Create Authentication Rule:
Go to Policy & Object > Authentication Rules. Click Create New and select Authentication Rules. Specify
the name as Auth-Rule, select source address as all, Protocol as HTTP, Authentication Scheme as Auth-
scheme-Negotiate created in step 3.
Configure Explicit Proxy with Authentication using CLI:
config authentication scheme
edit "Auth-scheme-Negotiate"
set method negotiate <<< Accepts both Kerberos
next
end
4. To create explicit proxy policy and assign user group to the policy on GUI:
a. Go to Policy & Object > Proxy Policy. Click Create New. Specify the Proxy Type as Explicit Web, Outgoing
Interface as Port1, source as all and NTLM-FSSO-Grp and ldap-kerberos created in step 2. Specify the
Destination as all, Service as Webproxy, and Schedule as always.
b. Configure explicit proxy policy and assign user group to the policy on CLI:
config firewall proxy-policy
edit 1
set uuid 722b6130-13aa-51e9-195b-c4196568d667
5. Diagnostics
Log in from a system that is joined to the domain; it is authenticated using Kerberos. Once logged in, use the command diagnose wad user list to verify.
ID: 8, IP: 10.1.100.71, VDOM: vdom1
user name : [email protected]
duration : 389
auth_type : IP
auth_method : Negotiate
pol_id : 1
g_id : 1
user_based : 0
expire : no
LAN:
bytes_in=4862 bytes_out=11893
WAN:
bytes_in=7844 bytes_out=1023
Try with a system that is not part of the domain; NTLM is used as the fallback. Use the command diagnose wad user list to verify once the user is logged in.
ID: 2, IP: 10.1.100.202, VDOM: vdom1
user name : TEST31@FORTINETQA
duration : 7
auth_type : IP
auth_method : NTLM
pol_id : 1
g_id : 5
user_based : 0
expire : no
LAN:
bytes_in=6156 bytes_out=16149
WAN:
bytes_in=7618 bytes_out=1917
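The two diagnose wad user list records above differ only in auth_method, which is the field that tells you whether Negotiate resolved to Kerberos or fell back to NTLM. The following added example (Python, not FortiOS code) parses that output layout into records and lists the sessions that used the NTLM fallback; the sample output is constructed from the layout shown above with placeholder user names.

```python
"""Parse 'diagnose wad user list' output and report which auth method won.

Added example, not FortiOS code. The sample output is constructed from
the record layout shown in the cookbook (user names are placeholders).
With a Negotiate scheme, domain members authenticate with Kerberos and
NTLM is the fallback, so NTLM records are the ones to review.
"""
import re

SAMPLE_OUTPUT = """\
ID: 8, IP: 10.1.100.71, VDOM: vdom1
  user name : user1@FORTINETQA.LOCAL
  duration : 389
  auth_type : IP
  auth_method : Negotiate
  pol_id : 1
  g_id : 1
  user_based : 0
  expire : no
  LAN:
    bytes_in=4862 bytes_out=11893
  WAN:
    bytes_in=7844 bytes_out=1023
ID: 2, IP: 10.1.100.202, VDOM: vdom1
  user name : TEST31@FORTINETQA
  duration : 7
  auth_type : IP
  auth_method : NTLM
  pol_id : 1
  g_id : 5
  user_based : 0
  expire : no
  LAN:
    bytes_in=6156 bytes_out=16149
  WAN:
    bytes_in=7618 bytes_out=1917
"""

HEADER = re.compile(r"^ID:\s*(\d+),\s*IP:\s*([^,\s]+),\s*VDOM:\s*(\S+)")
BYTES = re.compile(r"bytes_in=(\d+)\s+bytes_out=(\d+)")


def parse_wad_user_list(text):
    """Return one dict per user record; LAN/WAN counters become nested dicts."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = {"id": int(m.group(1)), "ip": m.group(2), "vdom": m.group(3)}
            records.append(current)
            section = None
            continue
        if current is None or not line:
            continue
        if line in ("LAN:", "WAN:"):
            section = line[:-1].lower()
            continue
        b = BYTES.search(line)
        if b and section:
            current[section] = {"bytes_in": int(b.group(1)), "bytes_out": int(b.group(2))}
            continue
        key, sep, value = line.partition(":")
        if sep:
            # "user name" becomes "user_name"; other keys are already underscored.
            current[key.strip().replace(" ", "_")] = value.strip()
    return records


def fallback_users(records):
    """Sessions authenticated by the NTLM fallback rather than Kerberos."""
    return [r for r in records if r.get("auth_method", "").upper() == "NTLM"]


if __name__ == "__main__":
    for r in fallback_users(parse_wad_user_list(SAMPLE_OUTPUT)):
        print(f"NTLM fallback: id={r['id']} ip={r['ip']} user={r['user_name']}")
```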
This recipe provides a sample configuration of site-to-site IPsec VPN in an HA environment. You must enable two options to ensure IPsec VPN traffic is not interrupted during an HA failover:
• session-pickup under the HA settings
• ha-sync-esp-seqno under the IPsec phase1-interface settings
The following shows the sample network topology for this recipe:
You can configure IPsec VPN in an HA environment using the FortiOS GUI or CLI.
In the examples below, the VPN name on HQ1 is "to_HQ2", and the VPN name on HQ2 is "to_HQ1".
1. Configure HA. In this example, two FortiGates work in active-passive mode. The HA heartbeat interfaces are
WAN1 and WAN2:
config system ha
set group-name "FGT-HA"
set mode a-p
set password sample
set hbdev "wan1" 50 "wan2" 50
set session-pickup enable
set priority 200
set override-wait-time 10
end
2. Configure the WAN interface and default route. The WAN interface is the interface connected to the ISP. It can
work in static mode (as shown in the example), DHCP, or PPPoE mode. The IPsec tunnel is established over the
WAN interface.
a. Configure HQ1:
config system interface
edit "port1"
set vdom "root"
set ip 172.16.200.1 255.255.255.0
next
end
8. Run diagnose commands. These diagnose commands are useful to check IPsec phase1/phase2 interface
statuses, including the sequence number on the secondary FortiGate. The diagnose debug application
ike -1 command is the key to figure out why the IPsec tunnel failed to establish.
a. Run the HQ1 # diagnose vpn ike gateway list command. The system should return the following:
vd: root/0
name: to_HQ2
version: 1
interface: port1 11
addr: 172.16.200.1:500 -> 172.16.202.1:500
created: 5s ago
IKE SA: created 1/1 established 1/1 time 0/0/0 ms
IPsec SA: created 2/2 established 2/2 time 0/0/0 ms
This recipe provides a sample configuration that uses OSPF over IPsec VPN to achieve network redundancy. Route selection is based on the OSPF cost calculation, so ECMP or primary/secondary routes are easily achieved by adjusting the OSPF path cost.
The following shows the sample network topology for this recipe:
As only partial configuration can be completed from the GUI, it is recommended to achieve this configuration via the
CLI commands as shown below.
To configure OSPF with IPsec VPN to achieve network redundancy using the CLI:
1. Configure the WAN interfaces and static routes. Each FortiGate has two WAN interfaces connected to different ISPs. The ISP1 link is for the primary tunnel and the ISP2 link is for the secondary tunnel:
a. Configure HQ1:
config system interface
edit "port1"
set alias to_ISP1
set ip 172.16.200.1 255.255.255.0
next
edit "port2"
set alias to_ISP2
set ip 172.17.200.1 255.255.255.0
next
end
config router static
edit 1
set gateway 172.16.200.3
set device "port1"
next
edit 2
set gateway 172.17.200.3
set device "port2"
set priority 100
next
end
b. Configure HQ2:
config system interface
edit "port25"
set alias to_ISP1
set ip 172.16.202.1 255.255.255.0
next
edit "port26"
set alias to_ISP2
set ip 172.17.202.1 255.255.255.0
next
end
config router static
edit 1
set gateway 172.16.202.2
b. Configure HQ2:
config vpn ipsec phase1-interface
edit "pri_HQ1"
set interface "port25"
set peertype any
set net-device enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set remote-gw 172.16.200.1
set psksecret sample1
next
edit "sec_HQ1"
set interface "port26"
set peertype any
set net-device enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set remote-gw 172.17.200.1
set psksecret sample2
next
end
config vpn ipsec phase2-interface
edit "pri_HQ1"
set phase1name "pri_HQ1"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set auto-negotiate enable
next
edit "sec_HQ1"
set phase1name "sec_HQ1"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set auto-negotiate enable
next
end
4. Configure an inbound and outbound firewall policy for each IPsec tunnel:
a. Configure HQ1:
config firewall policy
edit 1
set name "pri_inbound"
set srcintf "pri_HQ2"
set dstintf "dmz"
set srcaddr "172.16.101.0"
set dstaddr "10.1.100.0"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set name "pri_outbound"
set srcintf "dmz"
set dstintf "pri_HQ2"
set srcaddr "10.1.100.0"
set dstaddr "172.16.101.0"
set action accept
set schedule "always"
set service "ALL"
next
edit 3
set name "sec_inbound"
set srcintf "sec_HQ2"
set dstintf "dmz"
set srcaddr "172.16.101.0"
set dstaddr "10.1.100.0"
set action accept
set schedule "always"
set service "ALL"
next
edit 4
set name "sec_outbound"
set srcintf "dmz"
set dstintf "sec_HQ2"
set srcaddr "10.1.100.0"
set dstaddr "172.16.101.0"
set action accept
set schedule "always"
set service "ALL"
next
end
b. Configure HQ2:
config firewall policy
edit 1
set name "pri_inbound"
set srcintf "pri_HQ1"
set dstintf "port9"
set srcaddr "10.1.100.0"
set dstaddr "172.16.101.0"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set name "pri_outbound"
set srcintf "port9"
set dstintf "pri_HQ1"
set srcaddr "10.1.100.0"
set dstaddr "172.16.101.0"
set action accept
set schedule "always"
set service "ALL"
next
edit 3
set name "sec_inbound"
set srcintf "sec_HQ1"
set dstintf "port9"
set srcaddr "10.1.100.0"
set dstaddr "172.16.101.0"
set action accept
set schedule "always"
set service "ALL"
next
edit 4
set name "sec_outbound"
set srcintf "port9"
set dstintf "sec_HQ1"
next
edit 3
set prefix 10.1.100.0 255.255.255.0
next
end
end
b. Configure HQ2:
config router ospf
set router-id 2.2.2.2
config area
edit 0.0.0.0
next
end
config ospf-interface
edit "pri_HQ1"
set interface "pri_HQ1"
set cost 10
set network-type point-to-point
next
edit "sec_HQ1"
set interface "sec_HQ1"
set cost 20
set network-type point-to-point
next
end
config network
edit 1
set prefix 10.10.10.0 255.255.255.0
next
edit 2
set prefix 10.10.11.0 255.255.255.0
next
edit 3
set prefix 172.16.101.0 255.255.255.0
next
end
end
7. Run diagnose/get commands to check VPN and OSPF states:
a. Run the HQ1 # diagnose vpn ike gateway list command. The system should return the following:
vd: root/0
name: pri_HQ2
version: 1
interface: port1 11
addr: 172.16.200.1:500 -> 172.16.202.1:500
virtual-interface-addr: 10.10.10.1 -> 10.10.10.2
created: 1024s ago
IKE SA: created 1/1 established 1/1 time 0/0/0 ms
IPsec SA: created 1/3 established 1/2 time 0/5/10 ms
id/spi: 45 d184777257b4e692/e2432f834aaf5658 direction: responder status: established 1024-1024s ago = 0ms proposal: aes128-sha256 key: 9ed41fb06c983344-189538046f5ad204 lifetime/rekey: 86400/85105 DPD sent/recv: 00000003/00000000
vd: root/0
name: sec_HQ2
version: 1
interface: port2 12
e. Run the HQ1 # get router info routing-table ospf command. The system should return the
following:
Routing table for VRF=0
O 172.16.101.0/24 [110/110] via 10.10.11.2, sec_HQ2, 00:00:01
This recipe gives a sample configuration that uses an IPsec aggregate to achieve redundancy and traffic load balancing:
• Multiple site-to-site IPsec VPN (net-device disable) tunnel interfaces as members of the ipsec-aggregate
• Four load-balancing algorithms: round-robin (default), L3, L4 and redundant
The following shows the sample network topology for this recipe:
As only partial configuration can be completed from the GUI, it is recommended to achieve this configuration via the
CLI commands as shown below.
To configure IPsec aggregate to achieve redundancy and traffic load-balancing using the CLI:
1. Configure the WAN interfaces and static routes. Each FortiGate has two WAN interfaces connected to different ISPs. The ISP1 link is for the primary tunnel and the ISP2 link is for the secondary tunnel:
a. Configure HQ1:
config system interface
edit "port1"
set alias to_ISP1
set ip 172.16.200.1 255.255.255.0
next
edit "port2"
set alias to_ISP2
set ip 172.17.200.1 255.255.255.0
next
end
config router static
edit 1
set gateway 172.16.200.3
set device "port1"
next
edit 2
set gateway 172.17.200.3
set device "port2"
set priority 100
next
end
b. Configure HQ2:
config system interface
edit "port25"
next
end
5. Configure the firewall policy:
a. Configure HQ1:
config firewall policy
edit 1
set name "inbound"
set srcintf "agg_HQ2"
set dstintf "dmz"
set srcaddr "172.16.101.0"
set dstaddr "10.1.100.0"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set name "outbound"
set srcintf "dmz"
set dstintf "agg_HQ2"
set srcaddr "10.1.100.0"
set dstaddr "172.16.101.0"
set action accept
set schedule "always"
set service "ALL"
next
end
b. Configure HQ2:
config firewall policy
edit 1
set name "inbound"
set srcintf "agg_HQ1"
set dstintf "port9"
set srcaddr "10.1.100.0"
set dstaddr "172.16.101.0"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set name "outbound"
set srcintf "port9"
set dstintf "agg_HQ1"
set srcaddr "172.16.101.0"
set dstaddr "10.1.100.0"
set action accept
set schedule "always"
set service "ALL"
next
end
6. Assign an IP address to the ipsec-aggregate interface. In this example, OSPF runs over the ipsec-aggregate interface. No IP address is required when a static route is used instead. HQ1:
a. Configure HQ1:
config system interface
edit "agg_HQ2"
set ip 10.10.10.1 255.255.255.255
This recipe provides a sample configuration of hub and spoke IPsec VPN. The following applies to this scenario:
• The spokes have two WAN interfaces and two IPsec VPN tunnels for redundancy.
• The secondary VPN tunnel comes up only when dead peer detection detects that the primary tunnel is down.
The following shows the sample network topology for this recipe:
As only partial configuration can be completed from the GUI, it is recommended to achieve this configuration via the
CLI commands as shown below.
To configure redundant hub and spoke VPN using the FortiOS CLI:
Dialup VPN
This recipe provides a sample configuration of dialup IPsec VPN and the dialup client. In this example, a branch office FortiGate connects via dialup IPsec VPN to the HQ FortiGate.
The following shows the sample network topology for this recipe:
You can configure dialup IPsec VPN with a FortiGate as the dialup client using the FortiOS GUI or CLI.
To configure IPsec VPN with FortiClient as the dialup client on the GUI:
To configure IPsec VPN with FortiClient as the dialup client using the CLI:
1. In the FortiOS CLI, configure the user, user group, and firewall address by running the following commands. Only
the HQ dialup server FortiGate needs this configuration. The address is an IP pool to assign an IP address for the
dialup client FortiGate.
config user local
edit "vpnuser1"
set type password
set passwd your-password
next
end
config user group
edit "vpngroup"
set member "vpnuser1"
next
end
config firewall address
edit "client_range"
set type iprange
set start-ip 10.10.10.1
set end-ip 10.10.10.200
next
end
2. Configure the WAN interface and default route. The WAN interface is the interface connected to the ISP. It can
work in static mode (as shown in the example), DHCP, or PPPoE mode. The IPsec tunnel is established over the
WAN interface:
a. Configure the HQ FortiGate:
config system interface
edit "wan1"
set vdom "root"
set ip 11.101.1.1 255.255.255.0
next
end
config router static
edit 1
set gateway 11.101.1.2
set device "wan1"
next
end
3. Configure the internal interface and protected subnet. The internal interface connects to the internal network.
Traffic from this interface will route out the IPsec VPN tunnel:
a. Configure the HQ FortiGate:
config system interface
edit "dmz"
set vdom "root"
set ip 10.1.100.1 255.255.255.0
next
end
config firewall address
edit "10.1.100.0"
set subnet 10.1.100.0 255.255.255.0
next
end
4. Configure the IPsec phase1-interface. In this example, PSK is used as the authentication method. Signature
authentication is also an option:
a. Configure the HQ FortiGate:
config vpn ipsec phase1-interface
edit "for_Branch"
set type dynamic
set interface "wan1"
set mode aggressive
set peertype any
set mode-cfg enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set add-route disable
set dpd on-idle
set xauthtype auto
set authusrgrp "vpngroup"
set net-device enable
set assign-ip-from name
set dns-mode auto
set ipv4-split-include "10.1.100.0"
set ipv4-name "client_range"
set save-password enable
set psksecret sample
set dpd-retryinterval 60
next
end
6. Configure the static routes on the branch office FortiGate. The blackhole route is important to ensure that IPsec
traffic does not match the default route when the IPsec tunnel is down:
config router static
edit 2
set dst 10.1.100.0 255.255.255.0
set device "to_HQ"
next
edit 3
set dst 10.1.100.0 255.255.255.0
set blackhole enable
set distance 254
next
end
7. Configure the firewall policy to allow the branch office to HQ network flow over the IPsec tunnel. This configuration
only supports traffic from the branch office FortiGate to the HQ FortiGate. Traffic is dropped from the HQ FortiGate
to the branch office FortiGate:
a. Configure the HQ FortiGate:
config firewall policy
edit 1
set name "inbound"
set srcintf "for_Branch"
set dstintf "dmz"
set srcaddr "172.16.101.0"
set dstaddr "10.1.100.0"
set action accept
set schedule "always"
set service "ALL"
next
end
8. Run diagnose commands. These diagnose commands are useful to check the IPsec phase1/phase2 interface
status. The diagnose debug application ike -1 command is the key to figure out why the IPsec tunnel
failed to establish.
a. Run the diagnose vpn ike gateway list command on the HQ FortiGate. The system should return
the following:
vd: root/0
name: for_Branch_0
version: 1
interface: wan1 5
xauth-user: vpnuser1
direction: responder
proposal: aes128-sha256
key: 8046488e92499247-fbbb4f6dfa4952d0
lifetime/rekey: 86400/84157
b. Run the diagnose vpn tunnel list command on the HQ FortiGate. The system should return the
following:
list all ipsec tunnel in vd 0
parent=for_Branch index=0
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
dec:pkts/bytes=8/672, enc:pkts/bytes=8/1216
run_tally=0
c. Run the diagnose vpn ike gateway list command on the branch office FortiGate. The system
should return the following:
vd: root/0
name: to_HQ
version: 1
interface: port13 42
id/spi: 93 5b1c59fab2029e43/bf517e686d3943d2
direction: initiator
proposal: aes128-sha256
key: 8046488e92499247-fbbb4f6dfa4952d0
lifetime/rekey: 86400/84083
d. Run the diagnose vpn tunnel list command on the branch office FortiGate. The system should
return the following:
list all ipsec tunnel in vd 0
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
dec:pkts/bytes=1/84, enc:pkts/bytes=2/304
This recipe provides sample configuration of dialup IPsec VPN with FortiClient as the dialup client.
The following shows the sample network topology for this recipe:
You can configure dialup IPsec VPN with FortiClient as the dialup client using the FortiOS GUI or CLI.
To configure IPsec VPN with FortiClient as the dialup client on the GUI:
1. In FortiOS, go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
a. Enter a proper VPN name.
b. For Template Type, choose Remote Access.
c. For Remote Device Type, select Client-based > FortiClient.
d. Click Next.
2. Configure the following settings for Authentication:
a. For Incoming Interface, select wan1.
b. For Authentication Method, select Pre-shared Key.
c. In the Pre-shared Key field, enter your-psk as the key.
d. From the User Group dropdown list, select vpngroup.
e. Click Next.
3. Configure the following settings for Policy & Routing:
a. From the Local Interface dropdown menu, select lan.
b. Configure the Local Address as local_network.
c. Configure the Client Address Range as 10.10.2.1-10.10.2.200.
d. Keep the default values for the Subnet Mask, DNS Server, Enable IPv4 Split tunnel, and Allow Endpoint
Registration options.
e. Click Create.
To configure IPsec VPN with FortiClient as the dialup client using the CLI:
1. In the FortiOS CLI, configure the user and group by running the following commands:
config user local
edit "vpnuser1"
set type password
set passwd your-password
next
end
config user group
edit "vpngroup"
set member "vpnuser1"
next
end
2. Configure the internal interface. The LAN interface connects to the corporate internal network. Traffic from this
interface will route out the IPsec VPN tunnel. Creating an address group for the protected network behind this
FortiGate will cause traffic to this network group to go through the IPsec tunnel:
config system interface
edit "lan"
set vdom "root"
set ip 10.10.111.1 255.255.255.0
next
end
3. Configure the WAN interface. The WAN interface is the interface connected to the ISP. It can work in static mode
(as shown in the example), DHCP, or PPPoE mode. The IPsec tunnel is established over the WAN interface.
config system interface
edit "wan1"
set vdom "root"
set ip 172.20.120.123 255.255.255.0
next
end
4. Configure the client address pool. You must create a firewall address to assign an IP address to a client from the
address pool.
config firewall address
edit "client_range"
set type iprange
set comment "VPN client range"
set start-ip 10.10.2.1
set end-ip 10.10.2.200
next
end
5. Configure the IPsec phase1-interface. In this example, PSK is used as the authentication method. Signature
authentication is also an option.
config vpn ipsec phase1-interface
edit "for_client"
set type dynamic
set interface "wan1"
set mode aggressive
set peertype any
set net-device enable
set mode-cfg enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set dpd on-idle
set xauthtype auto
set authusrgrp "vpngroup"
set assign-ip-from name
set ipv4-name "client_range"
set dns-mode auto
set ipv4-split-include "local_network"
set save-password enable
set psksecret your-psk
set dpd-retryinterval 60
next
end
7. Configure the firewall policy to allow client traffic flow over the IPsec VPN tunnel:
config firewall policy
edit 1
set name "inbound"
set srcintf "for_client"
set dstintf "lan"
set srcaddr "client_range"
set dstaddr "local_network"
set action accept
set schedule "always"
set service "ALL"
next
end
8. Configure FortiClient. In this example, FortiClient (Windows) 6.0.3 build 0155 is used:
a. In FortiClient, go to Remote Access and select Add a new connection.
b. Set the Type to IPsec VPN and the Remote Gateway to the FortiGate IP address.
c. Set the Authentication Method to Pre-Shared Key and enter the key. Click Save.
d. Select the VPN, enter the username and password, then select Connect.
9. Run diagnose commands. These diagnose commands are useful to check the IPsec phase1/phase2 interface
status. The diagnose debug application ike -1 command is the key to figure out why the IPsec tunnel
failed to establish.
a. Run the diagnose vpn ike gateway list command. The system should return the following:
vd: root/0
name: for_client_0
version: 1
interface: port1 15
xauth-user: vpnuser1
nat: me peer
id/spi: 1 b40a32d878d5e262/8bba553563a498f4
direction: responder
proposal: aes256-sha256
key: f4ad7ec3a4fcfd09-787e2e9b7bceb9a7-0dfa183240d838ba-41539863e5378381
lifetime/rekey: 86400/86092
b. Run the diagnose vpn tunnel list command. The system should return the following:
list all ipsec tunnel in vd 0
parent=for_client index=0
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:10.10.1.1-10.10.1.1:0
dec:pkts/bytes=1/16330, enc:pkts/bytes=0/0
This recipe provides sample configuration of dialup IPsec VPN with an iPhone or iPad as the dialup client.
The following shows the sample network topology for this recipe:
You can configure dialup IPsec VPN with an iOS device as the dialup client using the FortiOS GUI or CLI.
To configure IPsec VPN with an iOS device as the dialup client on the GUI:
1. In FortiOS, go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
a. Enter a proper VPN name.
b. For Template Type, choose Remote Access.
c. For Remote Device Type, select Native > iOS Native.
d. For NAT Configuration, set No NAT Between Sites.
e. Click Next.
2. Configure the following settings for Authentication:
a. For Incoming Interface, select wan1.
b. For Authentication Method, select Pre-shared Key.
c. In the Pre-shared Key field, enter your-psk as the key.
d. From the User Group dropdown list, select vpngroup.
e. Deselect Require 'Group Name' on VPN client.
f. Click Next.
3. Configure the following settings for Policy & Routing:
a. From the Local Interface dropdown menu, select lan.
b. Configure the Local Address as local_network.
c. Configure the Client Address Range as 10.10.2.1-10.10.2.200.
d. Keep the default values for the Subnet Mask, DNS Server, and Enable IPv4 Split tunnel options.
e. Click Create.
To configure IPsec VPN with an iOS device as the dialup client using the CLI:
1. In the FortiOS CLI, configure the user and group by running the following commands:
config user local
edit "vpnuser1"
set type password
set passwd your-password
next
end
config user group
edit "vpngroup"
next
end
2. Configure the internal interface. The LAN interface connects to the corporate internal network. Traffic from this
interface will route out the IPsec VPN tunnel. Creating an address group for the protected network behind this
FortiGate will cause traffic to this network group to go through the IPsec tunnel:
config system interface
edit "lan"
set vdom "root"
set ip 10.10.111.1 255.255.255.0
next
end
3. Configure the WAN interface. The WAN interface is the interface connected to the ISP. It can work in static mode
(as shown in the example), DHCP, or PPPoE mode. The IPsec tunnel is established over the WAN interface.
config system interface
edit "wan1"
set vdom "root"
set ip 172.20.120.123 255.255.255.0
next
end
4. Configure the client address pool. You must create a firewall address to assign an IP address to a client from the
address pool.
config firewall address
edit "client_range"
set type iprange
set comment "VPN client range"
set start-ip 10.10.2.1
set end-ip 10.10.2.200
next
end
5. Configure the IPsec phase1-interface. In this example, PSK is used as the authentication method. Signature
authentication is also an option.
7. Configure the firewall policy to allow client traffic flow over the IPsec VPN tunnel:
config firewall policy
edit 1
set name "ios_vpn"
set srcintf "for_ios_p1"
set dstintf "lan"
set srcaddr "ios_range"
set dstaddr "local_network"
set action accept
set schedule "always"
set service "ALL"
next
end
9. Run diagnose commands. These diagnose commands are useful to check the IPsec phase1/phase2 interface
status. The diagnose debug application ike -1 command is the key to figure out why the IPsec tunnel
failed to establish.
a. Run the diagnose vpn ike gateway list command. The system should return the following:
vd: root/0
name: for_ios_p1_0
version: 1
interface: port1 15
xauth-user: u1
nat: me peer
b. Run the diagnose vpn tunnel list command. The system should return the following:
list all ipsec tunnel in vd 0
parent=for_ios_p1 index=0
ADVPN
This recipe provides sample configuration of ADVPN with BGP as the routing protocol. The following options must be
enabled for this configuration:
l On the hub FortiGate, IPsec phase1-interface net-device disable must be run.
l IBGP must be used between the hub and spoke FortiGates.
l bgp neighbor-group/neighbor-range must be used.
The following shows the sample network topology for this recipe:
As only partial configuration can be completed from the GUI, it is recommended to achieve this configuration via the
CLI commands as shown below.
To configure ADVPN with BGP as the routing protocol using the FortiOS CLI:
1. In the FortiOS CLI, configure hub FortiGate's WAN, internal interface, and static route:
config system interface
edit "port9"
set alias "WAN"
set ip 22.1.1.1 255.255.255.0
next
edit "port10"
aes256gcm chacha20poly1305
set auto-negotiate enable
next
edit "spoke2_backup"
set phase1name "spoke2_backup"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set auto-negotiate enable
next
end
next
end
config network
edit 1
set prefix 192.168.4.0 255.255.255.0
next
end
end
4. Run diagnose and get commands to check VPN and BGP states. All following commands should be run on
Spoke1:
a. Run the diagnose vpn tunnel list command on Spoke1. The system should return the following:
list all ipsec tunnel in vd 0
----
name=spoke1 ver=1 serial=2 15.1.1.2:0->22.1.1.1:0
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu
create_dev frag-rfc accept_traffic=1
b. Run the get router info bgp summary command on Spoke1. The system should return the following:
Neighbor V AS MsgRcvd
c. Run the get router info routing-table bgp command on Spoke1. The system should return the
following:
Routing table for VRF=0
B 172.16.101.0/24 [200/0] via 10.10.10.254, spoke1, 00:23:57
B 192.168.4.0/24 [200/0] via 10.10.10.254, spoke1, 00:22:03
d. Generate traffic between the spokes, then check the shortcut tunnel and routing table. Run the diagnose
vpn tunnel list command on Spoke1. The system should return the following:
list all ipsec tunnel in vd 0
----
name=spoke1 ver=1 serial=2 15.1.1.2:0->22.1.1.1:0
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu
create_dev frag-rfc accept_traffic=1
parent=spoke1 index=0
proxyid_num=1 child_num=0 refcnt=17 ilast=4 olast=4 ad=r/2
e. Run the get router info routing-table bgp command. The system should return the following:
Routing table for VRF=0
B 172.16.101.0/24 [200/0] via 10.10.10.254, spoke1, 00:23:57
B 192.168.4.0/24 [200/0] via 10.10.10.3, spoke1_0 , 00:22:03
This recipe provides sample configuration of ADVPN with OSPF as the routing protocol. The following options must be
enabled for this configuration:
l On the hub FortiGate, IPsec phase1-interface net-device enable must be run.
l OSPF must be used between the hub and spoke FortiGates.
The following shows the sample network topology for this recipe:
As only partial configuration can be completed from the GUI, it is recommended to achieve this configuration via the
CLI commands as shown below.
To configure ADVPN with OSPF as the routing protocol using the FortiOS CLI:
1. In the FortiOS CLI, configure hub FortiGate's WAN, internal interface, and static route:
config system interface
edit "port9"
set distance 15
next
edit 2
set gateway 15.1.1.1
set device "wan1"
next
end
next
edit "spoke2_backup"
set phase1name "spoke2_backup"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set auto-negotiate enable
next
end
next
end
4. Run diagnose and get commands to check VPN and OSPF states. All following commands should be run on
Spoke1:
a. Run the diagnose vpn tunnel list command on Spoke1. The system should return the following:
list all ipsec tunnel in vd 0
----
name=spoke1 ver=1 serial=2 15.1.1.2:0->22.1.1.1:0
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu
create_dev frag-rfc accept_traffic=1
b. Run the get router info ospf neighbor command on Spoke1. The system should return the
following:
OSPF process 0, VRF 0:
Neighbor ID     Pri   State       Dead Time   Address         Interface
8.8.8.8           1   Full/ -     00:00:35    10.10.10.254    spoke1
1.1.1.1           1   Full/ -     00:00:35    10.10.10.254    spoke1
c. Run the get router info routing-table ospf command on Spoke1. The system should return the
following:
d. Generate traffic between the spokes, then check the shortcut tunnel and routing table. Run the diagnose
vpn tunnel list command on Spoke1. The system should return the following:
list all ipsec tunnel in vd 0
----
name=spoke1 ver=1 serial=2 15.1.1.2:0->22.1.1.1:0
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu
create_dev frag-rfc accept_traffic=1
parent=spoke1 index=0
proxyid_num=1 child_num=0 refcnt=19 ilast=4 olast=2 ad=r/2
stat: rxp=641 txp=1254 rxb=278648 txb=161536
dpd: mode=on-idle on=1 idle=5000ms retry=3 count=0 seqno=184
natt: mode=keepalive draft=32 interval=10 remote_port=4500
proxyid=spoke1_backup proto=0 sa=1 ref=10 serial=1 auto-negotiate adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=6 options=1a227 type=00 soft=0 mtu=1422 expire=922/0B replaywin=1024
seqno=452 esn=0 replaywin_lastseq=00000280 itn=0
e. Run the get router info routing-table ospf command. The system should return the following:
Routing table for VRF=0
O 172.16.101.0/24 [110/110] via 10.10.10.254, spoke1, 00:27:14
O 192.168.4.0/24 [110/110] via 10.10.10.3, spoke1_0, 00:26:26
This recipe provides sample configuration of ADVPN with RIP as the routing protocol. The following options must be
enabled for this configuration:
l On the hub FortiGate, IPsec phase1-interface net-device disable must be run.
l RIP must be used between the hub and spoke FortiGates.
l split-horizon-status enable must be run on the hub FortiGate.
The following shows the sample network topology for this recipe:
As only partial configuration can be completed from the GUI, it is recommended to achieve this configuration via the
CLI commands as shown below.
To configure ADVPN with RIP as the routing protocol using the FortiOS CLI:
1. In the FortiOS CLI, configure hub FortiGate's WAN, internal interface, and static route:
config system interface
edit "port9"
set alias "WAN"
set ip 22.1.1.1 255.255.255.0
next
edit "port10"
set alias "Internal"
set ip 172.16.101.1 255.255.255.0
next
end
config router static
edit 1
set gateway 22.1.1.2
set device "port9"
next
end
config vpn ipsec phase2-interface
edit "spoke1"
set phase1name "spoke1"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set auto-negotiate enable
next
edit "spoke1_backup"
set phase1name "spoke1_backup"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set auto-negotiate enable
next
end
4. Run diagnose and get commands. All following commands should be run on Spoke1:
a. Run the diagnose vpn tunnel list command on Spoke1. The system should return the following:
list all ipsec tunnel in vd 0
----
b. Run the get router info rip database command on Spoke1. The system should return the
following:
Codes: R - RIP, Rc - RIP connected, Rs - RIP static, K - Kernel,
C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP
c. Run the get router info routing-table rip command on Spoke1. The system should return the
following:
Routing table for VRF=0
R 172.16.101.0/24 [120/2] via 10.10.10.254, spoke1, 00:08:38
R 192.168.4.0/24 [120/3] via 10.10.10.254, spoke1, 00:08:38
d. Generate traffic between the spokes, then check the shortcut tunnel and routing table. Run the diagnose
vpn tunnel list command on Spoke1. The system should return the following:
list all ipsec tunnel in vd 0
----
name=spoke1 ver=1 serial=2 15.1.1.2:0->22.1.1.1:0
parent=spoke1 index=0
proxyid_num=1 child_num=0 refcnt=20 ilast=2 olast=0 ad=r/2
stat: rxp=1 txp=7 rxb=112 txb=480
dpd: mode=on-idle on=1 idle=5000ms retry=3 count=0 seqno=0
natt: mode=keepalive draft=32 interval=10 remote_port=4500
proxyid=spoke1 proto=0 sa=1 ref=8 serial=1 auto-negotiate adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=6 options=1a227 type=00 soft=0 mtu=1422 expire=2358/0B replaywin=1024
seqno=8 esn=0 replaywin_lastseq=00000002 itn=0
life: type=01 bytes=0/0 timeout=2367/2400
dec: spi=c53a8f61 esp=aes key=16 c66aa7ae9657068108ed47c048ff56b6
ah=sha1 key=20 60661c68e20bbc913c2564ade85e01ea3769e703
enc: spi=79cb0f30 esp=aes key=16 bf6c898c2e1c64baaa679ed5d79c3b58
ah=sha1 key=20 146ca78be6c34eedb9cd66cc328216e08682ecb1
dec:pkts/bytes=1/46, enc:pkts/bytes=7/992
npu_flag=03 npu_rgwy=13.1.1.2 npu_lgwy=15.1.1.2 npu_selid=6 dec_npuid=1 enc_npuid=1
e. Run the get router info routing-table rip command. The system should return the following:
Routing table for VRF=0
R 172.16.101.0/24 [120/2] via 10.10.10.254, spoke1, 00:09:04
R 192.168.4.0/24 [120/2] via 10.10.10.3, spoke1_0, 00:00:02
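The diagnose steps in the dialup and ADVPN recipes above all read the same diagnose vpn tunnel list output by eye. The following is an added example (not FortiOS code) of a small parser that reduces that output to a per-tunnel state a monitoring check can alert on: no phase2 SA (sa=0), an SA with no traffic yet, or an SA carrying traffic in one direction only. The sample text is constructed from this page's diagnose output, abridged to the lines the parser uses; the remote gateway addresses of the second and third records are made up.

```python
# Added example: parse FortiOS `diagnose vpn tunnel list` output and classify
# each tunnel. Sample output is constructed from this page (abridged); the
# 198.51.100.7 and 172.16.200.3 remote gateways are made up.
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_OUTPUT = """\
list all ipsec tunnel in vd 0
----
name=spoke1 ver=1 serial=2 15.1.1.2:0->22.1.1.1:0
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu
dpd: mode=on-idle on=1 idle=5000ms retry=3 count=0 seqno=0
proxyid=spoke1 proto=0 sa=1 ref=8 serial=1 auto-negotiate adr
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  dec:pkts/bytes=1/46, enc:pkts/bytes=7/992
----
name=for_client_0 ver=1 serial=3 172.20.120.123:0->198.51.100.7:0
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=0
proxyid=for_client proto=0 sa=1 ref=2 serial=1
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:10.10.1.1-10.10.1.1:0
  dec:pkts/bytes=1/16330, enc:pkts/bytes=0/0
----
name=_OCVPN2-4.2 ver=2 serial=4 172.16.200.1:0->172.16.200.3:0 dst_mtu=0
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=0
proxyid=_OCVPN2-4.2 proto=0 sa=0 ref=2 serial=1 auto-negotiate
  src: 0:10.2.100.0/255.255.255.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
"""

# One regex per line type we care about; everything else is skipped.
NAME_RE = re.compile(r"^name=(\S+) ver=(\d+) serial=\S+ (\S+?):\d+->(\S+?):\d+")
DPD_RE = re.compile(r"^dpd: mode=(\S+)")
PROXY_RE = re.compile(r"^proxyid=(\S+) proto=\d+ sa=(\d+)")
PKTS_RE = re.compile(r"dec:pkts/bytes=(\d+)/\d+, enc:pkts/bytes=(\d+)/\d+")


@dataclass
class ProxyId:
    name: str
    sa_count: int          # sa=0 means no phase2 SA is installed
    dec_pkts: int = 0      # packets received and decrypted on this SA
    enc_pkts: int = 0      # packets encrypted and sent on this SA


@dataclass
class Tunnel:
    name: str
    ike_version: int
    local_gw: str
    remote_gw: str
    dpd_mode: str = ""
    proxyids: List[ProxyId] = field(default_factory=list)


def parse_tunnel_list(text: str) -> List[Tunnel]:
    tunnels: List[Tunnel] = []
    cur: Optional[Tunnel] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = NAME_RE.match(line)
        if m:  # each record starts at its name= line
            cur = Tunnel(m.group(1), int(m.group(2)), m.group(3), m.group(4))
            tunnels.append(cur)
            continue
        if cur is None:
            continue  # header and separator lines before the first record
        if (m := DPD_RE.match(line)):
            cur.dpd_mode = m.group(1)
        elif (m := PROXY_RE.match(line)):
            cur.proxyids.append(ProxyId(m.group(1), int(m.group(2))))
        elif (m := PKTS_RE.search(line)) and cur.proxyids:
            # counters belong to the most recently seen proxyid block
            cur.proxyids[-1].dec_pkts += int(m.group(1))
            cur.proxyids[-1].enc_pkts += int(m.group(2))
    return tunnels


def assess(t: Tunnel) -> str:
    """Reduce a tunnel record to a state a monitoring check can alert on."""
    if not t.proxyids or all(p.sa_count == 0 for p in t.proxyids):
        return "down"        # phase1 may exist, but no phase2 SA is installed
    if all(p.dec_pkts == 0 and p.enc_pkts == 0 for p in t.proxyids):
        return "up-idle"     # SA negotiated, nothing has used it yet
    if any(p.dec_pkts == 0 or p.enc_pkts == 0 for p in t.proxyids):
        return "up-one-way"  # traffic in one direction only: check policy and routing on the silent side
    return "up"


def tunnel_states(text: str) -> dict:
    return {t.name: assess(t) for t in parse_tunnel_list(text)}


if __name__ == "__main__":
    for t in parse_tunnel_list(SAMPLE_OUTPUT):
        print(f"{t.name:<14} IKEv{t.ike_version} {t.local_gw}->{t.remote_gw} "
              f"dpd={t.dpd_mode} state={assess(t)}")
```

Feed it the output of diagnose vpn tunnel list captured from a FortiGate; a record that flips from "up" to "down" or stays "up-one-way" is what a tunnel-health alert should fire on.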
This recipe provides an example configuration of full mesh Overlay Controller VPN (OCVPN).
OCVPN is a cloud-based solution to simplify IPsec VPN setup. When Overlay Controller VPN is enabled, IPsec phase1-interfaces, phase2-interfaces, static routes, and firewall policies are generated automatically on all FortiGates that belong to the same community network. A community network is defined as all FortiGates registered to FortiCare by using the same FortiCare account.
If the network topology changes on any FortiGates in the community (such as changing a public IP address in DHCP
mode, adding or removing protected subnets, failing over in dual WAN), the IPsec-related configuration for all devices is
updated with Cloud assistance in self-learning mode. No intervention is required.
Full mesh IPsec tunnels are established between all FortiGates.
License
Prerequisites
Restrictions
Terminology
Poll-interval: Defines how often the FortiGate tries to fetch OCVPN-related data from OCVPN Cloud.
Role: Specifies the device's OCVPN role: spoke, primary-hub, or secondary-hub.
Subnet: Internal network subnet (IPsec protected subnet). Traffic sourced from or destined to this subnet enters the IPsec tunnel and is encrypted by the IPsec SA.
Sample Topology
The following shows an example of three FortiGate units registered on FortiCare by using the same FortiCare account.
Each FortiGate unit has one internal subnet, and no NAT exists between these three FortiGate units.
Sample configuration
The steps below use the following overlays and subnets for the sample configuration:
l Branch1:
l Overlay name: QA. Local subnets: 10.1.100.0/24
l Overlay name: PM. Local subnets: 10.2.100.0/24
l Branch2:
l Overlay name: QA. Local interfaces: lan1
l Overlay name: PM. Local interfaces: lan2
l Branch3:
l Overlay name: QA. Local subnets: 172.16.101.0/24
l Overlay name: PM. Local subnets: 172.16.102.0/24
Before you begin, ensure all FortiGates are registered on FortiCare.
2. Create the first overlay by setting the following options and clicking OK:
a. Beside Status, click Enabled.
b. Beside Role, click Spoke.
c. In the Overlays section, click Create New to create a network overlay.
d. In the Name box, type a name, and input the correct subnets and/or choose internal interfaces.
The local subnet must be routable, and interfaces must have assigned IP addresses. Otherwise an error
message is displayed.
3. Repeat this procedure until you create all the needed overlays.
3. Configure Branch2:
config vpn ocvpn
set status enable
config overlays
edit 1
set name "QA"
config subnets
edit 1
set type interface
set interface "lan1"
next
end
next
edit 2
set name "PM"
config subnets
edit 1
set type interface
set interface "lan2"
next
end
next
end
end
4. Configure Branch3:
config vpn ocvpn
set status enable
config overlays
edit 1
set name "QA"
config subnets
edit 1
set subnet 172.16.101.0 255.255.255.0
next
end
next
edit 2
set name "PM"
config subnets
edit 1
set subnet 172.16.102.0 255.255.255.0
next
end
next
end
end
This document provides a sample configuration of a hub-spoke One-Click VPN (OCVPN) with an Auto Discovery VPN (ADVPN) shortcut. OCVPN will automatically detect network topology based on members' information. To form a hub-spoke OCVPN, at least one device must announce its role as the primary hub, another device can work as the secondary hub (for redundancy), while others function as spokes.
License
Prerequisites
Restrictions
OCVPN device roles
l Primary hub
l Secondary hub
l Spoke (OCVPN default role)
Sample topology
Sample Configuration
The steps below use the following overlays and subnets for the sample configuration:
l Primary hub:
l Overlay name: QA. Local subnets: 172.16.101.0/24
l Overlay name: PM. Local subnets: 172.16.102.0/24
l Secondary hub:
l Overlays are synced from primary hub.
l Spoke1:
l Overlay name: QA. Local subnets: 10.1.100.0/24
l Overlay name: PM. Local subnets: 10.2.100.0/24
l Spoke2:
l Overlay name: QA. Local interfaces lan1
l Overlay name: PM. Local interfaces lan2
Before you begin, ensure all FortiGates are registered on FortiCare.
config overlays
edit 1
set name "QA"
config subnets
edit 1
set subnet 10.1.100.0 255.255.255.0
next
end
next
edit 2
set name "PM"
config subnets
edit 1
set subnet 10.2.100.0 255.255.255.0
next
end
next
end
end
This document provides a sample configuration of hub-spoke OCVPN with inter-overlay source NAT. OCVPN isolates traffic between overlays by default; with NAT enabled on the spokes and assign-ip enabled on the hub, inter-overlay communication can be achieved.
Inter-overlay communication means that devices from any source address and any source interface can communicate with any device in the subnets of an overlay that has the assign-ip option enabled.
License
Prerequisites
Restrictions
l Primary-hub
l Secondary-hub
l Spoke (OCVPN default role)
Sample configuration
1. Configure the Primary-Hub, enable overlay QA, and configure assign-ip and IP range:
config vpn ocvpn
set status enable
set role primary-hub
config overlays
edit 1
set name "QA"
set assign-ip enable
set ipv4-start-ip 172.16.101.100
set ipv4-end-ip 172.16.101.200
config subnets
edit 1
set subnet 172.16.101.0 255.255.255.0
next
end
next
edit 2
set name "PM"
set assign-ip enable
config subnets
edit 1
set subnet 172.16.102.0 255.255.255.0
next
end
next
end
end
OCVPN portal
After you log into the OCVPN portal, the OCVPN license type and device information display. The device information
includes the device serial number, OCVPN role, hostname, public IP address, port number, and overlays.
You can unregister an OCVPN device from the OCVPN portal under Device on the right pane.
OCVPN troubleshooting
This document includes troubleshooting steps for the following OCVPN network topologies:
l Full mesh.
l Hub-spoke with ADVPN shortcut.
l Hub-spoke with inter-overlay source NAT.
For OCVPN configurations in different network topologies, please refer to the other OCVPN topics.
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
proxyid=_OCVPN2-4.2 proto=0 sa=0 ref=2 serial=1 auto-negotiate
src: 0:10.2.100.0/255.255.255.0:0
dst: 0:0.0.0.0/0.0.0.0:0
------------------------------------------------------
name=_OCVPN2-0.1 ver=2 serial=5 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500
bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev
frag-rfc accept_traffic=1
l Generate traffic from Spoke1 to Spoke2 to trigger the ADVPN shortcut and check the VPN tunnel and routing-table
again on Spoke1.
parent=_OCVPN2-0.0 index=0
proxyid_num=1 child_num=0 refcnt=14 ilast=0 olast=0 ad=r/2
stat: rxp=7 txp=7 rxb=1064 txb=588
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=_OCVPN2-0.0 proto=0 sa=1 ref=2 serial=1 auto-negotiate add-route adr
src: 0:10.1.100.0-10.1.100.255:0
dst: 0:192.168.4.0-192.168.4.255:0
SA: ref=3 options=1a227 type=00 soft=0 mtu=1438 expire=43180/0B replaywin=2048
seqno=8 esn=0 replaywin_lastseq=00000008 itn=0 qat=0
life: type=01 bytes=0/0 timeout=43187/43200
dec: spi=048477c9 esp=aes key=16 27c35d53793013ef24cf887561e9f313
ah=sha1 key=20 2c8cfd328c3b29104db0ca74a00c6063f46cafe4
enc: spi=fb9e13fd esp=aes key=16 9d0d3bf6c84b7ddaf9d9196fe74002ed
ah=sha1 key=20 d1f541db787dea384c6a4df16fc228abeb7ae334
dec:pkts/bytes=7/588, enc:pkts/bytes=7/1064
------------------------------------------------------
name=_OCVPN2-0.0 ver=2 serial=6 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500
bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev
frag-rfc accept_traffic=1
l Simulate the primary hub being unavailable, so that all spokes' dialup VPN tunnels switch to the secondary hub, then check the VPN tunnel status and routing table.
list all ipsec tunnel in vd 0
------------------------------------------------------
name=_OCVPN2-1.1 ver=2 serial=d 172.16.200.1:0->172.16.200.2:0 dst_mtu=0
bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev
frag-rfc accept_traffic=1
edit 9
set name "_OCVPN2-1.1_nat"
set uuid 3f7a84b8-3d36-51e9-ee97-8f418c91e666
set srcintf "any"
set dstintf "_OCVPN2-1.1"
set srcaddr "all"
set dstaddr "_OCVPN2-1.1_remote_networks"
set action accept
set schedule "always"
set service "ALL"
set comments "Generated by OCVPN Cloud Service."
set nat enable
next
edit 12
Authentication in VPN
This recipe provides sample configuration of IPsec VPN authenticating a remote FortiGate peer with a pre-shared key.
The following shows the sample network topology for this recipe:
You can configure IPsec VPN authenticating a remote FortiGate peer with a pre-shared key using the FortiOS GUI or CLI.
To configure IPsec VPN authenticating a remote FortiGate peer with a pre-shared key on the FortiOS GUI:
To configure IPsec VPN authenticating a remote FortiGate peer with a pre-shared key using the FortiOS CLI:
1. Configure the WAN interface and default route. The WAN interface is the interface connected to the ISP. The IPsec
tunnel is established over the WAN interface:
a. Configure HQ1:
config system interface
edit "port1"
set vdom "root"
set ip 172.16.200.1 255.255.255.0
next
end
config router static
edit 1
set gateway 172.16.200.3
set device "port1"
next
end
b. Configure HQ2:
config system interface
edit "port25"
set vdom "root"
set ip 172.16.202.1 255.255.255.0
next
end
config router static
edit 1
set gateway 172.16.202.2
set device "port25"
next
end
2. Configure the internal (protected subnet) interface. The internal interface connects to the corporate internal
network. Traffic from this interface routes out the IPsec VPN tunnel:
a. Configure HQ1:
config system interface
edit "dmz"
set vdom "root"
set ip 10.1.100.1 255.255.255.0
next
end
b. Configure HQ2:
config system interface
edit "port9"
set vdom "root"
set ip 172.16.101.1 255.255.255.0
next
end
b. Configure HQ2:
config vpn ipsec phase1-interface
edit "to_HQ1"
set interface "port25"
set peertype any
set net-device enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set remote-gw 172.16.200.1
set psksecret sample
next
end
b. Configure HQ2:
config vpn ipsec phase2-interface
edit "to_HQ2"
set phase1name "to_HQ1"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set auto-negotiate enable
next
end
5. Configure the static routes. Two static routes are added to reach the remote protected subnet. The blackhole route
is important to ensure that IPsec traffic does not match the default route when the IPsec tunnel is down:
a. Configure HQ1:
config router static
edit 2
set dst 172.16.101.0 255.255.255.0
set device "to_HQ2"
next
edit 3
set dst 172.16.101.0 255.255.255.0
set blackhole enable
set distance 254
next
end
b. Configure HQ2:
config router static
edit 2
set dst 10.1.100.0 255.255.255.0
set device "to_HQ1"
next
edit 3
set dst 10.1.100.0 255.255.255.0
set blackhole enable
set distance 254
next
end
6. Configure two firewall policies to allow bidirectional IPsec traffic flow over the IPsec VPN tunnel:
a. Configure HQ1:
config firewall policy
edit 1
set name "inbound"
set srcintf "to_HQ2"
set dstintf "dmz"
set srcaddr "172.16.101.0"
set dstaddr "10.1.100.0"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set name "outbound"
set srcintf "dmz"
set dstintf "to_HQ2"
set srcaddr "10.1.100.0"
set dstaddr "172.16.101.0"
set action accept
set schedule "always"
set service "ALL"
next
end
b. Configure HQ2:
config firewall policy
edit 1
set name "inbound"
set srcintf "to_HQ1"
set dstintf "port9"
set srcaddr "10.1.100.0"
set dstaddr "172.16.101.0"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set name "outbound"
set srcintf "port9"
set dstintf "to_HQ1"
set srcaddr "172.16.101.0"
set dstaddr "10.1.100.0"
set action accept
set schedule "always"
set service "ALL"
next
end
7. Run diagnose commands. The diagnose debug application ike -1 command is the key to figuring out
why the IPsec tunnel failed to establish. If the PSK fails to match, the following error shows up in the debug
output:
The following commands are useful to check IPsec phase1/phase2 interface status.
a. Run the diagnose vpn ike gateway list command on HQ1. The system should return the following:
vd: root/0
name: to_HQ2
version: 1
interface: port1 11
created: 5s ago
id/spi: 12 6e8d0532e7fe8d84/3694ac323138a024
direction: responder
proposal: aes128-sha256
key: b3efb46d0d385aff-7bb9ee241362ee8d
lifetime/rekey: 86400/86124
b. Run the diagnose vpn tunnel list command on HQ1. The system should return the following:
list all ipsec tunnel in vd 0
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
This recipe provides sample configuration of IPsec VPN authenticating a remote FortiGate peer with a certificate. The
certificate on one peer is validated by the presence of the CA certificate installed on the other peer.
The following shows the sample network topology for this recipe:
You can configure IPsec VPN authenticating a remote FortiGate peer with a certificate using the FortiOS GUI or
CLI.
To configure IPsec VPN authenticating a remote FortiGate peer with a certificate on the FortiOS GUI:
To configure IPsec VPN authenticating a remote FortiGate peer with a certificate using the FortiOS
CLI:
1. Configure the WAN interface and default route. The WAN interface is the interface connected to the ISP. The IPsec
tunnel is established over the WAN interface:
a. Configure HQ1:
config system interface
edit "port1"
set vdom "root"
set ip 172.16.200.1 255.255.255.0
next
end
config router static
edit 1
b. Configure HQ2:
config system interface
edit "port25"
set vdom "root"
set ip 172.16.202.1 255.255.255.0
next
end
config router static
edit 1
set gateway 172.16.202.2
set device "port25"
next
end
2. Configure the internal (protected subnet) interface. The internal interface connects to the corporate internal
network. Traffic from this interface routes out the IPsec VPN tunnel:
a. Configure HQ1:
config system interface
edit "dmz"
set vdom "root"
set ip 10.1.100.1 255.255.255.0
next
end
b. Configure HQ2:
config system interface
edit "port9"
set vdom "root"
set ip 172.16.101.1 255.255.255.0
next
end
3. Import the certificate and its CA certificate. The certificate and its CA certificate must be
imported on the remote peer FortiGate and on the primary FortiGate before configuring IPsec VPN tunnels. If the
built-in Fortinet_Factory certificate and the Fortinet_CA CA certificate are used for authentication, you can skip this
step:
a. Configure HQ1:
config vpn certificate local
edit "test1"
...
set range global
next
end
config vpn certificate ca
edit "CA_Cert_1"
...
set range global
next
end
b. Configure HQ2:
config vpn certificate local
edit "test2"
...
set range global
next
end
config vpn certificate ca
edit "CA_Cert_1"
...
set range global
next
end
4. Configure the peer user. The peer user is used in the IPsec VPN tunnel peer setting to authenticate the remote
peer FortiGate.
a. If not using the built-in Fortinet_Factory certificate and Fortinet_CA CA certificate, do the following:
i. Configure HQ1:
config user peer
edit "peer1"
set ca "CA_Cert_1"
next
end
b. If the built-in Fortinet_Factory certificate and Fortinet_CA CA certificate are used for authentication, the peer
user must be configured based on Fortinet_CA:
i. Configure HQ1:
config user peer
edit "peer1"
set ca "Fortinet_CA"
next
end
b. Configure HQ2:
config vpn ipsec phase1-interface
edit "to_HQ1"
set interface "port25"
set authmethod signature
set net-device enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set remote-gw 172.16.200.1
set certificate "test2"
set peer "peer2"
next
end
b. Configure HQ2:
config vpn ipsec phase2-interface
edit "to_HQ2"
set phase1name "to_HQ1"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm
aes256gcm chacha20poly1305
set auto-negotiate enable
next
end
7. Configure the static routes. Two static routes are added to reach the remote protected subnet. The blackhole route
is important to ensure that IPsec traffic does not match the default route when the IPsec tunnel is down:
a. Configure HQ1:
config router static
edit 2
set dst 172.16.101.0 255.255.255.0
set device "to_HQ2"
next
edit 3
set dst 172.16.101.0 255.255.255.0
set blackhole enable
set distance 254
next
end
b. Configure HQ2:
config router static
edit 2
set dst 10.1.100.0 255.255.255.0
set device "to_HQ1"
next
edit 3
set dst 10.1.100.0 255.255.255.0
set blackhole enable
set distance 254
next
end
8. Configure two firewall policies to allow bidirectional IPsec traffic flow over the IPsec VPN tunnel:
a. Configure HQ1:
config firewall policy
edit 1
set name "inbound"
set srcintf "to_HQ2"
set dstintf "dmz"
set srcaddr "172.16.101.0"
set dstaddr "10.1.100.0"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set name "outbound"
set srcintf "dmz"
set dstintf "to_HQ2"
set srcaddr "10.1.100.0"
set dstaddr "172.16.101.0"
set action accept
set schedule "always"
set service "ALL"
next
end
b. Configure HQ2:
config firewall policy
edit 1
set name "inbound"
set srcintf "to_HQ1"
set dstintf "port9"
set srcaddr "10.1.100.0"
set dstaddr "172.16.101.0"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set name "outbound"
9. Run diagnose commands. The diagnose debug application ike -1 command is the key to figuring out
why the IPsec tunnel failed to establish. If the remote FortiGate certificate cannot be validated, the following error
shows up in the debug output:
ike 0: to_HQ2:15314: certificate validation failed
The following commands are useful to check IPsec phase1/phase2 interface status.
a. Run the diagnose vpn ike gateway list command on HQ1. The system should return the following:
vd: root/0
name: to_HQ2
version: 1
interface: port1 11
created: 7s ago
peer-id-auth: yes
b. Run the diagnose vpn tunnel list command on HQ1. The system should return the following:
list all ipsec tunnel in vd 0
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
Troubleshooting
id/spi: 92 5639f7f8a5dc54c0/809a6c9bbd266a4b
direction: initiator
status: established 4313-4313s ago = 10ms
proposal: aes128-sha256
key: 74aa3d63d88e10ea-8a1c73b296b06578
lifetime/rekey: 86400/81786
DPD sent/recv: 00000000/00000000
vd: root/0
name: to_HQ
version: 1
interface: port13 42
addr: 173.1.1.1:500 -> 11.101.1.1:500
created: 1013s ago
assigned IPv4 address: 11.11.11.1/255.255.255.252
IKE SA: created 1/1 established 1/1 time 0/0/0 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms
id/spi: 95 255791bd30c749f4/c2505db65210258b
direction: initiator
status: established 1013-1013s ago = 0ms
proposal: aes128-sha256
key: bb101b9127ed5844-1582fd614d5a8a33
lifetime/rekey: 86400/85086
DPD sent/recv: 00000000/00000010
NP6_1:
Encryption (encrypted/decrypted)
null : 0 1.
des : 0 1.
3des : 0 1.
aes : 337152 46069
aes-gcm : 0 1.
aria : 0 1.
seed : 0 1.
chacha20poly1305 : 0 1.
Integrity (generated/validated)
null : 0 1.
md5 : 0 1.
sha1 : 337152 46069
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
CP8:
Encryption (encrypted/decrypted)
null : 0 1.
des : 0 1.
3des : 1337 1582
aes : 71 11426
aes-gcm : 0 1.
aria : 0 1.
seed : 0 1.
chacha20poly1305 : 0 1.
Integrity (generated/validated)
null : 0 1.
md5 : 48 28
sha1 : 1360 12980
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
SOFTWARE:
Encryption (encrypted/decrypted)
null : 0 1.
des : 0 1.
3des : 0 1.
aes : 0 1.
aes-gcm : 0 1.
aria : 0 1.
seed : 0 1.
chacha20poly1305 : 0 1.
Integrity (generated/validated)
null : 0 1.
md5 : 0 1.
sha1 : 0 1.
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
This recipe provides an example configuration of tunneled internet browsing using a dialup VPN. To centralize network
management and control, all branch office traffic is tunneled to HQ, including Internet browsing.
The following shows the sample network topology for this example:
1. Configure the WAN interface and static route on the FortiGate at HQ:
config system interface
edit "port9"
set alias "WAN"
set ip 22.1.1.1 255.255.255.0
next
edit "port10"
set alias "Internal"
set ip 172.16.101.1 255.255.255.0
next
end
config router static
edit 1
set gateway 22.1.1.2
set device "port9"
next
end
end
config vpn ipsec phase2-interface
edit "HQ"
set phase1name "HQ"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm
aes256gcm chacha20poly1305
next
end
4. Configure the WAN interface and static route on the FortiGate at the branches:
a. Branch1:
config system interface
edit "wan1"
set ip 15.1.1.2 255.255.255.0
next
edit "internal"
set ip 10.1.100.1 255.255.255.0
next
end
config router static
edit 1
set gateway 15.1.1.1
set device "wan1"
next
end
b. Branch2:
config system interface
edit "wan1"
set ip 13.1.1.2 255.255.255.0
next
edit "internal"
set ip 192.168.4.1 255.255.255.0
next
end
config router static
edit 1
set gateway 13.1.1.1
set device "wan1"
next
end
b. Branch2:
config vpn ipsec phase1-interface
edit "branch2"
set interface "wan1"
set peertype any
set net-device enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set dpd on-idle
set remote-gw 22.1.1.1
set psksecret sample
set dpd-retryinterval 5
next
end
config vpn ipsec phase2-interface
edit "branch2"
set phase1name "branch2"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm
aes256gcm chacha20poly1305
set auto-negotiate enable
set src-subnet 192.168.4.0 255.255.255.0
next
end
b. Branch2:
config firewall policy
edit 1
set name "outbound"
set srcintf "internal"
set dstintf "branch2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set name "inbound"
set srcintf "branch2"
set dstintf "internal"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end
b. Branch2:
config router static
edit 2
set dst 22.1.1.1/32
set gateway 13.1.1.1
set device "wan1"
set distance 1
next
edit 3
set device "branch2"
set distance 5
next
end
8. Optionally, view the VPN tunnel list on a branch with the diagnose vpn tunnel list command:
list all ipsec tunnel in vd 0
----
name=branch1 ver=1 serial=2 15.1.1.2:0->22.1.1.1:0
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev
frag-rfc accept_traffic=1
9. Optionally, view the static routing table on a branch with the get router info routing-table static
command:
Routing table for VRF=0
S* 0.0.0.0/0 [5/0] is directly connected, branch1
S* 22.1.1.1/32 [1/0] via 15.1.1.1, wan1
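The route selection behind the distance-254 blackhole routes in step 5 of the site-to-site recipes and behind the distance-1 /32 plus distance-5 default route in the branch recipe above, as an added example that is not part of the cookbook: a small Python model of FortiOS static-route selection (longest prefix first, then lowest administrative distance, with routes on a down interface withdrawn). The Route, select_route and forward names are this example's own; the route tables are transcribed from the recipes, and 203.0.113.10 is a documentation address standing in for any Internet host.

```python
"""Static-route selection model for the IPsec recipes above.

Added example, not FortiOS code: models how FortiOS picks a static route
(longest prefix, then lowest administrative distance) and withdraws routes
whose interface or tunnel is down. The route tables are transcribed from the
recipes; the Route/select_route/forward names are this example's own.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dst: str                  # destination prefix in CIDR form
    device: str               # outgoing interface or IPsec tunnel interface
    distance: int = 10        # FortiOS default distance for static routes
    blackhole: bool = False   # "set blackhole enable": drop instead of forward


def select_route(routes, dst_ip, up_devices):
    """Return the winning Route for dst_ip, or None when nothing matches.

    A route is a candidate only if its device is up; blackhole routes have no
    device and are always candidates. The longest prefix wins; ties go to the
    lowest distance.
    """
    ip = ipaddress.ip_address(dst_ip)
    candidates = []
    for r in routes:
        net = ipaddress.ip_network(r.dst, strict=False)
        if ip not in net:
            continue
        if not r.blackhole and r.device not in up_devices:
            continue
        candidates.append((net.prefixlen, -r.distance, r))
    if not candidates:
        return None
    return max(candidates, key=lambda c: (c[0], c[1]))[2]


def forward(routes, dst_ip, up_devices):
    """Name the interface a packet to dst_ip leaves on, 'drop', or 'no route'."""
    r = select_route(routes, dst_ip, up_devices)
    if r is None:
        return "no route"
    return "drop" if r.blackhole else r.device


# HQ1 from the site-to-site recipes: default route via port1 (step 1) plus the
# tunnel route and the distance-254 blackhole for the remote subnet (step 5).
HQ1 = [
    Route("0.0.0.0/0", "port1"),
    Route("172.16.101.0/24", "to_HQ2"),
    Route("172.16.101.0/24", "", distance=254, blackhole=True),
]
HQ1_NO_BLACKHOLE = [r for r in HQ1 if not r.blackhole]

# Branch2 from the dialup recipe: ISP default via wan1, a /32 to the HQ gateway
# via wan1 (distance 1) and a default route into the tunnel (distance 5).
BRANCH2 = [
    Route("0.0.0.0/0", "wan1"),
    Route("22.1.1.1/32", "wan1", distance=1),
    Route("0.0.0.0/0", "branch2", distance=5),
]


def demo():
    """Forwarding decisions for the scenarios the recipes describe."""
    return {
        "hq1_tunnel_up": forward(HQ1, "172.16.101.20", {"port1", "to_HQ2"}),
        "hq1_tunnel_down": forward(HQ1, "172.16.101.20", {"port1"}),
        "hq1_no_blackhole_tunnel_down": forward(HQ1_NO_BLACKHOLE, "172.16.101.20", {"port1"}),
        "branch_to_hq_gateway": forward(BRANCH2, "22.1.1.1", {"wan1", "branch2"}),
        "branch_internet_tunnel_up": forward(BRANCH2, "203.0.113.10", {"wan1", "branch2"}),
        "branch_internet_tunnel_down": forward(BRANCH2, "203.0.113.10", {"wan1"}),
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:32s} -> {decision}")
```

The three HQ1 scenarios show why the blackhole route matters: with the tunnel down, the /24 blackhole still beats the /0 default on prefix length, so packets for the remote subnet are dropped instead of leaving port1 unencrypted, which is exactly what happens in the table without it. On the branch, the /32 keeps IKE and ESP to 22.1.1.1 on wan1 while everything else follows the tunnel default; once the tunnel is down the branch falls back to its ISP default route, so the same blackhole pattern is needed there if fail-closed behaviour is wanted.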
1. Check the device ASIC information. For example, a FortiGate 900D has an NP6 and a CP8.
# get hardware status
Model name: FortiGate-900D
ASIC version: CP8
ASIC SRAM: 64M
CPU: Intel(R) Xeon(R) CPU E3-1225 v3 @ 3.20GHz
Number of CPUs: 4
RAM: 16065 MB
Compact Flash: 1925 MB /dev/sda
Hard disk: 244198 MB /dev/sdb
USB Flash: not available
Network Card chipset: FortiASIC NP6 Adapter (rev.)
port13 1G Yes
port14 1G Yes
portA 10G Yes
----
3. Configure the option in the IPsec phase1 settings that controls whether the NPU encrypts and decrypts IPsec packets (enabled by default).
config vpn ipsec phase1/phase1-interface
edit "vpn_name"
set npu-offload enable/disable
next
end
4. Check NPU offloading. The NPU encrypted/decrypted counter should tick. The npu_flag 03 flag means that the
traffic processed by the NPU is bi-directional.
# diagnose vpn tunnel list
list all ipsec tunnel in vd 0
----
name=test ver=2 serial=1 173.1.1.1:0->11.101.1.1:0
bound_if=42 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=14 ilast=2 olast=2 ad=/0
stat: rxp=12231 txp=12617 rxb=1316052 txb=674314
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=test proto=0 sa=1 ref=4 serial=7
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=6 options=10626 type=00 soft=0 mtu=1438 expire=42921/0B replaywin=2048
seqno=802 esn=0 replaywin_lastseq=00000680 itn=0
life: type=01 bytes=0/0 timeout=42930/43200
dec: spi=e313ac46 esp=aes key=16 0dcb52642eed18b852b5c65a7dc62958
ah=md5 key=16 c61d9fe60242b9a30e60b1d01da77660
enc: spi=706ffe03 esp=aes key=16 6ad98c204fa70545dbf3d2e33fb7b529
ah=md5 key=16 dcc3b866da155ef73c0aba15ec530e2e
dec:pkts/bytes=1665/16352, enc:pkts/bytes=2051/16826
npu_flag=03 npu_rgwy=11.101.1.1 npu_lgwy=173.1.1.1 npu_selid=6 dec_npuid=2 enc_npuid=2
sha512 : 0 1.
NP6_1:
Encryption (encrypted/decrypted)
null : 14976 15357
des : 0 1.
3des : 0 1.
aes : 1664 2047
aes-gcm : 0 1.
aria : 0 1.
seed : 0 1.
chacha20poly1305 : 0 1.
Integrity (generated/validated)
null : 0 1.
md5 : 1664 2047
sha1 : 14976 15357
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
CP8:
Encryption (encrypted/decrypted)
null : 1 1.
des : 0 1.
3des : 0 1.
aes : 1 1.
aes-gcm : 0 1.
aria : 0 1.
seed : 0 1.
chacha20poly1305 : 0 1.
Integrity (generated/validated)
null : 0 1.
md5 : 1 1.
sha1 : 1 1.
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
SOFTWARE:
Encryption (encrypted/decrypted)
null : 0 1.
des : 0 1.
3des : 0 1.
aes : 0 1.
aes-gcm : 29882 29882
aria : 21688 21688
seed : 153774 153774
chacha20poly1305 : 29521 29521
Integrity (generated/validated)
null : 59403 59403
md5 : 0 1.
sha1 : 175462 175462
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
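A parser for the diagnose vpn tunnel list output, as an added example that is not part of the cookbook; it covers the output in step 4 above as well as the tunnel lists in the dialup, GRE, L2TP and VxLAN recipes, which share the same field layout. SAMPLE is constructed from that layout (its values, hex keys and second tunnel are made up), and parse_tunnel_list, assess and redact_keys are this example's names. The dec:/enc: lines of the real command print the live ESP and AH keys, so redact_keys blanks them before the output is pasted into a ticket or log.

```python
"""Parser for the `diagnose vpn tunnel list` output shown in these recipes.

Added example, not FortiOS code. SAMPLE is constructed to follow the field
layout shown above (name/ver/serial line, options[...], stat:, proxyid ...
sa=, dec:/enc: packet counters, npu_flag); its values, its hex keys and the
second, never-negotiated tunnel are made up for this example.
"""
import re

SAMPLE = """\
list all ipsec tunnel in vd 0
----
name=test ver=2 serial=1 173.1.1.1:0->11.101.1.1:0
bound_if=42 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=14 ilast=2 olast=2 ad=/0
stat: rxp=12231 txp=12617 rxb=1316052 txb=674314
proxyid=test proto=0 sa=1 ref=4 serial=7
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=6 options=10626 type=00 soft=0 mtu=1438 expire=42921/0B replaywin=2048
  dec: spi=0a0b0c0d esp=aes key=16 0123456789abcdef0123456789abcdef
       ah=sha1 key=20 fedcba9876543210fedcba9876543210fedcba98
  enc: spi=0d0c0b0a esp=aes key=16 00112233445566778899aabbccddeeff
       ah=sha1 key=20 ffeeddccbbaa99887766554433221100ffeeddcc
  dec:pkts/bytes=1665/16352, enc:pkts/bytes=2051/16826
  npu_flag=03 npu_rgwy=11.101.1.1 npu_lgwy=173.1.1.1 npu_selid=6 dec_npuid=2 enc_npuid=2
----
name=spare ver=1 serial=2 173.1.1.1:0->11.101.1.2:0
bound_if=42 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=9 ilast=600 olast=600 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
proxyid=spare proto=0 sa=0 ref=1 serial=1
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
"""

HEADER_RE = re.compile(r"^name=(\S+) ver=(\d+) serial=(\S+) (\S+)->(\S+)$", re.M)
OPTIONS_RE = re.compile(r"options\[[0-9a-fA-F]+\]=(.*)$", re.M)
STAT_RE = re.compile(r"stat: rxp=(\d+) txp=(\d+) rxb=(\d+) txb=(\d+)")
SA_RE = re.compile(r"^proxyid=\S+ .*?\bsa=(\d+)", re.M)   # one line per selector
NPU_RE = re.compile(r"npu_flag=([0-9a-fA-F]{2})")
PKTS_RE = re.compile(r"dec:pkts/bytes=(\d+)/(\d+), enc:pkts/bytes=(\d+)/(\d+)")
KEY_RE = re.compile(r"(\bkey=\d+ )[0-9a-fA-F]+")           # "key=16 <hex>" in dec:/enc: lines


def parse_tunnel_list(text):
    """Split the output on '----' and pull out the fields worth monitoring."""
    tunnels = []
    for block in text.split("----"):
        head = HEADER_RE.search(block)
        if not head:
            continue  # preamble such as "list all ipsec tunnel in vd 0"
        opts, stat = OPTIONS_RE.search(block), STAT_RE.search(block)
        pkts, npu = PKTS_RE.search(block), NPU_RE.search(block)
        tunnels.append({
            "name": head.group(1),
            "ike_version": int(head.group(2)),
            "local": head.group(4),
            "remote": head.group(5),
            "options": opts.group(1).split() if opts else [],
            "stat": dict(zip(("rxp", "txp", "rxb", "txb"), map(int, stat.groups()))) if stat else {},
            "sa": sum(int(n) for n in SA_RE.findall(block)),  # live IPsec SAs over all selectors
            "dec_pkts": int(pkts.group(1)) if pkts else 0,
            "enc_pkts": int(pkts.group(3)) if pkts else 0,
            "npu_flag": npu.group(1) if npu else None,
        })
    return tunnels


def assess(tunnel):
    """One-line status as the recipe reads it: SA present, then npu_flag."""
    if tunnel["sa"] == 0:
        return "no IPsec SA (phase2 not negotiated or tunnel down)"
    if "npu" not in tunnel["options"]:
        return "up (options do not include npu)"
    if tunnel["npu_flag"] == "03":
        return "up, NPU processing traffic in both directions"
    if tunnel["npu_flag"] == "00":
        return "up, npu option set but traffic not offloaded"
    return f"up, npu_flag={tunnel['npu_flag']}"


def redact_keys(text):
    """Blank the ESP/AH key material before the output is shared or logged."""
    return KEY_RE.sub(r"\1<redacted>", text)


if __name__ == "__main__":
    for t in parse_tunnel_list(SAMPLE):
        print(f"{t['name']}: {t['local']} -> {t['remote']}: {assess(t)}")
    print(redact_keys(SAMPLE))
```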
5. If traffic cannot be offloaded to the NPU, the CP tries to encrypt and decrypt the IPsec packets.
seed : 0 1.
chacha20poly1305 : 0 1.
Integrity (generated/validated)
null : 0 1.
md5 : 0 1.
sha1 : 0 1.
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
NP6_1:
Encryption (encrypted/decrypted)
null : 14976 15357
des : 0 1.
3des : 0 1.
aes : 1664 2047
aes-gcm : 0 1.
aria : 0 1.
seed : 0 1.
chacha20poly1305 : 0 1.
Integrity (generated/validated)
null : 0 1.
md5 : 1664 2047
sha1 : 14976 15357
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
CP8:
Encryption (encrypted/decrypted)
null : 1 1.
des : 0 1.
3des : 0 1.
aes : 8499 8499
aes-gcm : 0 1.
aria : 0 1.
seed : 0 1.
chacha20poly1305 : 0 1.
Integrity (generated/validated)
null : 0 1.
md5 : 8499 8499
sha1 : 1 1.
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
SOFTWARE:
Encryption (encrypted/decrypted)
null : 0 1.
des : 0 1.
3des : 0 1.
aes : 0 1.
aes-gcm : 29882 29882
aria : 21688 21688
seed : 153774 153774
chacha20poly1305 : 29521 29521
Integrity (generated/validated)
null : 59403 59403
md5 : 0 1.
sha1 : 175462 175462
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
2. Two options control whether the CP processes packets. If they are disabled, packets are processed by the CPU.
config system global
set ipsec-asic-offload disable
set ipsec-hmac-offload disable
end
NP6_1:
Encryption (encrypted/decrypted)
null : 14976 15357
des : 0 1.
3des : 0 1.
aes : 1664 2047
aes-gcm : 0 1.
aria : 0 1.
seed : 0 1.
chacha20poly1305 : 0 1.
Integrity (generated/validated)
null : 0 1.
md5 : 1664 2047
sha1 : 14976 15357
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
seed : 0 1.
chacha20poly1305 : 0 1.
Integrity (generated/validated)
null : 0 1.
md5 : 3 1.
sha1 : 3 1.
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
CP8:
Encryption (encrypted/decrypted)
null : 1 1.
des : 0 1.
3des : 0 1.
aes : 8865 8865
aes-gcm : 0 1.
aria : 0 1.
seed : 0 1.
chacha20poly1305 : 0 1.
Integrity (generated/validated)
null : 0 1.
md5 : 8865 8865
sha1 : 1 1.
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
SOFTWARE:
Encryption (encrypted/decrypted)
null : 0 1.
des : 0 1.
3des : 0 1.
aes : 531 531
aes-gcm : 29882 29882
aria : 21688 21688
seed : 153774 153774
chacha20poly1305 : 41156 41156
Integrity (generated/validated)
null : 71038 71038
md5 : 531 531
sha1 : 175462 175462
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
When auto-asic-offload is set to disable in the firewall policy, traffic is not offloaded and the NPU hosting
counter is ticked.
# diagnose vpn ipsec status
All ipsec crypto devices in use:
NP6_0:
Encryption (encrypted/decrypted)
null : 0 1.
des : 0 1.
3des : 0 1.
aes : 0 1.
aes-gcm : 0 1.
aria : 0 1.
seed : 0 1.
chacha20poly1305 : 0 1.
Integrity (generated/validated)
null : 0 1.
md5 : 0 1.
sha1 : 0 1.
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
NP6_1:
Encryption (encrypted/decrypted)
null : 14976 15357
des : 0 1.
3des : 0 1.
aes : 110080 2175
aes-gcm : 0 1.
aria : 0 1.
seed : 0 1.
chacha20poly1305 : 0 1.
Integrity (generated/validated)
null : 0 1.
md5 : 110080 2175
sha1 : 14976 15357
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
CP8:
Encryption (encrypted/decrypted)
null : 1 1.
des : 0 1.
3des : 0 1.
aes : 8865 8865
aes-gcm : 0 1.
aria : 0 1.
seed : 0 1.
chacha20poly1305 : 0 1.
Integrity (generated/validated)
null : 0 1.
md5 : 8865 8865
sha1 : 1 1.
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
SOFTWARE:
Encryption (encrypted/decrypted)
null : 0 1.
des : 0 1.
3des : 0 1.
aes : 539 539
aes-gcm : 29882 29882
aria : 21688 21688
seed : 153774 153774
chacha20poly1305 : 41259 41259
Integrity (generated/validated)
null : 71141 71141
md5 : 539 539
sha1 : 175462 175462
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
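The "counter should tick" check from step 4, as an added example that is not part of the cookbook: a parser for the diagnose vpn ipsec status tables above and a snapshot diff that names the crypto device (NP6, CP8 or SOFTWARE) whose counters moved between two runs. The three snapshots are constructed for the example (only a few algorithm rows each, in the row layout shown above), and parse_ipsec_status, counters_ticked and crypto_devices_used are this example's names.

```python
"""Snapshot comparison for `diagnose vpn ipsec status`.

Added example, not FortiOS code. parse_ipsec_status() reads the per-device
counter tables printed above (NP6_x, CP8, SOFTWARE; Encryption and Integrity
sections); counters_ticked() compares two snapshots and names the device
whose counters moved, which is the "counter should tick" check in step 4.
The three snapshots are constructed for the example and carry only a few
algorithm rows; the row layout follows the output above.
"""
import re

DEVICE_RE = re.compile(r"^(\S+):$")                                 # "NP6_1:", "CP8:", "SOFTWARE:"
SECTION_RE = re.compile(r"^(Encryption|Integrity)\b")               # section header line
COUNTER_RE = re.compile(r"^\s*([\w-]+)\s*:\s*(\d+)\s+(\d+)\s*$")   # "aes : 1664 2047"


def parse_ipsec_status(text):
    """Return {device: {section: {algorithm: (first_count, second_count)}}}.

    For Encryption the pair is (encrypted, decrypted); for Integrity it is
    (generated, validated), as the section headers in the output state.
    """
    snapshot, device, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if DEVICE_RE.match(line):
            device, section = line[:-1], None
            snapshot[device] = {}
            continue
        m = SECTION_RE.match(line)
        if m and device is not None:
            section = m.group(1)
            snapshot[device][section] = {}
            continue
        m = COUNTER_RE.match(line)
        if m and device is not None and section is not None:
            snapshot[device][section][m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return snapshot


def counters_ticked(before, after):
    """(device, section, algorithm, delta_first, delta_second) for each counter that grew."""
    ticks = []
    for device, sections in after.items():
        for section, algs in sections.items():
            for alg, (a1, b1) in algs.items():
                a0, b0 = before.get(device, {}).get(section, {}).get(alg, (0, 0))
                if a1 > a0 or b1 > b0:
                    ticks.append((device, section, alg, a1 - a0, b1 - b0))
    return ticks


def crypto_devices_used(before, after):
    """Sorted names of the devices that did any IPsec work between the snapshots."""
    return sorted({t[0] for t in counters_ticked(before, after)})


def _snapshot(np_aes, cp_aes, sw_chacha):
    """Constructed status dump; only the rows that vary between snapshots are parameters."""
    return f"""\
All ipsec crypto devices in use:
NP6_1:
Encryption (encrypted/decrypted)
        null            :              0               0
        aes             :       {np_aes[0]:8d}        {np_aes[1]:8d}
        chacha20poly1305:              0               0
Integrity (generated/validated)
        md5             :       {np_aes[0]:8d}        {np_aes[1]:8d}
        sha1            :              0               0
CP8:
Encryption (encrypted/decrypted)
        aes             :       {cp_aes[0]:8d}        {cp_aes[1]:8d}
Integrity (generated/validated)
        md5             :       {cp_aes[0]:8d}        {cp_aes[1]:8d}
SOFTWARE:
Encryption (encrypted/decrypted)
        aes             :              0               0
        chacha20poly1305:       {sw_chacha[0]:8d}        {sw_chacha[1]:8d}
Integrity (generated/validated)
        null            :       {sw_chacha[0]:8d}        {sw_chacha[1]:8d}
"""


# t0 -> t1: only the NP6 counters move (an AES/MD5 SA offloaded to the NPU);
# t1 -> t2: only SOFTWARE moves (chacha20poly1305 is processed in software).
SNAP_T0 = _snapshot((1664, 2047), (8499, 8499), (29521, 29521))
SNAP_T1 = _snapshot((1700, 2100), (8499, 8499), (29521, 29521))
SNAP_T2 = _snapshot((1700, 2100), (8499, 8499), (29600, 29600))


if __name__ == "__main__":
    s0, s1, s2 = (parse_ipsec_status(s) for s in (SNAP_T0, SNAP_T1, SNAP_T2))
    print("t0->t1 devices:", crypto_devices_used(s0, s1), counters_ticked(s0, s1))
    print("t1->t2 devices:", crypto_devices_used(s1, s2), counters_ticked(s1, s2))
```

Taking the two snapshots a few seconds apart while traffic crosses the tunnel answers the question step 4 asks: if the NP6 rows are the ones that grow, the SA is offloaded; if only SOFTWARE grows, the proposal in use (chacha20poly1305, ARIA or SEED, or a policy with auto-asic-offload disabled) is keeping the work on the CPU.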
This recipe provides an example configuration of GRE over an IPsec tunnel. A static route over the GRE tunnel is used, and
tunnel-mode is used in the phase2-interface settings.
The following shows the network topology for this example:
b. HQ2:
config system interface
edit "port25"
set ip 172.16.202.1 255.255.255.0
next
edit "port9"
set ip 172.16.101.1 255.255.255.0
next
end
config router static
edit 1
set gateway 172.16.202.2
set device "port25"
next
end
b. HQ2:
config vpn ipsec phase1-interface
edit "greipsec"
set interface "port25"
set peertype any
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set remote-gw 172.16.200.1
set psksecret sample
next
end
config vpn ipsec phase2-interface
edit "greipsec"
set phase1name "greipsec"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm
aes256gcm chacha20poly1305
set protocol 47
next
end
b. HQ2:
config system interface
edit "greipsec"
set ip 10.10.10.2 255.255.255.255
set remote-ip 10.10.10.1 255.255.255.255
next
end
b. HQ2:
config system gre-tunnel
edit "gre_to_HQ1"
set interface "greipsec"
set remote-gw 10.10.10.1
set local-gw 10.10.10.2
next
end
b. HQ2:
config firewall policy
edit 1
set srcintf "port9"
set dstintf "gre_to_HQ1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set srcintf "gre_to_HQ1"
set dstintf "port9"
b. HQ2:
config router static
edit 2
set dst 10.1.100.0 255.255.255.0
set device "gre_to_HQ1"
next
end
8. Optionally, view the VPN tunnel list on HQ1 with the diagnose vpn tunnel list command:
list all ipsec tunnel in vd 0
----
name=greipsec ver=1 serial=1 172.16.200.1:0->172.16.202.1:0
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/16 options[0010]=create_dev
proxyid_num=1 child_num=0 refcnt=12 ilast=19 olast=861 ad=/0
stat: rxp=347 txp=476 rxb=58296 txb=51408
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=8
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=greipsec proto=47 sa=1 ref=2 serial=2
src: 47:0.0.0.0/0.0.0.0:0
dst: 47:0.0.0.0/0.0.0.0:0
SA: ref=3 options=10226 type=00 soft=0 mtu=1438 expire=41689/0B replaywin=2048
seqno=15c esn=0 replaywin_lastseq=0000015c itn=0
life: type=01 bytes=0/0 timeout=42898/43200
dec: spi=9897bd09 esp=aes key=16 5a60e67bf68379309715bd83931680bf
ah=sha1 key=20 ff35a329056d0d506c0bfc17ef269978a4a57dd3
enc: spi=e362f336 esp=aes key=16 5574acd8587c5751a88950e1bf8fbf57
ah=sha1 key=20 d57ec76ac3c543ac89b2e4d0545518aa2d06669b
dec:pkts/bytes=347/37476, enc:pkts/bytes=347/58296
9. Optionally, view the static routing table on HQ1 with the get router info routing-table static
command:
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 172.16.200.3, port1
S 172.16.101.0/24 [10/0] is directly connected, gre_to_HQ2
This recipe provides an example configuration of L2TP over IPsec. A locally defined user is used for authentication, a
Windows PC or Android tablet acts as the client, and net-device is set to enable in the phase1-interface
settings. If net-device is set to disable, only one device can establish an L2TP over IPsec tunnel behind the same
NAT device.
The following shows the network topology for this example:
5. Configure a firewall address that the L2TP settings use to assign IP addresses to clients once the L2TP tunnel
is established:
config firewall address
edit "L2TPclients"
set type iprange
set start-ip 10.10.10.1
set end-ip 10.10.10.100
next
end
7. Optionally, view the VPN tunnel list on HQ with the diagnose vpn tunnel list command:
list all ipsec tunnel in vd 0
----
name=L2tpoIPsec_0 ver=1 serial=8 22.1.1.1:0->10.1.100.15:0
bound_if=4 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/216 options[00d8]=npu
create_dev no-sysctl rgwy-chg
parent=L2tpoIPsec index=0
proxyid_num=1 child_num=0 refcnt=13 ilast=0 olast=0 ad=/0
stat: rxp=470 txp=267 rxb=57192 txb=12679
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=L2tpoIPsec proto=17 sa=1 ref=3 serial=1 transport-mode add-route
src: 17:22.1.1.1-22.1.1.1:1701
dst: 17:10.1.100.15-10.1.100.15:0
SA: ref=3 options=1a6 type=00 soft=0 mtu=1470 expire=2339/0B replaywin=2048
seqno=10c esn=0 replaywin_lastseq=000001d6 itn=0
life: type=01 bytes=0/0 timeout=3585/3600
dec: spi=ca646443 esp=3des key=24 af62a0fffe85d3d534b5bfba29307aafc8bfda5c3f4650dc
ah=sha1 key=20 89b4b67688bed9be49fb86449bb83f8c8d8d7432
enc: spi=700d28a0 esp=3des key=24 5f68906eca8d37d853814188b9e29ac4913420a9c87362c9
ah=sha1 key=20 d37f901ffd0e6ee1e4fdccebc7fdcc7ad44f0a0a
dec:pkts/bytes=470/31698, enc:pkts/bytes=267/21744
npu_flag=00 npu_rgwy=10.1.100.15 npu_lgwy=22.1.1.1 npu_selid=6 dec_npuid=0 enc_npuid=0
----
name=L2tpoIPsec_1 ver=1 serial=a 22.1.1.1:4500->22.1.1.2:64916
bound_if=4 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/472 options[01d8]=npu
create_dev no-sysctl rgwy-chg rport-chg
parent=L2tpoIPsec index=1
proxyid_num=1 child_num=0 refcnt=17 ilast=2 olast=2 ad=/0
stat: rxp=5 txp=4 rxb=592 txb=249
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0
8. Optionally, view the L2TP VPN status by enabling debug (diagnose debug enable), then using the
diagnose vpn l2tp status command:
----
----
HQ # Num of tunnels: 2
----
Tunnel ID = 1 (local id), 42 (remote id) to 10.1.100.15:1701
control_seq_num = 2, control_rec_seq_num = 4,
last recv pkt = 2
Call ID = 1 (local id), 1 (remote id), serno = 0, dev=ppp1,
assigned ip = 10.10.10.2
data_seq_num = 0,
tx = 152 bytes (2), rx= 21179 bytes (205)
Tunnel ID = 3 (local id), 34183 (remote id) to 22.1.1.2:58825
control_seq_num = 2, control_rec_seq_num = 4,
last recv pkt = 2
Call ID = 3 (local id), 18820 (remote id), serno = 2032472593, dev=ppp2,
assigned ip = 10.10.10.3
data_seq_num = 0,
tx = 152 bytes (2), rx= 0 bytes (0)
----
--VD 0: Startip = 10.10.10.1, Endip = 10.10.10.100
enforece-ipsec = false
----
2. Enter a name for the VPN in the Name field. In this example L2tpoIPsec is used.
3. Set the following, then click Next:
• Template Type to Remote Access
• Remote Device Type to Native and Windows Native
4. Set the following, then click Next:
• Incoming Interface to port9
• Authentication Method to Pre-shared Key
• Pre-shared Key to your-psk
• User Group to L2tpusergroup
5. Set the following, then click Create:
• Local Interface as port10
• Local Address as 172.16.101.0
• Client Address Range as 10.10.10.1-10.10.10.100
• Subnet Mask is left as its default value.
This recipe provides an example configuration of VxLAN over an IPsec tunnel. VxLAN encapsulation is set in the
phase1-interface settings, and a virtual switch bridges the internal interface with the VxLAN over IPsec tunnel.
b. HQ2:
config system interface
edit "port25"
set ip 172.16.202.1 255.255.255.0
next
end
config router static
edit 1
set gateway 172.16.202.2
set device "port25"
next
end
b. HQ2:
config vpn ipsec phase1-interface
edit "to_HQ1"
set interface "port25"
set peertype any
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set encapsulation vxlan
set encapsulation-address ipv4
set encap-local-gw4 172.16.202.1
set encap-remote-gw4 172.16.200.1
set remote-gw 172.16.200.1
set psksecret sample
next
end
config vpn ipsec phase2-interface
edit "to_HQ1"
set phase1name "to_HQ1"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm
aes256gcm chacha20poly1305
next
end
b. HQ2:
config firewall policy
edit 1
set srcintf "port9"
set dstintf "to_HQ1"
set srcaddr "10.1.100.0"
set dstaddr "10.1.100.0"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set srcintf "to_HQ1"
set dstintf "port9"
set srcaddr "10.1.100.0"
set dstaddr "10.1.100.0"
set action accept
set schedule "always"
set service "ALL"
next
end
b. HQ2:
config system switch-interface
edit "vxlan-HQ1"
set member "port9" "to_HQ1"
set intra-switch-policy explicit
next
end
5. Optionally, view the VPN tunnel list on HQ1 with the diagnose vpn tunnel list command:
list all ipsec tunnel in vd 0
----
name=to_HQ2 ver=1 serial=2 172.16.200.1:0->172.16.202.1:0
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=VXLAN/2 options[0002]=
encap-addr: 172.16.200.1->172.16.202.1
proxyid_num=1 child_num=0 refcnt=11 ilast=8 olast=0 ad=/0
stat: rxp=13 txp=3693 rxb=5512 txb=224900
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=45
natt: mode=none draft=0 interval=0 remote_port=0
6. Optionally, view the bridge control interface on HQ1 with the diagnose netlink brctl name host
vxlan-HQ1 command:
show bridge control interface vxlan-HQ1 host.
fdb: size=2048, used=17, num=17, depth=1
Bridge vxlan-a host table
port no device devname mac addr ttl attributes
1 1. dmz 00:0c:29:4e:33:c9 1. Hit(1)
1 1. dmz 00:0c:29:a8:c3:ea 105 Hit(105)
1 1. dmz 90:6c:ac:53:76:29 18 Hit(18)
1 1. dmz 08:5b:0e:dd:69:cb 1. Local Static
1 1. dmz 90:6c:ac:84:3e:5d 1. Hit(5)
1 1. dmz 00:0b:fd:eb:21:d6 1. Hit(0)
2 38 to_HQ2 56:45:c3:3f:57:b4 1. Local Static
1 1. dmz 00:0c:29:d2:66:40 78 Hit(78)
2 38 to_HQ2 90:6c:ac:5b:a6:eb 124 Hit(124)
1 1. dmz 00:0c:29:a6:bc:e6 19 Hit(19)
1 1. dmz 00:0c:29:f0:a2:e7 1. Hit(0)
1 1. dmz 00:0c:29:d6:c4:66 164 Hit(164)
1 1. dmz 00:0c:29:e7:68:19 1. Hit(0)
1 1. dmz 00:0c:29:bf:79:30 19 Hit(19)
1 1. dmz 00:0c:29:e0:64:7d 1. Hit(0)
1 1. dmz 36:ea:c7:30:c0:f1 25 Hit(25)
1 1. dmz 36:ea:c7:30:cc:71 1. Hit(0)
Encryption algorithms
This recipe provides a brief introduction to IPsec phase1 and phase2 encryption algorithms and includes the following
sections:
• IKEv1 phase1 encryption algorithm on page 440
• IKEv1 phase2 encryption algorithm on page 442
• IKEv2 phase1 encryption algorithm on page 444
• IKEv2 phase2 encryption algorithm on page 445
DES is a symmetric-key algorithm, which means the same key is used for encrypting and decrypting data. FortiGate
supports:
• des-md5
• des-sha1
• des-sha256
• des-sha384
• des-sha512
3DES applies the DES algorithm three times to each data block. FortiGate supports:
• 3des-md5
• 3des-sha1
• 3des-sha256
• 3des-sha384
• 3des-sha512
AES is a symmetric-key algorithm with key lengths of 128, 192, and 256 bits. FortiGate supports:
• aes128-md5
• aes128-sha1
• aes128-sha256
• aes128-sha384
• aes128-sha512
• aes192-md5
• aes192-sha1
• aes192-sha256
• aes192-sha384
• aes192-sha512
• aes256-md5
• aes256-sha1
• aes256-sha256
• aes256-sha384
• aes256-sha512
The ARIA algorithm is based on AES, with key lengths of 128, 192, and 256 bits. FortiGate supports:
• aria128-md5
• aria128-sha1
• aria128-sha256
• aria128-sha384
• aria128-sha512
• aria192-md5
• aria192-sha1
• aria192-sha256
• aria192-sha384
• aria192-sha512
• aria256-md5
• aria256-sha1
• aria256-sha256
• aria256-sha384
• aria256-sha512
SEED is a symmetric-key algorithm. FortiGate supports:
• seed128-md5
• seed128-sha1
• seed128-sha256
• seed128-sha384
• seed128-sha512
Suite-B is a set of encryption algorithms: AES encryption with ICV in GCM mode. FortiGate supports Suite-B on new
kernel platforms only. IPsec traffic cannot be offloaded to the NPU. CP9 supports Suite-B offloading; otherwise packets are
encrypted and decrypted by software. FortiGate supports:
• suite-b-gcm-128
• suite-b-gcm-256
• aes128-sha256
• aes128-sha384
• aes128-sha512
• aes192-null
• aes192-md5
• aes192-sha1
• aes192-sha256
• aes192-sha384
• aes192-sha512
• aes256-null
• aes256-md5
• aes256-sha1
• aes256-sha256
• aes256-sha384
• aes256-sha512
With the AES-GCM encryption algorithm, IPsec traffic cannot be offloaded to the NPU or CP. FortiGate supports:
• aes128gcm
• aes256gcm
With the chacha20poly1305 encryption algorithm, IPsec traffic cannot be offloaded to the NPU or CP. FortiGate supports:
• chacha20poly1305
With the ARIA encryption algorithm, IPsec traffic cannot be offloaded to the NPU or CP. FortiGate supports:
• aria128-null
• aria128-md5
• aria128-sha1
• aria128-sha256
• aria128-sha384
• aria128-sha512
• aria192-null
• aria192-md5
• aria192-sha1
• aria192-sha256
• aria192-sha384
• aria192-sha512
• aria256-null
• aria256-md5
• aria256-sha1
• aria256-sha256
• aria256-sha384
• aria256-sha512
With the SEED encryption algorithm, IPsec traffic cannot be offloaded to the NPU or CP. FortiGate supports:
• seed-null
• seed-md5
• seed-sha1
• seed-sha256
• seed-sha384
• seed-sha512
DES is a symmetric-key algorithm, which means the same key is used for encrypting and decrypting data. FortiGate
supports:
• des-md5
• des-sha1
• des-sha256
• des-sha384
• des-sha512
3DES applies the DES algorithm three times to each data block. FortiGate supports:
• 3des-md5
• 3des-sha1
• 3des-sha256
• 3des-sha384
• 3des-sha512
AES is a symmetric-key algorithm with key lengths of 128, 192, and 256 bits. FortiGate supports:
• aes128-md5
• aes128-sha1
• aes128-sha256
• aes128-sha384
• aes128-sha512
• aes128gcm-prfsha1
• aes128gcm-prfsha256
• aes128gcm-prfsha384
• aes128gcm-prfsha512
• aes192-md5
• aes192-sha1
• aes192-sha256
• aes192-sha384
• aes192-sha512
• aes256-md5
• aes256-sha1
• aes256-sha256
• aes256-sha384
• aes256-sha512
• aes256gcm-prfsha1
• aes256gcm-prfsha256
• aes256gcm-prfsha384
• aes256gcm-prfsha512
The ARIA algorithm is based on AES, with key lengths of 128, 192, and 256 bits. FortiGate supports:
• aria128-md5
• aria128-sha1
• aria128-sha256
• aria128-sha384
• aria128-sha512
• aria192-md5
• aria192-sha1
• aria192-sha256
• aria192-sha384
• aria192-sha512
• aria256-md5
• aria256-sha1
• aria256-sha256
• aria256-sha384
• aria256-sha512
With the chacha20poly1305 encryption algorithm, FortiGate supports:
• chacha20poly1305-prfsha1
• chacha20poly1305-prfsha256
• chacha20poly1305-prfsha384
• chacha20poly1305-prfsha512
SEED is a symmetric-key algorithm. FortiGate supports:
• seed128-md5
• seed128-sha1
• seed128-sha256
• seed128-sha384
• seed128-sha512
Suite-B is a set of encryption algorithms: AES encryption with ICV in GCM mode. FortiGate supports Suite-B on new
kernel platforms only. IPsec traffic cannot be offloaded to the NPU. CP9 supports Suite-B offloading; otherwise packets are
encrypted and decrypted by software. FortiGate supports:
• suite-b-gcm-128
• suite-b-gcm-256
• null-sha384
• null-sha512
With the DES encryption algorithm, IPsec traffic can be offloaded to the NPU/CP. FortiGate supports:
- des-null
- des-md5
- des-sha1
- des-sha256
- des-sha384
- des-sha512
With the 3DES encryption algorithm, IPsec traffic can be offloaded to the NPU/CP. FortiGate supports:
- 3des-null
- 3des-md5
- 3des-sha1
- 3des-sha256
- 3des-sha384
- 3des-sha512
With the AES encryption algorithm, IPsec traffic can be offloaded to the NPU/CP. FortiGate supports:
- aes128-null
- aes128-md5
- aes128-sha1
- aes128-sha256
- aes128-sha384
- aes128-sha512
- aes192-null
- aes192-md5
- aes192-sha1
- aes192-sha256
- aes192-sha384
- aes192-sha512
- aes256-null
- aes256-md5
- aes256-sha1
- aes256-sha256
- aes256-sha384
- aes256-sha512
With the AESGCM encryption algorithm, IPsec traffic cannot be offloaded to the NPU. CP9 supports AESGCM offloading.
FortiGate supports:
- aes128gcm
- aes256gcm
With the chacha20poly1305 encryption algorithm, IPsec traffic cannot be offloaded to the NPU/CP. FortiGate supports:
- chacha20poly1305
With the ARIA encryption algorithm, IPsec traffic cannot be offloaded to the NPU/CP. FortiGate supports:
- aria128-null
- aria128-md5
- aria128-sha1
- aria128-sha256
- aria128-sha384
- aria128-sha512
- aria192-null
- aria192-md5
- aria192-sha1
- aria192-sha256
- aria192-sha384
- aria192-sha512
- aria256-null
- aria256-md5
- aria256-sha1
- aria256-sha256
- aria256-sha384
- aria256-sha512
With the SEED encryption algorithm, IPsec traffic cannot be offloaded to the NPU/CP. FortiGate supports:
- seed-null
- seed-md5
- seed-sha1
- seed-sha256
- seed-sha384
- seed-sha512
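To turn the two algorithm lists above into a quick configuration audit, here is an added Python example (not Fortinet code). It parses FortiOS proposal tokens, reports the offload class stated above for each encryption family, and flags legacy choices. The weak-algorithm sets are the auditor's own assessment (DES, 3DES, MD5, SHA-1 and null are legacy choices), and the sample configuration is constructed to mirror the Branch2 phase 1 and phase 2 settings that appear later in this recipe.

```python
"""Audit FortiOS IPsec proposal strings (added example, not Fortinet code).

A proposal token is "<encryption>-<integrity>" (e.g. "aes256-sha256"). AEAD
ciphers appear as "<cipher>-prf<hash>" in the first list ("aes128gcm-prfsha256")
and as the bare cipher in the second list ("aes128gcm", "chacha20poly1305").
The offload table follows the statements on this page; the weak-algorithm sets
are the auditor's own assessment.
"""
import re

# Offload capability per encryption family, as stated on this page.
OFFLOAD = {
    "des": "NPU/CP", "3des": "NPU/CP",
    "aes128": "NPU/CP", "aes192": "NPU/CP", "aes256": "NPU/CP",
    "aes128gcm": "CP9 only", "aes256gcm": "CP9 only",
    "suite-b-gcm-128": "CP9 only", "suite-b-gcm-256": "CP9 only",
    "chacha20poly1305": "software",
    "aria128": "software", "aria192": "software", "aria256": "software",
    "seed": "software", "seed128": "software",
    "null": "n/a (no encryption)",
}
WEAK_ENC = {"des", "3des", "null"}     # auditor's assessment
WEAK_AUTH = {"null", "md5", "sha1"}    # auditor's assessment (also as PRF)

# Matches "set proposal <tokens>" lines in a FortiOS config dump.
SET_PROPOSAL = re.compile(r"^\s*set proposal\s+(.+?)\s*$", re.MULTILINE)


def parse_entry(entry):
    """Split one proposal token into (encryption, integrity_or_prf)."""
    # Try longer family names first so "seed128-md5" is not read as "seed".
    for enc in sorted(OFFLOAD, key=len, reverse=True):
        if entry == enc:
            return enc, None               # bare AEAD form, e.g. "aes256gcm"
        if entry.startswith(enc + "-"):
            return enc, entry[len(enc) + 1:]
    raise ValueError(f"unknown proposal entry: {entry!r}")


def audit_proposal(proposal):
    """Return one finding dict per token: offload class and any weaknesses."""
    findings = []
    for entry in proposal.split():
        enc, auth = parse_entry(entry)
        issues = []
        if enc in WEAK_ENC:
            issues.append(f"weak encryption {enc}")
        if auth is not None:
            # "prfsha1" -> "sha1"; plain integrity names pass through unchanged.
            hash_name = auth[3:] if auth.startswith("prf") else auth
            if hash_name in WEAK_AUTH:
                issues.append(f"weak integrity {auth}")
        findings.append({"entry": entry, "offload": OFFLOAD[enc], "issues": issues})
    return findings


def hardened(proposal):
    """Return the proposal with every weak token removed, order preserved."""
    return " ".join(f["entry"] for f in audit_proposal(proposal) if not f["issues"])


def audit_config(config_text):
    """Audit every 'set proposal' line found in a config snippet."""
    return {line: audit_proposal(line) for line in SET_PROPOSAL.findall(config_text)}


# Constructed sample mirroring the Branch2 phase 1 / phase 2 settings in this recipe.
SAMPLE_CONFIG = """\
config vpn ipsec phase1
    edit "to_HQ"
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
    next
end
config vpn ipsec phase2
    edit "to_HQ"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end
"""

if __name__ == "__main__":
    for line, findings in audit_config(SAMPLE_CONFIG).items():
        print(line)
        for f in findings:
            print(f"  {f['entry']:<22} offload={f['offload']:<20} {', '.join(f['issues']) or 'ok'}")
        print("  hardened:", hardened(line))
```

Because FortiOS negotiates the first proposal both peers share, the order of tokens matters as much as their presence; `hardened()` keeps the original order and only drops the legacy entries, so the preferred strong suites stay in front.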
This recipe provides an example configuration of a policy-based IPsec tunnel. A site-to-site VPN between the branch
offices and HQ is used, and HQ is the IPsec concentrator.
c. Select the Source, Destination, Schedule, Service, and set Action to IPsec.
d. Select the VPN Tunnel, in this example, Branch1/Branch2.
e. In this example, turn on Allow traffic to be initiated from the remote site.
f. Click OK.
4. Configure IPsec VPN at branch 1:
a. Go to VPN > IPsec Wizard, enter a VPN name (to_HQ in this example), choose Custom, and then click Next.
- Uncheck Enable IPsec Interface Mode.
- Choose Static IP Address as Remote Gateway.
- Enter the IP address, in this example, 22.1.1.1.
- Choose wan1 as the interface.
- In this example, set Authentication Method to Pre-shared Key. In other cases, use the default.
- Click OK.
5. Configure the firewall policy:
a. Choose the Incoming Interface, in this example, internal.
b. Choose the Outgoing Interface, in this example, wan1.
c. Select the Source, Destination, Schedule, Service, and set Action to IPsec.
d. Select the VPN Tunnel, in this example, to_HQ.
e. In this example, turn on Allow traffic to be initiated from the remote site.
f. Click OK.
6. Configure IPsec VPN at branch 2:
a. Go to VPN > IPsec Wizard, enter a VPN name (to_HQ in this example), choose Custom, and then click Next.
- Uncheck Enable IPsec Interface Mode.
- Choose Static IP Address as Remote Gateway.
- Enter the IP address, in this example, 22.1.1.1.
- Choose wan1 as the interface.
- In this example, set Authentication Method to Pre-shared Key and enter sample as the Pre-shared Key. In
other cases, use the default.
- Click OK.
7. Configure the firewall policy:
a. Choose the Incoming Interface, in this example, internal.
b. Choose the Outgoing Interface, in this example, wan1.
c. Select the Source, Destination, Schedule, Service, and set Action to IPsec.
d. Select the VPN Tunnel, in this example, to_HQ.
e. In this example, turn on Allow traffic to be initiated from the remote site.
f. Click OK.
config system interface
    edit "port10"
        set alias "Internal"
        set ip 172.16.101.1 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 22.1.1.2
        set device "port9"
    next
end
config firewall policy
    edit 2
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "192.168.4.0"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set vpntunnel "to_branch2"
    next
end
b. Branch2:
config system interface
    edit "wan1"
        set alias "primary_WAN"
        set ip 13.1.1.2 255.255.255.0
    next
    edit "internal"
        set ip 192.168.4.1 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 13.1.1.1
        set device "wan1"
    next
end
b. Branch2:
config vpn ipsec phase1
    edit "to_HQ"
        set interface "wan1"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 22.1.1.1
        set psksecret sample
    next
end
config vpn ipsec phase2
    edit "to_HQ"
        set phase1name "to_HQ"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end
b. Branch2:
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "192.168.4.0"
        set dstaddr "all"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set vpntunnel "to_HQ"
    next
end
8. Optionally, view the IPsec VPN tunnel list at HQ with the diagnose vpn tunnel list command:
list all ipsec tunnel in vd 0
----
name=to_branch1 ver=1 serial=4 22.1.1.1:0->15.1.1.2:0
bound_if=42 lgwy=static/1 tun=tunnel/1 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=8 ilast=0 olast=0 ad=/0
stat: rxp=305409 txp=41985 rxb=47218630 txb=2130108
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to_branch1 proto=0 sa=1 ref=3 serial=1
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=6 options=10226 type=00 soft=0 mtu=1438 expire=42604/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000680 itn=0
life: type=01 bytes=0/0 timeout=42932/43200
dec: spi=ca646442 esp=aes key=16 58c91d4463968dddccc4fd97de90a4b8
ah=sha1 key=20 c9176fe2fbc82ef7e726be9ad4af83eb1b55580a
enc: spi=747c10c4 esp=aes key=16 7cf0f75b784f697bc7f6d8b4bb8a83c1
ah=sha1 key=20 cdddc376a86f5ca0149346604a59af07a33b11c5
dec:pkts/bytes=1664/16310, enc:pkts/bytes=0/16354
npu_flag=03 npu_rgwy=15.1.1.2 npu_lgwy=22.1.1.1 npu_selid=3 dec_npuid=2 enc_npuid=2
----
name=to_branch2 ver=1 serial=5 22.1.1.1:0->13.1.1.2:0
bound_if=42 lgwy=static/1 tun=tunnel/1 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=7 ilast=2 olast=43228 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to_branch2 proto=0 sa=1 ref=2 serial=1
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=10226 type=00 soft=0 mtu=1280 expire=40489/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 itn=0
life: type=01 bytes=0/0 timeout=42931/43200
dec: spi=ca646441 esp=aes key=16 57ab680d29d4aad4e373579fb50e9909
ah=sha1 key=20 12a2bc703d2615d917ff544eaff75a6d2c17f1fe
enc: spi=f9cffb61 esp=aes key=16 3d64da9feb893874e007babce0229259
ah=sha1 key=20 f92a3ad5e56cb8e89c47af4dac10bf4b4bebff16
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
npu_flag=00 npu_rgwy=13.1.1.2 npu_lgwy=22.1.1.1 npu_selid=4 dec_npuid=0 enc_npuid=0
9. Optionally, view the IPsec VPN concentrator at HQ with the diagnose vpn concentrator list command:
list all ipsec concentrator in vd 0
name=branch ref=3 tuns=2 flags=0
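As an added example (not Fortinet code), the following Python parses the diagnose vpn tunnel list output shown above into one record per tunnel and flags tunnels that deserve a second look. The sample is the output above, shortened and with key material redacted; the checks in check_tunnels() (no phase 2 SA, no traffic, legacy integrity algorithm) are the reviewer's own choices.

```python
"""Parse 'diagnose vpn tunnel list' output (added example, not Fortinet code).

Field names follow the sample output in this recipe. Records are separated
by '----' lines; the 'ah=' line under 'dec:' carries the ESP integrity
algorithm for the inbound SA.
"""
import re

RECORD_SEP = re.compile(r"^-{3,}\s*$", re.MULTILINE)
NAME_RE = re.compile(
    r"^name=(\S+) ver=(\d+) serial=(\d+) "
    r"(\d+\.\d+\.\d+\.\d+):\d+->(\d+\.\d+\.\d+\.\d+):\d+", re.MULTILINE)
SA_RE = re.compile(r"\bsa=(\d+)")                       # on the proxyid= line
STAT_RE = re.compile(r"^stat: rxp=(\d+) txp=(\d+)", re.MULTILINE)
ESP_RE = re.compile(r"\besp=(\w+) key=(\d+)")           # first hit is the dec: SA
AH_RE = re.compile(r"^ah=(\w+)", re.MULTILINE)         # ESP integrity algorithm
NPU_RE = re.compile(r"\bnpu_flag=([0-9a-fA-F]+)")

LEGACY_INTEGRITY = {"md5", "sha1", "null"}              # reviewer's assessment


def parse_tunnel_list(text):
    """Return a list of dicts, one per '----'-separated tunnel record."""
    tunnels = []
    for chunk in RECORD_SEP.split(text):
        m = NAME_RE.search(chunk)
        if not m:
            continue        # header such as "list all ipsec tunnel in vd 0"
        t = {
            "name": m.group(1),
            "ver": int(m.group(2)),       # IKE version as reported in ver=
            "local_gw": m.group(4),
            "remote_gw": m.group(5),
        }
        sa = SA_RE.search(chunk)
        t["sa_count"] = int(sa.group(1)) if sa else 0
        st = STAT_RE.search(chunk)
        t["rxp"], t["txp"] = (int(st.group(1)), int(st.group(2))) if st else (0, 0)
        esp = ESP_RE.search(chunk)
        t["esp"] = esp.group(1) if esp else None
        t["esp_key_bytes"] = int(esp.group(2)) if esp else None
        ah = AH_RE.search(chunk)
        t["integrity"] = ah.group(1) if ah else None
        npu = NPU_RE.search(chunk)
        t["npu_offload"] = bool(npu) and int(npu.group(1), 16) != 0
        tunnels.append(t)
    return tunnels


def check_tunnels(tunnels):
    """Map tunnel name -> list of findings worth a second look."""
    report = {}
    for t in tunnels:
        issues = []
        if t["sa_count"] == 0:
            issues.append("no phase 2 SA")
        if t["rxp"] == 0 and t["txp"] == 0:
            issues.append("no traffic")
        if t["integrity"] in LEGACY_INTEGRITY:
            issues.append(f"legacy integrity {t['integrity']}")
        report[t["name"]] = issues
    return report


# Constructed sample: the HQ output above, shortened, with keys redacted.
SAMPLE = """\
list all ipsec tunnel in vd 0
----
name=to_branch1 ver=1 serial=4 22.1.1.1:0->15.1.1.2:0
bound_if=42 lgwy=static/1 tun=tunnel/1 mode=auto/1 encap=none/8 options[0008]=npu
stat: rxp=305409 txp=41985 rxb=47218630 txb=2130108
proxyid=to_branch1 proto=0 sa=1 ref=3 serial=1
dec: spi=ca646442 esp=aes key=16 <redacted>
ah=sha1 key=20 <redacted>
enc: spi=747c10c4 esp=aes key=16 <redacted>
ah=sha1 key=20 <redacted>
npu_flag=03 npu_rgwy=15.1.1.2 npu_lgwy=22.1.1.1 npu_selid=3 dec_npuid=2 enc_npuid=2
----
name=to_branch2 ver=1 serial=5 22.1.1.1:0->13.1.1.2:0
bound_if=42 lgwy=static/1 tun=tunnel/1 mode=auto/1 encap=none/8 options[0008]=npu
stat: rxp=0 txp=0 rxb=0 txb=0
proxyid=to_branch2 proto=0 sa=1 ref=2 serial=1
dec: spi=ca646441 esp=aes key=16 <redacted>
ah=sha1 key=20 <redacted>
enc: spi=f9cffb61 esp=aes key=16 <redacted>
ah=sha1 key=20 <redacted>
npu_flag=00 npu_rgwy=13.1.1.2 npu_lgwy=22.1.1.1 npu_selid=4 dec_npuid=0 enc_npuid=0
"""

if __name__ == "__main__":
    parsed = parse_tunnel_list(SAMPLE)
    for name, issues in check_tunnels(parsed).items():
        print(f"{name}: {', '.join(issues) or 'ok'}")
```

The sample shows why the stat and npu_flag fields are worth reading together: to_branch2 has an SA installed but has moved no packets and shows npu_flag=00, which is what a tunnel that negotiated but never carried traffic looks like, whereas to_branch1 is active and offloaded.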
This topic provides a sample configuration of remote users accessing the corporate network through an SSL VPN in
web mode using a web browser.
Sample configuration
The WAN interface is the interface connected to the ISP. This example shows static mode; you can also use DHCP or PPPoE
mode. The SSL VPN connection is established over the WAN interface.
3. Configure the SSL VPN web portal and predefine an RDP bookmark for the Windows server.
config vpn ssl web portal
    edit "my-web-portal"
        set web-mode enable
        config bookmark-group
            edit "gui-bookmarks"
                config bookmarks
                    edit "Windows Server"
                        set apptype rdp
                        set host "192.168.1.114"
                        set port 3389
                        set logon-user "your-windows-server-user-name"
                        set logon-password your-windows-server-password
                    next
                end
            next
        end
    next
end
1. Open browser and log into the portal https://172.20.120.123:10443 using the credentials you've set up.
2. In the portal with the predefined bookmark, select the bookmark to begin an RDP session.
3. Go to VPN > Monitor > SSL-VPN Monitor to verify the list of SSL users.
4. Go to Log & Report > Traffic Log > Forward Traffic to view the details for the SSL entry.
This topic provides a sample configuration of remote users accessing the corporate network and internet through an
SSL VPN by tunnel mode using FortiClient.
Sample configuration
The WAN interface is the interface connected to the ISP. This example shows static mode; you can also use DHCP or PPPoE
mode. The SSL VPN connection is established over the WAN interface.
3. Configure the SSL VPN web portal and predefine an RDP bookmark for the Windows server.
config vpn ssl web portal
    edit "my-full-tunnel-portal"
        set tunnel-mode enable
        set split-tunneling disable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end
This topic provides a sample configuration of remote users accessing the corporate network and internet through an
SSL VPN by tunnel mode using FortiClient but accessing the Internet without going through the SSL VPN tunnel.
Sample configuration
The WAN interface is the interface connected to the ISP. This example shows static mode; you can also use DHCP or PPPoE
mode. The SSL VPN connection is established over the WAN interface.
This topic provides a sample configuration of remote users accessing the corporate network through an SSL VPN by
tunnel mode using FortiClient with AV host check.
Sample configuration
The WAN interface is the interface connected to the ISP. This example shows static mode; you can also use DHCP or PPPoE
mode. The SSL VPN connection is established over the WAN interface.
This sample recipe shows how to create a multi-realm SSL VPN that provides different portals for different user groups.
Sample configuration
The WAN interface is the interface connected to the ISP. This example shows static mode; you can also use DHCP or PPPoE
mode. The SSL VPN connection is established over the WAN interface.
end
config firewall address
    edit "QA_subnet"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "HR_subnet"
        set subnet 10.1.100.0 255.255.255.0
    next
end
1. In a web browser, log into the portal https://172.20.120.123:10443/hr using the credentials you've set up to
connect to the SSL VPN tunnel.
2. Go to VPN > Monitor > SSL-VPN Monitor to verify the list of SSL users.
3. Go to Log & Report > Traffic Log > Forward Traffic and view the details of the traffic.
This topic provides a sample configuration of SSL VPN that requires users to authenticate using a certificate.
Sample configuration
The WAN interface is the interface connected to the ISP. This example shows static mode; you can also use DHCP or PPPoE
mode. The SSL VPN connection is established over the WAN interface.
- Ensure the subject matches the name of the user certificate. In this example, User01.
Now that you have created a PKI user, a new menu is added to the GUI.
a. Go to User & Device > PKI to see the new user.
b. Edit the user account and expand Two-factor authentication.
c. Enable Require two-factor authentication and set a Password for the account.
d. Go to User & Device > User > User Groups and create a group sslvpngroup.
e. Add the PKI user pki01 to the group.
5. Configure SSL VPN web portal.
a. Go to VPN > SSL-VPN Portals to edit the full-access portal.
This portal supports both web and tunnel mode.
b. Disable Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.
6. Configure SSL VPN settings.
a. Go to VPN > SSL-VPN Settings.
b. Choose the proper Listen on Interface; in this example, wan1.
c. Listen on Port 10443.
d. Set Server Certificate to the authentication certificate.
e. Enable Require Client Certificate.
f. Under Authentication/Portal Mapping, set default Portal web-access for All Other Users/Groups.
g. Create new Authentication/Portal Mapping for group sslvpngroup mapping portal full-access.
7. Configure SSL VPN firewall policy.
a. Go to Policy & Objects > IPv4 Policy.
b. Fill in the firewall policy name. In this example: sslvpn certificate auth.
c. The incoming interface must be the SSL-VPN tunnel interface (ssl.root).
d. Set the Source Address to all and Source User to sslvpngroup.
e. Set the Outgoing Interface to the local network interface so that the remote user can access the internal
network. In this example: port1.
f. Set Destination Address to the internal protected subnet 192.168.1.0.
g. Set schedule to always, service to ALL, and Action to Accept.
h. Enable NAT.
i. Configure any remaining firewall and security options as desired.
j. Click OK.
Sample installation
To use the user certificate, you must first install it on the user’s PC. When the user tries to authenticate, the user
certificate is checked against the CA certificate to verify that they match.
Every user should have a unique user certificate. This allows you to distinguish each user and revoke a specific user’s
certificate, such as if a user no longer has VPN access.
1. Go to VPN > Monitor > SSL-VPN Monitor to verify the list of SSL users.
2. Go to Log & Report > VPN Events and view the details for the SSL connection log.
This topic provides a sample configuration of SSL VPN that requires users to authenticate using a certificate with LDAP
UserPrincipalName checking.
This sample uses Windows 2012R2 Active Directory acting as the user certificate issuer, the certificate authority,
and the LDAP server.
Sample configuration
In this sample, the User Principal Name is included in the subject name of the issued certificate. This is the user field
we use to search LDAP in the connection attempt.
To use the user certificate, you must first install it on the user’s PC. When the user tries to authenticate, the user
certificate is checked against the CA certificate to verify that they match.
Every user should have a unique user certificate. This allows you to distinguish each user and revoke a specific user’s
certificate, such as if a user no longer has VPN access.
The server certificate is used for encrypting SSL VPN traffic and will be used for authentication.
1. Go to System > Feature Visibility and ensure Certificates is enabled.
2. Go to System > Certificates and select Import > Local Certificate.
- Set Type to Certificate.
- Choose the Certificate file and the Key file for your certificate, and enter the Password.
- If desired, you can change the Certificate Name.
The server certificate now appears in the list of Certificates.
The CA certificate is the certificate that signed both the server certificate and the user certificate. In this example, it is
used to authenticate SSL VPN users.
1. Go to System > Certificates and select Import > CA Certificate.
2. Select Local PC and then select the certificate file.
The CA certificate now appears in the list of External CA Certificates. In the example, it is called CA_Cert_1.
Now that you have created a PKI user, a new menu is added to the GUI.
a. Go to User & Device > PKI to see the new user.
b. Go to User & Device > User > User Groups and create a group sslvpn-group.
c. Add the PKI peer object you created as a local member of the group.
d. Add a remote group on the LDAP server and select the group of interest.
Select the group using the LDAP browser window; the users that need access must be members of this group.
4. Configure SSL VPN web portal.
a. Go to VPN > SSL-VPN Portals to edit the full-access portal.
This portal supports both web and tunnel mode.
b. Disable Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.
5. Configure SSL VPN settings.
a. Go to VPN > SSL-VPN Settings.
b. Choose the proper Listen on Interface; in this example, wan1.
c. Listen on Port 10443.
d. Set Server Certificate to the authentication certificate.
e. Enable Require Client Certificate.
f. Under Authentication/Portal Mapping, set default Portal web-access for All Other Users/Groups.
g. Create new Authentication/Portal Mapping for group sslvpn-group mapping portal full-access.
6. Configure SSL VPN firewall policy.
a. Go to Policy & Objects > IPv4 Policy.
b. Fill in the firewall policy name. In this example: sslvpn certificate auth.
c. The incoming interface must be the SSL-VPN tunnel interface (ssl.root).
d. Set the Source Address to all and Source User to sslvpn-group.
e. Set the Outgoing Interface to the local network interface so that the remote user can access the internal
network. In this example: port1.
f. Set Destination Address to the internal protected subnet 192.168.1.0.
g. Set schedule to always, service to ALL, and Action to Accept.
h. Enable NAT.
i. Configure any remaining firewall and security options as desired.
j. Click OK.
next
end
1. Go to VPN > Monitor > SSL-VPN Monitor to verify the list of SSL users.
2. Go to Log & Report > VPN Events to view the details of the SSL VPN connection event log.
3. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.
Below is a sample output of diag debug app fnbamd -1 while the user connects. This is a shortened output
sample from a few locations, showing the important parts. It shows the lookups that find the user's group memberships (three
groups in total) and that finding the correct group results in a match.
[1148] fnbamd_ldap_recv-Response len: 16, svr: 172.18.60.206
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:4, type:search-result
[864] fnbamd_ldap_parse_response-ret=0
[1386] __fnbamd_ldap_primary_grp_next-Auth accepted
[910] __ldap_rxtx-Change state to 'Done'
[843] __ldap_rxtx-state 23(Done)
[925] fnbamd_ldap_send-sending 7 bytes to 172.18.60.206
[937] fnbamd_ldap_send-Request is sent. ID 5
[753] __ldap_stop-svr 'ldap-AD'
[53] ldap_dn_list_del_all-Del CN=test3,OU=Testing,DC=Fortinet-FSSO,DC=COM
[399] ldap_copy_grp_list-copied CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM
[399] ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=Fortinet-FSSO,DC=COM
[2088] fnbamd_auth_cert_check-Matching group 'sslvpn-group'
[2007] __match_ldap_group-Matching server 'ldap-AD' - 'ldap-AD'
[2015] __match_ldap_group-Matching group 'CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM' -
'CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM'
[2091] fnbamd_auth_cert_check-Group 'sslvpn-group' matched
[2120] fnbamd_auth_cert_result-Result for ldap svr[0] 'ldap-AD' is SUCCESS
[2126] fnbamd_auth_cert_result-matched user 'test3', matched group 'sslvpn-group'
You can also use diag firewall auth list to validate that a firewall user entry exists for the SSL VPN user and
is part of the right groups.
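As an added example (not Fortinet code), this Python summarizes the fnbamd excerpt above: it extracts the LDAP groups copied for the user, the FortiGate group that matched, and the final result, and checks them against what the operator expects. The sample is the excerpt above with the wrapped line rejoined; fnbamd prints many message shapes not present in the excerpt, and those are skipped.

```python
"""Summarize a 'diagnose debug application fnbamd -1' excerpt.

Added example, not Fortinet code. Each debug line has the form
"[<line>] <function>-<message>"; the regexes below match only the message
shapes that appear in the sample output in this recipe.
"""
import re

LINE_RE = re.compile(r"^\[(\d+)\] (\w+)-(.*)$")
COPIED_RE = re.compile(r"^copied (CN=.+)$")
DEL_RE = re.compile(r"^Del (CN=.+)$")          # bound user DN released at the end
GROUP_MATCHED_RE = re.compile(r"^Group '([^']+)' matched$")
RESULT_RE = re.compile(r"^Result for (\w+) svr\[(\d+)\] '([^']+)' is (\w+)$")
MATCHED_USER_RE = re.compile(r"^matched user '([^']+)', matched group '([^']+)'$")


def summarize_fnbamd(log_text):
    """Reduce an fnbamd excerpt to the facts an operator checks first."""
    s = {"server": None, "result": None, "user": None, "user_dn": None,
         "ldap_groups": [], "matched_groups": [], "matched_group": None}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                              # not a debug line
        func, msg = m.group(2), m.group(3)
        if func == "ldap_copy_grp_list":
            c = COPIED_RE.match(msg)
            if c:
                s["ldap_groups"].append(c.group(1))   # memberships found in LDAP
        elif func == "ldap_dn_list_del_all":
            d = DEL_RE.match(msg)
            if d:
                s["user_dn"] = d.group(1)
        elif func == "fnbamd_auth_cert_check":
            g = GROUP_MATCHED_RE.match(msg)
            if g:
                s["matched_groups"].append(g.group(1))  # FortiGate user groups
        elif func == "fnbamd_auth_cert_result":
            r = RESULT_RE.match(msg)
            u = MATCHED_USER_RE.match(msg)
            if r:
                s["server"], s["result"] = r.group(3), r.group(4)
            elif u:
                s["user"], s["matched_group"] = u.group(1), u.group(2)
    return s


def login_succeeded_for(summary, user, group):
    """True only when fnbamd reported SUCCESS for the expected user and group."""
    return (summary["result"] == "SUCCESS"
            and summary["user"] == user
            and summary["matched_group"] == group)


# The excerpt from this recipe, with the wrapped [2015] line rejoined.
SAMPLE_LOG = """\
[1148] fnbamd_ldap_recv-Response len: 16, svr: 172.18.60.206
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:4, type:search-result
[864] fnbamd_ldap_parse_response-ret=0
[1386] __fnbamd_ldap_primary_grp_next-Auth accepted
[910] __ldap_rxtx-Change state to 'Done'
[843] __ldap_rxtx-state 23(Done)
[925] fnbamd_ldap_send-sending 7 bytes to 172.18.60.206
[937] fnbamd_ldap_send-Request is sent. ID 5
[753] __ldap_stop-svr 'ldap-AD'
[53] ldap_dn_list_del_all-Del CN=test3,OU=Testing,DC=Fortinet-FSSO,DC=COM
[399] ldap_copy_grp_list-copied CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM
[399] ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=Fortinet-FSSO,DC=COM
[2088] fnbamd_auth_cert_check-Matching group 'sslvpn-group'
[2007] __match_ldap_group-Matching server 'ldap-AD' - 'ldap-AD'
[2015] __match_ldap_group-Matching group 'CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM' - 'CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM'
[2091] fnbamd_auth_cert_check-Group 'sslvpn-group' matched
[2120] fnbamd_auth_cert_result-Result for ldap svr[0] 'ldap-AD' is SUCCESS
[2126] fnbamd_auth_cert_result-matched user 'test3', matched group 'sslvpn-group'
"""

if __name__ == "__main__":
    summary = summarize_fnbamd(SAMPLE_LOG)
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("expected login:", login_succeeded_for(summary, "test3", "sslvpn-group"))
```

When a user is denied, the same summary makes the usual causes visible at a glance: an empty ldap_groups list points at the LDAP bind or base DN, a populated list with an empty matched_groups points at the group DN configured on the FortiGate user group, and a result other than SUCCESS points at the certificate or server side.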
This topic provides a sample configuration of SSL VPN that uses FortiToken Mobile Push two-factor authentication. If
you enable push notifications, the user can easily accept or deny the authentication request.
Sample configuration
The WAN interface is the interface connected to the ISP. This example shows static mode; you can also use DHCP or PPPoE
mode. The SSL VPN connection is established over the WAN interface.
b. Every FortiGate has two free Mobile Tokens. You can download the free token.
execute fortitoken-mobile import 0000-0000-0000-0000-0000
config user group
    edit "sslvpngroup"
        set member "sslvpnuser1"
    next
end
1. From a remote device, open a web browser and log into the SSL VPN web portal http://172.20.120.123:10443.
2. Log in using the sslvpnuser1 credentials.
The FortiGate pushes a login request notification through the FortiToken Mobile application.
1. Go to VPN > Monitor > SSL-VPN Monitor to verify the user’s connection.
2. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.
This topic provides a sample configuration of SSL VPN that uses FortiAuthenticator as a RADIUS authentication server.
Sample configuration
d. Click Test Connectivity to ensure you can connect to the RADIUS server.
e. Select Test User Credentials and enter the credentials for sslvpnuser1.
The FortiGate can now connect to the FortiAuthenticator as the RADIUS client.
f. Go to User & Device > User Groups and click Create New to map authenticated remote users to a user group
on the FortiGate.
g. For Name, use SSLVPNGroup.
h. In Remote Groups, click Add.
i. In the Remote Server dropdown list, select FAC-RADIUS.
j. Leave the Groups field blank.
3. Configure SSL VPN web portal.
a. Go to VPN > SSL-VPN Portals to edit the full-access portal.
This portal supports both web and tunnel mode.
b. Disable Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.
4. Configure SSL VPN settings.
a. Go to VPN > SSL-VPN Settings.
b. Choose the proper Listen on Interface; in this example, wan1.
c. Listen on Port 10443.
d. Set Server Certificate to the authentication certificate.
e. Under Authentication/Portal Mapping, set default Portal web-access for All Other Users/Groups.
f. Create new Authentication/Portal Mapping for group sslvpngroup mapping portal full-access.
5. Configure SSL VPN firewall policy.
a. Go to Policy & Objects > IPv4 Policy.
b. Fill in the firewall policy name. In this example: sslvpn certificate auth.
c. The incoming interface must be the SSL-VPN tunnel interface (ssl.root).
d. Set the Source Address to all and Source User to sslvpngroup.
e. Set the Outgoing Interface to the local network interface so that the remote user can access the internal
network. In this example: port1.
f. Set Destination Address to the internal protected subnet 192.168.1.0.
g. Set schedule to always, service to ALL, and Action to Accept.
h. Enable NAT.
i. Configure any remaining firewall and security options as desired.
j. Click OK.
1. From a remote device, open a web browser and log into the SSL VPN web portal http://172.20.120.123:10443.
2. Log in using the sslvpnuser1 credentials.
3. On the FortiGate, go to Monitor > SSL-VPN Monitor to confirm the user connection.
1. Go to VPN > Monitor > SSL-VPN Monitor to verify the user’s connection.
2. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.
This topic provides a sample configuration of SSL VPN that uses FortiAuthenticator as a RADIUS authentication server
and FortiToken Mobile Push two-factor authentication. If you enable push notifications, the user can easily accept or
deny the authentication request.
Sample configuration
e. Set Delivery method to Email and fill in the User Information section.
f. Go to Authentication > User Management > User Groups to create a group sslvpngroup.
g. Add sslvpnuser1 to the group by moving the user from Available users to Selected users.
4. Install the FortiToken Mobile application on your smartphone, for Android or iOS.
The FortiAuthenticator sends the FortiToken Mobile activation to the user’s email address.
5. Activate the FortiToken Mobile through the FortiToken Mobile application by either entering the activation code or
by scanning the QR code.
1. From a remote device, open a web browser and log into the SSL VPN web portal http://172.20.120.123:10443.
2. Log in using the sslvpnuser1 credentials.
The FortiAuthenticator pushes a login request notification through the FortiToken Mobile application.
3. Check your mobile device and select Approve.
When the authentication is approved, sslvpnuser1 is logged into the SSL VPN portal.
4. On the FortiGate, go to Monitor > SSL-VPN Monitor to confirm the user connection.
1. Go to VPN > Monitor > SSL-VPN Monitor to verify the user’s connection.
2. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.
This topic provides a sample configuration of SSL VPN for users with passwords that expire after two days. Users are
warned after one day about the password expiring. The password policy can be applied to any local user password. The
password policy cannot be applied to a user group or a local remote user such as LDAP/RADIUS/TACACS+.
In FortiOS 6.2, users are warned after one day about the password expiring and have one day to renew it. When the
expiration time is reached, the user cannot renew the password and must contact the administrator for assistance.
In FortiOS 6.0/5.6, users are warned after one day about the password expiring and have to renew it. When the
expiration time is reached, the user can still renew the password.
Sample configuration
The WAN interface is the interface connected to the ISP. This example shows static mode; you can also use DHCP or PPPoE
mode. The SSL VPN connection is established over the WAN interface.
1. From a remote device, open a web browser and log into the SSL VPN web portal http://172.20.120.123:10443.
2. Log in using the sslvpnuser1 credentials.
When the warning time is reached, the user is prompted to enter a new password.
In FortiOS 6.2, when the expiration time is reached, the user cannot renew the password and must contact the
administrator.
In FortiOS 6.0/5.6, when the expiration time is reached, the user can still renew the password.
3. On the FortiGate, go to Monitor > SSL-VPN Monitor to confirm the user connection.
1. Go to VPN > Monitor > SSL-VPN Monitor to verify the user’s connection.
2. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.
1. Go to Log & Report > VPN Events to see the SSL VPN alert labeled ssl-login-fail.
2. Click Details to see the log details about the Reason sslvpn_login_password_expired.
This topic provides a sample configuration of SSL VPN for RADIUS users with Force Password Change on next logon.
In this example, the RADIUS server is a FortiAuthenticator. A user test1 is configured on FortiAuthenticator with Force
password change on next logon.
Sample configuration
The WAN interface is the interface connected to the ISP. This example shows static mode; you can also use DHCP or PPPoE
mode. The SSL VPN connection is established over the WAN interface.
1. From a remote device, open a web browser and log into the SSL VPN web portal http://172.20.120.123:10443.
2. Log in using the test1 credentials.
Use a user that is configured on FortiAuthenticator with Force password change on next logon.
3. Click Login. You are prompted to enter a new password.
4. Go to VPN > Monitor > SSL-VPN Monitor to verify the user’s connection.
1. Go to VPN > Monitor > SSL-VPN Monitor to verify the user’s connection.
2. Go to Log & Report > VPN Events to view the details of the SSL VPN connection event log.
3. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.
This topic provides a sample configuration of SSL VPN for LDAP users with Force Password Change on next logon. In
this example, the LDAP server is a Windows 2012 AD server. A user ldu1 is configured on Windows 2012 AD server with
Force password change on next logon.
You must have generated and exported a CA certificate from the AD server and then have imported it as an external CA
certificate into the FortiGate.
Sample configuration
The WAN interface is the interface connected to the ISP. This example shows static mode; you can also use DHCP or PPPoE
mode. The SSL VPN connection is established over the WAN interface.
1. From a remote device, open a web browser and log into the SSL VPN web portal http://172.20.120.123:10443.
2. Log in using the ldu1 credentials.
Use a user that is configured on FortiAuthenticator with Force password change on next logon.
3. Click Login. You are prompted to enter a new password.
4. Go to VPN > Monitor > SSL-VPN Monitor to verify the user’s connection.
1. Go to VPN > Monitor > SSL-VPN Monitor to verify the user’s connection.
2. Go to Log & Report > VPN Events to view the details of the SSL VPN connection event log.
3. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.
Diagnose commands
Use the following diagnose commands to identify SSL VPN issues. These commands enable debugging of SSL VPN
with a debug level of -1. The -1 debug level produces detailed results.
Use the following diagnose commands to identify remote user authentication issues.
diagnose debug application fnbamd -1
diagnose debug reset
Common issues
c. Check that you are using the correct port number in the URL. Ensure FortiGate is reachable from the
computer.
ping <FortiGate IP>
d. Check the browser has TLS 1.1, TLS 1.2, and TLS 1.3 enabled.
1. Check the Release Notes to ensure that the FortiClient version is compatible with your version of FortiOS.
2. FortiClient uses the IE security settings. In IE, go to Internet Options > Advanced > Security and check that Use TLS 1.1
and Use TLS 1.2 are enabled.
3. Check that the SSL VPN ip-pools has free IP addresses to hand out. The default ip-pools SSLVPN_TUNNEL_ADDR1 has 10 IP
addresses.
4. Export and check FortiClient debug logs.
a. Go to File > Settings.
b. In the Logging section, enable Export logs.
c. Set the Log Level to Debug and select Clear logs.
d. Try to connect to the VPN.
e. When you get a connection error, select Export logs.
1. A new SSL VPN driver was added to FortiClient 5.6.0 and later to resolve SSL VPN connection issues. If your
FortiOS version is compatible, upgrade to use one of these versions.
2. Latency or poor network connectivity can cause the default login timeout limit to be reached on the FortiGate. In
FortiOS 5.6.0 and later, use the following commands to increase the timers related to SSL VPN login.
config vpn ssl settings
    set login-timeout 180 (default is 30)
    set dtls-hello-timeout 60 (default is 10)
end
This might occur if there are multiple interfaces connected to the Internet, for example, SD-WAN. This can cause the
session to become “dirty”. To allow multiple interfaces to connect, use the following CLI commands.
If you are using FortiOS 6.0.1 or later:
config system interface
    edit <name>
        set preserve-session-route enable
    next
end
1. Go to VPN > SSL-VPN Portals and VPN > SSL-VPN Settings and ensure the same IP Pool is used in both
places.
Using the same IP Pool prevents conflicts. If there is a conflict, the portal settings are used.
DTLS allows the SSL VPN to encrypt the traffic using TLS and uses UDP as the transport layer instead of TCP. This
avoids retransmission problems that can occur with TCP-in-TCP.
FortiClient 5.4.0 to 5.4.3 uses DTLS by default. FortiClient 5.4.4 and later uses normal TLS, regardless of the DTLS
setting on the FortiGate.
To use DTLS with FortiClient:
1. Go to File > Settings and enable Preferred DTLS Tunnel.
To enable DTLS tunnel on FortiGate, use the following CLI commands:
config vpn ssl settings
    set dtls-tunnel enable
end
AliCloud
Private cloud
This guide shows how to configure Fabric connectors and resolve dynamic firewall addresses through the configured
Fabric connector in FortiOS.
FortiOS supports multiple Fabric connectors including public connectors (AWS, Azure, GCP, OCI, AliCloud) and private
connectors (Kubernetes, VMware ESXi, VMware NSX, OpenStack, Cisco ACI, Nuage). FortiOS also supports multiple
instances for each type of Fabric connector.
This guide uses an Azure Fabric connector as an example. The configuration procedure for all supported Fabric
connectors is the same. In the following topology, the FortiGate accesses the Azure public cloud through the Internet:
This process creates two Fabric connector firewall addresses to associate with the configured Fabric connectors.
1. Go to Policy & Objects > Addresses.
2. Click Create New > Address. Configure the first Fabric connector firewall address:
a. In the Name field, enter azure-address-1.
b. From the Type dropdown list, select Fabric Connector address.
c. From the SDN Connector dropdown list, select azure1.
d. For SDN address type, select Private.
e. From the Filter dropdown list, select the desired filter.
f. For Interface, select any.
g. Click OK.
3. Click Create New > Address. Configure the second Fabric connector firewall address:
a. In the Name field, enter azure-address-1.
b. From the Type dropdown list, select Fabric Connector address.
c. From the SDN Connector dropdown list, select azure2.
d. For SDN address type, select Private.
e. From the Filter dropdown list, select the desired filter.
f. For Interface, select any.
g. Click OK.
Run the show sdn connector status command. Both Fabric connectors should appear with a status of
connected.
Run the diagnose debug application azd -1 command. The output should look like the following:
Level2-downstream-D # diagnose debug application azd -1
...
azd sdn connector azure1 start updating IP addresses
To restart the Azure Fabric connector daemon, run the diagnose test application azd 99 command.
WiFi
FortiAP management
This example uses port16 as the interface that manages connections to FortiAPs.
1. You must enable a DHCP server on port16:
a. In FortiOS, go to Network > Interfaces.
b. Double-click port16.
c. In the IP/Network Mask field, enter an IP address for port16.
d. Enable DHCP Server, keeping the default settings.
2. If desired, you can enable the VCI-match feature using the CLI. When VCI-match is enabled, only DHCP clients whose vendor class identifier (VCI) matches the preconfigured string can acquire an IP address from the DHCP server. The VCI is supplied by the client itself, so this keeps non-AP devices from consuming leases but is not an authentication control. To configure VCI-match, run the following commands (1 is the ID of the DHCP server entry created in step 1; use show system dhcp server to find yours):
config system dhcp server
edit 1
set interface port16
set vci-match enable
set vci-string "FortiAP"
next
end
3. A FortiAP must establish a CAPWAP tunnel with the FortiGate to be managed, so you must enable CAPWAP administrative access on port16:
a. Go to Network > Interfaces.
b. Double-click port16.
c. Under Administrative Access, select CAPWAP.
d. Click OK.
4. To create a new FortiAP entry automatically when a new FortiAP unit is discovered, run the following commands. By default, this option is enabled (set ap-discover disable turns it off). Note that set allow-access replaces the interface's whole access list, so include any other protocols the interface must still accept, such as ping:
config system interface
edit port16
set allow-access capwap
set ap-discover enable
next
end
5. To let the FortiGate authorize a newly discovered FortiAP automatically, enable auto-auth-extension-device on port16 (the setting is described under discovery and authorization below). By default, this option is disabled, and leaving it disabled is the safer choice: with it enabled, any FortiAP that reaches port16 is authorized without an administrator reviewing it.
For a FortiGate acting as an AP controller (AC) to discover a FortiAP unit, the FortiAP must be able to reach the AC. A FortiAP with the factory default configuration can acquire the AC's IP address in several ways:
l Auto: the FortiAP tries the methods below in sequence, in an endless loop, until one succeeds.
l DHCP: the FortiAP reads the AC's IP address from DHCP option 138 (the factory default) in the DHCP offer from which it acquires its own IP address.
l DNS: the FortiAP resolves a preconfigured FQDN to obtain the AC's IP address.
Enable the ap-discover setting on the AC for the interface designed to manage FortiAPs:
config system interface
edit "lan"
set ap-discover enable
next
end
The set ap-discover enable setting allows the AC to create an entry in the Managed FortiAPs table when it receives a FortiAP's discovery request. ap-discover is enabled by the factory default settings. When the FortiAP entry is created automatically, it is marked with the discovered status and waits for an administrator's authorization, unless the following setting is present:
config system interface
edit "lan"
set auto-auth-extension-device enable
next
end
The set auto-auth-extension-device enable setting allows the AC to authorize a newly discovered FortiAP automatically, without an administrator's manual authorization. auto-auth-extension-device is disabled by factory default. Enable it only on an interface that is physically restricted to your own FortiAP units, because every FortiAP that reaches the interface is then authorized without review.
Once the AC receives a FortiAP's discovery request, a FortiAP entry is added to the Managed FortiAP table and shown on the GUI's Managed FortiAP list page.
To authorize a specific AP, select the FortiAP entry, then click the Authorize button at the top of the table or the Authorize entry in the pop-out menu.
Through the GUI, authorization can also be done in the FortiAP detail panel, under the Action menu.
Authorization can also be done through the CLI.
To de-authorize a managed FortiAP, select the FortiAP entry, then click the Deauthorize button at the top of the table or the Deauthorize entry in the pop-out menu.
Through the GUI, de-authorization can also be done in the FortiAP detail panel, under the Action menu.
De-authorization can also be done through the CLI with the following commands:
config wireless-controller wtp
edit "FP423E3X16000320"
set admin discovered
next
end
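A complete configuration for the port16 management interface that combines the steps above, added here as an example and not taken from the original recipe. It restricts administrative access on the interface to CAPWAP and ping, keeps automatic authorization disabled, and authorizes one FortiAP explicitly by serial number with set admin enable (the same wtp setting whose discovered value de-authorizes an AP above). The 10.16.0.0/24 addressing, the DHCP server ID 16 and the placeholder <FAP_SN> are assumptions:

```fortios
config system interface
    edit "port16"
        set ip 10.16.0.1 255.255.255.0
        set allow-access capwap ping
        set ap-discover enable
        set auto-auth-extension-device disable
    next
end
config system dhcp server
    edit 16
        set interface "port16"
        set default-gateway 10.16.0.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 10.16.0.100
                set end-ip 10.16.0.200
            next
        end
        set vci-match enable
        set vci-string "FortiAP"
    next
end
config wireless-controller wtp
    edit "<FAP_SN>"
        set admin enable
    next
end
```

With this configuration a new FortiAP that reaches port16 obtains a lease (because it presents the FortiAP vendor class), is listed as discovered, and stays unmanaged until an administrator runs the wtp block for its serial number or clicks Authorize in the GUI. No HTTPS or SSH administrative access is offered on the AP-facing interface, so a device plugged into an AP port cannot reach the FortiGate's management services.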
Configuring the AC
These instructions assume that the MRAP is already being managed by the AC (see Configuring the FortiGate interface
to manage FortiAP units on page 520 and Discovering, authorizing, and deauthorizing FortiAP units on page 521).
1. Go to WiFi & Switch Controller > SSID and create a mesh SSID.
2. Go to WiFi & Switch Controller > Managed FortiAPs, edit the MRAP, and assign the mesh SSID to the MRAP,
and wait for a connection.
The MLAP can be configured to use the mesh link as its Main uplink or a Backup link for Ethernet connections.
Main uplink
When a mesh link is set as the main uplink of the MLAP, the Ethernet port on the MLAP can be set up as a bridge to the
mesh link. This allows downstream wired devices to use the mesh link to connect to the network.
To enable a mesh Ethernet bridge, select Ethernet Bridge in the FortiAP Connectivity section in the GUI, or use the
following console commands:
cfg -a MESH_ETH_BRIDGE=1
cfg -c
When a mesh link is set to be the backup link for an Ethernet connection, the mesh link will not be established unless
the Ethernet connection goes offline. When a mesh link is in this mode, the Ethernet port cannot be used as a bridge to
the mesh link.
SSID authentication
This guide provides simple configuration instructions for a WPA2-Personal SSID with FortiAP. The steps include creating an SSID, selecting the SSID for the FortiAP, and creating a policy from the SSID to the Internet.
The following shows a simple network topology for this recipe:
This guide provides simple configuration instructions for a WPA2-Enterprise SSID with FortiAP. The steps include creating an SSID, selecting the SSID for the FortiAP, and creating a policy from the SSID to the Internet.
The following shows a simple network topology for this recipe:
vi. Click Test User Credentials to verify that the user account can be authenticated with the
RADIUS server.
vii. Click OK.
ii. Create a WPA2-Enterprise SSID:
i. Go to WiFi & Switch Controller > SSID, select SSID, then click Create New.
ii. Enter the desired interface name. For Traffic mode, select Tunnel.
iii. In the Address > IP/Network Mask field, enter the IP address. DHCP Server is enabled by default.
You can modify the DHCP IP address range manually.
iv. In the SSID field, enter the desired SSID name. For Security, select WPA2 Enterprise.
v. In the Authentication field, select RADIUS Server. From the dropdown list, select the
RADIUS server created in step i.
vi. Click OK.
b. Create an SSID as WPA2-Enterprise with authentication from a user group:
i. Create a user group:
i. Go to User & Device > User Groups, then click Create New.
ii. Enter the desired group name.
iii. For Type, select Firewall.
iv. For Remote Groups, click the + button. In the dropdown list, select the desired RADIUS server. Click
OK.
v. Click OK.
ii. Create a WPA2-Enterprise SSID:
i. Go to WiFi & Switch Controller > SSID, select SSID, then click Create New.
ii. Enter the desired interface name. For Traffic mode, select Tunnel.
iii. In the Address > IP/Network Mask field, enter the IP address. DHCP Server is enabled by default. You can modify the DHCP IP address range manually.
iv. In the SSID field, enter the desired SSID name. For Security, select WPA2 Enterprise.
v. In the Authentication field, select Usergroup (authentication against a local user group rather than directly against a RADIUS server). From the dropdown list, select the user group created in step i.
vi. Click OK.
2. Select the SSID on a managed FortiAP. The following configuration is based on an example using a managed FortiAP-320C and a "FAP320C-default" profile that is applied to the FortiAP-320C. Do one of the following:
a. Select the SSID by editing the FortiAP:
i. Go to WiFi & Switch Controller > Managed FortiAPs. Select the FortiAP-320C and click Edit.
ii. Ensure that Managed AP Status is Connected.
iii. Under WiFi Setting, ensure that the configured FortiAP profile is the desired profile, in this case FAP320C-default. Click Edit entry.
iv. To broadcast the SSID from the 2.4 GHz radio, scroll to Radio 1 > SSIDs. Select Manual, then click + and select the SSID created in step 1.
v. To broadcast the SSID from the 5 GHz radio, scroll to Radio 2 > SSIDs. Select Manual, then click + and select the SSID created in step 1.
vi. Click OK.
b. Select the SSID by editing the FortiAP profile:
i. Go to WiFi & Switch Controller > FortiAP Profiles. Select the FAP320C-default profile, then click Edit.
ii. To broadcast the SSID from the 2.4 GHz radio, scroll to Radio 1 > SSIDs. Select Manual, then click + and select the SSID created in step 1.
iii. To broadcast the SSID from the 5 GHz radio, scroll to Radio 2 > SSIDs. Select Manual, then click + and select the SSID created in step 1.
iv. Click OK.
3. Create the SSID-to-Internet firewall policy:
a. Go to Policy & Objects > IPv4 Policy, then click Create New.
b. Enter the desired policy name.
c. From the Incoming Interface dropdown list, select the source interface, such as wifi-vap.
d. From the Outgoing Interface dropdown list, select the destination interface, such as wan1.
e. In the Source and Destination fields, select all. In the Service field, select ALL. If desired, you can configure
different values for these fields.
f. Click OK.
This guide provides simple configuration instructions for a captive portal SSID with FortiAP. The steps include creating an SSID, selecting the SSID for the FortiAP, and creating a policy from the SSID to the Internet.
The following shows a simple network topology for this recipe:
4. Select the SSID on a managed FortiAP. The following configuration is based on an example using a managed FortiAP-320C and a "FAP320C-default" profile that is applied to the FortiAP-320C. Do one of the following:
a. Select the SSID by editing the FortiAP:
i. Go to WiFi & Switch Controller > Managed FortiAPs. Select the FortiAP-320C and click Edit.
ii. Ensure that Managed AP Status is Connected.
iii. Under WiFi Setting, ensure that the configured FortiAP profile is the desired profile, in this case FAP320C-default. Click Edit entry.
iv. To broadcast the SSID from the 2.4 GHz radio, scroll to Radio 1 > SSIDs. Select Manual, then click + and select the captive portal SSID.
v. To broadcast the SSID from the 5 GHz radio, scroll to Radio 2 > SSIDs. Select Manual, then click + and select the captive portal SSID.
vi. Click OK.
b. Select the SSID by editing the FortiAP profile:
i. Go to WiFi & Switch Controller > FortiAP Profiles. Select the FAP320C-default profile, then click Edit.
ii. To broadcast the SSID from the 2.4 GHz radio, scroll to Radio 1 > SSIDs. Select Manual, then click + and select the captive portal SSID.
iii. To broadcast the SSID from the 5 GHz radio, scroll to Radio 2 > SSIDs. Select Manual, then click + and select the captive portal SSID.
iv. Click OK.
5. Create the SSID-to-Internet firewall policy:
a. Go to Policy & Objects > IPv4 Policy, then click Create New.
b. Enter the desired policy name.
c. From the Incoming Interface dropdown list, select the source interface, such as wifi-vap.
d. From the Outgoing Interface dropdown list, select the destination interface, such as wan1.
e. In the Source and Destination fields, select all. In the Service field, select ALL. If desired, you can configure
different values for these fields.
f. Click OK.
To deploy captive portal SSID to FortiAP units using the FortiOS CLI:
This guide provides simple configuration instructions for quarantining wireless clients on an SSID. Consider the following for this feature:
l The quarantine function only works with SSIDs in tunnel mode.
l The quarantine function is independent of the SSID security mode.
The following shows a simple network topology for this recipe:
1. In FortiOS, go to the policy applied to the SSID and enable All Sessions for Log Allowed Traffic.
2. Edit the SSID:
a. Go to WiFi & Switch Controller > SSID, and select the desired SSID.
b. Enable Device Detection.
c. Enable Quarantine Host.
d. Click OK.
3. Quarantine a wireless client:
a. Do one of the following:
i. Go to Security Fabric > Physical Topology. View the topology by access device.
ii. Go to FortiView > Traffic from LAN/DMZ > Source.
iii. Go to FortiView > Traffic from LAN/DMZ > WiFi Clients.
b. Right-click the wireless client, then click Quarantine Host.
This guide provides simple configuration instructions for enabling a MAC filter on an SSID.
1. Create a wireless controller address with the same MAC address as the client and set the policy to deny. In this
example, the client's MAC address is b4:ae:2b:cb:d1:72:
config wireless-controller address
edit "client_1"
set mac b4:ae:2b:cb:d1:72
set policy deny
next
end
2. Create a wireless controller address group. Select the above address. Set the default policy to allow:
config wireless-controller addrgrp
edit mac_grp
set addresses "client_1"
set default-policy allow
next
end
3. On the virtual access point, select the created address group:
config wireless-controller vap
edit wifi-vap
set ssid "Fortinet-psk"
set security wpa2-only-personal
set passphrase fortinet
set address-group "mac_grp"
next
end
After this configuration, the client with MAC address b4:ae:2b:cb:d1:72 is denied from connecting to the SSID Fortinet-psk. Other clients, such as one with MAC address e0:33:8e:e9:65:01, can connect. A MAC filter only sees the address a client presents, and a client that changes its MAC address to an allowed value passes the filter, so treat MAC filtering as housekeeping rather than as an authentication control and rely on the SSID's security mode for that.
This feature is implemented on FortiOS 6.2.0 B0816 and FAP-S/W2 6.2.0 b0218. In October 2017, Mathy Vanhoef published research describing the Key Reinstallation Attack (KRACK), a flaw in the WPA2 4-way handshake that lets a nearby attacker replay handshake messages so that an already-used key is reinstalled and traffic can be decrypted. In response, the Wi-Fi Alliance announced in January 2018 that WPA2 enhancements and a new WPA3 standard were coming later that year.
Configuration
1. WPA3 OWE
a. WPA3 OWE only: only clients that support OWE (Opportunistic Wireless Encryption, part of WPA3) can connect to this SSID.
config wireless-controller vap
edit "80e_owe"
set ssid "80e_owe"
set security owe
set pmf enable
next
end
b. WPA3 OWE transition: a client connects with plain Open or with OWE depending on its capability. A client that supports OWE connects to the hidden OWE SSID; one that does not connects to the Open SSID. The two VAPs reference each other through owe-transition-ssid, and the OWE VAP does not broadcast its SSID. Legacy clients on the Open SSID still get no link-layer encryption, so transition mode only improves matters for OWE-capable clients:
config wireless-controller vap
edit "80e_open"
set ssid "80e_open"
set security open
set owe-transition enable
set owe-transition-ssid "wpa3_open"
set schedule "always"
next
edit "wpa3_owe_tr"
set ssid "wpa3_open"
set broadcast-ssid disable
set security owe
set pmf enable
set owe-transition enable
set owe-transition-ssid "80e_open"
set schedule "always"
next
end
2. WPA3 SAE
a. WPA3 SAE: Client with WPA3 support can connect with the SSID.
config wireless-controller vap
edit "80e_sae"
set ssid "80e_sae"
set security wpa3-sae
set pmf enable
set schedule "always"
set sae-password 12345678
next
end
b. WPA3 SAE transition: the SSID carries two passwords. A client that uses the passphrase connects with WPA2-PSK; a client that uses the sae-password connects with WPA3-SAE. Because WPA2-PSK clients are still admitted, the SSID remains exposed to offline dictionary attacks against the WPA2 passphrase, so use transition mode only until all clients support SAE. PMF is set to optional so that WPA2 clients without PMF support can still join:
config wireless-controller vap
edit "80e_sae-tr"
set ssid "80e_sae-transition"
set security wpa3-sae-transition
set pmf optional
set passphrase 11111111
set schedule "always"
set sae-password 22222222
next
end
3. WPA3 Enterprise: when the security mode is wpa3-enterprise, the auth type can be either RADIUS authentication or local user group authentication:
config wireless-controller vap
edit "80e_wpa3_user"
set ssid "80e_wpa3_user"
set security wpa3-enterprise
set pmf enable
set auth usergroup
set usergroup "usergroup"
set schedule "always"
next
end
Statistics
The following shows a simple network topology when using FortiAPs with FortiGate:
To view connected WiFi clients on the FortiGate unit, go to Monitor > WiFi Client Monitor. The following columns
display:
l SSID: SSID that the client connected to (tunnel, bridge, or mesh).
l FortiAP: Serial number of the FortiAP unit that the client connected to.
l Signal Strength/Noise: Signal-to-noise ratio in decibels, calculated from signal strength and noise level.
l Association Time: How long the client has been connected to this AP.
The following shows a simple network topology when using FortiAPs with FortiGate:
The Monitor > WiFi Health Monitor page displays the following charts:
l Active Clients: Currently active clients on each FortiAP
l AP Status: APs by status, sorted by those that have been up for over 24 hours, rebooted in the past 24 hours, and
down/missing
l Channel Utilization: Lets you view the 10-20 most and least utilized channels for each AP radio, and a third histogram view showing utilization counts
l Client Count: Shows client count over time. Can view for the past hour, day, or 30 days.
l Login Failures: Time, SSID, hostname, and username for failed login attempts. The widget also displays the AP
name and group of FortiAP units with failed login attempts.
l Top Wireless Interference: Separate widgets for 2.4 GHz and 5 GHz bands. This requires spectrum analysis to
be enabled on the radios.
WiFi maps
WiFi maps allow you to place FortiAP units on a map, such as an office floor plan. This allows you to know where the
FortiAPs are and get their operating statuses at a glance.
You can only upload the WiFi map image file using the FortiOS CLI.
config wireless-controller region
edit <MAP_NAME>
set grayscale {enable | disable}
set opacity <0-100>
next
end
Then place each FortiAP on the map by its serial number, with region-x and region-y given as fractions of the map width and height (for example 0.419911 and 0.349466):
config wireless-controller wtp
edit <FAP_SN>
set region <MAP_NAME>
set region-x <0-1>
set region-y <0-1>
next
end
The following shows a simple network topology when using FortiAP as part of the Security Fabric:
The Security Fabric > Settings page on the root FortiGate lists all FortiAP devices on the CSF root and leaf.
The Security Fabric > Physical Topology view on the root FortiGate shows the devices in the Security Fabric and the
devices they are connected to.
Wireless security
This guide provides simple configuration instructions for enabling ap-scan (rogue AP scanning) on FortiAP. The steps include creating a WIDS profile and selecting the WIDS profile on the managed FortiAP.
1. Create a WIDS profile:
a. In FortiOS, go to WiFi & Switch Controller > WIDS Profiles. Click Create New.
b. Turn on Enable Rogue AP Detection.
c. Complete the configuration, then click OK.
2. Select the WIDS profile for the managed FortiAP:
a. Go to WiFi & Switch Controller > FortiAP Profiles.
b. Select the FortiAP profile applied to the managed FortiAP, then click Edit.
c. Enable WIDS Profile. Select the profile created in step 1. Click OK.
To enable ap-scan using the CLI:
1. Create a WIDS profile:
config wireless-controller wids-profile
edit "example-wids-profile"
set ap-scan enable
next
end
2. Select the WIDS profile for the managed FortiAP:
config wireless-controller wtp-profile
edit "example-FAP-profile"
config platform
set type <FAP-model-number>
end
set handoff-sta-thresh 55
set ap-country US
config radio-1
set band 802.11n
set wids-profile "example-wids-profile"
set vap-all disable
end
config radio-2
set band 802.11ac
set vap-all disable
end
next
end
This guide provides simple configuration instructions for suppressing rogue APs with FortiAP. The steps include creating a WIDS profile and suppressing rogue APs.
1. Create a WIDS profile:
a. In FortiOS, go to WiFi & Switch Controller > WIDS Profiles. Click Create New.
b. For Sensor Mode, select Foreign and Home Channels.
c. Turn on Enable Rogue AP Detection.
d. Complete the configuration, then click OK.
2. Select the WIDS profile for the managed FortiAP. The monitoring radio must be in Dedicated Monitor mode:
a. Go to WiFi & Switch Controller > FortiAP Profiles.
b. Select the FortiAP profile applied to the managed FortiAP, then click Edit.
c. Select Dedicated Monitor on Radio 1 or Radio 2.
d. Enable WIDS Profile. Select the profile created in step 1. Click OK.
3. Suppress the rogue AP:
a. Go to Monitor > Rogue AP Monitor.
b. Right-click the desired SSID, then select Mark as Rogue.
c. Right-click the SSID again, then select Suppress AP.
Suppression is an active countermeasure: the monitoring radio sends deauthentication frames to clients of the rogue BSSID. Mark only APs you have verified as rogue, since suppressing a neighbour's legitimate AP disrupts their network, and confirm that active containment is permitted in your jurisdiction before enabling it.
To suppress rogue APs using the CLI:
1. Create a WIDS profile:
config wireless-controller wids-profile
edit "example-wids-profile"
set sensor-mode both
set ap-scan enable
next
end
2. Select the WIDS profile for the managed FortiAP:
config wireless-controller wtp-profile
edit "example-FAP-profile"
config platform
set type <FAP-model-number>
end
config radio-1
set mode monitor
set wids-profile "example-wids-profile"
end
next
end
3. Suppress the rogue AP (the BSSID and SSID are those shown in the Rogue AP Monitor):
config wireless-controller ap-status
edit 1
set bssid 90:6c:ac:da:a7:f1
set ssid "example-SSID"
set status suppressed
next
end
This guide provides simple configuration instructions for enabling a Wireless Intrusion Detection System (WIDS) profile on FortiAP.
1. Create a WIDS profile:
a. In FortiOS, go to WiFi & Switch Controller > WIDS Profiles. Click Create New.
b. In the Name field, enter the desired name.
c. Under Intrusion Detection Settings, enable all intrusion types as desired.
d. Complete the configuration, then click OK.
2. Select the WIDS profile for the managed FortiAP:
a. Go to WiFi & Switch Controller > FortiAP Profiles.
b. Select the FortiAP profile applied to the managed FortiAP, then click Edit.
c. Enable WIDS Profile. Select the profile created in step 1. Click OK.
To select the WIDS profile on both radios of the FortiAP profile using the CLI:
config wireless-controller wtp-profile
edit "example-FAP-profile"
config platform
set type <FAP-model-number>
end
set handoff-sta-thresh 55
set ap-country US
config radio-1
set band 802.11n
set wids-profile "example-wids-profile"
set vap-all disable
end
config radio-2
set band 802.11ac
set wids-profile "example-wids-profile"
set vap-all disable
end
next
end
Other
This guide provides instructions for simple configuration of security profile groups for FortiAP, including creating security
profile groups and selecting profile groups for the SSID.
c. To broadcast the SSID from the 5 GHz radio, scroll to Radio 2 > SSIDs. Select Manual, then click + and select the Fortinet-PSK SSID.
d. Click OK.
The following shows a simple network topology for this recipe. The primary and secondary FortiGates should reach the
FortiAP at the physical level:
1. On the primary FortiGate, run the diag wireless-controller wlac -c ha command. The output should
resemble the following:
WC fast failover info
cfg iter: 1 (age=17995, size=220729, fp=0x5477e28)
dhcpd_db iter: 123 (age=132, size=1163, fp=0x5435930)
dhcpd_ipmac iter: 123 (age=132, size=2860, fp=0x587d848)
mode: 1+1-ffo
pri: primary
NP6 offloading of CAPWAP traffic is supported by all high-end FortiGate models and most mid-range models. To verify that a CAPWAP session is offloaded, run diag sys session list and check the npu info line of the session:
l when dtls-policy=clear-text, expect npu info: flag=0x81/0x89, offload=8/8
l when dtls-policy=ipsec-vpn, expect npu info: flag=0x81/0x82, offload=8/8
FG1K2D3I16800192 (vdom1) # diag sys session list
The following recipes provide instructions on configuring a standalone FortiGate as a switch controller:
l Standalone FortiGate as switch controller
l Multiple FortiSwitches managed via hardware/software switch on page 557
l Multiple FortiSwitches in tiers via aggregate interface with redundant link enabled on page 561
l Multiple FortiSwitches in tiers via aggregate interface with MCLAG enabled only on distribution on page 564
In this example, one FortiSwitch is managed by a standalone FortiGate. The FortiGate uses an aggregate interface to operate as a switch controller. This configuration might be used in a branch office, or as a starting point before increasing the number of connected FortiSwitch units and evolving to a multi-tier structure.
Prerequisites:
Sample topology
2. If the FortiSwitch ports used for the FortiLink connection have auto-discovery-fortilink enabled already,
executing authorization on FortiGate will trigger the transformation to FortiLink mode automatically.
config switch interface
edit "port1"
set auto-discovery-fortilink enable
……
end
To create aggregate interface and designate it as FortiLink interface using the GUI:
To create aggregate interface and designate it as FortiLink interface using the CLI:
Check the CLI output for Connection: Connected to show that FortiLink is up.
Troubleshooting
If an authorized FortiSwitch is always offline, go to the FortiGate CLI and use the command below to see all the
checkpoints. Inspect each checkpoint to find the cause of the problem.
execute switch-controller diagnose-connection S248EPTF18001384
Fortilink
Status ... SWITCH_AUTHORIZED_READY
Last keepalive ... 1 seconds ago
CAPWAP
Remote Address: 2.2.2.2
Status ... CONNECTED
Last keepalive ... 26 seconds ago
This example provides a recommended configuration of FortiLink where multiple FortiSwitches are managed by a
standalone FortiGate as switch controller via hardware or software switch interface; such as when you need multiple
distribution FortiSwitches but lack supporting aggregate on FortiGate.
Prerequisites:
Sample topology
2. If the FortiSwitch ports used for the FortiLink connection have auto-discovery-fortilink enabled already,
executing authorization on FortiGate will trigger the transformation to FortiLink mode automatically.
config switch interface
edit "port1"
set auto-discovery-fortilink enable
……
end
To create hardware or software switch interface and designate it as FortiLink interface using the GUI:
To create a hardware switch interface and designate it as FortiLink interface using the CLI:
To create a software switch interface and designate it as FortiLink interface using the CLI:
Check the CLI output for Connection: Connected to show that FortiLink is up.
exe switch-controller get-conn-status FSWSerialNum
Troubleshooting
We recommend binding FortiLink to a hardware switch interface. A hardware switch interface forwards traffic in the switch ASIC, so it does not consume CPU capacity, unlike a software switch, which forwards traffic in the CPU.
If an authorized FortiSwitch is always offline, go to the FortiGate CLI and use the command below to see all the
checkpoints. Inspect each checkpoint to find the cause of the problem.
execute switch-controller diagnose-connection S248EPTF18001384
Fortilink
Status ... SWITCH_AUTHORIZED_READY
Last keepalive ... 1 seconds ago
CAPWAP
This example provides a recommended configuration of FortiLink where multi-tier FortiSwitches are managed by a
standalone FortiGate as switch controller via aggregate interface, where the FortiGate can provide redundant links to
multiple distribution FortiSwitches.
Prerequisites:
Sample topology
2. If the FortiSwitch ports used for the FortiLink connection have auto-discovery-fortilink enabled already,
executing authorization on FortiGate will trigger the transformation to FortiLink mode automatically.
config switch interface
edit "port1"
set auto-discovery-fortilink enable
……
end
To create aggregate interface and designate it as FortiLink interface using the GUI:
To create aggregate interface and designate it as FortiLink interface using the CLI:
Check the CLI output for Connection: Connected to show that FortiLink is up.
exe switch-controller get-conn-status FSWSerialNum
Troubleshooting
If an authorized FortiSwitch is always offline, go to the FortiGate CLI and use the command below to see all the
checkpoints. Inspect each checkpoint to find the cause of the problem.
execute switch-controller diagnose-connection S248EPTF18001384
Fortilink
Status ... SWITCH_AUTHORIZED_READY
Last keepalive ... 1 seconds ago
CAPWAP
Remote Address: 2.2.2.2
Status ... CONNECTED
Last keepalive ... 26 seconds ago
Multiple FortiSwitches in tiers via aggregate interface with MCLAG enabled only on distribution
This example provides a recommended configuration of FortiLink where multi-tier FortiSwitches are managed by a
standalone FortiGate as switch controller via aggregate interface, where the FortiGate can provide active-active links to
two distribution FortiSwitches connected to each other by MCLAG.
Prerequisites:
Sample topology
1. On FortiSwitch, go to CLI and change switch-mgmt-mode from the default local to fortilink:
conf sys global
set switch-mgmt-mode fortilink
end
This operation will cleanup all of the configuration and reboot the system!
Do you want to continue? (y/n)y
Backing up local mode config before entering FortiLink mode....
2. If the FortiSwitch ports used for the FortiLink connection have auto-discovery-fortilink enabled already,
executing authorization on FortiGate will trigger the transformation to FortiLink mode automatically.
config switch interface
edit "port1"
set auto-discovery-fortilink enable
……
end
To create aggregate interface and designate it as FortiLink interface using the GUI:
To create aggregate interface and designate it as FortiLink interface using the CLI:
Check the CLI output for Connection: Connected to show that FortiLink is up.
exe switch-controller get-conn-status FSWSerialNum
To enable MCLAG on ICL link on each distribution FortiSwitch unit using the CLI:
When you enable mclag-icl, MCLAG on the FortiLink interface is enabled automatically; and active-active backup
links between the distribution FortiSwitches are established.
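The ICL trunk as configured on each of the two distribution FortiSwitch units, added here as an example since the original recipe omits the commands. This is FortiSwitch (not FortiGate) CLI; the trunk name ICL-D1-D2 and the member ports port47 and port48 are assumptions, and the ports must be the ones directly cabled between the two distribution switches:

```fortios
config switch trunk
    edit "ICL-D1-D2"
        set mode lacp-active
        set mclag-icl enable
        set members "port47" "port48"
    next
end
```

Apply the same block on both distribution switches. Once mclag-icl is enabled on the trunk, MCLAG on the FortiLink interface is enabled automatically, as the text above describes, and the FortiGate's aggregate links to the two switches become active-active. On a FortiSwitch, diagnose switch mclag icl (assumed to be the command name) reports whether the ICL peer is up.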
c. You can also select POE/DHCP Snooping, STP, and other parameters for the FortiSwitch ports to show their
real-time status such as link status, data status, etc.
3. Configure access authentication.
a. Go to WiFi & Switch Controller > FortiSwitch Security Policies.
b. Configure the 802.1X security policies.
c. Select Port-based or MAC-based mode and select User groups from the existing VDOM.
d. Configure other fields as necessary.
e. Go to WiFi & Switch Controller > FortiSwitch Ports.
f. Select one or more FortiSwitch ports and click + in the Security Policy column and make a selection from the
pane.
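The 802.1X access authentication from step 3 expressed in the FortiGate CLI, added here as an example and not part of the original recipe. It assumes a firewall user group named employees that already references the RADIUS server, a policy name dot1x-employees, the placeholder <FSW_SN> for the managed FortiSwitch serial number, and port5 as the access port; the keyword names follow the 6.2 CLI reference as I recall it, so confirm them with ? on your build:

```fortios
config switch-controller security-policy 802-1X
    edit "dot1x-employees"
        set security-mode 802.1X-mac-based
        set user-group "employees"
        set mac-auth-bypass disable
        set open-auth disable
        set guest-vlan disable
        set auth-fail-vlan disable
    next
end
config switch-controller managed-switch
    edit "<FSW_SN>"
        config ports
            edit "port5"
                set port-security-policy "dot1x-employees"
            next
        end
    next
end
```

MAC-based mode authenticates every MAC address on the port separately, so a hub or unmanaged switch behind port5 cannot piggyback a second device on the first one's session. Leaving mac-auth-bypass, open-auth, guest-vlan and auth-fail-vlan disabled means a device with no supplicant, or one that fails authentication, gets no connectivity at all; enable the guest or auth-fail VLAN only if you deliberately want such devices on a restricted segment, since each of those options is a path onto the network that bypasses the RADIUS decision.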
Troubleshooting
If an authorized FortiSwitch is always offline, go to the FortiGate CLI and use the command below to see all the
checkpoints. Inspect each checkpoint to find the cause of the problem.
execute switch-controller diagnose-connection S248EPTF18001384
Fortilink
Status ... SWITCH_AUTHORIZED_READY
Last keepalive ... 1 seconds ago
CAPWAP
Remote Address: 2.2.2.2
Status ... CONNECTED
The following recipes provide instructions on configuring a FortiGate HA in Active-Passive (A-P) mode as a switch
controller:
l Multiple FortiSwitches managed via hardware/software switch on page 568
l Multiple FortiSwitches in tiers via aggregate interface with redundant link enabled on page 573
l Multiple FortiSwitches in tiers via aggregate interface with MCLAG enabled only on distribution on page 577
This example provides a recommended configuration of FortiLink where multiple FortiSwitches are managed by an A-P
mode HA cluster of FortiGates as switch controller via hardware or software switch interface. An example of common
usage is when you need multiple distribution FortiSwitches but lack supporting aggregate on the FortiGate pairs.
Prerequisites:
Sample topology
2. If the FortiSwitch ports used for the FortiLink connection have auto-discovery-fortilink enabled already,
executing authorization on FortiGate will trigger the transformation to FortiLink mode automatically.
config switch interface
edit "port1"
set auto-discovery-fortilink enable
……
end
To create hardware or software switch interface and designate it as FortiLink interface using the GUI:
To create a hardware switch interface and designate it as FortiLink interface using the CLI:
To create a software switch interface and designate it as FortiLink interface using the CLI:
Check the CLI output for Connection: Connected to show that FortiLink is up.
exe switch-controller get-conn-status FSWSerialNum
Troubleshooting
We recommend binding FortiLink to a hardware switch interface. A hardware switch interface forwards traffic in the switch ASIC, so it does not consume CPU capacity, unlike a software switch, which forwards traffic in the CPU.
If an authorized FortiSwitch is always offline, go to the FortiGate CLI and use the command below to see all the
checkpoints. Inspect each checkpoint to find the cause of the problem.
execute switch-controller diagnose-connection S248EPTF18001384
Fortilink
Status ... SWITCH_AUTHORIZED_READY
Last keepalive ... 1 seconds ago
CAPWAP
If HA sync fails, use the command below to diagnose and locate the cause. It prints the configuration checksums of each cluster member: the block with is_manage_master()=1 is the primary and the block with is_manage_master()=0 is the secondary. Compare the per-VDOM and all lines between the two blocks; a VDOM whose checksum differs is the one whose configuration is out of sync, and diagnose sys ha checksum show <vdom-name> on both members narrows the difference to individual configuration objects. In the output below every line matches, so the cluster is in sync.
# diagnose sys ha checksum cluster
is_manage_master()=1, is_root_master()=1
debugzone
global: 2b e9 81 38 c2 9d 4f db b7 0e 1f 49 42 c6 1e fb
vdom5: 3d dc e7 70 69 22 c3 12 a7 ac 68 06 21 21 ef 8f
vdom3: 89 59 1f 45 7a 75 ae fc 71 bc 42 f4 5e c2 47 c8
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
vdom1: 1f b5 11 61 31 c4 0c 72 2e 97 8d d8 45 7e d6 0c
root: af a6 48 c5 c2 9a 8b 81 a5 53 fb 27 e9 ae 01 6a
all: 89 1f 63 77 48 8a 30 ee 57 06 ca eb 71 e6 8e ad
checksum
global: 2b e9 81 38 c2 9d 4f db b7 0e 1f 49 42 c6 1e fb
vdom5: 3d dc e7 70 69 22 c3 12 a7 ac 68 06 21 21 ef 8f
vdom3: 89 59 1f 45 7a 75 ae fc 71 bc 42 f4 5e c2 47 c8
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
vdom1: 1f b5 11 61 31 c4 0c 72 2e 97 8d d8 45 7e d6 0c
root: af a6 48 c5 c2 9a 8b 81 a5 53 fb 27 e9 ae 01 6a
all: 89 1f 63 77 48 8a 30 ee 57 06 ca eb 71 e6 8e ad
is_manage_master()=0, is_root_master()=0
debugzone
global: 2b e9 81 38 c2 9d 4f db b7 0e 1f 49 42 c6 1e fb
vdom5: 3d dc e7 70 69 22 c3 12 a7 ac 68 06 21 21 ef 8f
vdom3: 89 59 1f 45 7a 75 ae fc 71 bc 42 f4 5e c2 47 c8
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
vdom1: 1f b5 11 61 31 c4 0c 72 2e 97 8d d8 45 7e d6 0c
root: af a6 48 c5 c2 9a 8b 81 a5 53 fb 27 e9 ae 01 6a
all: 89 1f 63 77 48 8a 30 ee 57 06 ca eb 71 e6 8e ad
checksum
global: 2b e9 81 38 c2 9d 4f db b7 0e 1f 49 42 c6 1e fb
vdom5: 3d dc e7 70 69 22 c3 12 a7 ac 68 06 21 21 ef 8f
vdom3: 89 59 1f 45 7a 75 ae fc 71 bc 42 f4 5e c2 47 c8
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
vdom1: 1f b5 11 61 31 c4 0c 72 2e 97 8d d8 45 7e d6 0c
root: af a6 48 c5 c2 9a 8b 81 a5 53 fb 27 e9 ae 01 6a
all: 89 1f 63 77 48 8a 30 ee 57 06 ca eb 71 e6 8e ad
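An added example, not from the cookbook: a Python check that parses `diagnose sys ha checksum cluster` output like the above and reports which zones differ between the management master and the other cluster member(s). The sample output is constructed, with the secondary's vdom2 checksum deliberately changed so that a mismatch is found.

```python
import re
from typing import Dict, List

# Constructed sample in the format of `diagnose sys ha checksum cluster`
# (not copied from a real cluster): two members; the secondary's vdom2
# checksum deliberately differs so the check has something to report.
SAMPLE_OUTPUT = """\
is_manage_master()=1, is_root_master()=1
debugzone
global: 2b e9 81 38 c2 9d 4f db b7 0e 1f 49 42 c6 1e fb
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
root: af a6 48 c5 c2 9a 8b 81 a5 53 fb 27 e9 ae 01 6a
all: 89 1f 63 77 48 8a 30 ee 57 06 ca eb 71 e6 8e ad
checksum
global: 2b e9 81 38 c2 9d 4f db b7 0e 1f 49 42 c6 1e fb
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
root: af a6 48 c5 c2 9a 8b 81 a5 53 fb 27 e9 ae 01 6a
all: 89 1f 63 77 48 8a 30 ee 57 06 ca eb 71 e6 8e ad
is_manage_master()=0, is_root_master()=0
debugzone
global: 2b e9 81 38 c2 9d 4f db b7 0e 1f 49 42 c6 1e fb
vdom2: 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
root: af a6 48 c5 c2 9a 8b 81 a5 53 fb 27 e9 ae 01 6a
all: 12 34 56 78 9a bc de f0 12 34 56 78 9a bc de f0
checksum
global: 2b e9 81 38 c2 9d 4f db b7 0e 1f 49 42 c6 1e fb
vdom2: 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
root: af a6 48 c5 c2 9a 8b 81 a5 53 fb 27 e9 ae 01 6a
all: 12 34 56 78 9a bc de f0 12 34 56 78 9a bc de f0
"""

# One block per cluster member starts with this line.
MEMBER_RE = re.compile(r"is_manage_master\(\)=(\d), is_root_master\(\)=(\d)")
# A zone line: name, colon, sixteen hex bytes.
ZONE_RE = re.compile(r"^(\w+):\s+((?:[0-9a-f]{2}\s*){16})$")


def parse_checksum_cluster(text: str) -> List[dict]:
    """Parse the output into one dict per cluster member:
    {"manage_master": bool, "debugzone": {zone: hex}, "checksum": {zone: hex}}."""
    members: List[dict] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = MEMBER_RE.match(line)
        if m:
            members.append({"manage_master": m.group(1) == "1",
                            "debugzone": {}, "checksum": {}})
            section = None
            continue
        if line in ("debugzone", "checksum"):
            section = line
            continue
        z = ZONE_RE.match(line)
        if z and members and section:
            members[-1][section][z.group(1)] = z.group(2).replace(" ", "")
    return members


def find_checksum_mismatches(members: List[dict]) -> Dict[str, List[str]]:
    """Compare every member's 'checksum' zones against the management master's.
    Returns {zone: [labels of members that differ]}; an empty dict means the
    cluster configuration is in sync."""
    masters = [m for m in members if m["manage_master"]]
    if len(masters) != 1:
        raise ValueError("expected exactly one management master in the output")
    reference = masters[0]["checksum"]
    mismatches: Dict[str, List[str]] = {}
    for idx, member in enumerate(members):
        if member is masters[0]:
            continue
        for zone, ref in reference.items():
            if member["checksum"].get(zone) != ref:
                mismatches.setdefault(zone, []).append(f"member{idx}")
    return mismatches


if __name__ == "__main__":
    parsed = parse_checksum_cluster(SAMPLE_OUTPUT)
    for zone, who in find_checksum_mismatches(parsed).items():
        print(f"out of sync: {zone} differs on {', '.join(who)}")
```

A mismatch in a named VDOM zone narrows the search to that VDOM's configuration; the `all` zone differs whenever any other zone does.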
This example provides a recommended configuration of FortiLink where multi-tier FortiSwitches are managed by an A-P
mode HA cluster of FortiGates as switch controller via aggregate interface, where each FortiGate cluster member can
provide redundant links to multiple (>=2) distribution FortiSwitches.
Prerequisites:
Sample topology
2. If the FortiSwitch ports used for the FortiLink connection have auto-discovery-fortilink enabled already,
executing authorization on FortiGate will trigger the transformation to FortiLink mode automatically.
config switch interface
edit "port1"
set auto-discovery-fortilink enable
……
end
To create aggregate interface and designate it as FortiLink interface using the GUI:
To create aggregate interface and designate it as FortiLink interface using the CLI:
Check the CLI output for Connection: Connected to show that FortiLink is up.
exe switch-controller get-conn-status FSWSerialNum
Troubleshooting
If an authorized FortiSwitch is always offline, go to the FortiGate CLI and use the command below to see all the
checkpoints. Inspect each checkpoint to find the cause of the problem.
execute switch-controller diagnose-connection S248EPTF18001384
server-version=4, stratum=2
reference time is dfe3aec5.744404e6 -- UTC Sat Jan 12 00:09:41 2019
clock offset is -0.448087 sec, root delay is 0.054535 sec
root dispersion is 0.533081 sec, peer dispersion is 12542 msec
Fortilink
Status ... SWITCH_AUTHORIZED_READY
Last keepalive ... 1 seconds ago
CAPWAP
Remote Address: 2.2.2.2
Status ... CONNECTED
Last keepalive ... 26 seconds ago
If HA sync fails, use the command below to diagnose and locate the cause.
# diagnose sys ha checksum cluster
Multiple FortiSwitches in tiers via aggregate interface with MCLAG enabled only on distribution
This example provides a recommended configuration of FortiLink where multi-tier FortiSwitches are managed by an A-P
mode HA cluster of FortiGates as switch controller via aggregate interface, where FortiGates provide active-active links
to two distribution FortiSwitches connected to each other by MCLAG.
Prerequisites:
Sample topology
1. On FortiSwitch, go to CLI and change switch-mgmt-mode from the default local to fortilink:
conf sys global
set switch-mgmt-mode fortilink
end
This operation will cleanup all of the configuration and reboot the system!
Do you want to continue? (y/n)y
Backing up local mode config before entering FortiLink mode....
2. If the FortiSwitch ports used for the FortiLink connection have auto-discovery-fortilink enabled already,
executing authorization on FortiGate will trigger the transformation to FortiLink mode automatically.
config switch interface
edit "port1"
set auto-discovery-fortilink enable
……
end
To create aggregate interface and designate it as FortiLink interface using the GUI:
To create aggregate interface and designate it as FortiLink interface using the CLI:
Check the CLI output for Connection: Connected to show that FortiLink is up.
To enable MCLAG on ICL link on each distribution FortiSwitch unit using the CLI:
When you enable mclag-icl, MCLAG on the FortiLink interface is enabled automatically, and active-active backup
links between the distribution FortiSwitches are established.
Troubleshooting
If an authorized FortiSwitch is always offline, go to the FortiGate CLI and use the command below to see all the
checkpoints. Inspect each checkpoint to find the cause of the problem.
Fortilink
Status ... SWITCH_AUTHORIZED_READY
Last keepalive ... 1 seconds ago
CAPWAP
Remote Address: 2.2.2.2
Status ... CONNECTED
Last keepalive ... 26 seconds ago
If HA sync fails, use the command below to diagnose and locate the cause.
# diagnose sys ha checksum cluster
This document provides a sample configuration for multiple FortiAnalyzers on a multi-VDOM FortiGate.
In this example:
- The FortiGate has three VDOMs:
  - Root (management VDOM)
  - VDOM1
  - VDOM2
- There are four FortiAnalyzers. These IP addresses are used as examples in the instructions below.
  - FAZ1: 172.16.200.55
  - FAZ2: 172.18.60.25
  - FAZ3: 192.168.1.253
  - FAZ4: 192.168.1.254
- Set up FAZ1 and FAZ2 under global.
  - Used to collect logs from the root VDOM and VDOM2.
  - FAZ1 and FAZ2 must be accessible from the management VDOM root.
- Set up FAZ3 and FAZ4 under VDOM1.
  - Used to collect logs from VDOM1.
  - FAZ3 and FAZ4 must be accessible from VDOM1.
queue: qlen=0.
filter: severity=6, sz_exclude_list=0
voip dns ssh ssl
subcategory:
traffic: forward local multicast sniffer
anomaly: anomaly
This topic describes which log messages are supported by each logging destination.
CIFS No Yes No
Sandbox inspection is a network process that allows files to be sent to a separate device, such as FortiSandbox, to be
inspected without risking network security. This allows the detection of threats capable of bypassing other security
measures, including zero-day threats.
You can configure your FortiGate device to send suspicious files to FortiSandbox for inspection and analysis. The
FortiGate queries scan results and retrieves scan details. The FortiGate can also download malware packages as a
complementary AV signature database to block future intrusions by the same malware and download URL packages as
complementary web-filtering black lists.
The FortiSandbox uses virtual machines (VMs) running different operating systems to test a file and to determine if it is
malicious. If the file exhibits risky behavior, or is found to contain a virus, a new signature can be added to the
FortiGuard AntiVirus signature database.
When a FortiGate learns from FortiSandbox that an endpoint is infected, the administrator can quarantine the host, if it
is registered to a FortiClient.
FortiSandbox has a VM pool and processes multiple files simultaneously. The amount of time to process a file depends
on hardware and the number of sandbox VMs used to scan the file. For example, it can take 60 seconds to five minutes
to process a file. FortiSandbox has a robust prefiltering process that, if enabled, reduces the need to inspect every file
and reduces processing time. For more information on enabling prefiltering, refer to the FortiSandbox documentation.
The following are some frequently asked questions about using sandbox inspection with FortiSandbox and FortiGate.
Why is the FortiSandbox Cloud option not available when sandbox inspection is enabled?
This option is only available if you have created a FortiCloud account. For more information, see the FortiCloud
documentation.
Why don't results from FortiSandbox Cloud appear in the FortiGate GUI?
Go to Log & Report > Log Settings and make sure Send Logs to FortiCloud is enabled and GUI Preferences is
set to Display Logs from FortiCloud.
Make sure that port 3 on the FortiSandbox has an active Internet connection. This is required in order to activate the
FortiSandbox VMs.
Make sure an AntiVirus profile that sends files to FortiSandbox is enabled for all policies that require sandbox
inspection.
Yes, a FortiGate can be in either NAT or Transparent mode and support FortiSandbox.
Yes, multiple FortiGates can be supported in-line with FortiSandbox. Note that the FortiSandbox will see all FortiGates
only as one device so there is no way to differentiate reports.
If the FortiGate has a dynamic IP, will the FortiSandbox automatically update the FortiGate?
Yes. Dynamic IPs are supported and the FortiGate will not have to be reconfigured on the FortiSandbox each time.
FortiSandbox is available as a physical or virtual appliance (FortiSandbox Appliance), or as a cloud advanced threat
protection service integrated with FortiGate (FortiSandbox Cloud).
To select the settings for Sandbox Inspection, such as the FortiSandbox type, server, and notifier email, go to
Security Fabric > Settings.
The table below highlights the supported features of both types of FortiSandbox:
Feature                                          FortiSandbox Appliance                   FortiSandbox Cloud
Sandbox inspection for FortiGate                 Yes (FortiOS 5.0.4+)                     Yes (FortiOS 5.2.3+)
Sandbox inspection for FortiMail                 Yes (FortiMail OS 5.1+)                  Yes (FortiMail OS 5.3+)
Sandbox inspection for FortiWeb                  Yes (FortiWeb OS 5.4+)                   Yes (FortiWeb OS 5.5.3+)
Dynamic Threat Database updates for FortiGate    Yes (FortiOS 5.4+)                       Yes (FortiOS 5.4+)
Dynamic Threat Database updates for FortiClient  Yes (FortiClient 5.4 for Windows only)   Yes (FortiClient 5.6+ for Windows only)
Note that a separate Dynamic Threat Database is maintained for FortiMail. For more information, see the
FortiSandbox documentation.
Recipes about Sandbox inspection are organized into the following categories:
- AntiVirus on page 588
AntiVirus
The following recipes provide information about Sandbox inspection with AntiVirus:
- Use FortiSandbox Appliance with AntiVirus on page 588
- Use FortiSandbox Cloud with AntiVirus on page 600
Feature overview
AntiVirus can use FortiSandbox to supplement its detection capabilities. In real-world situations, networks are always
under the threat of zero-day attacks.
AntiVirus can submit potential zero-day viruses to FortiSandbox for inspection. Based on FortiSandbox's analysis, the
FortiGate can supplement its own antivirus database with FortiSandbox's database to detect files that FortiSandbox has
determined to be malicious or risky. This helps FortiGate's AntiVirus detect zero-day viruses and malware whose
signatures are not found in the FortiGate's antivirus database.
- FortiSandbox can be used with AntiVirus in both proxy-based and flow-based inspection modes.
- With FortiSandbox enabled, Full Scan mode AntiVirus can do the following:
  - Submit only suspicious files to FortiSandbox for inspection.
  - Submit every file to FortiSandbox for inspection.
  - Do not submit anything.
- Quick Scan mode AntiVirus cannot submit suspicious files to FortiSandbox. It can only do the following:
  - Submit every file to FortiSandbox for inspection.
  - Do not submit anything.
To configure AntiVirus to work with an external block list, the following steps are required:
1. Enable FortiSandbox on the FortiGate.
2. Authorize FortiGate on the FortiSandbox.
3. Enable FortiSandbox inspection.
4. Enable use of the FortiSandbox database.
2. Use the FortiGate serial number to quickly locate the desired FortiGate and select the link icon to authorize the
FortiGate.
4. The link icon changes from an open to closed link. This indicates that the FortiSandbox has authorized this
FortiGate.
6. Select Test connectivity. FortiGate is now authorized and the status now displays as Connected.
3. Files can be excluded from being sent to FortiSandbox based on their file types by choosing from a list of supported
file types.
4. Files can also be excluded from being sent to FortiSandbox by using wild card patterns.
5. Select Apply.
3. Select Apply.
- Update daemon:
FGT_PROXY (global) # diagnose debug application quarantined -1
FGT_PROXY (global) # diagnose debug enable
status=1, buflen=12
quar_remote_recv_send()-770: dev-fortisandbox-fsb3, oevent=4, nevent=1, xfer-status=1
quar_remote_recv_send()-731: dev=fortisandbox-fsb5 xfer-status=0
__quar_build_pkt()-408: build req(id=340, type=6) for vdom-vdom1, len=93, oftp_name=
__quar_send()-470: dev buffer -- pos=0, len=93
quar_remote_send()-520: req(id=340, type=6) read response, dev=fortisandbox-fsb5, xfer_status=1, buflen=12
quar_remote_recv_send()-770: dev-fortisandbox-fsb5, oevent=4, nevent=1, xfer-status=1
quar_remote_recv_send()-731: dev=fortisandbox-fsb2 xfer-status=1
quar_remote_recv()-662: dev(fortisandbox-fsb2) received a packet: len=69, type=1
quar_remote_recv()-718: file-[337] is accepted by server(fortisandbox-fsb2).
quar_put_job_req()-332: Job 337 deleted
quar_remote_recv_send()-731: dev=fortisandbox-fsb4 xfer-status=0
__quar_build_pkt()-408: build req(id=339, type=6) for vdom-vdom1, len=93, oftp_name=
__quar_send()-470: dev buffer -- pos=0, len=93
quar_remote_send()-520: req(id=339, type=6) read response, dev=fortisandbox-fsb4, xfer_status=1, buflen=12
quar_remote_recv_send()-770: dev-fortisandbox-fsb4, oevent=4, nevent=1, xfer-status=1
quar_remote_recv_send()-731: dev=fortisandbox-fsb1 xfer-status=0
__quar_build_pkt()-408: build req(id=336, type=4) for vdom-root, len=98, oftp_name=
__quar_send()-470: dev buffer -- pos=0, len=98
...
__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0
__quar_req_handler()-127: Request 0 was handled successfully
__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0
__quar_req_handler()-127: Request 0 was handled successfully
__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0
__quar_req_handler()-127: Request 0 was handled successfully
__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0
__quar_req_handler()-127: Request 0 was handled successfully
quar_fsb_handle_quar()-1439: added a req-6 to fortisandbox-fsb1, vfid=1, oftp-name=[].
__quar_start_connection()-908: start server fortisandbox-fsb1-172.18.52.154 in vdom-1
[103] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[551] ssl_ctx_create_new_ex: SSL CTX is created
[578] ssl_new: SSL object is created
upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530
upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043
upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230
upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043
upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-1901281000
quar_remote_recv_send()-731: dev=fortisandbox-fsb1 xfer-status=0
__quar_build_pkt()-408: build req(id=2, type=6) for vdom-vdom1, len=93, oftp_name=
__quar_send()-470: dev buffer -- pos=0, len=93
quar_remote_send()-520: req(id=2, type=6) read response, dev=fortisandbox-fsb1, xfer_status=1, buflen=12
quar_remote_recv_send()-770: dev-fortisandbox-fsb1, oevent=4, nevent=1, xfer-status=1
quar_remote_recv_send()-731: dev=fortisandbox-fsb1 xfer-status=1
quar_remote_recv()-662: dev(fortisandbox-fsb1) received a packet: len=767, type=1
quar_store_analytics_report()-590: Analytics-report return file=/tmp/fsb/83bb2d9928b03a68b123730399b6b9365b5cc9a5a77f8aa007a6f1a499a13b18.json.gz, buf_sz=735
quar_store_analytics_report()-597: The request '83bb2d9928b03a68b123730399b6b9365b5cc9a5a77f8aa007a6f1a499a13b18' score is 1
quar_remote_recv()-718: file-[2] is accepted by server(fortisandbox-fsb1).
global-fas is disabled.
forticloud-fsb is disabled.
fortisandbox-fsb1 is enabled: analytics, realtime=yes, taskfull=no
addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no.
ssl_opt=3, hmac_alg=0
fortisandbox-fsb2 is enabled: analytics, realtime=yes, taskfull=no
addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no.
ssl_opt=3, hmac_alg=0
fortisandbox-fsb3 is enabled: analytics, realtime=yes, taskfull=no
addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no.
ssl_opt=3, hmac_alg=0
fortisandbox-fsb4 is enabled: analytics, realtime=yes, taskfull=no
addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no.
ssl_opt=3, hmac_alg=0
fortisandbox-fsb5 is enabled: analytics, realtime=yes, taskfull=no
addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no.
ssl_opt=3, hmac_alg=0
fortisandbox-fsb6 is enabled: analytics, realtime=yes, taskfull=no
addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no.
ssl_opt=3, hmac_alg=0
global-faz is disabled.
global-faz2 is disabled.
global-faz3 is disabled.
Statistics:
vfid: 0, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_reached:0
FGT_PROXY (global) #
Feature overview
FortiCloud Sandbox allows users to take advantage of FortiSandbox features without having to purchase, operate, and
maintain a physical appliance.
FortiCloud Sandbox works the same way as the physical FortiSandbox appliance.
Starting from FortiOS 6.2, FortiCloud Sandbox lets users control the region their traffic is sent to for analysis,
which allows them to meet their country's compliance requirements on where data is stored.
- Starting from FortiOS 6.2, users no longer require a FortiCloud account to use FortiCloud Sandbox.
- Without a valid AVDB license, FortiGate devices are limited to 100 FortiCloud submissions per day.
- Unlimited FortiCloud submissions are allowed if the FortiGate has a valid AVDB license.
- There is a limit on how many submissions are sent per minute.
  - The per-minute submission rate is based on the FortiGate model.
- FortiSandbox can be used with AntiVirus in both proxy-based and flow-based policy inspection modes.
- With FortiSandbox enabled, Full Scan mode AntiVirus can do the following:
  - Submit only suspicious files to FortiSandbox for inspection.
  - Submit every file to FortiSandbox for inspection.
  - Do not submit anything.
- Quick Scan mode AntiVirus cannot submit suspicious files to FortiSandbox. It can only do the following:
  - Submit every file to FortiSandbox for inspection.
  - Do not submit anything.
To configure AntiVirus to work with an external block list, the following steps are required:
1. Through FortiCare/FortinetOne, register the FortiGate device and purchase a FortiGuard AntiVirus license.
2. Enable FortiCloud Sandbox on the FortiGate.
3. Enable FortiSandbox inspection.
4. Enable the use of the FortiSandbox database.
1. Please see the video How to Purchase or Renew FortiGuard Services for FortiGuard AntiVirus license purchase
instructions.
2. Once a FortiGuard license has been purchased or activated, users will be provided with a paid FortiSandbox Cloud
license.
a. Go to Global > Main Dashboard to view the FortiSandbox Cloud license indicator.
1. Go to Global > Security Fabric > Settings and set the Sandbox Inspection toggle to the On position.
2. Select FortiSandbox Cloud and choose a region from the dropdown list.
4. When the FortiGate is connected to the FortiSandbox Cloud, FortiSandbox's current database version is displayed.
3. Files can be excluded from being sent to FortiSandbox based on their file types by choosing from a list of supported
file types.
4. Files can also be excluded from being sent to FortiSandbox by using wild card patterns.
5. Select Apply.
3. Select Apply.
global-fas is disabled.
forticloud-fsb is enabled: analytics, realtime=yes, taskfull=no
addr=172.16.102.51/514, source-ip=0.0.0.0, keep-alive=no.
ssl_opt=1, hmac_alg=0
fortisandbox-fsb1 is disabled.
fortisandbox-fsb2 is disabled.
fortisandbox-fsb3 is disabled.
fortisandbox-fsb4 is disabled.
fortisandbox-fsb5 is disabled.
fortisandbox-fsb6 is disabled.
global-faz is disabled.
global-faz2 is disabled.
global-faz3 is disabled.
Statistics:
vfid: 0, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_reached:0
vfid: 3, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_reached:0
vfid: 4, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_reached:0
FGT_FL_FULL (global) #
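An added example, not from the cookbook: a Python parser for the FortiSandbox status block shown above (which destination is enabled, its address and ssl_opt, and the per-VDOM statistics), with a check that flags VDOMs whose submissions have hit the FortiCloud daily limit described in the feature overview. The sample output and its counters are constructed, and reading `limit_reached` as a count of submissions refused because the limit was reached is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the format of the status block printed by the
# quarantined daemon diagnostics (not copied from a real device). The
# limit_reached counter on vfid 3 is deliberately non-zero, and the
# "limit_" / "reached:N" wrap mirrors how the cookbook PDF renders it.
SAMPLE_STATUS = """\
global-fas is disabled.
forticloud-fsb is enabled: analytics, realtime=yes, taskfull=no
    addr=172.16.102.51/514, source-ip=0.0.0.0, keep-alive=no.
    ssl_opt=1, hmac_alg=0
fortisandbox-fsb1 is disabled.
global-faz is disabled.
Statistics:
    vfid: 0, detected: 4, clean: 40, risk_low: 2, risk_med: 1, risk_high: 1, limit_
reached:0
    vfid: 3, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_
reached:17
"""

DEST_RE = re.compile(r"^(\S+) is (enabled|disabled)")   # "forticloud-fsb is enabled: ..."
KV_RE = re.compile(r"(\w+):\s*(\d+)")                    # "detected: 4", "limit_reached:17"


def parse_quarantined_status(text: str) -> Tuple[Dict[str, dict], Dict[int, Dict[str, int]]]:
    """Return (destinations, stats).
    destinations: name -> {"enabled": bool, "addr": str|None, "ssl_opt": int|None}
    stats: vfid -> {counter name: value}
    Lines wrapped as 'limit_' / 'reached:N' are re-joined before parsing."""
    text = re.sub(r"limit_\s*\n\s*reached", "limit_reached", text)
    destinations: Dict[str, dict] = {}
    stats: Dict[int, Dict[str, int]] = {}
    current = None
    in_stats = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Statistics:"):
            in_stats = True
            continue
        if in_stats:
            if line.startswith("vfid:"):
                counters = {k: int(v) for k, v in KV_RE.findall(line)}
                stats[counters.pop("vfid")] = counters
            continue
        m = DEST_RE.match(line)
        if m:
            current = m.group(1)
            destinations[current] = {"enabled": m.group(2) == "enabled",
                                     "addr": None, "ssl_opt": None}
            continue
        # Detail lines belong to the most recent destination.
        if current and line.startswith("addr="):
            destinations[current]["addr"] = line.split(",")[0][len("addr="):]
        elif current and line.startswith("ssl_opt="):
            destinations[current]["ssl_opt"] = int(line.split(",")[0][len("ssl_opt="):])
    return destinations, stats


def submissions_dropped(stats: Dict[int, Dict[str, int]]) -> List[int]:
    """VDOM ids (vfid) whose sandbox submissions were refused because the
    daily limit was reached (assumed meaning of limit_reached)."""
    return sorted(v for v, c in stats.items() if c.get("limit_reached", 0) > 0)


if __name__ == "__main__":
    dests, stats = parse_quarantined_status(SAMPLE_STATUS)
    enabled = [n for n, d in dests.items() if d["enabled"]]
    print("enabled sandbox destinations:", enabled)
    for vfid in submissions_dropped(stats):
        print(f"vfid {vfid}: {stats[vfid]['limit_reached']} submissions hit the daily limit")
```

A non-zero `limit_reached` on a FortiGate without an AVDB license means files are going uninspected past the 100-per-day cap, which is worth alerting on rather than discovering after an incident.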
global-fas is disabled.
forticloud-fsb is disabled.
fortisandbox-fsb1 is enabled: analytics, realtime=yes, taskfull=no
addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no.
ssl_opt=3, hmac_alg=0
fortisandbox-fsb2 is enabled: analytics, realtime=yes, taskfull=no
addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no.
ssl_opt=3, hmac_alg=0
fortisandbox-fsb3 is enabled: analytics, realtime=yes, taskfull=no
addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no.
ssl_opt=3, hmac_alg=0
fortisandbox-fsb4 is enabled: analytics, realtime=yes, taskfull=no
addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no.
ssl_opt=3, hmac_alg=0
fortisandbox-fsb5 is enabled: analytics, realtime=yes, taskfull=no
addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no.
ssl_opt=3, hmac_alg=0
fortisandbox-fsb6 is enabled: analytics, realtime=yes, taskfull=no
addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no.
ssl_opt=3, hmac_alg=0
global-faz is disabled.
global-faz2 is disabled.
global-faz3 is disabled.
Upcoming recipes
Category                                     Recipe
Security Fabric
SD-WAN
System configuration
HA
Deep inspection
Protecting server
VM                                           Deploying Auto Scaling on Azure using a mixture of BYOL and PAYG licenses
                                             FortiGate-VM HA on Azure
SDN Connector
Others                                       Terraform
WiFi
Switch controller
HA (AP)-mode FGT pairs as switch-controller  Multiple FortiSwitch devices in tiers via aggregate interface with MCLAG enabled only all tiers
Quarantine
Data Statistic
2019-04-03 Added Supported log types to FortiAnalyzer, Syslog, and FortiAnalyzer Cloud and Multiple
FortiSwitches in tiers via aggregate interface with MCLAG enabled only on distribution.
2019-04-05 Updated SD-WAN introduction.
Updated License subsections in Overlay Controller VPN (OCVPN) topics.