FortiOS-6 2 0-Cookbook

FortiOS - Cookbook
Version 6.2.0
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com
FORTINET VIDEO GUIDE

https://video.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com
FORTINET TRAINING & CERTIFICATION PROGRAM

https://www.fortinet.com/support-and-training/training.html
NSE INSTITUTE
https://training.fortinet.com
FORTIGUARD CENTER
https://fortiguard.com/
END USER LICENSE AGREEMENT

https://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK
Email: [email protected]
May 31, 2019

FortiOS 6.2.0 Cookbook
01-620-538742-20190531
TABLE OF CONTENTS
Change Log 12
What's New 14
Getting Started 15
Differences between models 15
Using the GUI 15
Connecting using a web browser 15
Menus 16
Dashboard 17
Feature Visibility 19
Tables 20
Text strings 21
Using the CLI 22
Connecting to the CLI 22
CLI-only features 26
Command syntax 26
Sub-commands 30
Permissions 33
Tips 33
FortiExplorer for iOS 39
Getting started with FortiExplorer 40
Running a Security Fabric Rating 42
Connecting FortiExplorer to a FortiGate via WiFi 43
Upgrading to FortiExplorer Pro 43
LED specifications 44
Basic administration 46
Registration 46
System settings 46
Passwords 50
Configuration backups 51
Firmware 54
Downloading 55
Testing 55
Upgrading firmware 57
Reverting 58
Installation from system reboot 59
Restoring from a USB key 60
Controlled upgrade 60
FortiGuard 61
FortiCloud 68
Troubleshooting your installation 70
Security Fabric 73
Components 73
Security Fabric device configuration 75
FortiGate 76
FortiOS Cookbook Fortinet Technologies Inc.

4
FortiAnalyzer 80
FortiSandbox 81
FortiManager 83
FortiClient EMS 84
FortiAP and FortiSwitch 85
Additional devices 86
Using the Security Fabric 86
Dashboard widgets 86
Topology 89
Security rating 93
Automation stitches 96
Fabric connectors 105
Deploy Security Fabric 112
Security Fabric over IPsec VPN 119
Viewing and controlling network risks via topology view 125
FortiView 130
Introduction 130
FortiView from disk 131
Prerequisites 131
Restrictions 131
Configuration 131
Source View 132
Troubleshooting 134
FortiView from FortiAnalyzer 134
Network Configurations 137
DNS 137
Introduction 137
DNS local domain list 140
Using FortiGate as a DNS server 141
FortiGuard DDNS 144
SD-WAN 147
Basic SD-WAN setup 147
Creating the SD-WAN interface 147
Using DHCP interface 150
Implicit rule 152
WAN path control 156
Performace SLA - link monitoring 156
Performace SLA - SLA targets 157
SD-WAN rules - best quality 158
SD-WAN rules - lowest cost (SLA) 161
SD-WAN rules - maximize bandwidth (SLA) 163
MPLS (SIP and backup) + DIA (cloud apps) 166
SD-WAN traffic shaping and QoS with SD-WAN 168
Advanced configuration 173
Per packet distribution and tunnel aggregation 173
Forward error correction on VPN overlay networks 178
Using BGP tags with SD-WAN rules 180

5
Troubleshooting 184
Tracking SD-WAN sessions 184
Understanding SD-WAN related logs 184
SD-WAN related diagnose commands 187
System Configurations 192
System management introduction 192
Administrators 193
Administrator profiles 193
Add a local administrator 195
Remote authentication for administrators 195
Password policy 197
Update FortiGate firmware 199
Interface 200
Interface settings 200
Aggregation and redundancy 202
VLANs 204
Enhanced MAC VLANs 210
Inter-VDOM routing 212
Software switch 217
Zone 219
Virtual Wire Pair 221
Virtual Domains 222
Split-task VDOM mode 223
Multi VDOM mode 227
Configure VDOM-A 229
Configure VDOM-B 231
Configure the VDOM link 234
Configure VDOM-A 239
Configure VDOM-B 241
Advanced configurations 242
VDOM 243
SNMP 245
DHCP server 250
Use Custom Images for Replacement Messages 252
High Availability 254
Cluster setup 254
HA active-passive cluster setup 254
HA active-active cluster setup 255
HA virtual cluster setup 257
Fail protection 260
FGSP (session-sync) peer setup 261
Troubleshoot an HA formation 262
Check HA sync status 263
Policies and Objects 266
Policies 266
Policy introduction 266
Profile-based NGFW vs policy-based NGFW 267

6
Policy views and policy lookup 269

Policy with source NAT 271
Policy with destination NAT 279
Policy with Internet Service 290
NAT64 policy and DNS64 (DNS proxy) 297
NAT46 policy 301
Multicast processing and basic Multicast policy 304
IPv4/IPv6 access control lists 306
Traffic shaping 307
Interface bandwidth limit 307
ToS-based traffic prioritization 308
Shared traffic shaper 309
Per-IP traffic shaper 313
Type of Service-based prioritization and policy-based traffic shaping 316
Interface-based traffic shaping profile 318
Security Profiles 322
Antivirus 322
Content disarm and reconstruction for Antivirus 322
FortiGuard Outbreak Prevention for Antivirus 326
External malware blocklist for Antivirus 329
Application Control 334
Introduction to AppCtrl sensors 334
AppCtrl basic category filters and overrides 335
AppCtrl port enforcement check 339
AppCtrl protocol enforcement check 340
Web Filter 342
Introduction to Web Filter 342
URL filter of webfilter 342
FortiGuard filter of Web Filter 348
Quota of Web Filter 356
Web content filter of Web Filter 358
Advanced Filters 1 362
Advanced Filters 2 366
Web rating override 372
External resources for Web Filter 374
File filter for Web Filter 381
Reliable Web Filter statistics 385
DNS Filter 388
Introduction to DNS Filter 388
How to configure and apply DNS Filter profile 389
FortiGuard category-based DNS domain filtering 392
Botnet C&C domain blocking 396
External Resources for DNS Filter 400
DNS safe search 406
Local domain filter 407
DNS translation 410
Use FortiGate as a DNS server 412
Troubleshooting DNS Filter 414

7
Email filter 417

Email filtering 417
Local-based filters 419
FortiGuard-based filters 423
File-type based filters 424
Protocols and actions 425
Webmail 426
Checking the log 426
File Filter for email filter 427
Data Leak Prevention 431
Basic DLP filter types 432
DLP fingerprinting 438
DLP watermarking 443
Inspection Modes 447
About FortiOS inspection modes 447
Flow mode inspection (default mode) 447
Proxy mode inspection 448
Inspection mode feature comparison 448
Inspection mode differences for Antivirus 449
Inspection mode differences for Data Leak Prevention 450
Inspection mode differences for Email Filter 450
Inspection mode differences for Web Filter 451
Proxy mode inspection use case 452
Flow mode inspection use case 453
SSL Inspection 454
Certificate inspection 454
Deep inspection 455
Protecting SSL Server 458
Endpoint control and compliance 460
Dynamic policies - FortiClient EMS 460
Add a compliance verification rule in EMS 460
Configure an EMS FSSO agent 461
Configure user groups 462
Create a dynamic firewall policy 463
Diagnostics 464
Per-policy disclaimer messages 466
Provisioning on EMS 468
IPsec VPNs 473
Basic site-to-site VPN 473
IPsec VPN in an HA environment 473
OSPF with IPsec VPN to achieve network redundancy 478
IPsec aggregate to achieve redundancy and traffic load-balancing 486
Redundant hub and spoke VPN 492
Dialup VPN 497
FortiGate as dialup client 497
FortiClient as dialup client 503
iOS device as dialup client 507

8
ADVPN 511
ADVPN with BGP as the routing protocol 511
ADVPN with OSPF as the routing protocol 520
ADVPN with RIP as the routing protocol 529
Overlay Controller VPN (OCVPN) 538
Full mesh OCVPN 538
Hub-spoke OCVPN with ADVPN shortcut 543
Hub-Spoke OCVPN with inter-overlay source NAT 548
OCVPN portal 552
OCVPN troubleshooting 554
Authentication in VPN 566
IPsec VPN authenticating a remote FortiGate peer with a pre-shared key 566
IPsec VPN authenticating a remote FortiGate peer with a certificate 572
VXLAN over IPsec 579
VXLAN over IPsec tunnel 579
VXLAN over IPsec using a VTEP 582
Troubleshooting 587
Understanding VPN related logs 587
IPsec related diagnose command 589
Other VPN topics 595
Tunneled Internet Browsing 595
VPN and ASIC offload 601
GRE over IPsec 610
LT2P over IPsec 615
Encryption algorithms 619
Policy-based IPsec tunnel 626
SSL VPN 634
SSL VPN web mode for remote user 634
Sample network topology 634
Sample configuration 634
SSL VPN tunnel mode 637
SSL VPN full tunnel for remote user 637
SSL VPN split tunnel for remote user 640
SSL VPN tunnel mode host check 643
SSL VPN multi-realm 646
Sample network topology 647
Sample configuration 647
SSL VPN authentication 651
SSL VPN with certificate authentication 651
SSL VPN with LDAP-integrated certificate authentication 656
SSL VPN with FortiToken Mobile Push authentication 661
SSL VPN with RADIUS on FortiAuthenticator 666
SSL VPN with RADIUS and FortiToken mobile push on FortiAuthenticator 670
SSL VPN with local user password policy 675
SSL VPN with RADIUS password renew on FortiAuthenticator 680
SSL VPN with LDAP user password renew 686
SSL VPN troubleshooting 690
Diagnose commands 691

9
Common issues 691

VM 694
Amazon Web Services 694
Microsoft Azure 694
Google Cloud Platform 694
Oracle OCI 694
AliCloud 694
Private cloud 694
FortiGate multiple connector support 694
WiFi 698
FortiAP management 698
Configuring the FortiGate interface to manage FortiAP units 698
Discovering, authorizing, and deauthorizing FortiAP units 699
Set up a mesh connection between FortiAP units 703
SSID authentication 706
Replacing the Fortinet_Wifi certificate 706
Deploying WPA2-Personal SSID to FortiAP units 709
Deploying WPA2-Enterprise SSID to FortiAP units 711
Deploying captive portal SSID to FortiAP units 714
Configuring quarantining on SSID 718
Configuring MAC filter on SSID 719
Support for WPA3 on FAP 721
Statistics 723
WiFi client monitor 723
WiFi health monitor 724
WiFi maps 725
Fortinet Security Fabric 726
Wireless security 727
Enabling rogue AP scan 727
Enabling rogue AP suppression 728
Wireless Intrusion Detection System 729
Other 730
UTM security profile groups on FortiAP-S 730
1+1 fast failover between FortiGate WiFi controllers 731
CAPWAP Offloading (NP6 only) 733
Switch Controller 735
Standalone FortiGate as switch controller 735
Standalone FortiGate as switch controller 735
Multiple FortiSwitches managed via hardware/software switch 738
Multiple FortiSwitches in tiers via aggregate interface with redundant link enabled 742
Multiple FortiSwitches in tiers via aggregate interface with MCLAG enabled only on
distribution 746
HA (A-P) mode FortiGate pairs as switch controller 749
Multiple FortiSwitches managed via hardware/software switch 750
Multiple FortiSwitches in tiers via aggregate interface with redundant link enabled 754
distribution 759

10
Multiple FortiSwitches in tiers via aggregate interface with MCLAG enabled on all tiers 763
Authentication and security 768
MAC-based 802.1X authentication 768
Port-based 802.1X authentication 772
MAC layer control - Sticky MAC and MAC Learning-limit 775
Quarantine 776
Flow and Device Detection 777
Data statistic 778
Security Fabric showing 779
Log and report 780
Configure multiple FortiAnalyzers on a multi-VDOM FortiGate 780
Diagnose command to check FortiAnalyzer connectivity 781
Supported log types to FortiAnalyzer, Syslog, and FortiAnalyzer Cloud 783
Sample logs by log type 784
Troubleshooting 802
Log-related diagnose commands 802
Back up log files or dump log messages 808
VoIP solutions 810
General use cases 810
VIP 810
NAT 811
HNT 812
SIP message inspection and filtering 813
SIP message syntax inspection 814
SIP message blocking 814
SIP message rate limiting 815
SIP pinholes 815
SIP pinhole restriction 815
RTP/RTCP pinhole restriction 816
SIP over TLS 816
Explicit and transparent proxies 818
Explicit web proxy 818
Transparent proxy 821
FTP proxy 824
Proxy policy addresses 826
Fast policy match 826
Host regex match 827
URL pattern 827
URL category 828
HTTP method 829
HTTP header 830
User agent 831
Advanced (source) 832
Advanced (destination) 833
Proxy policy security profiles 834
Explicit web proxy policy 834
Transparent proxy 837

11
FTP proxy 839

Explicit proxy authentication 840
Enable and configure the explicit proxy 841
Configure the authentication server and create user groups 841
Create an authentication scheme and rules 844
Create an explicit proxy policy and assign a user group to the policy 844
Verify the configuration 845
Sandbox Inspection 847
What is Sandbox inspection? 847
FAQ for Sandbox inspection 847
FortiSandbox Appliance or FortiSandbox Cloud 848
Recipes for Sandbox inspection 849
AntiVirus 849
Zero touch provisioning 872
Zero touch provisioning with FortiDeploy 872
Zero touch provisioning with FortiManager 874
Upcoming recipes 876

Change Log 12
Change Log
Date Change Description
2019-03-28 Initial release.
2019-04-02 Updated Virtual Domains on page 222.
2019-04-03 Added Supported log types to FortiAnalyzer, Syslog, and FortiAnalyzer Cloud and
distribution.
2019-04-05 Updated introduction SD-WAN on page 147.
Updated License subsections in Overlay Controller VPN (OCVPN) on page 538.
2019-04-15 Updated Email filter on page 417 with additional topics.
2019-04-16 Updated Switch Controller on page 735 with additional topics.
2019-04-17 Added About FortiOS inspection modes on page 447.
2019-04-18 Added SD-WAN Troubleshooting on page 184.
2019-04-24 Added Application Control on page 334.

Added Introduction to Web Filter on page 342.
2019-04-29 Added Aggregation and redundancy on page 202.

Added DHCP server on page 250.
Added Back up log files or dump log messages on page 808.
Added VoIP solutions on page 810.
2019-04-30 Added Data Leak Prevention on page 431.

Added topics for Flow and Device Detection on page 777.
Added System management introduction on page 192 and VDOM on page 243.
Added Log-related diagnose commands on page 802.
Updated MPLS (SIP and backup) + DIA (cloud apps) on page 166.
2019-05-01 Added Explicit and transparent proxies on page 818.
2019-05-07 Updated Using FortiGate as a DNS server on page 141.

Updated VLANs on page 204.
Added topics for Web Filter:
l URL filter of webfilter on page 342.
l FortiGuard filter of Web Filter on page 348.
l Quota of Web Filter on page 356.
l Web content filter of Web Filter on page 358.
l Advanced Filters 1 on page 362.
l Advanced Filters 2 on page 366.
2019-05-08 Added topics for DNS Filter:

Change Log 13
Date Change Description
l Introduction to DNS Filter on page 388.

l How to configure and apply DNS Filter profile on page 389.
l FortiGuard category-based DNS domain filtering on page 392.
l Botnet C&C domain blocking on page 396.
l External Resources for DNS Filter on page 400.
l DNS safe search on page 406.
l Local domain filter on page 407.
l DNS translation on page 410.
l Use FortiGate as a DNS server on page 412.
2019-05-14 Added Using DHCP interface on page 150.

Added Update FortiGate firmware on page 199.
2019-05-22 Added Replacing the Fortinet_Wifi certificate on page 706.
2019-05-23 Added Sample logs by log type on page 784.

Added Zero touch provisioning with FortiDeploy on page 872.
Added Zero touch provisioning with FortiManager on page 874.
2019-05-24 Added FortiView Introduction on page 130.
2019-05-27 Added VXLAN over IPsec using a VTEP on page 582.
2019-05-28 Added FortiView from FortiAnalyzer on page 134.
2019-05-29 Added Web rating override on page 372.

Added Troubleshooting DNS Filter on page 414.
2019-05-30 Updated Log and report on page 780.
2019-05-31 Added Endpoint control and compliance on page 460.

What's New
For details about new features, see the FortiOS 6.2.0 New Features Guide. New features are organized into the
following sections:
l Expanding fabric family
l Fabric connectors
l SD-WAN
l Multi-Cloud
l Automation and dev-ops
l Advanced threats
l IOT & OT
l SOC adoption
l Compliance
l UX / Usability
l Other

Getting Started
This section explains how to get started with a FortiGate and examines basic configuration tasks and best practices.
Differences between models
Not all FortiGates have the same features, particularly entry-level models (models 30 to 90). A number of features on
this models are only available in the CLI.
Consult your model's QuickStart Guide, hardware manual, or the Feature / Platform Matrix
for further information about features that vary by model.
FortiGate models differ principally by the names used and the features available:
l Naming conventions may vary between FortiGate models. For example, on some models the hardware switch
interface used for the local area network is called lan, while on other units it is called internal.
l Certain features are not available on all models. Additionally, a particular feature may be available only through the
CLI on some models, while that same feature may be viewed in the GUI on other models.
If you believe your FortiGate model supports a feature that does not appear in the GUI, go to System > Feature
Visibility and confirm that the feature is enabled. For more information, see Feature Visibility on page 19.
Using the GUI
This section presents an introduction to the graphical user interface (GUI) on your FortiGate, also called the GUI.
The following topics are included in this section:
l Connecting using a web browser
l Menus
l Dashboard
l Feature Visibility
l Tables
l Text strings
Connecting using a web browser
The graphical user interface is best displayed using a 1280 x 1024 resolution. Check the
FortiOS Release Notes for information about browser compatibility.

Getting Started 16
In order to connect to the GUI using a web browser, an interface must be configured to allow administrative access over
HTTPS or over both HTTPS and HTTP. By default, an interface has already been set up that allows HTTPS access, with
the IP address 192.168.1.99.
Browse to https://192.168.1.99 and enter your username and password. If you have not changed the admin account’s
password, use the default user name, admin, and leave the password field blank.
The GUI will now be displayed in your browser.

If you wish to use a different interface to access the GUI, do the following:
1. Go to Network > Interfaces and edit the interface you wish to use for access. Take note of its assigned IP
address.
2. Beside Administrative Access, select HTTPS, and any other protocol you require. You can also select HTTP,
although this is not recommended as the connection will be less secure.
3. Select OK.
4. Browse to the IP address using your chosen protocol.
The GUI will now be displayed in your browser.
Menus
If you believe your FortiGate model supports a menu that does not appear in the GUI as
expected, go to System > Feature Visibility and ensure the feature is enabled. For more
information, see Feature Visibility on page 19.
The GUI contains the following main menus, which provide access to configuration options for most FortiOS features:
Dashboard The dashboard displays various widgets that display important system
information and allow you to configure some system options.
For more information, see Dashboard on page 17.
Security Fabric Access the physical topology, logical topology, audit, and settings features of the
Fortinet Security Fabric.
For more information, see Security Fabric on page 73.
FortiView A collection of dashboards and logs that give insight into network traffic, showing
which users are creating the most traffic, what sort of traffic it is, when the traffic
occurs, and what kind of threat the traffic may pose to the network.
Network Options for networking, including configuring system interfaces and routing
options.
For more information, see Network Configurations on page 137.
System Configure system settings, such as administrators, FortiGuard, and certificates.

For more information, see System Configurations on page 192.
Policy & Objects Configure firewall policies, protocol options, and supporting content for policies,
including schedules, firewall addresses, and traffic shapers.
For more information, see Policies and Objects on page 266.

Getting Started 17
Security Profiles Configure your FortiGate's security features, including AntiVirus, Web Filter, and
Application Control.
For more information, see Security Profiles on page 322.
VPN Configure options for IPsec and SSL virtual private networks (VPNs).
For more information, see IPsec VPNs on page 473 and SSL VPN on page 634.
User & Device Configure user accounts, groups, and authentication methods, including external
authentication and single sign-on (SSO).
WiFi & Switch Controller Configure the unit to act as a wireless network controller, managing the wireless
Access Point (AP) functionality of FortiWiFi and FortiAP units.
On certain FortiGate models, this menu has additional features allowing for
FortiSwitch units to be managed by the FortiGate.
For more information, see WiFi on page 698.
Log & Report Configure logging and alert email as well as reports.

For more information, see Log and report on page 780.
Monitor View a variety of monitors, including the Routing Monitor, VPN monitors for both
IPsec and SSL, monitors relating to wireless networking, and more.
Dashboard
The FortiOS Dashboard consists of a Network Operations Center (NOC) view with a focus on alerts. Widgets are
interactive. By clicking or hovering over most widgets, the user can see additional information or follow links to other
pages.
The dashboard and its widgets include:
l Multiple dashboard support
l VDOM and global dashboards
l Widget resize control
l Notifications on the top header bar
The following widgets are displayed by default:
Widget Description
System Information The System Information widget lists information relevant to the FortiGate system,
including hostname, serial number, and firmware.
Security Fabric The Security Fabric widget displays a visual summary of many of the devices in the
Fortinet Security Fabric.
CPU The real-time CPU usage is displayed for different time frames.

Getting Started 18
Widget Description
Licenses Hovering over the Licenses widget results in the display of status information (and,
where applicable, database information) on the licenses for FortiCare Support,
Firmware & General Updates, AntiVirus, Web Filter, Security Rating, FortiClient,
and FortiToken. Note that Mobile Malware is not a separate service in FortiOS 6.0.0.
The Mobile Malware subscription is included with the AntiVirus subscription. Clicking in
the Licenses widget provides you with links to other pages, such as System
> FortiGuard or contract renewal pages.
FortiCloud This widget displays FortiCloud status and provides a link to activate FortiCloud.
Administrators This widget allows you to view:

l which administrators are logged in and how many sessions are active (a link directs
you to a page displaying active administrator sessions)
l all connected administrators and the protocols used by each
Memory Real-time memory usage is displayed for different time frames. Hovering over any point
on the graph displays percentage of memory used along with a timestamp.
Sessions Hovering over the Sessions widget allows you to view memory usage data over time.
Click on the down arrow to change the timeframe displayed.
Security processing unit, or SPU , percentage is displayed if your FortiGate includes an
SPU. Likewise, nTurbo percentage is displayed if supported by your FortiGate.
Bandwidth Hover over the Bandwidth widget to display bandwidth usage data over time. Click on
the down arrow to change the timeframe displayed. Bandwidth is displayed for both
incoming and outgoing traffic.
Virtual Machine The VM widget (shown by default in the dashboard of a FortiOS VM device) includes:
l License status and type
l CPU allocation usage
l License RAM usage
l VMX license information (if the VM supports VMX)
If the VM license specifies 'unlimited' the progress bar is blank. If the VM is in evaluation
mode, it is yellow (warning style) and the dashboard shows the number of evaluation days
used.
The following optional widgets are also available:

l FortiView
l Host Scan Summary
l Vulnerabilities Summary
l Botnet Activity
l HA Status
l Log Rate
l Session Rate
l Security Fabric Score
l Advanced Threat Protection Statistics
l Interface Bandwidth

Getting Started 19
Modifying dashboard widget titles
Dashboard widget titles can be modified so that widgets with different filters applied can be easily differentiated. The
widget has a default title unless you set a new title.
Syntax
config system admin

edit <name>
config gui-dashboard
config widget
edit 9
set type fortiview
...
set title "test source by bytes"
end
end
end
Feature Visibility
Feature Visibility is used to control which features are visible in the GUI. This allows you to hide features that are not
being used. Some features are also disabled by default and must be enabled in order to configure them through the
GUI.
Feature Visibility only alters the visibility of these features, rather than their functionality. For example, disabling Web
Filter on the Feature Visibility page does not remove web filtering from the FortiGate, but removes the option of
configuring web filtering from the GUI. Configuration options will still be available using the CLI.
Enabling/disabling features
Feature Visibility can be found at System > Feature Visibility. Ensure that all features you wish to configure in the
GUI are turned on, and that features you wish to hide are turned off. When you have finished, select Apply.
Security feature presets
The main security features can be toggled individually, however six system presets (or Feature Sets) are available:
l NGFW should be chosen for networks that require application control and protection from external attacks.
l ATP should be chosen for networks that require protection from viruses and other external threats.
l WF should be chosen for networks that require web filtering.
l NGFW + ATP should be chosen for networks that require protection from external threats and attacks.
l UTM should be chosen for networks that require protection from external threats and wish to use security features
that control network usage. This is the default setting.
l Custom should be chosen for networks that require customization of available features (including the ability to
select all features).

Getting Started 20
Tables
Many of the GUI pages contain tables of information that you can filter to display specific information. Administrators
with read and write access can define the filters.
Navigation
Some tables contain information and lists that span multiple pages. Navigation controls appear at the bottom of the
page.
Filters
Filters are used to locate a specific set of information or content within multiple pages. These are especially useful in
locating specific log entries. The specific filtering options vary, depending on the type of information in the log.
To create a filter, select Add Filter at the top of the page. A list of the available fields for filtering will be shown.
Column settings
Column settings are used to select the types of information displayed on a certain page. Some pages have large
amounts of information available and not all content can be displayed on a single screen. Some pages may even
contain content that is irrelevant to you. Using column settings, you can choose to display only relevant content.
To view configure column settings, right-click the header of a column and select the columns you wish to view and
deselect any you wish to hide. After you have finished making your selections, click Apply (you may need to scroll down
the list to do so).
Any changes that you make to the column settings are stored in the unit’s configuration. To return columns to the
default state for any given page, right-click any header and select Reset Table.
Copying objects
In tables containing configuration objects, such as the policy table found at Policy & Objects > IPv4 Policy, you have
the option to copy an object. This allows you to create a copy of that object, which you can then configure as needed.
You can also reverse copy a policy to change the direction of the traffic impacted by that policy.
To copy an object:
1. Select that object, then right-click to make a menu appear and select the Copy option.
2. Right-click the row in the table that is either above or below where you want the copied object to be placed, select
the Paste option and indicate Above or Below.
Reverse cloning works much the same way. Instead of selecting Copy, select Clone Reverse.
Once the policy is copied, you must give it a name, configure as needed, and enable it.

Getting Started 21
Editing objects
Some tables allow you to edit parts of the configuration directly on the table itself. For example, security features can be
added to an existing firewall policy from the policy list by clicking on the plus sign in the Security Profiles column and
selecting the desired profiles.
If this option is not immediately available, check to see that the column is not hidden (see Column settings). Otherwise,
you must select the object and open the policy by selecting the Edit option found at the top of the page.
Text strings
The configuration of a FortiGate is stored in the FortiOS configuration database. To change the configuration, you can
use the GUI or CLI to add, delete, or change configuration settings. These changes are stored in the database as you
make them. Individual settings in the configuration database can be text strings, numeric values, selections from a list
of allowed options, or on/off (enable/disable) settings.
Entering text strings (names)
Text strings are used to name entities in the configuration. For example, the name of a firewall address, the name of an
administrative user, and so on. You can enter any character in a FortiGate configuration text string, except the following
characters that present cross-site scripting (XSS) vulnerabilities:
l “ (double quote)
l & (ampersand)
l ' (single quote)
l < (less than)
l > (greater than)
Most GUI text string fields make it easy to add an acceptable number of characters and prevent you from adding the
XSS vulnerability characters.
There is a different character limitation for VDOM names and hostnames. The only valid
characters are numbers (0-9), letters (a-z, A-Z), and special characters - (dash) and _
(underscore).
You can also use the tree command in the CLI to view the number of characters allowed in a name field. For example,
firewall address names can contain up to 64 characters. When you add a firewall address to the GUI, you are limited to
entering 64 characters in the firewall address name field. From the CLI you can enter the following tree command to
confirm that the firewall address name field allows 64 characters.
config firewall address
tree
-- [address] --*name (64)
|- uuid
|- subnet
|- type
|- start-ip
|- end-ip
|- fqdn (256)
|- country (3)

Getting Started 22
|- cache-ttl (0,86400)
|- wildcard
|- comment
|- visibility
|- associated-interface (36)
|- color (0,32)
|- [tags] --*name (65)
+- allow-routing
The tree command output also shows the number of characters allowed for other firewall address name settings. For
example, the fully qualified domain name (fqdn) field can contain up to 256 characters.
Entering numeric values
Numeric values set various sizes, rates, addresses, and other numeric values (e.g. a static routing priority of 10, a port
number of 8080, an IP address of 10.10.10.1). Numeric values can be entered as a series of digits without spaces or
commas (for example, 10 or 64400), in dotted decimal format (for example the IP address 10.10.10.1) or, as in the case
of MAC or IPv6 addresses, separated by colons (e.g. the MAC address 00:09:0F:B7:37:00). Most numeric values are
standard base 10 numbers, but some fields, such as MAC addresses, require hexadecimal numbers.
Most GUI numeric value fields make it easy to add the acceptable number of digits within the allowed range. CLI help
text includes information about allowed numeric value ranges. Both the GUI and the CLI prevent you from entering
invalid numbers.
Using the CLI
The command line interface (CLI) is an alternative configuration tool to the GUI or GUI. While the configuration of the
GUI uses a point-and-click method, the CLI requires typing commands or uploading batches of commands from a text
file, like a configuration script.
This section explains common CLI tasks that an administrator performs on a regular basis and includes the topics:
l Connecting to the CLI on page 22
l CLI-only features on page 26
l Command syntax on page 26
l Sub-commands on page 30
l Permissions on page 33
l Tips on page 33
Connecting to the CLI
You can access the CLI in three ways:

l Local console — Connect your computer directly to the console port of your FortiGate. Local access is required in
some cases:
l If you are installing your FortiGate for the first time and it is not yet configured to connect to your network, you
may only be able to connect to the CLI using a local serial console connection, unless you reconfigure your
computer’s network settings for a peer connection.

Getting Started 23
l Restoring the firmware utilizes a boot interrupt. Network access to the CLI is not available until after the boot
process has completed, making local CLI access the only viable option.
l SSH or Telnet access — Connect your computer through any network interface attached to one of the network
ports on your FortiGate. The network interface must have enabled Telnet or SSH administrative access if you
connect using an SSH/Telnet client, or HTTP/HTTPS administrative access if you connect by accessing the CLI
Console in the GUI. The CLI console can be accessed from the upper-right hand corner of the screen and appears
as a slide-out window.
l — Use the FortiExplorer app on your iOS device to configure, manage, and monitor your FortiGate.
Local console
Local console connections to the CLI are formed by directly connecting your management computer or console to the
FortiGate unit, using its DB-9 or RJ-45 console port. To connect to the local console you need:
l A computer with an available serial communications (COM) port.
l The RJ-45-to-DB-9 or null modem cable included in your FortiGate package.
l Terminal emulation software such as HyperTerminal for Microsoft Windows.
The following procedure describes the connection using Microsoft HyperTerminal software; steps may vary with other
terminal emulators.
To connect to the CLI using a local serial console connection
1. Using the null modem or RJ-45-to-DB-9 cable, connect the FortiGate unit’s console port to the serial
communications (COM) port on your management computer.
2. On your management computer, start HyperTerminal.
3. For the Connection Description, enter a Name for the connection, and select OK.
4. On the Connect using drop-down, select the communications (COM) port on your management computer you are
using to connect to the FortiGate unit.
5. Select OK.
6. Select the following Port settings and select OK.
Bits per second 9600
Data bits 8
Parity None
Stop bits 1
Flow control None
7. Press Enter or Return on your keyboard to connect to the CLI.

8. Type a valid administrator account name (such as admin) and press Enter.
9. Type the password for that administrator account and press Enter. (In its default state, there is no password for the
admin account.)
The CLI displays the following text:
Welcome!
Type ? to list available commands.
You can now enter CLI commands, including configuring access to the CLI through SSH or Telnet.

Getting Started 24
SSH or Telnet access
SSH or Telnet access to the CLI is accomplished by connecting your computer to the FortiGate unit using one of its
RJ-45 network ports. You can either connect directly, using a peer connection between the two, or through any
intermediary network.
If you do not want to use an SSH/Telnet client and you have access to the GUI, you can
alternatively access the CLI through the network using the CLI Console widget in the GUI.
You must enable SSH and/or Telnet on the network interface associated with that physical network port. If your
computer is not connected directly or through a switch, you must also configure the FortiGate unit with a static route to a
router that can forward packets from the FortiGate unit to your computer. You can do this using either a local console
connection or the GUI.
Requirements
l A computer with an available serial communications (COM) port and RJ-45 port
l Terminal emulation software such as HyperTerminal for Microsoft Windows
l The RJ-45-to-DB-9 or null modem cable included in your FortiGate package
l A network cable
l Prior configuration of the operating mode, network interface, and static route.
To enable SSH or Telnet access to the CLI using a local console connection
1. Using the network cable, connect the FortiGate unit’s network port either directly to your computer’s network port,
or to a network through which your computer can reach the FortiGate unit.
2. Note the number of the physical network port.
3. Using a local console connection, connect and log into the CLI.
4. Enter the following command:
config system interface
edit <interface_str>
set allowaccess <protocols_list>
end
where:
l <interface_str> is the name of the network interface associated with the physical network port and
containing its number, such as port1.
l <protocols_list> is the complete, space-delimited list of permitted administrative access protocols, such
as https ssh telnet.
5. To confirm the configuration, enter the command to display the network interface’s settings:
show system interface <interface_str>
6. The CLI displays the settings, including the allowed administrative access protocols, for the network interfaces.
Connecting using SSH
Once the FortiGate unit is configured to accept SSH connections, you can use an SSH client on your management
computer to connect to the CLI.

Getting Started 25
Secure Shell (SSH) provides both secure authentication and secure communications to the CLI. FortiGate units support
3DES and Blowfish encryption algorithms for SSH.
Before you can connect to the CLI using SSH, you must first configure a network interface to accept SSH connections.
The following procedure uses PuTTY. Steps may vary with other SSH clients.
To connect to the CLI using SSH
1. On your management computer, start an SSH client.

2. In Host Name (or IP address), enter the IP address of a network interface on which you have enabled SSH
administrative access.
3. Set Port to 22.
4. For the Connection type, select SSH.
5. Select Open. The SSH client connects to the FortiGate unit.
The SSH client may display a warning if this is the first time you are connecting to the FortiGate unit and its SSH
key is not yet recognized by your SSH client, or if you have previously connected to the FortiGate unit but used a
different IP address or SSH key. This is normal if your management computer is directly connected to the FortiGate
unit with no network hosts between them.
6. Click Yes to verify the fingerprint and accept the FortiGate unit’s SSH key. You will not be able to log in until you
have accepted the key.
7. The CLI displays a login prompt.
9. Type the password for this administrator account and press Enter.
The FortiGate unit displays a command prompt (its hostname followed by a #). You can now enter CLI commands.
If three incorrect log in or password attempts occur in a row, you will be disconnected. If this
occurs, wait one minute, then reconnect to attempt the log in again.
Connecting using Telnet
Once the FortiGate unit is configured to accept Telnet connections, you can use a Telnet client on your management
computer to connect to the CLI.
Telnet is not a secure access method. SSH should be used to access the CLI from the
Internet or any other untrusted network.
Before you can connect to the CLI using Telnet, you must first configure a network interface to accept Telnet
connections.
To connect to the CLI using Telnet
1. On your management computer, start a Telnet client.

2. Connect to a FortiGate network interface on which you have enabled Telnet.
4. Type the password for this administrator account and press Enter. The FortiGate unit displays a command prompt
(its hostname followed by a #). You can now enter CLI commands.

Getting Started 26
If three incorrect login or password attempts occur in a row, you will be disconnected. If this
occurs, wait one minute, then reconnect to attempt the login again.
CLI-only features
As you can see in the Feature / Platform Matrix, the entry level models have a number of features that are only
available using the CLI, rather than appearing in the GUI.
You can open the CLI console so that it automatically opens to the object you wish to configure. For example, to edit a
firewall policy, right-click on the policy in the policy list (Policy & Objects > IPv4 Policy) and select Edit in CLI. The
CLI console will appear, with the commands to access this part of the configuration added automatically.
Once you have access to the CLI, you can enter instructions for specific tasks that can be found throughout the FortiOS
Handbook. Options are also available at the top of the CLI Console to Clear console, Download, and Copy to
clipboard.
Refer to the CLI Reference for a list of the available commands.
Command syntax
When entering a command, the CLI console requires that you use valid syntax and conform to expected input
constraints. It will reject invalid commands.
Fortinet documentation uses the conventions below to describe valid command syntax.
Terminology
Each command line consists of a command word that is usually followed by configuration data or other specific item that
the command uses or affects.
To describe the function of each word in the command line, especially if that nature has changed between firmware
versions, Fortinet uses terms with the following definitions:
l Command — A word that begins the command line and indicates an action that the FortiGate should perform on a
part of the configuration or host on the network, such as config or execute. Together with other words, such as
fields or values, that end when you press the Enter key, it forms a command line. Exceptions include multiline
command lines, which can be entered using an escape sequence. Valid command lines must be unambiguous if
abbreviated. Optional words or other command line permutations are indicated by syntax notation.
l Sub-command — A config sub-command that is available only when nested within the scope of another
command. After entering a command, its applicable sub-commands are available to you until you exit the scope of
the command, or until you descend an additional level into another sub-command. Indentation is used to indicate
levels of nested commands.Not all top-level commands have sub-commands. Available sub-commands vary by
their containing scope.
l Object — A part of the configuration that contains tables and /or fields. Valid command lines must be specific
enough to indicate an individual object.
l Table — A set of fields that is one of possibly multiple similar sets which each have a name or number, such as an
administrator account, policy, or network interface. These named or numbered sets are sometimes referenced by
other parts of the configuration that use them.

Getting Started 27
l Field — The name of a setting, such as ip or hostname. Fields in some tables must be configured with values.
Failure to configure a required field will result in an invalid object configuration error message, and the FortiGate
will discard the invalid table.
l Value — A number, letter, IP address, or other type of input that is usually your configuration setting held by a
field. Some commands, however, require multiple input values which may not be named but are simply entered in
sequential order in the same command line. Valid input types are indicated by constraint notation.
l Option — A kind of value that must be one or more words from of a fixed set of options.
Indentation
Indentation indicates levels of nested commands, which indicate what other sub-commands are available from within
the scope. The “next” and “end” lines are used to maintain a hierarchy and flow to CLI commands, especially helping
to distinguish those commands with extensive sub-commands.
The "next" line is entered at the same indentation-level as the previous “edit”, to mark where you would like to finish
that table entry and move on to the next table entry; doing so will not mean that you have “left” that sub-command.
next
Below is an example command, with a sub-command of entries:
After entering settings for <2> and entering next, the <2> table entry has been saved, and you be set back one level of
indentation so you can continue to create more entries (if you wish).
This hierarchy is best indicated in the CLI console, as the example below is what displays in the console after entering
next:
To go-back up an indentation-level from this point on (i.e. to finish configuring the entries
sub-command), you cannot enter next; you must enter end.
end
Below is the same command and sub-command, except end has been entered instead of next after the sub-
command:

Getting Started 28
Entering end will save the <2> table entry, but bring you out of the sub-command entirely; in this example, you would
enter this when you don’t wish to continue creating new entries.
Again, your hierarchy is best indicated by the CLI console. Below is what displays in the console after entering end:
Notation
Brackets, braces, and pipes are used to denote valid permutations of the syntax. Constraint notations, such as
<address_ipv4>, indicate which data types or string patterns are acceptable value input.
All syntax uses the following conventions:
Convention Description
Square brackets [ ] An optional word or series of words. For example:

[verbose {1 | 2 | 3}]
indicates that you may either omit or type both the word verbose and its
accompanying option/s, such as verbose 3.
See Optional values and ranges below for more information.
Curly braces { } A word or series of words that is constrained to a set of options delimited by either
vertical bars or spaces. You must enter at least one of the options, unless the set
of options is surrounded by square brackets [ ].
Mutually exclusive options - Both mutually and non-mutually exclusive commands will use curly braces, as
delimited by vertical bars | they provide multiple options, however mutually exclusive commands will divide
each option with a pipe. This indicates that you are permitted to enter one option
or the other:
{enable | disable}
Non-mutually exclusive Non-mutually exclusive commands do not use pipes to divide their options. In
options - delimited by spaces those circumstances, multiple options can be entered at once, as long as they are
entered with a space separating each option:
{http https ping snmp ssh telnet}

Getting Started 29
Convention Description
Angle brackets < > A word constrained by data type. The angled brackets contain a descriptive name
followed by an underscore ( _ ) and suffix that indicates the valid data type. For
example, <retries_int>, indicates that you should enter a number of retries
as an integer.
Data types include:
l <xxx_name>: A name referring to another part of the configuration, such as
policy_A.
l <xxx_index>: An index number referring to another part of the
configuration, such as 0 for the first static route.
l <xxx_pattern>: A regular expression or word with wild cards that
matches possible variations, such as *@example.com to match all email
addresses ending in @example.com.
l <xxx_fqdn>: A fully qualified domain name (FQDN), such as
mail.example.com.
l <xxx_email>: An email address, such as [email protected].
l <xxx_ipv4>: An IPv4 address, such as 192.168.1.99.
l <xxx_v4mask>: A dotted decimal IPv4 netmask, such as
255.255.255.0.
l <xxx_ipv4mask>: A dotted decimal IPv4 address and netmask separated
by a space, such as 192.168.1.99 255.255.255.0.
l <xxx_ipv4/mask>: A dotted decimal IPv4 address and CIDR-notation
netmask separated by a slash, such as 192.168.1.1/24
l <xxx_ipv4range> : A hyphen ( - )-delimited inclusive range of IPv4
addresses, such as 192.168.1.1-192.168.1.255.
l <xxx_ipv6>: A colon( : )-delimited hexadecimal IPv6 address, such as
3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.
l <xxx_v6mask>: An IPv6 netmask, such as /96.
l <xxx_ipv6mask>: A dotted decimal IPv6 address and netmask separated
by a space.
l <xxx_str>: A string of characters that is not another data type, such as
P@ssw0rd. Strings containing spaces or special characters must be
surrounded in quotes or use escape sequences.
l <xxx_int>: An integer number that represents a metric, minutes_int
for the number of minutes.
Optional values and ranges
Any field that is optional will use square-brackets, such as set comment. This is because it doesn’t matter whether it’s
set or not. The overall config command will still successfully be taken.
Another example of where square-brackets would be used is to show that multiple options can be set, even intermixed
with ranges. The example below shows a field that can be set to either a specific value or range, or multiple instances:
config firewall service custom
set iprange <range1> [<range2> <range3> ...]
end

Getting Started 30
Sub-commands
Each command line consists of a command word that is usually followed by configuration data or other specific item that
the command uses or affects:
get system admin
Sub-commands are available from within the scope of some commands. When you enter a sub-command level, the
command prompt changes to indicate the name of the current command scope. For example, after entering:
config system admin
the command prompt becomes:

(admin)#
Applicable sub-commands are available to you until you exit the scope of the command, or until you descend an
additional level into another sub-command.
For example, the edit sub-command is available only within a command that affects tables; the next sub-command
is available only from within the edit sub-command:
edit port1
set status up
next
end
Sub-command scope is indicated by indentation.

Available sub-commands vary by command. From a command prompt within config, two types of sub-commands
might become available:
l commands affecting fields
l commands affecting tables
Commands for tables
clone <table> Clone (or make a copy of) a table from the current object.
For example, in config firewall policy, you could enter the following
command to clone security policy 27 to create security policy 30:
clone 27 to 30
In config antivirus profile, you could enter the following command to
clone an antivirus profile named av_pro_1 to create a new antivirus profile
named av_pro_2:
clone av_pro_1 to av_pro_2
clone may not be available for all tables.
delete <table> Remove a table from the current object.
For example, in config system admin, you could delete an administrator
account named newadmin by typing delete newadmin and pressing Enter.
This deletes newadmin and all its fields, such as newadmin’s first-name
and email-address.
delete is only available within objects containing tables.
edit <table> Create or edit a table in the current object.

Getting Started 31
For example, in config system admin:

l edit the settings for the default admin administrator account by typing edit
admin.
l add a new administrator account with the name newadmin and edit
newadmin‘s settings by typing edit newadmin.
edit is an interactive sub-command: further sub-commands are available from
within edit.
edit changes the prompt to reflect the table you are currently editing.
edit is only available within objects containing tables.
In objects such as security policies, <table> is a sequence number. To create a
new entry without the risk of overwriting an existing one, enter edit 0. The CLI
initially confirms the creation of entry 0, but assigns the next unused number after
you finish editing and enter end.
end Save the changes to the current object and exit the config command. This
returns you to the top-level command prompt.
get List the configuration of the current object or table.• In objects, get lists the
table names (if present), or fields and their values.• In a table, get lists the
fields and their values.For more information on get commands, see the CLI
Reference.
purge Remove all tables in the current object.
For example, in config user local, you could type get to see the list of
user names, then type purge and then y to confirm that you want to delete all
users. purge is only available for objects containing tables.
Caution: Back up the FortiGate before performing a purge. purge cannot be
undone. To restore purged tables, the configuration must be restored from a
backup.
Caution: Do not purge system interface or system admin tables.
purge does not provide default tables. This can result in being unable to connect
or log in, requiring the FortiGate to be formatted and restored.
rename <table> to <table> Rename a table.

For example, in config system admin, you could rename admin3 to
fwadmin by typing rename admin3 to fwadmin. rename is only available
within objects containing tables.
show Display changes to the default configuration. Changes are listed in the form of
configuration commands.
Example of table commands
From within the system admin object, you might enter:

edit admin_1
The CLI acknowledges the new table, and changes the command prompt to show that you are now within the admin_1
table:
new entry 'admin_1' added
(admin_1)#

Getting Started 32
Commands for fields
abort Exit both the edit and/or config commands without saving the fields.
append Add an option to an existing list.
end Save the changes made to the current table or object fields, and exit the config
command (to exit without saving, use abort instead).
get List the configuration of the current object or table.

l In objects, get lists the table names (if present), or fields and their values.
l In a table, get lists the fields and their values.
move Move an object within a list, when list order is important. For example,
rearranging security policies within the policy list.
next Save the changes you have made in the current table’s fields, and exit the edit
command to the object prompt (to save and exit completely to the root prompt,
use end instead).
next is useful when you want to create or edit several tables in the same object,
without leaving and re-entering the config command each time.
next is only available from a table prompt; it is not available from an object
prompt.
select Clear all options except for those specified.

For example, if a group contains members A, B, C, and D and you remove all
users except for B, use the command select member B.
set <field> <value> Set a field’s value.

For example, in config system admin, after typing edit admin, you
could type set password newpass to change the password of the admin
administrator to newpass.
Note: When using set to change a field containing a space-delimited list, type
the whole new list. For example, set <field> <new-value> will replace
the list with the <new-value> rather than appending <new-value> to the list.
show Display changes to the default configuration. Changes are listed in the form of
configuration commands.
unselect Remove an option from an existing list.
unset <field> Reset the table or object’s fields to default values.

For example, in config system admin, after typing edit admin, typing
unset password resets the password of the admin administrator account to
the default (in this case, no password).
Example of field commands
To assign the value my1stExamplePassword to the password field, enter the following command from within the
admin_1 table:
set password my1stExamplePassword
Next, to save the changes and edit the next administrator's table, enter the next command.

Getting Started 33
Permissions
Access profiles control which CLI commands an administrator account can access. Access profiles assign either read,
write, or no access to each area of FortiOS. To view configurations, you must have read access. To make changes, you
must have write access. So, depending on the account used to log in to the FortiGate, you may not have complete
access to all CLI commands. For complete access to all commands, you must log in with an administrator account that
has the super_admin access profile. By default the admin administrator account has the super_admin access
profile.
Administrator accounts, with the super_admin access profile are similar to a root administrator account that always
has full permission to view and change all FortiGate configuration options, including viewing and changing all other
administrator accounts and including changing other administrator account passwords.
Increasing the security of administrator accounts
Set strong passwords for all administrator accounts (including the admin account) and change passwords regularly.
Tips
Basic features and characteristics of the CLI environment provide support and ease of use for many CLI tasks.
Help
To display brief help during command entry, press the question mark (?) key.
l Press the question mark (?) key at the command prompt to display a list of the commands available and a
description of each command.
l Type a word or part of a word, then press the question mark (?) key to display a list of valid word completions or
subsequent words, and to display a description of each.
Shortcuts and key commands
Keys Action
? List valid word completions or subsequent words.

If multiple words could complete your entry, display all possible completions with
helpful descriptions of each.
Tab Complete the word with the next available match.

Press the Tab key multiple times to cycle through available matches.
Up arrow, or Ctrl + P Recall the previous command.

Command memory is limited to the current session.
Down arrow, or Ctrl + N Recall the next command.
Left or Right arrow Move the cursor left or right within the command line.
Ctrl + A Move the cursor to the beginning of the command line.
Ctrl + E Move the cursor to the end of the command line.

Getting Started 34
Keys Action
Ctrl + B Move the cursor backwards one word.
Ctrl + F Move the cursor forwards one word.
Ctrl + D Delete the current character.
Ctrl + C Abort current interactive commands, such as when entering multiple lines.
If you are not currently within an interactive command such as config or edit,
this closes the CLI connection.
\ then Enter Continue typing a command on the next line for a multiline command.
For each line that you want to continue, terminate it with a backslash ( \ ). To
complete the command line, terminate it by pressing the spacebar and then the
Enter key, without an immediately preceding backslash.
Command abbreviation
You can abbreviate words in the command line to their smallest number of non-ambiguous characters.
For example, the command get system status could be abbreviated to g sy stat.
Adding and removing options from lists
When adding options to a list, such as a user group, using the set command will remove the previous configuration.
For example, if you wish to add user D to a user group that already contains members A, B, and C, the command would
need to be set member A B C D. If only set member D was used, then all former members would be removed
from the group.
However, there are additional commands which can be used instead of set for changing options in a list.
Additional commands for lists
append Add an option to an existing list.

For example, append member would add user D to a user group while all
previous group members are retained
select Clear all options except for those specified.

For example, if a group contains members A, B, C, and D and you remove all
users except for B, use the command select member B.
unselect Remove an option from an existing list.

For example, unselect member A would remove member A from a group will
all previous group members are retained.
Environment variables
The CLI supports the following environment variables. Variable names are case-sensitive.

Getting Started 35
Environment variables
$USERFROM The management access type (ssh, telnet, jsconsole for the CLI
Console widget in the GUI, and so on) and the IP address of the administrator
that configured the item.
$USERNAME The account name of the administrator that configured the item.
$SerialNum The serial number of the FortiGate unit.
For example, the FortiGate unit’s host name can be set to its serial number:
config system global
set hostname $SerialNum
end
Special characters
The following special characters, also known as reserved characters, are not permitted in most CLI fields: <, >, (, ), #,
', and ". You may be able to enter special characters as part of a string’s value by using a special command, enclosing
it in quotes, or preceding it with an escape sequence — in this case, a backslash ( \ ) character.
In other cases, different keystrokes are required to input a special character. If you need to enter ? as part of config, you
first need to input CTRL-V. If you enter ? without first using CTRL-V, the question mark has a different meaning in the
CLI; it will show available command options in that section.
For example, if you enter ? without CTRL-V:
edit "*.xe
token line: Unmatched double quote.
If you enter ? with CTRL-V:

edit "*.xe?"
new entry '*.xe?' added
Entering special characters
Character Keys
? Ctrl + V then ?
Tab Ctrl + V then Tab
Space Enclose the string in quotation marks: "Security

(to be interpreted as part of a string value, Administrator”.
not to end the string) Enclose the string in single quotes: 'Security
Administrator'.
Precede the space with a backslash: Security\
Administrator.
' \'
(to be interpreted as part of a string value,
not to end the string)
" \"

Getting Started 36
Character Keys
(to be interpreted as part of a string value,

not to end the string)
\ \\
Using grep to filter get and show command output
In many cases, the get and show (and diagnose) commands may produce a large amount of output. If you are
looking for specific information in a large get or show command output, you can use the grep command to filter the
output to only display what you are looking for. The grep command is based on the standard UNIX grep, used for
searching text output based on regular expressions.
Use the following command to display the MAC address of the FortiGate unit internal interface:
get hardware nic internal | grep Current_HWaddr
Current_HWaddr 00:09:0f:cb:c2:75
Use the following command to display all TCP sessions in the session list and include the session list line number in the
output:
get system session list | grep -n tcp
Use the following command to display all lines in HTTP replacement message commands that contain URL (upper or
lower case):
show system replacemsg http | grep -i url
There are three additional options that can be applied to grep:

-A <num> After
-B <num> Before
-C <num> Context
The option -f is also available to support contextual output, in order to show the complete configuration. The following
example shows the difference in output when -f option is used versus when it is not.
Using -f:
show | grep -f ldap-group1

config user group
edit "ldap-group1"
set member "pc40-LDAP"
next
end
config firewall policy
edit 2
set srcintf "port31"
set dstintf "port32"
set srcaddr "all"
set action accept
set identity-based enable
set nat enable
config identity-based-policy
edit 1
set schedule "always"
set groups "ldap-group1"
set dstaddr "all"

Getting Started 37
set service "ALL"

next
end
next
end
Without using -f:
show | grep ldap-group1

edit "ldap-group1"
set groups "ldap-group1"
Language support and regular expressions
Characters such as ñ, é, symbols, and ideographs are sometimes acceptable input. Support varies by the nature of the
item being configured. CLI commands, objects, field names, and options must use their exact ASCII characters, but
some items with arbitrary names or values may be input using your language of choice. To use other languages in those
cases, you must use the correct encoding.
Input is stored using Unicode UTF-8 encoding but is not normalized from other encodings into UTF-8 before it is stored.
If your input method encodes some characters differently than in UTF-8, your configured items may not display or
operate as expected.
Regular expressions are especially impacted. Matching uses the UTF-8 character values. If you enter a regular
expression using another encoding, or if an HTTP client sends a request in an encoding other than UTF-8, matches may
not be what you expect.
For example, with Shift-JIS, backslashes ( \ ) could be inadvertently interpreted as the symbol for the Japanese yen ( ¥ )
and vice versa. A regular expression intended to match HTTP requests containing money values with a yen symbol
therefore may not work it if the symbol is entered using the wrong encoding.
For best results, you should:
l use UTF-8 encoding, or
l use only the characters whose numerically encoded values are the same in UTF-8, such as the US-ASCII
characters that are also encoded using the same values in ISO 8859-1, Windows code page 1252, Shift-JIS and
other encodings, or
l for regular expressions that must match HTTP requests, use the same encoding as your HTTP clients.
HTTP clients may send requests in encodings other than UTF-8. Encodings usually vary by
the client’s operating system or input language. If you cannot predict the client’s encoding,
you may only be able to match any parts of the request that are in English, because
regardless of the encoding, the values for English characters tend to be encoded identically.
For example, English words may be legible regardless of interpreting a web page as either
ISO 8859-1 or as GB2312, whereas simplified Chinese characters might only be legible if the
page is interpreted as GB2312.
If you configure your FortiGate unit using other encodings, you may need to switch language settings on your
management computer, including for your web browser or Telnet/SSH client. For instructions on how to configure your
management computer’s operating system language, locale, or input method, see its documentation.
If you choose to configure parts of the FortiGate unit using non-ASCII characters, verify that all systems interacting with
the FortiGate unit also support the same encodings. You should also use the same encoding throughout the

Getting Started 38
configuration if possible in order to avoid needing to switch the language settings of the GUI and your web browser or
Telnet/SSH client while you work.
Similarly to input, your web browser or CLI client should normally interpret display output as encoded using UTF-8. If it
does not, your configured items may not display correctly in the GUI or CLI. Exceptions include items such as regular
expressions that you may have configured using other encodings in order to match the encoding of HTTP requests that
the FortiGate unit receives.
To enter non-ASCII characters in the CLI console:
1. On your management computer, start your web browser and go to the URL for the FortiGate unit’s GUI.
2. Configure your web browser to interpret the page as UTF-8 encoded.
3. Log in to the FortiGate unit.
4. Open the CLI Console from the upper right-hand corner.
5. In the title bar of the CLI Console widget, click Edit (the pencil icon).
6. Enable Use external command input box and select OK.
7. The Command field appears below the usual input and display area of the CLI Console .
8. Type a command in this field and press Enter.
In the display area, the CLI Console widget displays your previous command interpreted into its character code
equivalent, such as:
edit \743\601\613\743\601\652
and the command’s output.
To enter non-ASCII characters in a Telnet/SSH client
1. On your management computer, start your Telnet or SSH client.

2. Configure your Telnet or SSH client to send and receive characters using UTF-8 encoding.
Support for sending and receiving international characters varies by each Telnet/SSH client. Consult the
documentation for your Telnet/SSH client.
3. Log in to the FortiGate unit.
4. At the command prompt, type your command and press Enter.
You may need to surround words that use encoded characters with single quotes ( ' ).
Depending on your Telnet/SSH client’s support for your language’s input methods and for sending international
characters, you may need to interpret them into character codes before pressing Enter.
For example, you might need to enter:
edit '\743\601\613\743\601\652'
5. The CLI displays your previous command and its output.
Screen paging
You can configure the CLI to pause after displaying each page’s worth of text when displaying multiple pages of output.
When the display pauses, the last line displays --More--. You can then either:
l press the spacebar to display the next page.
l type Q to truncate the output and return to the command prompt.
This may be useful when displaying lengthy output, such as the list of possible matching commands for command
completion, or a long list of settings. Rather than scrolling through or possibly exceeding the buffer of your terminal
emulator, you can simply display one page at a time.

Getting Started 39
To configure the CLI Console to pause display when the screen is full:
config system console
set output more
end
Baud rate
You can change the default baud rate of the local console connection.
To change the baud rate enter the following commands:
config system console
set baudrate {9600 | 19200 | 38400 | 57600 | 115200}
end
Editing the configuration file on an external host
You can edit the FortiGate configuration on an external host by first backing up the configuration file to a TFTP server.
Then edit the configuration file and restore it to the FortiGate unit.
Editing the configuration on an external host can be timesaving if you have many changes to make, especially if your
plain text editor provides advanced features such as batch changes.
To edit the configuration on your computer:
1. Use execute backup to download the configuration file to a TFTP server, such as your management computer.
2. Edit the configuration file using a plain text editor that supports Unix-style line endings.
Do not edit the first line. The first line(s) of the configuration file (preceded by a #
character) contains information about the firmware version and FortiGate model. If you
change the model number, the FortiGate unit will reject the configuration file when you
attempt to restore it.
3. Use execute restore to upload the modified configuration file back to your FortiGate.
The FortiGate downloads the configuration file and checks that the model information is correct. If it is correct, the
FortiGate unit loads the configuration file and checks each command for errors. If a command is invalid, the
FortiGate unit ignores the command. If the configuration file is valid, the FortiGate unit restarts and loads the new
configuration.
FortiExplorer for iOS
FortiExplorer for iOS is a user-friendly application that helps you to quickly and easily configure, manage, and monitor
FortiGate appliances using an iOS device. FortiExplorer lets you rapidly provision, deploy, and monitor Security Fabric
components including FortiGate, FortiWiFi, and FortiAP devices.
FortiExplorer for iOS requires iOS 9.3 or later and is compatible with iPhone, iPad, and iPod Touch. It is supported by
FortiOS 5.6+ and is only available on the App Store for iOS devices.
Advanced features are available with the purchase of FortiExplorer Pro. Paid features include the ability to add more
than two devices and the ability to download firmware images from FortiCare.

Getting Started 40
Up to six members can use this app with 'Family Sharing' enabled in the App Store.
Getting started with FortiExplorer
If your FortiGate is accessible on the wireless network, you can connect to it using FortiExplorer provided that your
iOS device is on the same network (see Connecting FortiExplorer to a FortiGate via WiFi). Otherwise, you will need to
physically connect your iOS device to the FortiGate using a USB cable.
Connecting FortiExplorer to a FortiGate via USB
For the purpose of this document, we assume that you are just getting started; you do not have access to the FortiGate
over the wireless network, and the FortiGate is in its factory configuration.
1. Connect your iOS device to your FortiGate’s USB management port.If prompted on your iOS device, Trust this
'computer'.
2. Open the FortiExplorer app and select your FortiGate from the list under USB Attached Device.
3. On the Login screen, select USB.
4. Enter the default Username (admin) and leave the Password field blank.
5. You can opt to Remember Password. Tap Done when you are ready.
6. FortiExplorer opens the FortiGate management interface to the Device Status page:
7. Go to Network > Interfaces and configure the WAN interface(s).In the example, the wan1 interface Address
mode is set to DHCP by default. Set it to Manual and enter its Address, Netmask, and Default Gateway, and
then Apply your changes.

Getting Started 41
8. (Optional) Configure Administrative Access to allow HTTP and HTTPS access.This will allow administrators to
access the FortiGate GUI using a web browser.
9. Go to Network > Interfaces and configure the local network (internal) interface.Set the Address mode as before
and configure Administrative Access if desired.
10. Configure a DHCP Server for the internal network subnet.
11. Return to the internal interface using the < button at the top of the screen.

Getting Started 42
12. Go to Network > Static Routes and configure the static route to the gateway.
13. Go to Policy & Objects > IPv4 Policy and edit the Internet access policy. As a best practice, provide a Name for
the policy, enable the desired Security Profiles, and configure Logging Options. Select OK to finalize.
Running a Security Fabric Rating
The FortiGate is now configured in a very basic state. Once you've configured the other potential elements of your
network, such as other Interfaces, Schedules, or Managed FortiAPs, it is recommended that you run a Security
Fabric Rating to identify potential vulnerabilities and highlight best practices that could be used to improve your
network’s overall security and performance.
Go to Security Fabric > Security Rating and follow the steps to determine a Security Score for the selected device
(s). The results should identify issues ranging from Medium to Critical importance, and may provide recommended
actions where possible.

Getting Started 43
Connecting FortiExplorer to a FortiGate via WiFi
If your FortiGate is accessible on the wireless network, you can connect to it using FortiExplorer provided that your
iOS device is on the same network. Assuming this is the case:
1. Open the FortiExplorer app and select Add from the Devices page.
2. Enter the Host information and appropriate Username and Password credentials. If necessary, change the
default Port number, and opt to Remember Password.
3. If the FortiGate device identity cannot be verified, click Connect at the prompt. FortiExplorer opens the FortiGate
management interface to the Device Status page.
Upgrading to FortiExplorer Pro
Paid features provided with the purchase of FortiExplorer Pro include the ability to add more than two devices and the
ability to download firmware images from FortiCare.
To upgrade to FortiExplorer Pro, open the FortiExplorer app, go to Settings and select Upgrade to FortiExplorer
Pro. Follow the on-screen prompts.

Getting Started 44
LED specifications
The following section includes information regarding FortiGate LED status indicators.
l Sample FortiGate faceplates on page 44
l LED status codes on page 44
l About alarm levels on page 45
l LED status codes for ports on page 45
Sample FortiGate faceplates
The faceplates indicate where the LEDs are typically found on desktop and mid-range FortiGate models.
FortiGate 100D
FortiGate 30E
LED status codes
For more information about alarms, see About Alarm Levels.
LABEL STATE MEANING
PWR Green Power is on.
Off Power is off.

Getting Started 45
LABEL STATE MEANING
STA Green Normal status.
Flashing Green Booting up. If the FortiGate has a reset button, this could also means that
the reset button was used.
Red The FortiGate has a critical alarm.
ALARM Off No alarms or the FortiGate has a minor alarm.
Amber The FortiGate has a major alarm.
Red The FortiGate has a critical alarm. The status LED will also be red.
HA Green FortiGate is operating in an FGCP HA cluster.
Red A failover has occurred. The failover operation feature is not available in all
models.
Off HA not configured.
WIFI Green Wireless port is active.
Flashing Green Wireless interface is transmitting and receiving data.
Off Wireless interface is down.
About alarm levels
Minor, major, and critical alarms are defined based on IPMI, ATCA, and Telco standards for naming alarms.
l A minor alarm (also called an IPMI non-critical (NC) alarm) indicates a temperature or a power level outside of the
normal operating range that is not considered a problem. In the case of a minor temperature alarm, the system
could respond by increasing fan speed. A non-critical threshold can be an upper non-critical (UNC) threshold (for
example, a high temperature or a high power level) or a lower non-critical (LNC) threshold (for example, a low
power level). The LEDs do not indicate minor alarms since user intervention is not required.
l A major alarm (also called an IPMI critical or critical recoverable (CR) alarm) indicates that the system itself cannot
correct the cause for the alarm and that intervention is required. For example, the cooling system cannot provide
enough cooling to reduce the temperature. It could also mean that conditions (e.g. temperature) are approaching
the outside limit of the allowed operating range. A critical threshold can also be an upper critical (UC) threshold
(e.g. a high temperature or a high power level) or a lower critical (LC) threshold (e.g. a low power level).
l A critical alarm (also called an IPMI non-recoverable (NR) alarm) indicates detection of a temperature or power
level that is outside of the allowed operating range and could potentially cause physical damage.
LED status codes for ports
TYPE OF PORT STATE MEANING
Ethernet Ports Link Green Connected.

/ Activity On FortiGate models with front-facing ports, this LED is to the left of
the port. On FortiGate models with ports at the back of the device,
this LED is in the upper row.

Getting Started 46
TYPE OF PORT STATE MEANING
Flashing Green Transmitting and receiving data.
Off No link established.
Ethernet Ports Green Connected at 1Gbps.

Speed On FortiGate models with front-facing ports, this LED is to the right
of the port. On FortiGate models with ports at the back of the device,
this LED is in the lower row.
Amber Connected at 100Mbps.
Off Not connected or connected at 10Mbps.
SFP Ports Green Connected.
Flashing Green Transmitting and receiving data.
Off No link established.
Basic administration
This section contains information about basic FortiGate administration that you can do after you installing the unit in
your network.
Registration
In order to have full access to Fortinet Support and FortiGuard Services, you must register your FortiGate.
Registering your FortiGate:
1. Go to the Dashboard and locate the Licenses widget.

2. Click on FortiCare Support to display a pop-up window and Register.
3. In the pop-up window, either use an existing Fortinet Support account or create a new one. Select your Country
and Reseller.
4. Select OK.
FortiGate platforms don't impose any limitations on the number or type of customers, users, devices, IP addresses, or
number of VPN clients being served by the platform. Such factors are limited solely by the hardware capacity of each
given model.
System settings
There are several system settings that should be configured once your FortiGate is installed:
l Default administrator password on page 47
l Settings on page 47
l Changing the host name on page 47

Getting Started 47
l System time on page 47

l Administration settings on page 48
l Password policy on page 49
l View settings on page 49
l Administrator password retries and lockout time on page 49
Default administrator password
By default, your FortiGate has an administrator account set up with the username admin and no password. In order to
prevent unauthorized access to the FortiGate, it is highly recommended that you add a password to this account.
To change the default password:
1. Go to System > Administrators.

2. Edit the admin account.
3. Select Change Password.
4. Enter the New Password and re-enter the password for confirmation.
5. Select OK.
It is also recommended to change the user name of this account; however, since you cannot change the user name of
an account that is currently in use, a second administrator account will need to be created in order to do this.
Settings
Settings can be accessed by going to System > Settings. On this page, you can change the Host name, set the
system time and identify time zone in System Time, configure HTTP, HTTPS, SSH, and Telnet ports as well as idle
timeout in Administration Settings, designate the Password Policy, and manage display options and designate
inspection mode in View Settings.
Changing the host name
The host name of your FortiGate appears in the Hostname row in the System Information widget on the
Dashboard. The host name also appears at the CLI prompt when you are logged in to the CLI, and as the SNMP
system name.
To change the host name on the FortiGate
Go to System > Settings and type in the new name in the Host name row. The only administrators that can change a
FortiGate’s host name are administrators whose admin profiles permit system configuration write access. If the
FortiGate is part of an HA cluster, you should use a unique host name to distinguish the FortiGate from others in the
cluster.
System time
For effective scheduling and logging, the FortiGate system time and date should be accurate. You can either manually
set the system time and date or configure the FortiGate to automatically synchronize with a Network Time Protocol
(NTP) server.

Getting Started 48
NTP enables you to keep the FortiGate time synchronized with other network systems. By enabling NTP on the
FortiGate, FortiOS will check with the NTP server you select at the configured intervals. This will also ensure that logs
and other time-sensitive settings on the FortiGate are correct.
The FortiGate maintains its internal clock using a built-in battery. At start up, the time reported by the FortiGate will
indicate the hardware clock time, which may not be accurate. When using NTP, the system time might change after the
FortiGate has successfully obtained the time from a configured NTP server.
By default, FortiOS has the daylight savings time configuration enabled. The system time
must be manually adjusted after daylight saving time ends. To disable DST, enter the
following commands in the CLI:
set dst disable
end
To set the date and time
1. Go to the System > Settings.

2. Under System Time, select your Time Zone by using the drop-down menu.
3. Set Time by either selecting Synchronize with NTP Server or Manual settings. If you select synchronization,
you can either use the default FortiGuard servers or specify a custom server. You can also set the Sync interval.
4. If you use an NTP server, you can identify a specific interface for this self-originating traffic by enabling Setup
device as local NTP server.
5. Select Apply.
Administration settings
In order to improve security, you can change the default port configurations for administrative connections to the
FortiGate. When connecting to the FortiGate when the port has changed, the port must be included, such as
https://<ip_address>:<port>. For example, if you are connecting to the FortiGate using port 99, the URL
would be https://192.168.1.99:99.
To configure the port settings:
1. Go to System > Settings.
2. Under Administration Settings, change the port numbers for HTTP, HTTPS, SSH, and/or Telnet as needed. You
can also select Redirect to HTTPS in order to avoid HTTP being used for the administrators.
3. Select Apply.
When you change the default port number for HTTP, HTTPS, SSH, or Telnet, ensure that the port number is unique. If
a conflict exists with a particular port, a warning message will appear.
By default, the GUI disconnects administrative sessions if no activity occurs for five minutes. This prevents someone
from using the GUI if the management PC is left unattended.
To change the idle timeout
2. In the Administration Settings section, enter the time in minutes in the Idle timeout field.
3. Select Apply.

Getting Started 49
Password policy
The FortiGate includes the ability to create a password policy for administrators and IPsec pre-shared keys. With this
policy, you can enforce regular changes and specific criteria for a password including:
l minimum length between 8 and 64 characters.
l if the password must contain uppercase (A, B, C) and/or lowercase (a, b, c) characters.
l if the password must contain numbers (1, 2, 3).
l if the password must contain special or non-alphanumeric characters (!, @, #, $, %, ^, &, *, (, and )).
l where the password applies (admin or IPsec or both).
l the duration of the password before a new one must be specified.
To create a password policy - GUI
2. Configure Password Policy settings as required.
3. Click Apply.
If you add a password policy or change the requirements on an existing policy, the next time that administrator logs into
the FortiGate, they are prompted to update their password to meet the new requirements before proceeding to log in.
View settings
Three settings can change the presentation of information in the GUI: Language, Lines per page, and Theme.
To change the language, go to System > Settings. Select the language you want from the Language drop-down list:
English (the default), French, Spanish, Portuguese, Japanese, Traditional Chinese, Simplified Chinese, or Korean. For
best results, you should select the language that is used by the management computer.
To change the number of lines per page displayed in the GUI tables, set Lines per page to a value between 20 and
1,000. The default is 50 lines per page.
Five color themes are currently available: Green (the default), Red, Blue, Melongene, and Mariner. To change your
theme, select the color from the Theme drop-down list.
This is also where you select either Flow-based or Proxy Inspection Mode . If you select Flow-based mode, then you
need to specify if it is NGFW Profile-based or NGFW Policy-based inspection.
Administrator password retries and lockout time
By default, the FortiGate sets the number of password retries at three, allowing the administrator a maximum of three
attempts to log into their account before locking the account for a set amount of time.
Both the number of attempts (admin-lockout-threshold) and the wait time before the administrator can try to
enter a password again (admin-lockout-duration) can be configured within the CLI.
To configure the lockout options:

set admin-lockout-threshold <failed_attempts>
set admin-lockout-duration <seconds>
end

Getting Started 50
The default value of admin-lockout-threshold is 3 and the range of values is between 1 and 10. The admin-
lockout-duration is set to 60 seconds by default and the range of values is between 1 and 4294967295 seconds.
Keep in mind that the higher the lockout threshold, the higher the risk that someone may be able to break into the
FortiGate.
Example:
To set the admin-lockout-threshold to one attempt and the admin-lockout-duration to a five minute
duration before the administrator can try to log in again, enter the commands:
set admin-lockout-threshold 1
set admin-lockout-duration 300
end
If the time span between the first failed login attempt and the admin-lockout-
threshold failed login attempt is less than admin-lockout-duration, the lockout will
be triggered.
Passwords
Using secure passwords are vital for preventing unauthorized access to your FortiGate. When changing the password,
consider the following to ensure better security:
l Do not make passwords that are obvious, such as the company name, administrator names, or other obvious words
or phrases.
l Use numbers in place of letters, for example, passw0rd.
l Administrator passwords can be up to 64 characters.
l Include a mixture of letters, numbers, and upper and lower case.
l Use multiple words together, or possibly even a sentence, for example keytothehighway.
l Use a password generator.
l Change the password regularly and always make the new password unique and not a variation of the existing
password, such as changing from password to password1.
l Make note of the password and store it in a safe place away from the management computer, in case you forget it
or ensure that at least two people know the password in the event that one person becomes ill, is away on vacation,
or leaves the company. Alternatively, have two different admin logins.
Downgrades will typically maintain the administrator password. If you need to downgrade to FortiOS 4.3, remove the
password before the downgrade, then log in after the downgrade and re-configure the password.
Password policy
The FortiGate includes the ability to create a password policy for administrators and IPsec pre-shared keys. With this
policy, you can enforce regular changes and specific criteria for a password including:
l minimum length between 8 and 64 characters.
l if the password must contain uppercase (A, B, C) and/or lowercase (a, b, c) characters.
l if the password must contain numbers (1, 2, 3).
l if the password must contain special or non-alphanumeric characters (!, @, #, $, %, ^, &, *, (, and )).

Getting Started 51
l where the password applies (admin or IPsec or both).

l the duration of the password before a new one must be specified.
To create a password policy - GUI
2. Configure Password Policy settings as required.
3. Click Apply.
the FortiGate, they are prompted to update their password to meet the new requirements before proceeding to log in.
Configuration backups
Once you successfully configure the FortiGate, it is extremely important that you backup the configuration. In some
cases, you may need to reset the FortiGate to factory defaults or perform a TFTP upload of the firmware, which will
erase the existing configuration. In these instances, the configuration on the device will have to be recreated, unless a
backup can be used to restore it. You should also backup the local certificates, as the unique SSL inspection CA and
server certificates that are generated by your FortiGate by default are not saved in a system backup.
We also recommend that you backup the configuration after any changes are made, to ensure you have the most
current configuration available. Also, backup the configuration before any upgrades of the FortiGate’s firmware. Should
anything happen to the configuration during the upgrade, you can easily restore the saved configuration.
Always backup the configuration and store it on the management computer or off-site. You have the option to save the
configuration file to various locations including the local PC, USB key, FTP, and TFTP server. The last two are
configurable through the CLI only.
If you have VDOMs, you can back up the configuration of the entire FortiGate or only a specific VDOM. Note that if you
are using FortiManager or FortiCloud, full backups are performed and the option to backup individual VDOMs will not
appear.
You can also backup and restore your configuration using Secure File Copy (SCP). See How
to download/upload a FortiGate configuration file using secure file copy (SCP).
You enable SCP support using the following command:
set admin-scp enable
end
For more information about this command and about SCP support, see config system global.
Backing up the configuration
To backup the configuration using the GUI:
1. Click on the user name in the upper right-hand corner of the screen and select Configuration > Backup.
2. Direct the backup to your Local PCor to a USB Disk.
The USB Disk option will not be available if no USB drive is inserted in the USB port. You can also backup to the
FortiManager using the CLI.
3. If VDOMs are enabled, indicate whether the scope of the backup is the entire FortiGate configuration (Global) or
only a specific VDOM configuration (VDOM).

Getting Started 52
If backing up a VDOM configuration, select the VDOM name from the list.
4. Enable Encryption. Encryption must be enabled on the backup file to back up VPN certificates.
5. Enter a password, and enter it again to confirm it. This password will be required to restore the configuration.
6. Click OK.
7. When prompted, select a location on the PC or USB disk to save the configuration file. The configuration file will
have a .conf extension.
To backup the configuration using the CLI:
Use one of the following commands:

execute backup config management-station <comment>
or:
execute backup config usb <backup_filename> [<backup_password>]
or for FTP, note that port number, username are optional depending on the FTP site:
execute backup config ftp <backup_filename> <ftp_server> [<port>] [<user_name>] [<password>]
or for TFTP:
execute backup config tftp <backup_filename> <tftp_servers> <password>
Use the same commands to backup a VDOM configuration by first entering the commands:
config vdom
edit <vdom_name>
Restoring a configuration
To restore the FortiGate configuration using the GUI:
1. Click on the user name in the upper right-hand corner of the screen and select Configuration > Restore.
2. Identify the source of the configuration file to be restored: your Local PCor a USB Disk.
The USB Disk option will not be available if no USB drive is inserted in the USB port. You can restore from the
FortiManager using the CLI.
3. Click Upload, locate the configuration file, and click Open.
4. Enter the password if required.
5. Click OK.
To restore the FortiGate configuration using the CLI:
execute restore config management-station normal 0
or:
execute restore config usb <filename> [<password>]
or for FTP, note that port number, username are optional depending on the FTP site:
execute restore config ftp <backup_filename> <ftp_server> [<port>] [<user_name>]
[<password>]
or for TFTP:
execute restore config tftp <backup_filename> <tftp_server> <password>

Getting Started 53
The FortiGate will load the configuration file and restart. Once the restart has completed, verify that the configuration
has been restored.
Troubleshooting
When restoring a configuration, errors may occur, but the solutions are usually straightforward.
Error message Reason and Solution
Configuration file error This error occurs when attempting to upload a configuration file that is
incompatible with the device. This may be due to the configuration file being for a
different model or being saved from a different version of firmware.
Solution: Upload a configuration file that is for the correct model of FortiGate
device and the correct version of the firmware.
Invalid password When the configuration file is saved, it can be protected by a password. The
password entered during the upload process is not matching the one associated
with the configuration file.
Solution: Use the correct password if the file is password protected.
Configuration revision
You can manage multiple versions of configuration files on models that have a 512MB flash memory and higher.
Revision control requires either a configured central management server or the local hard drive, if your FortiGate has
this feature. Typically, configuration backup to local drive is not available on lower-end models.
The central management server can either be a FortiManager unit or FortiCloud.
If central management is not configured on your FortiGate unit, a message appears instructing you to either
l Enable central management, or
l Obtain a valid license.
When revision control is enabled on your FortiGate unit, and configuration backups have been made, a list of saved
revisions of those backed-up configurations appears.
Configuration revisions are viewed by clicking on the user name in the upper right-hand corner of the screen and
selecting Configuration > Revisions.
Backup and restore the local certificates
This procedure exports a server (local) certificate and private key together as a password protected PKCS12 file. The
export file is created through a customer-supplied TFTP server. Ensure that your TFTP server is running and accessible
to the FortiGate before you enter the command.
To back up the local certificates:
Connect to the CLI and use the following command:

execute vpn certificate local export tftp <cert_name> <filename> <tftp_ip>
where:
l <cert_name> is the name of the server certificate.
l <filename> is a name for the output file.

Getting Started 54
l <tftp_ip> is the IP address assigned to the TFTP server host interface.
To restore the local certificates using the GUI:
1. Move the output file from the TFTP server location to the management computer.
2. Go to System > Certificates and click Import > Local.
3. Select the certificate type, then click Upload in the Certificate file field.
4. On the management computer, browse to the file location, select it, and click Open.
5. If the Type is Certificate, upload the Key file as well.
6. If required, enter the Password that is required to upload the file or files.
7. Click OK.
To restore the local certificates using the CLI:
Connect to the CLI and use the following command:

execute vpn certificate local import tftp <filename> <tftp_ip>
Restore factory defaults
There may be a need to reset the FortiGate to its original defaults; for example, to begin with a fresh configuration.
There are two options when restoring factory defaults. The first resets the entire device to the original out-of-the-box
configuration.
You can reset the device with the following CLI command:
execute factoryreset
When prompted, type y to confirm the reset.
Alternatively, in the CLI you can reset the factory defaults but retain the interface and VDOM configuration with the
following command:
execute factoryreset2
Firmware
Fortinet periodically updates the FortiGate firmware to include new features and resolve important issues. After you
have registered your FortiGate unit, you can download firmware updates from the Fortinet Support web site,
Before you install any new firmware, be sure to follow the steps below:
l Review the Release Notes for a new firmware release.
l Review the Supported Upgrade Paths to prepare for the upgrade of FortiOS on your FortiGate.
l Backup the current configuration, including local certificates.
l Test the new firmware until you are satisfied that it applies to your configuration.
Installing new firmware without reviewing release notes or testing the firmware may result in changes to settings or
unexpected issues.

Getting Started 55
Only FortiGate admin users and administrators whose access profiles contain system read
and write privileges can change the FortiGate firmware.
Backing up the current configuration
You should always back up the configuration before installing new firmware, in case you need to restore your FortiGate
configuration.
For more information and instructions on backing up and restoring your configuration, see Configuration backups on
page 51.
Downloading
Firmware images for all FortiGate units are available on the Fortinet Support website.
To download firmware:
1. Log into the site using your user name and password.
2. Go to Download > Firmware Images.
3. A list of Release Notes is shown. If you have not already done so, download and review the Release Notes for the
firmware you wish to upgrade your FortiGate unit to.
4. Select Download.
Firmware can also be downloaded using FTP; however, as FTP is not an encrypted file
transferring protocol, HTTPS downloading is recommended.
5. Navigate to the folder for the firmware version you wish to use.
6. Select your FortiGate model from the list. If your unit is a FortiWiFi, the firmware will have a filename starting with
'FWF'.
7. Save the firmware image to your computer.
Testing
The integrity of firmware images downloaded from Fortinet's support portal can be verified using a file checksum. A file
checksum that does not match the expected value indicates a corrupt file. The corruption could be caused by errors in
transfer or by file modification. A list of expected checksum values for each build of released code is available on
Fortinet’s support portal.
Image integrity is also verified when the FortiGate is booting up. This integrity check is done through a cyclic
redundancy check (CRC). If the CRC fails, the FortiGate unit will encounter an error during the boot process.
Lastly, firmware images are signed and the signature is attached to the code as it is built. When upgrading an image,
the running OS will generate a signature and compare it with the signature attached to the image. If the signatures do
not match, the new OS will not load.

Getting Started 56
Testing before installation
FortiOS lets you test a new firmware image by installing the firmware image from a system reboot and saving it to
system memory. After completing this procedure, the FortiGate unit operates using the new firmware image with the
current configuration. This new firmware image is not permanently installed. The next time the FortiGate unit restarts, it
operates with the originally installed firmware image using the current configuration. If the new firmware image
operates successfully, you can install it permanently using the procedure explained in Upgrading firmware.
To use this procedure, you must connect to the CLI using the FortiGate console port and an RJ-45 to DB-9 or null
modem cable. This procedure temporarily installs a new firmware image using your current configuration.
For this procedure, you must install a TFTP server that you can connect to from the FortiGate internal interface. The
TFTP server should be on the same subnet as the internal interface.
To test the new firmware image:
1. Connect to the CLI using an RJ-45 to DB-9 or null modem cable.

2. Make sure the TFTP server is running.
3. Copy the new firmware image file to the root directory of the TFTP server.
4. Make sure the FortiGate unit can connect to the TFTP server using the execute ping command.
5. Enter the following command to restart the FortiGate unit: execute reboot
6. As the FortiGate unit reboots, press any key to interrupt the system startup. As the FortiGate unit starts, a series of
system startup messages appears: Press any key to display configuration menu....
7. Immediately press any key to interrupt the system startup.
You have only three (3) seconds to press any key. If you do not press a key quickly
enough, the FortiGate unit reboots and you must log in and repeat the execute
reboot command.
8. If you successfully interrupt the startup process, the following messages appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default
[C]: Configuration and information
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G, F, Q, or H:
9. Type G to get the new firmware image from the TFTP server. The following message appears: Enter TFTP
server address [192.168.1.168]:
10. Type the address of the TFTP server and press Enter. The following message appears: Enter Local
Address [192.168.1.188]:
11. Type an IP address of the FortiGate unit to connect to the TFTP server. The IP address must be on the same
network as the TFTP server.
Make sure you do not enter the IP address of another device on this network.
12. The following message appears: Enter File Name [image.out]:

Getting Started 57
13. Enter the firmware image file name and press Enter. The TFTP server uploads the firmware image file to the
FortiGate unit and the following appears: Save as Default firmware/Backup firmware/Run image
without saving: [D/B/R]
14. Type R. The FortiGate image is installed to system memory and the FortiGate unit starts running the new firmware
image, but with its current configuration.
You can test the new firmware image as required. When done testing, you can reboot the FortiGate unit, and the
FortiGate unit will resume using the firmware that was running before you installed the test firmware.
Upgrading firmware
Installing firmware replaces your current antivirus and attack definitions, along with the definitions included with the
firmware release you are installing. After you install new firmware, make sure that antivirus and attack definitions are up
to date. You can also use the CLI command execute update-now to update the antivirus and attack definitions.
Always remember to back up your configuration before making any changes to the firmware.
To upgrade the firmware - GUI:
1. Log into the GUI as the admin administrative user.

2. Go to System > Firmware.
3. Under Upload Firmware, select Browse and locate the firmware image file.
4. Select OK.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, restarts, and displays
the FortiGate login. This process takes a few minutes.
You can also backup and restore your configuration using Secure File Copy (SCP).
You enable SCP support using the following command:
set admin-scp enable
end
To upgrade the firmware - CLI:
Before you begin, ensure you have a TFTP server running and accessible to the FortiGate unit.
3. Log into the CLI.
4. Make sure the FortiGate unit can connect to the TFTP server. You can use the following command to ping the
computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168
execute ping 192.168.1.168
5. Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:
execute restore image tftp <filename> <tftp_ipv4>
6. The FortiGate unit responds with the message:
This operation will replace the current firmware version!

Getting Started 58
Do you want to continue? (y/n)

7. Type y. The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, and restarts.
This process takes a few minutes.
8. Reconnect to the CLI.
9. Update antivirus and attack definitions:
execute update-now.
Reverting
The following procedure reverts the FortiGate unit to its factory default configuration and deletes any configuration
settings. If you are reverting to a previous FortiOS version, you might not be able to restore the previous configuration
from the backup configuration file.
Always remember to back up your configuration before making any changes to the firmware.
To revert to a previous firmware version - GUI:
1. Log into the GUI as the admin user.

2. Go to System > Firmware
3. Under Upload Firmware, select Browse and locate the firmware image file.
4. Select OK.
The FortiGate unit uploads the firmware image file, reverts to the old firmware version, resets the configuration,
restarts, and displays the FortiGate login. This process takes a few minutes.
To revert to a previous firmware version - CLI:
Before beginning this procedure, it is recommended that you:

l Backup the FortiGate unit system configuration using the command
execute backup config
l Backup the IPS custom signatures using the command
execute backup ipsuserdefsig
l Backup web content and email filtering lists.
To use the following procedure, you must have a TFTP server the FortiGate unit can connect to.
1. Make sure that the TFTP server is running.
2. Copy the firmware image file to the root directory of the TFTP server.
3. Log in to the FortiGate CLI.
4. Make sure the FortiGate unit can connect to the TFTP server by using the execute ping command.
5. Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:
execute restore image tftp <name_str> <tftp_ipv4>
6. The FortiGate unit responds with this message:
This operation will replace the current firmware version!
7. Type y. The FortiGate unit uploads the firmware image file. After the file uploads, a message similar to the

Getting Started 59
following appears:
Get image from tftp server OK.
Check image OK.
This operation will downgrade the current firmware version!
8. Type y. The FortiGate unit reverts to the old firmware version, resets the configuration to factory defaults, and
restarts. This process takes a few minutes.
9. Reconnect to the CLI.
10. To restore your previous configuration, if needed, use the command:
execute restore config <name_str> <tftp_ipv4>
11. Update antivirus and attack definitions using the command:
execute update-now
Installation from system reboot
In the event that the firmware upgrade does not load properly and the FortiGate unit will not boot, or continuously
reboots, it is best to perform a fresh install of the firmware from a reboot using the CLI.
This procedure installs a firmware image and resets the FortiGate unit to default settings. You can use this procedure to
upgrade to a new firmware version, revert to an older firmware version, or re-install the current firmware.
To use this procedure, you must connect to the CLI using the FortiGate console port and a RJ-45 to DB-9, or null
modem cable. This procedure reverts the FortiGate unit to its factory default configuration.
For this procedure you install a TFTP server that you can connect to from the FortiGate internal interface. The TFTP
server should be on the same subnet as the internal interface.
Before beginning this procedure, ensure you backup the FortiGate unit configuration.
If you are reverting to a previous FortiOS version, you might not be able to restore the previous configuration from the
backup configuration file.
Installing firmware replaces your current antivirus and attack definitions, along with the definitions included with the
firmware release you are installing. After you install new firmware, make sure that antivirus and attack definitions are up
to date.
To install firmware from a system reboot:
1. Connect to the CLI using the RJ-45 to DB-9 or null modem cable.
4. Make sure the internal interface is connected to the same network as the TFTP server.
5. To confirm the FortiGate unit can connect to the TFTP server, use the following command to ping the computer
running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168: execute ping
192.168.1.168
6. Enter the following command to restart the FortiGate unit: execute reboot
7. The FortiGate unit responds with the following message:
This operation will reboot the system!
8. Type y. As the FortiGate unit starts, a series of system startup messages appears. When the following messages
appears:
Press any key to display configuration menu..........

Getting Started 60
9. Immediately press any key to interrupt the system startup.
You have only three (3) seconds to press any key. If you do not press a key quickly
enough, the FortiGate unit reboots and you must log in and repeat the execute
reboot command.
10. If you successfully interrupt the startup process, the following messages appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default
[C]: Configuration and information
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G, F, Q, or H
11. Type G to get to the new firmware image form the TFTP server. The following message appears: Enter TFTP
server address [192.168.1.168]:
12. Type the address of the TFTP server and press Enter. The following message appears: Enter Local
Address [192.168.1.188]:
13. Type an IP address the FortiGate unit can use to connect to the TFTP server. The IP address can be any IP
address that is valid for the network to which the interface is connected.
Make sure you do not enter the IP address of another device on this network.
14. The following message appears: Enter File Name [image.out]:

15. Enter the firmware image filename and press Enter.The TFTP server uploads the firmware image file to the
FortiGate unit and a message similar to the following appears: Save as Default firmware/Backup
firmware/Run image without saving: [D/B/R]
16. Type D. The FortiGate unit installs the new firmware image and restarts. The installation might take a few minutes
to complete.
Restoring from a USB key
1. Log into the CLI.

2. Enter the following command to restore an unencrypted configuration file:
execute restore image usb Restore image from USB disk.
{string} Image file name on the USB disk.
3. The FortiGate unit responds with the following message:

This operation will replace the current firmware version! Do you want to continue? (y/n)
4. Type y.
Controlled upgrade
Using a controlled upgrade, you can upload a new version of the FortiOS firmware to a separate partition in the
FortiGate memory for later upgrade. The FortiGate unit can also be configured so that when it is rebooted, it will

Getting Started 61
automatically load the new firmware (CLI only). Using this option, you can stage a number of FortiGate units to do an
upgrade simultaneously to all devices using FortiManager or script.
To load the firmware for later installation:
execute restore secondary-image {ftp | tftp | usb} <filename_str>
To set the FortiGate unit so that when it reboots, the new firmware is loaded:
execute set-next-reboot {primary | secondary}
where {primary | secondary} is the partition with the preloaded firmware.
FortiGuard
The FortiGuard Distribution Network (FDN) of servers provides updates to antivirus, antispam, and IPS definitions to
your FortiGate. FortiGuard Subscription Services provides comprehensive Unified Threat Management (UTM) security
solutions to enable protection against content and network level threats.
The FortiGuard team can be found around the globe, monitoring virus, spyware and vulnerability activities. As
vulnerabilities are found, signatures are created and pushed to the subscribed FortiGates. The Global Threat Research
Team enables Fortinet to deliver a combination of multi-layered security intelligence and provide true zero-day
protection from new and emerging threats. The FortiGuard Network has data centers around the world located in
secure, high availability locations that automatically deliver updates to the Fortinet security platforms to protect the
network with the latest information.
FortiGuard provides a number of services to monitor world-wide activity and provide the best possible security,
including:
l Intrusion Prevention System (IPS) - IPS uses a customizable database of more than 4000 known threats to
stop attacks that evade conventional firewall defenses. It also provides behavior-based heuristics, enabling the
system to recognize threats when no signature has yet been developed. It also provides more than 1000
application identity signatures for complete application control.
l Application Control- Application Control allows you to identify and control applications on networks and
endpoints regardless of port, protocol, and IP address used. It gives you unmatched visibility and control over
application traffic, even traffic from unknown applications and sources. Application Control is a free FortiGuard
service and the database for Application Control signatures is separate from the IPS database (Botnet Application
signatures are still part of the IPS signature database since these are more closely related with security issues and
less about application detection). Application Control signature database information is displayed under the
System > FortiGuard page in the FortiCare section.
Please note that while the Application Control profile can be used for free, signature
database updates require a valid FortiGuard subscription.
l AntiVirus - The FortiGuard AntiVirus Service provides fully automated updates to ensure protection against the
latest content level threats. It employs advanced virus, spyware, and heuristic detection engines to prevent both
new and evolving threats from gaining access to your network and protects against vulnerabilities.
l Web Filter - Web Filter provides Web URL filtering to block access to harmful, inappropriate, and dangerous web
sites that may contain phishing/pharming attacks, malware such as spyware, or objectionable content that can

Getting Started 62
expose your organization to legal liability. Based on automatic research tools and targeted research analysis, real-
time updates enable you to apply highly-granular policies that filter web access based on six major categories and
nearly 80 micro-categories, over 45 million rated web sites, and more than two billion web pages - all continuously
updated.
l Email Filtering - The FortiGuard Antispam Service uses both a sender IP reputation database and a spam
signature database, along with sophisticated spam filtering tools on Fortinet appliances and agents, to detect and
block a wide range of spam messages. Updates to the IP reputation and spam signature databases are provided
continuously via the FDN.
l Messaging Services - Messaging Services allow a secure email server to be automatically enabled on your
FortiGate to send alert email or send email authentication tokens. With the SMS gateway, you can enter phone
numbers where the FortiGate will send the SMS messages. Note that depending on your carrier, there may be a
slight time delay on receiving messages.
l DNS and DDNS - The FortiGuard DNS and DDNS services provide an efficient method of DNS lookups once
subscribed to the FortiGuard network. This is the default option. The FortiGate connects automatically to the
FortiGuard DNS server. If you do not register, you need to configure an alternate DNS server.
Configure the DDNS server settings using the CLI command:
config system fortiguard
set ddns-server-ip
set ddns-server-port
end
Support contract and FortiGuard subscription services
The FDN support Contract is available under System > FortiGuard.

The License Information area displays the status of your FortiGate’s support contract.
You can also manually update the AntiVirus and IPS engines.
Verifying your connection to FortiGuard
If you are not getting FortiGuard web filtering or antispam services, there are a few things to verify that communication
to the FDN is working. Before any troubleshooting, ensure that the FortiGate has been registered and subscribed to the
FortiGuard services.
Verification - GUI:
The simplest method to check that the FortiGate is communicating with the FDN, is to check the License Information
dashboard widget. Any subscribed services should have a green check mark beside them indicating that connections are
successful. Any other icon indicates a problem with the connection, or you are not subscribed to the FortiGuard services.
You can also view the FortiGuard connection status by going to System > FortiGuard.
Verification - CLI:
You can also use the CLI to see what FortiGuard servers are available to your FortiGate. Use the following CLI
command to ping the FDN for a connection:
execute ping guard.fortinet.net
You can also use the following diagnose command to find out what FortiGuard servers are available:
diagnose debug rating

Getting Started 63
From this command, you will see output similar to the following:
Locale : english
License : Contract
Expiration : Sun Jul 24 20:00:00 2011
Hostname : service.fortiguard.net
-=- Server List (Tue Nov 2 11:12:28 2010) -=-
IP Weight RTT Flags TZ Packets Curr Lost Total Lost

69.20.236.180 0 10 -5 77200 0 42
69.20.236.179 0 12 -5 52514 0 34
66.117.56.42 0 32 -5 34390 0 62
80.85.69.38 50 164 0 34430 0 11763
208.91.112.194 81 223 D -8 42530 0 8129
216.156.209.26 286 241 DI -8 55602 0 21555
An extensive list of servers are available. Should you see a list of three to five available servers, the FortiGuard servers
are responding to DNS replies to service FortiGuard.net, but the INIT requests are not reaching FDS services on the
servers.
The rating flags indicate the server status:
D Indicates the server was found via the DNS lookup of the hostname. If the hostname returns more than
one IP address, all of them will be flagged with 'D' and will be used first for INIT requests before falling
back to the other servers.
I Indicates the server to which the last INIT request was sent.
F The server has not responded to requests and is considered to have failed.
T The server is currently being timed.
The server list is sorted first by weight and then the server with the smallest RTT is put at the top of the list, regardless
of weight. When a packet is lost, it will be resent to the next server in the list.
The weight for each server increases with failed packets and decreases with successful packets. To lower the possibility
of using a distant server, the weight is not allowed to dip below a base weight, which is calculated as the difference in
hours between the FortiGate and the server, multiplied by 10. The further away the server, the higher its base weight
and the lower in the list it will appear.
Port assignment
The FortiGate contacts FDN for the latest list of FDN servers by sending UDP packets with typical source ports of 1027
or 1031, and destination port 8888. The FDN reply packets have a destination port of 1027 or 1031.
If your ISP blocks UDP packets in this port range, the FortiGate cannot receive the FDN reply packets. As a result, the
FortiGate will not receive the complete FDN server list.
If your ISP blocks the lower range of UDP ports (around 1024), you can configure your FortiGate to use higher-
numbered ports, using the CLI command:
set ip-src-port-range <start port>-<end port>
end
where the <start port> and <end port> are numbers ranging of 1024 to 25000.

Getting Started 64
For example, you could configure the FortiGate to not use ports lower than 2048 or ports higher than the following
range:
set ip-src-port-range 2048-20000
end
Trial and error may be required to select the best source port range. You can also contact your ISP to determine the best
range to use. Push updates might be unavailable if:
l there is a NAT device installed between the unit and the FDN, and/or
l your unit connects to the Internet using a proxy server.
Configuring Antivirus and IPS options
Go to System > FortiGuard, and scroll down to the AntiVirus & IPS Updates section to configure the antivirus and
IPS options for connecting and downloading definition files.
Accept push updates Select to allow updates to be sent automatically to your FortiGate. New
definitions will be added as soon as they are released by FortiGuard.
Use override push Appears only if Accept push updates is enabled.

Enable to configure an override server if you cannot connect to the FDN or if your
organization provides updates using their own FortiGuard server. Once enabled,
enter the following:
l Enter the IP address and port of the NAT device in front of your FortiGate.
FDS will connect to this device when attempting to reach the FortiGate.
l The NAT device must be configured to forward the FDS traffic to the
FortiGate on UDP port 9443.
Scheduled Updates Enable for updates to be sent to your FortiGate at a specific time. For example,
to minimize traffic lag times, you can schedule the update to occur on weekends
or after work hours.
Note that a schedule of once a week means any urgent updates will not be
pushed until the scheduled time. However, if there is an urgent update required,
select the Update Now button.
Improve IPS quality Enable to help Fortinet maintain and improve IPS signatures. The information
sent to the FortiGuard servers when an attack occurs can be used to keep the
database current as variants of attacks evolve.
Use extended IPS signature Regular IPS database protects against the latest common and in-the-wild
package attacks. Extended IPS database includes protection from legacy attacks.
Update AV & IPS Definitions Select to manually initiate an FDN update.
Manual updates
To manually update the signature definitions file, you need to first go to the Fortinet Support web site. Once logged in,
select Download > FortiGuard Service Updates. The browser will present you the most current IPS and AntiVirus
signature definitions which you can download.
Once downloaded to your computer, log into the FortiGate to load the definition file.

Getting Started 65
To load the definition file onto the FortiGate:
1. Go to System > FortiGuard.
2. In the License Information table, select the Upgrade Database link in either the Application Control
Signature, IPS, or AntiVirus row.
3. In the pop-up window, select Upload and locate the downloaded file and select Open.
The upload may take a few minutes to complete.
Automatic updates
The FortiGate can be configured to request updates from FDN on a scheduled basis, or via push notification.
Scheduling updates
Scheduling updates ensures that the virus and IPS definitions are downloaded to your FortiGate on a regular basis,
ensuring that you do not forget to check for the definition files yourself.
Updating definitions can cause a very short disruption in traffic currently being scanned while the FortiGate unit applies
the new signature database, Ideally, schedule updates during off-peak hours, such as evenings or weekends, when
network usage is minimal, to ensure that the network activity will not suffer from the added traffic of downloading the
definition files.
To enable scheduled updates - GUI:
1. Go to System > FortiGuard and scroll down to AntiVirus & IPS Updates.

2. Enable Scheduled Updates.
3. Select the frequency of updates.
4. Select Apply.
To enable scheduled updates - CLI:
config system autoupdate schedule

set status enable
set frequency {every | daily | weekly}
set time <hh:mm>
set day <day_of_week>
end
Push updates
Push updates enable you to get immediate updates when new viruses or intrusions have been discovered and new
signatures created. This ensures that the latest signature will be sent to the FortiGate as soon as possible.
When a push notification occurs, the FortiGuard server sends a notice to the FortiGate that there is a new signature
definition file available. The FortiGate then initiates a download of the definition file, similar to the scheduled update.
To ensure maximum security for your network, you should have a scheduled update as well as enable the push update,
in case an urgent signature is created, and your cycle of the updates only occurs weekly.

Getting Started 66
To enable push updates - GUI:

2. Enable Accept push updates.
3. Select Apply.
To enable push updates - CLI:
config system autoupdate push-update

set status enable
end
Push IP override
If the FortiGate is behind another NAT device (or another FortiGate), to ensure it receives the push update notifications,
you need to use an override IP address for the notifications. To do this, you create a virtual IP to map to the external port
of the NAT device.
Generally speaking, if there are two FortiGate devices, the following steps need to be completed on the FortiGate NAT
device to ensure the FortiGate on the internal network receives the updates:
l Add a port forwarding virtual IP to the FortiGate NAT device that connects to the Internet by going to Policy
& Objects > Virtual IPs.
l Add a security policy to the FortiGate NAT device that connects to the Internet that includes the port forwarding
virtual IP.
l Configure the FortiGate on the internal network with an override push IP and port.
On the FortiGate internal device, the virtual IP is entered as the Use push override IP address.
To enable push update override- GUI:

2. Enable Accept push updates.
3. Enable Use override push.
4. Enter the virtual IP address configured on the NAT device.
5. Select Apply.
To enable push updates - CLI:
config system autoupdate push-update

set status enable
set override enable
set address <vip_address>
end
Sending malware statistics to FortiGuard
To support following malware trends and making zero-day discoveries, FortiGate units send encrypted statistics to
FortiGuard about IPS, Application Control, and AntiVirus events detected by the FortiGuard services running on your
FortiGate. FortiGuard uses the statistics collected to achieve a balance between performance and security
effectiveness by moving inactive signatures to an extended signature database.

Getting Started 67
The statistics include some non-personal information that identifies your FortiGate and its country. The information is
never shared with external parties. You can choose to disable the sharing of this information by entering the following
CLI command:
set fds-statistics disable
end
Configuring Web Filter and email filter options
Go to System > FortiGuard, and scroll down to Filtering to set the size of the caches and ports.
Web Filter Cache Set the Time To Live (TTL) value. This is the number of seconds the FortiGate
will store a blocked IP or URL locally, saving time and network access traffic,
checking the FortiGuard server. Once the TTL has expired, the FortiGate will
contact an FDN server to verify a web address. The TTL must be between 300
and 86400 seconds.
Anti-Spam Cache Set the TTL value (see above).
FortiGuard Filtering Port Select the port assignments for contacting the FortiGuard servers.
Filtering Service Availability Indicates the status of the filtering service. Select Check Again if the filtering
service is not available.
Request re-evaluation of a Select to re-evaluate a URL’s category rating on the FortiGuard Web Filter
URL's category service.
Email filter
The FortiGuard data centers monitor and update email databases of known spam sources. With FortiGuard Anti-Spam
filtering enabled, the FortiGate verifies incoming email sender addresses and IPs against the database, and takes the
necessary actions as defined within the antivirus profiles.
Spam source IP addresses can also be cached locally on the FortiGate, providing a quicker response time, while easing
load on the FortiGuard servers, aiding in a quicker response time for less common email address requests.
By default, the anti-spam cache is enabled. The cache includes a TTL value, which is the amount of time an email
address will stay in the cache before expiring. You can change this value to shorten or extend the time between 5 and
1,440 minutes.
To modify the antispam cache TTL - GUI:
1. Go to System > FortiGuard.
2. Under Filtering, enable Anti-Spam Cache.
3. Enter the TTL value in minutes.
4. Select Apply.
To modify the Anti-Spam filter TTL - CLI:

set antispam-cache-ttl <integer>
end

Getting Started 68
Further antispam filtering options can be configured to block, allow, or quarantine specific email addresses. These
configurations are available through the Security Profiles > Anti-Spam menu.
Online security tools
The FortiGuard online center provides a number of online security tools, including but not limited to:
l URL lookup — By entering a website address, you can see if it has been rated and what category and
classification it is filed as. If you find your website or a site you commonly go to has been wrongly categorized, you
can use this page to request that the site be re-evaluated: https://fortiguard.com/webfilter
l Threat Encyclopedia — Browse the Fortiguard Labs extensive encyclopedia of threats. Search for viruses, botnet
C&C, IPS, endpoint vulnerabilities, and mobile malware: https://www.fortiguard.com/encyclopedia
l Application Control — Browse the Fortiguard Labs extensive encyclopedia of applications:
https://fortiguard.com/appcontrol
FortiCloud
FortiCloud is a hosted security management and log retention service for FortiGate devices. It gives you centralized
reporting, traffic analysis, configuration management, and log retention without the need for additional hardware or
software.
FortiCloud offers a wide range of features:
l Simplified central management — FortiCloud provides a central web-based management console to manage
individual or aggregated FortiGate and FortiWiFi devices. Adding a device to the FortiCloud management
subscription is straightforward. FortiCloud has detailed traffic and application visibility across the whole network.
l Hosted log retention with large default storage allocated — Log retention is an integral part of any security
and compliance program but administering a separate storage system is burdensome. FortiCloud takes care of this
automatically and stores the valuable log information in the cloud. Each device is allowed up to 200GB of log
retention storage. Different types of logs can be stored including Traffic, System Events, Web, Applications, and
Security Events.
l Monitoring and alerting in real time — Network availability is critical to a good end-user experience. FortiCloud
enables you to monitor your FortiGate network in real time with different alerting mechanisms to pinpoint potential
issues. Alerting mechanisms can be delivered via email.
l Customized or pre-configured reporting and analysis tools — Reporting and analysis are your eyes and
ears into your network’s health and security. Pre-configured reports are available, as well as custom reports that
can be tailored to your specific reporting and compliance requirements. For example, you may want to look closely
at application usage or website violations. The reports can be emailed as PDFs and can cover different time
periods.
l Maintain important configuration information uniformly — The correct configuration of the devices within
your network is essential to maintaining an optimum performance and security posture. In addition, maintaining the
correct firmware (operating system) level allows you to take advantage of the latest features.
l Service security — All communication (including log information) between the devices and the clouds is
encrypted. Redundant data centers are always used to give the service high availability. Operational security
measures have been put in place to make sure your data is secure — only you can view or retrieve it.

Getting Started 69
Registration and activation
Before you can activate a FortiCloud account, you must first register your device.
FortiCloud accounts can be registered manually through the FortiCloud website, https://www.forticloud.com, but you
can easily register and activate your account directly from your FortiGate.
Activating your FortiCloud account
1. On your device’s dashboard, in the FortiCloud widget, select the Activate button in the status field.
2. A dialogue asking you to register your FortiCloud account appears. Select Create Account, enter your
information, view and accept the terms and conditions, and select OK.
3. A second dialogue window appears, asking you to enter your information to confirm your account. This sends a
confirmation email to your registered email. The dashboard widget then updates to show that confirmation is
required.
4. Open your email, and follow the confirmation link it contains.
Results
A FortiCloud page will open, stating that your account has been confirmed. The Activation Pending message on the
dashboard will change to state the type of account you have (‘1GB Free’ or ‘200GB Subscription’), and will provide a link
to the FortiCloud portal.
Enabling logging to FortiCloud
1. Go to Log & Report > Log Settings.

2. Enable Send Logs to FortiCloud.
3. Select Test Connectivity to ensure that your FortiGate can connect to the registered FortiCloud account.
4. Scroll down to GUI Preferences, set Display Logs/FortiView From, to see FortiCloud logs within the
FortiGate's GUI.
Logging into the FortiCloud portal
Once logging has been configured and you have registered your account, you can log into the FortiCloud portal and
begin viewing your logging results. There are two methods to reach the FortiCloud portal:
l If you have direct networked access to the FortiGate, you can simply open your Dashboard and check the License
Information widget. Next to the current FortiCloud connection status will be a link to reach the FortiCloud Portal.
l If you do not currently have access to the FortiGate’s interface, you can visit the FortiCloud website
(https://forticloud.com) and log in remotely, using your email and password. It will ask you to confirm the
FortiCloud account you are connecting to and then you will be granted access. Connected devices can be remotely
configured using the Scripts page in the Management Tab, useful if an administrator may be away from the unit for
a long period of time.

Getting Started 70
Cloud sandboxing
FortiCloud can be used for automated sample tracking, or sandboxing, for files from a FortiGate. This allows suspicious
files to be sent to be inspected without risking network security. If the file exhibits risky behavior, or is found to contain a
virus, a new virus signature is created and added to the FortiGuard antivirus signature database.
Cloud sandboxing is configured by going to Security Fabric > Settings. After enabling Sandbox Inspection, select
the FortiSandbox type.
Sandboxing results are shown in a new tab called AV Submissions in the FortiCloud portal. This tab only appears
after a file has been sent for sandboxing.
For more information about FortiCloud, see the FortiCloud documentation.
Troubleshooting your installation
If your FortiGate does not function as desired after installation, try the following troubleshooting tips:
1. Check for equipment issues Verify that all network equipment is powered on and operating as expected. Refer
to the QuickStart Guide for information about connecting your FortiGate to the network. You will also find detailed
information about the FortiGate LED indicators.The FortiGate has multiple LED lights on the faceplate. Verify
whether or not the LEDs on your FortiGate indicate a problem. For information on what the LEDs mean, see the
LED specifications on page 44
2. Check the physical network connections Check the cables used for all physical connections to ensure that they
are fully connected and do not appear damaged, and make sure that each cable connects to the correct device and
the correct Ethernet port on that device.
3. Verify that you can connect to the internal IP address of the FortiGate Connect to the GUI from the
FortiGate’s internal interface by browsing to its IP address. From the PC, try to ping the internal interface IP
address; for example, ping 192.168.1.99. If you cannot connect to the internal interface, verify the IP
configuration of the PC. If you can ping the interface but can't connect to the GUI, check the settings for
administrative access on that interface. Alternatively, use SSH to connect to the CLI, and then confirm that HTTPS
has been enabled for Administrative Access on the interface.
4. Check the FortiGate interface configurations Check the configuration of the FortiGate interface connected to
the internal network (under Network > Interfaces) and check that Addressing mode is set to the correct mode.
5. Verify the security policy configuration Go to Policy & Objects > IPv4 Policy and verify that the internal
interface to Internet-facing interface security policy has been added and is located near the top of the policy list.
Check the Active Sessions column to ensure that traffic has been processed (if this column does not appear,
right-click on the table header and select Active Sessions). If you are using NAT mode, check the configuration of
the policy to make sure that NAT is enabled and that Use Outgoing Interface Address is selected.
6. Verify the static routing configuration
Go to Network > Static Routes and verify that the default route is correct. Go to Monitor > Routing Monitor
and verify that the default route appears in the list as a static route. Along with the default route, you should see
two routes shown as Connected, one for each connected FortiGate interface.
7. Verify that you can connect to the Internet-facing interface’s IP address Ping the IP address of the Internet-
facing interface of your FortiGate. If you cannot connect to the interface, the FortiGate is not allowing sessions
from the internal interface to Internet-facing interface. Verify that PING has been enabled for Administrative
Access on the interface.

Getting Started 71
8. Verify that you can connect to the gateway provided by your ISP
Ping the default gateway IP address from a PC on the internal network. If you cannot reach the gateway, contact
your ISP to verify that you are using the correct gateway.
9. Verify that you can communicate from the FortiGate to the Internet
Access the FortiGate CLI and use the command execute ping 8.8.8.8. You can also use the execute
traceroute 8.8.8.8 command to troubleshoot connectivity to the Internet.
10. Verify the DNS configurations of the FortiGate and the PCs
Check for DNS errors by pinging or using traceroute to connect to a domain name; for example: ping
www.fortinet.com.
If the name cannot be resolved, the FortiGate or PC cannot connect to a DNS server and you should confirm that
the DNS server IP addresses are present and correct.
11. Confirm that the FortiGate can connect to the FortiGuard network Once the FortiGate is on your network,
you should confirm that it can reach the FortiGuard network. First, check the License Information widget to make
sure that the status of all FortiGuard services matches the services that you have purchased. Go to System
> FortiGuard. Scroll down to Filtering Services Availability and select Check Again. After a minute, the GUI
should indicate a successful connection.Verify that your FortiGate can resolve and reach FortiGuard at
service.fortiguard.net by pinging the domain name. If you can reach this service, you can then verify the
connection to FortiGuard servers by running the command diagnose debug rating. This displays a list of
FortiGuard IP gateways you can connect to, as well as the following information:
l Weight: Based on the difference in time zone between the FortiGate and this server
l RTT: Return trip time
l Flags: D (IP returned from DNS), I (Contract server contacted), T (being timed), F (failed)
l TZ: Server time zone
l Curr Lost: Current number of consecutive lost packets
l Total Lost: Total number of lost packets
12. Consider changing the MAC address of your external interface Some ISPs do not want the MAC address of
the device connecting to their network cable to change. If you have added a FortiGate to your network, you may
have to change the MAC address of the Internet-facing interface using the following CLI command:
edit <interface>
set macaddr <xx:xx:xx:xx:xx:xx>
end
end
13. Check the FortiGate bridge table (transparent mode) When a FortiGate is in transparent mode, the unit acts
like a bridge sending all incoming traffic out on the other interfaces. The bridge is between interfaces on the
FortiGate unit. Each bridge listed is a link between interfaces. Where traffic is flowing between interfaces, you
expect to find bridges listed. If you are having connectivity issues and there are no bridges listed, that is a likely
cause. Check for the MAC address of the interface or device in question.To list the existing bridge instances on the
FortiGate, use the following CLI command:
diagnose netlink brctl name host root.b
show bridge control interface root.b host.
fdb: size=2048, used=25, num=25, depth=1
Bridge root.b host table
port no device devname mac addr ttl attributes
3 4 wan1 00:09:0f:cb:c2:77 88
3 4 wan1 00:26:2d:24:b7:d3 0
3 4 wan1 00:13:72:38:72:21 98
4 3 internal 00:1a:a0:2f:bc:c6 6
1 6 dmz 00:09:0f:dc:90:69 0 Local Static
3 4 wan1 c4:2c:03:0d:3a:38 81
3 4 wan1 00:09:0f:15:05:46 89

Getting Started 72
3 4 wan1 c4:2c:03:1d:1b:10 0
2 5 wan2 00:09:0f:dc:90:68 0 Local Static
14. Use FortiExplorer if you can’t connect to the FortiGate over Ethernet If you can’t connect to the FortiGate
GUI or CLI, you may be able to connect using FortiExplorer. Refer to the QuickStart Guide or see the section on
FortiExplorer for more details.
15. Either reset the FortiGate to factory defaults or contact Fortinet Support for assistance To reset the
FortiGate to factory defaults, use the CLI command execute factoryreset. When prompted, type y to
confirm the reset.
If you require further assistance, visit the Fortinet Support website.

Security Fabric
The Fortinet Security Fabric provides an intelligent architecture that interconnects discrete security solutions into an
integrated whole to detect, monitor, block, and remediate attacks across the entire attack surface. It delivers broad
protection and visibility into every network segment and device, be they hardware, virtual, or cloud based.
l The physical topology view shows all connected devices, including access layer devices. The logical topology view
shows information about the interfaces that each device is connected to.
l Security rating checks analyze the Security Fabric deployment to identify potential vulnerabilities and highlight best
practices to improve the network configuration, deploy new hardware and software, and increase visibility and
control of the network.
l Automation pairs an event trigger with one or more actions to monitor the network and take the designated actions
automatically when the Security Fabric detects a threat.
l Fabric connectors provide integration with multiple SDN, cloud, and partner technology platforms to automate the
process of managing dynamic security updates without manual intervention.
Components
The Fortinet Security Fabric consists of different components that work together to secure you network.
The following devices are required to create a Security Fabric:
Device Description
FortiGate FortiGate devices are the core of the Security Fabric and can have one of the following roles:
l Root:
The root FortiGate is the main component in the Security Fabric. It is typically located on
the edge of the network and connects the internal devices and networks to the Internet
through your ISP. From the root FortiGate, you can see information about the entire
Security Fabric on the Physical and Logical Topology pages in the GUI.
l Downstream:
After a root FortiGate is installed, all other FortiGate devices in the Security Fabric act as
Internal Segmentation Firewalls (ISFWs), located at strategic points in your internal
network, rather than on the network edge. This allows extra security measures to be
taken around key network components, such as servers that contain valuable intellectual
property. ISFW FortiGate devices create network visibility by sending traffic and
information about the devices that are connected to them to the root FortiGate.
FortiGate documentation: https://docs.fortinet.com/product/fortigate
FortiAnalyzer FortiAnalyzer gives you increased visibility into your network, centralized monitoring, and
awareness of threats, events, and network activity by collecting and correlating logs from all
Security Fabric devices. This gives you a deeper and more comprehensive view across the
entire Security Fabric.
FortiAnalyzer documentation: https://docs.fortinet.com/product/fortianalyzer
The following devices are recommended:

Security Fabric 74
Device Description
FortiADC FortiADC devices optimize the availability, user experience, and scalability of enterprise
application delivery. They enable fast, secure, and intelligent acceleration and distribution of
even the most demanding enterprise applications.
FortiADC documentation: https://docs.fortinet.com/product/fortiadc
FortiAP Add FortiAP devices to extend the Security Fabric to your wireless devices. Devices
connected to a FortiAP appear in the Physical and Logical Topology pages in the Security
Fabric menu.
FortiAP documentation: https://docs.fortinet.com/product/fortiap
FortiClient FortiClient adds endpoint control to devices that are located in the Security Fabric, allowing
only traffic from compliant devices to flow through the FortiGate. FortiClient compliance
profiles are applied by the first FortiGate that a device’s traffic flows through. Device
registration and on-net status information for a device that is running FortiClient appears only
on the FortiGate that applies the FortiClient profile to that device.
FortiClient documentation: https://docs.fortinet.com/product/forticlient
FortiClient EMS FortiClient EMS is used in the Security Fabric to provide visibility across your network,
securely share information, and assign security profiles to endpoints.
FortiClient EMS documentation: https://docs.fortinet.com/product/forticlient
FortiDDoS FortiDDoS is a Network Behavior Anomaly (NBA) prevention system that detects and blocks
attacks that intend to disrupt network service by overutilizing server resources.
FortiDDoS documentation: https://docs.fortinet.com/product/fortiddos
FortiMail FortiMail antispam processing helps offload from other devices in the Security Fabric that
would typically carry out this process.
FortiMail documentation: https://docs.fortinet.com/product/fortimail
FortiManager Add FortiManager to simplify the network management of devices in the Security Fabric by
centralizing management access in a single device. This allows you to easily control the
deployment of security policies, FortiGuard content security updates, firmware revisions, and
individual configurations for devices in the Security Fabric.
FortiManager documentation: https://docs.fortinet.com/product/fortimanager
FortiSandbox Add FortiSandbox to your Security Fabric to improve security with sandbox inspection.
Sandbox integration allows FortiGate devices in the Security Fabric to automatically receive
signature updates from FortiSandbox and add the originating URL of any malicious file to a
blocked URL list.
FortiSandbox documentation: https://docs.fortinet.com/product/fortisandbox
FortiSwitch A FortiSwitch can be added to the Security Fabric when it is managed by a FortiGate that is in
the Security Fabric with the FortiLink protocol, and connected to an interface that uses
FortiTelemetry. FortiSwitch ports to become logical extensions of the FortiGate.
Devices connected to the FortiSwitch appear in the Physical and Logical Topology pages in
the Security Fabric menu, and security features, such as FortiClient compliance profiles, are
applied to them.
FortiSwitch documentation: https://docs.fortinet.com/product/fortiswitch

Security Fabric 75
Device Description
FortiWeb Add FortiWeb to defend the application attack surface from attacks that target application
exploits. You can also configure FortiWeb to apply web application firewall features, virus
scanning, and web filtering to HTTP traffic to help offload from other devices in the Security
Fabric that would typically carry out these processes.
FortiWeb documentation: https://docs.fortinet.com/product/fortiweb
FortiWLC FortiWLC delivers seamless mobility and superior reliability with optimized client distribution
and channel utilization. Both single and multi channel deployment options are supported,
maximizing efficiency to make the most of available wireless spectrum.
FortiWLC documentation: https://docs.fortinet.com/product/wireless-controller
The following devices are optional:
Device Description
Other Fortinet Many other Fortinet products can be added to the Security Fabric, including
products FortiAuthenticator, FortiToken, FortiCache, and FortiSIEM.
Documentation: https://docs.fortinet.com/
Third-party Third-party products that belong to the Fortinet Fabric-Ready Partner Program can be added
products to the Security Fabric.
Security Fabric device configuration
This section contains information about how to configure the following devices as part of the Fortinet Security Fabric:
l FortiGate
l FortiAnalyzer
l FortiManager
l FortiSandbox
l FortiClient EMS
l FortiAP and FortiSwitch
l Additional devices
System requirements
To set up the Security Fabric in FortiOS 6.2, the devices that you want to include must meet the Product Integration and
Support requirements in the FortiOS Release Notes.
Some features of the Security Fabric are only available in certain firmware versions and models. Not all FortiGate
models can run the FortiGuard Security Rating Service if they are the root FortiGate in a Security Fabric. For more
information, see the Special Notices in the FortiOS Release Notes.

Security Fabric 76
Prerequisites
l If devices are not already installed in your network, complete basic installation and configuration tasks by following
the instructions in the device documentation.
l Either disable VDOMs on all FortiGate devices that you want to add to the Security Fabric or make sure devices are
in split-task VDOM mode. See Virtual Domains on page 222.
l Configure all FortiGate devices to operate in NAT mode.
FortiGate
The following procedures include configuration steps for a typical Security Fabric implementation, where the edge
FortiGate is the root FortiGate, and the downstream FortiGate devices are all devices that are downstream from the
root FortiGate.
Configure the root FortiGate
The edge FortiGate is typically configured as the root FortiGate, as this allows you to view the full topology of the
Security Fabric from the top down.
To configure the root FortiGate:
1. Connect to the root FortiGate and go to Security Fabric > Settings.

2. Enable FortiGate Telemetry.
FortiAnalyzer Logging is automatically enabled.
3. Enter the Group name and select the FortiTelemetry enabled interfaces.
4. In the FortiAnalyzer Logging section, in the IP address field, enter the IP address of the FortiAnalyzer.
If you select Test Connectivity and this is the first time that you are connecting the FortiGate to the FortiAnalyzer,
you will receive a warning message because the FortiGate has not yet been authorized on the FortiAnalyzer. You

Security Fabric 77
can configure this authorization when you configure the FortiAnalyzer. See FortiAnalyzer on page 80.
5. If you need log transmissions to be encrypted, enable SSL encrypt log transmission.
6. If required, enable Allow access to FortiGate REST API.
The FortiGate will verify the FortiAnalyzer by retrieving its serial number and checking it against the FortiAnalyzer
certificate. For more information, see Simplify FortiAnalyzer Pairing, in the FortiOS 6.2.0 New Features Guide.
7. Click Apply.
Add downstream devices
Downstream FortiGate devices can be securely added to the Security Fabric without sharing the password of the root
FortiGate. Downstream device serial numbers can be authorized from the root FortiGate, or allowed to join by request.
New authorization requests include the device serial number, IP address, and HA members. HA members can include
up to four serial numbers and is used to ensure that, in the event of a fail over, the secondary FortiGate is still
authorized.
Pre-authorizing the downstream FortiGate
When a downstream Fortinet device's serial number is added to the trusted list on the root FortiGate, the device can join
the Security Fabric as soon as it connects. After the new device is authorized, connected FortiAP and FortiSwitch
devices are automatically included in the topology, where they can be authorized with one click.
To pre-authorize a FortiGate:
1. On the root FortiGate, go to Security Fabric > Settings.

2. Ensure that the interface that connects to the downstream FortiGate has FortiTelemetry enabled.
3. In the Pre-authorized FortiGates, select Edit. Add a new FortiGate to the list using the downstream device's serial
number.
4. On the downstream FortiGate, go to Security Fabric > Settings.

6. Enable Connect to upstream FortiGate.
7. Enter the IP address of the upstream or root FortiGate in the FortiGate IP field.
8. Add the FortiTelemetry enabled interfaces.

Security Fabric 78
9. Click Apply.
10. On the root FortiGate, go to Security Fabric > Settings and verify that the downstream FortiGate that you added
appears in the Security Fabric topology.
Using LLDP
You can automatically prompt downstream FortiGate devices to join the Security Fabric using Link Layer Discovery
Protocol (LLDP) and interface role assignments.
1. On the root FortiGate, assign the LAN role to all interfaces that may connect to downstream FortiGate devices.
When the LAN role is assigned to an interface, LLDP transmission is enabled by default.
2. When a downstream FortiGate is installed, assign the WAN role to the interface that connects to the upstream
FortiGate.
When the WAN role is assigned, LLDP reception is enabled by default. The newly installed FortiGate uses LLDP to
discover the upstream FortiGate, and the administrator is prompted to configure the FortiGate to join the Security
Fabric.
3. On the root FortiGate, the new FortiGate must be authorized before it can join the Security Fabric.
If the network contains switches or routers, LLDP may not function as expected because
some devices do not pass LLDP packets.
Device request
A device can request to join the Security Fabric from another FortiGate, but it must have the IP address of the root
FortiGate. The administrator of the root FortiGate must also authorize the device before it can join the Security Fabric.
The root FortiGate must have FortiTelemetry enabled on the interface that the device connects to.
To enable FortiTelemetry on an interface:
1. Go to Network > Interfaces.

2. Edit the interface that the device that you authorizing to join the Security Fabric is connected to.
3. Under Administrative Access, enable FortiTelemetry.
4. Under Networked Devices, turn on Device Detection.

Security Fabric 79
To join the Security Fabric by device request:
1. Connect to the unauthorized FortiGate or FortiWiFi device, and go to Security Fabric > Settings.
3. To connect, enable Connect to upstream FortiGate.
4. Set FortiGate IP to the IP address of the upstream FortiGate.
5. Connect to the root FortiGate and go to Security Fabric > Settings. The new FortiGate appears in the Topology as
unauthorized.
6. Click on the unauthorized device and select Authorize to authorize the device.
CLI commands
Use the following commands to view, accept, and deny authorization requests, to view upstream and downstream
devices, and to list or test fabric devices:
Command Description
diagnose sys csf authorization View pending authorization requests on the root FortiGate.
pending-list
diagnose sys csf authorization Authorize a device to join the Security Fabric.
accept <serial-number-value>
diagnose sys csf authorization Deny a device from joining the Security Fabric.
deny <serial-number-value>
diagnose sys csf downstream Show connected downstream devices.
diagnose sys csf upstream Show connected upstream devices.
diagnose sys csf fabric-device list List all known fabric devices.
diagnose sys csf fabric-device Test connections to locally configured fabric devices.
test
Desynchronizing settings
By default, the settings for FortiAnalyzer logging, central management, sandbox inspection, and FortiClient EMS are
synchronized between all FortiGate devices in the Security Fabric. To disable the automatic synchronization of these
settings, use the following CLI command:
config system csf
set configuration-sync local
end
Deauthorizing a device
A device can be deauthorized to remove it from the Security Fabric.

Security Fabric 80
To deauthorize a device:
1. On the root FortiGate, go to Security Fabric > Settings

2. In the Topology field, click on the device and select Deauthorize.
3. Click on the device.
After devices are deauthorized, the devices' serial numbers are saved in a trusted list that can be viewed in the CLI using
the show system csf command. For example, this result shows a deauthorized FortiSwitch:
show system csf
config system csf
set status enable
set group-name "Office-Security-Fabric"
set group-password ENC 1Z2X345V678
config trusted-list
edit "FGT6HD391806070"
next
edit "S248DF3X17000482"
set action deny
next
end
end
end
FortiAnalyzer
FortiAnalyzer is a required component for the Security Fabric. It allows the Security Fabric to show historical data for the
Security Fabric topology and logs for the entire Security Fabric.
For more information about using FortiAnalyzer, see the FortiAnalyzer Administration Guide.
To connect a FortiAnalyzer to the Security Fabric:
1. Enable FortiAnalyzer Logging on the root FortiGate. See Configure the root FortiGate on page 76.
2. On the FortiAnalyzer, go to System Settings > Network and click All Interfaces.
3. Edit the port that connects to the root FortiGate.
4. Set the IP Address/Netmask to the IP address that is used for the Security Fabric on the root FortiGate.
5. Click OK.
If the FortiGates have already been configured, it will now be listed as an unauthorized device.

Security Fabric 81
6. Go to Device Manager > Devices Unauthorized. The unauthorized FortiGate devices are listed.
7. Select the root FortiGate and downstream FortiGate devices in the list, then click Authorize. The Authorize Device
page opens.
8. Click OK to authorize the selected devices.
On the FortiGate devices, the FortiAnalyzer Logging section on the Security Fabric > Settings page will now show
the ADOM on the FortiAnalyzer that the FortiGate is in, and the storage, analytics, and archive usage.
FortiSandbox
The Security Fabric supports FortiSandbox appliances and FortiSandbox Cloud. A FortiCloud account is not required
(see Decouple FortiSandbox Cloud from FortiCloud, in the FortiOS 6.2.0 New Features Guide).
To use FortiSandbox in a Security Fabric, connect the FortiSandbox to the Security Fabric, then configure an antivirus
profile to send files to the FortiSandbox. Sandbox inspection can also be used in Web Filter profiles.
FortiSandbox settings are configured on the root FortiGate of the Security Fabric. After configuration, the root FortiGate
pushes the settings to other FortiGate devices in the Security Fabric.
To add a FortiSandbox appliance to the Security Fabric:

2. Enable Sandbox Inspection and set the FortiSandbox Type to FortiSandbox Appliance.

Security Fabric 82
3. In the Server field, enter the FortiSandbox device's IP address.
4. Optionally, enter a Notifier email.

5. Click Apply.
6. On the FortiSandbox appliance, go to Scan Input > Device.
7. Edit the root FortiGate.
8. Under Permissions, check the Authorized box.
9. Click OK.
10. Authorize the rest of the FortiGate devices that are in the Security Fabric.
To add a FortiSandbox cloud instance to the Security Fabric:

2. Enable Sandbox Inspection and set the FortiSandbox Type to FortiSandbox Cloud.
3. Select the FortiSandbox cloud region from the drop-down list. Data from your network will only be sent to servers in
the selected region.
4. Click Apply.
Antivirus profiles
An antivirus profile must be configured to send files to the FortiSandbox.

Security Fabric 83
To configure an antivirus profile:
1. On the FortiGate, go to Security Profile > AntiVirus.

2. Create, edit, or clone an antivirus profile.
3. Under APT Protection Options, set Send Files to FortiSandbox Appliance for Inspection to All Supported Files.
4. Optionally, configure file exceptions.
5. Enable Use FortiSandbox Database.
6. Click OK.
Web Filter profiles
Sandbox inspection can be used in Web Filter profiles.
To configure a Web Filter profile:
1. On the FortiGate, go to Security Profiles > Web Filter.

2. Create, edit, or clone a profile.
3. Under Static URL Filter, enable Block malicious URLs discovered by FortiSandbox.
4. Click OK.
FortiManager
When a FortiManager device is added to the Security Fabric, it automatically synchronizes with any connected
downstream devices.
To add a FortiManager to the Security Fabric, configure central management on the root FortiGate. The root FortiGate
then pushes this configuration to downstream FortiGate devices. The FortiManager provides remote management of
FortiGate devices over TCP port 541. The FortiManager must have internet access for it to join the Security Fabric.
Once configured, the FortiGate can receive antivirus and IPS updates, and allow remote management through
FortiManager or the FortiCloud service. The FortiGate management option must be enabled so that the FortiGate can
accept management updates to its firmware and FortiGuard services.

Security Fabric 84
To add a FortiManager to the Security Fabric using the CLI:
config system central-management

set type fortimanager
set fmg {<IP_address> | <FQDN_address>}
end
To add a FortiManager to the Security Fabric using the GUI:

2. Enable Central Management.
3. Set the Type to FortiManager.
4. Enter the IP/Domain Name of the FortiManager.

5. Click Apply.
6. On the FortiManager, go to Device Manager and find the FortiGate in the Unauthorized Devices list.
7. Select the FortiGate device or devices, and click Authorize in the toolbar.
8. In the Authorize Device pop-up, adjust the device names as needed, then click OK.
For more information about using FortiManager, see the FortiManager Administration Guide.
FortiClient EMS
You can configure endpoint control for your Security Fabric using FortiClient Endpoint Management System (EMS). Up
to three EMS servers can be added on the global Security Fabric settings page. EMS settings are synchronized between
all fabric members.
If you disable FortiClient Endpoint Management System (EMS) on the Security Fabric >
Settings page, all previously configured EMS server entries will be deleted.
To add a FortiClient EMS server to the Security Fabric using the CLI:
config endpoint-control fctems

edit <ems_name>

Security Fabric 85
set server <ip_address>

set serial-number <string>
set admin-username <string>
set admin-password <string>
set https-port <integer>
set source-ip <ip_address>
next
end
The https-port is the EMS HTTPS access port number, and the source-ip is the REST API call source IP
address.
To add a FortiClient EMS server to the Security Fabric using the GUI:
1. To enable endpoint control, on the root FortiGate, go to System > Feature Visibility and enable Endpoint Control.
2. Go to Security Fabric > Settings.
3. Enable FortiClient Endpoint Management System (EMS).
4. Enter a Name for the EMS server.

5. Enter the IP/Domain Name and Serial Number of the EMS server in their requisite fields.
6. Enter the Admin User name and Password.
7. Optionally, click the plus icon to add up to three servers.
8. Click Apply.
FortiAP and FortiSwitch
FortiAP and FortiSwitch devices can be authorized in the Security Fabric with one click. After connecting a FortiAP or
FortiSwitch device to an authorized FortiGate, it will automatically be listed in the topology tree.
To authorize FortiAP and FortiSwitch devices:
1. Connect the FortiAP or FortiSwitch device to a FortiGate.

2. On the root FortiGate, go to Security Fabric > Settings. The new device will be shown in the Topology.
3. Click on the device and select Authorize.

Security Fabric 86
Additional devices
The following Fortinet devices are supported by the Security Fabric:

l FortiADC
l FortiDDoS
l FortiMail
l FortiWeb
l FortiWLC
To add one of the above devices to the Security Fabric:

2. Enable Fabric Devices.
3. Enter the Name, IP, HTTPS port for the device.
4. Click Generate to generate an access token. The Generate Access Token pane opens.
a. Enter the device's username and password.
b. Click OK.
5. Click Apply.
For more information, see Telemetry Integration - New FTNT Products, in the FortiOS 6.2.0 New Features Guide.
Using the Security Fabric
The Security Fabric includes multiple features that can improve your network security.
l Dashboard widgets on page 86
l Topology on page 89
l Security rating on page 93
l Automation stitches on page 96
l Fabric connectors on page 105
Dashboard widgets
Security Fabric widgets can be added to FortiGate dashboards, including:

l Security Fabric Status on page 86
l Security Rating on page 87
l Fabric Device on page 88
l FortiGate Cloud on page 88
Security Fabric Status
The Security Fabric Status widget shows a summary of the devices in the Security Fabric.

Security Fabric 87
Hover the cursor over the top icons to view pop-ups showing the statuses of the devices in the fabric.
The device tree shows devices that are connected, or could be connected, to you Security Fabric, according to the
following color scheme:
l Blue: connected to the network
l Gray: not configured or not detected
l Red: no longer connected or not authorized
Hover over a device in the tree to view details about the device, such as it's serial number, operation mode, IP address,
CPU and memory usage, and others, depending on the device type.
Unauthorized FortiAP and FortiSwitch devices are highlighted in the list, and can be authorized by clicking on the device
name.
Security Rating
The Security Rating widget shows the security rating for your Security Fabric. It can show the current rating percentile,
or historical security rating score or percentile charts.
The widget can be configured to show how your organization's security rating compares to the ratings of either all
organizations, or only organizations that are in the same industry and/or geographic region as you (determined from
your FortiCare account settings).
To receive a security rating score, all FortiGate devices that are in the Security Fabric must have a valid Security Rating
License.

Security Fabric 88
Fabric Device
The Fabric Device widget show statistics and system information about the selected fabric device.
For a FortiMail device, the widget can show:
l Mail Statistics: a chart of the total messages and total spam messages over time.
l Statistics Summary: a pie chart summarizes mail statistics.
l System Information: The FortiMail System Information widget
l System Usage: System usage information, such as CPU, memory, and disk usage, as well as the number of active
sessions.
FortiGate Cloud
The FortiGate Cloud widget shows the FortiGate Cloud status and information. If your account is not activated, you can
activate it from the widget.

Security Fabric 89
To activate your FortiGate Cloud account:
1. Click on the Not Activated button and select Activate. The FortiCare Registration pane opens.
2. If you already have a FortinetOne account:

a. Fill in your email address, password, country or region, and reseller.
b. Click OK.
3. If you are creating a FortinetOne account:
a. In the FortinetOne field select Create Account.
b. Fill in all of the required information.
c. Click OK.
Topology
The full Security Fabric topology can be viewed on the root FortiGate. Downstream FortiGate devices' topology views
do not include upstream devices.
The Physical Topology shows the physical structure of your network, including all connected devices and the
connections between them. The Logical Topology shows information about the interfaces that connect devices to the
Security Fabric. The size of the bubbles in the topology vary based on traffic volume. Only Fortinet devices are shown in
the topologies.
In both views, filtering and sorting options allow you to control the information that is shown. Hover the cursor over a
device icon, port number, or endpoint to open a tooltip that shows information about that specific device, port, or
endpoint. Right-click on a device to log in to it or to deauthorize it. Right-click on an endpoint to perform various tasks,
including drilling down for more details on sources or compromised hosts, quarantining the host, and banning the
IP address.
The small number that might be shown on the top right corner of a device icon is the number of security ratings
recommendations or warnings for that device. The color of the circle shows the severity of the highest security rating
check that failed. Clicking on it will open the Security Rating page. See Security rating on page 93 for more information.

Security Fabric 90
Servers and server clusters are represented by squares with rounded corners, and are grouped separately from circular
endpoints. Devices are grouped by device type, and colored based on their risk level.
AWS assets are grouped by AWS security groups or subnets, and information about detected Common Vulnerabilities
and Exposures (CVEs) is shown.
WAN cloud
The WAN cloud icon includes a drop-down menu for selecting where the destination data comes from. The available
options are: Internet, Owner, IP Address, and Country/Region. These options are only available when the filtering
based on Device Traffic.
When Owner is selected, the destination hosts are shown as donut charts that show the percentage of internal (with
private IP addresses) and Internet hosts. Hover over either color in the chart to see additional information. To see more
details, right-click on the chart and select Destination Owner Details to go to the FortiView > Destinations page.

Security Fabric 91
FortiAP and FortiSwitch devices
Newly discovered FortiAP and FortiSwitch devices are initial shown in the topologies with gray icons to indicate that they
have not been authorized. To authorize a device, click on the device icon or name and select Authorize. Once
authorized, the device icon will turn blue.
Right-click on an authorized FortiAP device to Deauthorize or Restart the device. Right-click on a FortiSwitch device to
Deauthorize, Restart, or Upgrade the device, or to Connect to the CLI.
FortiAP and FortiSwitch links are enhanced to show Link Aggregation Groups for the Inter-switch Link (ISL-LAG). To
differentiate them from physical links, ISL-LAG links are shown with a thicker line. The endpoint circles can also be used
as a reference to identify ISL-LAG groups that have more than two links.
Views
The topology views can be focused using filters and by sorting in different ways to help you locate the information that
you need.
Select one of Access Device or No Access Device to only show access or no access devices in the physical topology.
From the Bubble Option drop-down list, select one of the following views:
l Device Traffic: Organize devices by traffic.
l Device Count: Organize devices by the number of devices connected to it.
l Device Type: Organize devices by the device type.
l Risk: Only include devices that have endpoints with medium, high, or critical risk values of the specified type: All,
Compromised Host, Vulnerability, Threat Score.
l No Devices: Don't show endpoints.
The time period drop-down list filters the view by time. Options include: now (real time), 5 minutes, 1 hour, 24 hours, 7
days.
Critical risks
Click the Critical Risks button to see a list of endpoints that are deemed critical risks, organized by threat severity.
These are the red endpoints in the current topology view.

Security Fabric 92
For each endpoint, the user's photo, name, IP address, email address, and phone number are shown. The number of
vulnerabilities of each severity is shown, and if the IoC verdict is that the endpoint is compromised.
If applicable, the endpoint's host can be quarantined or their IP address banned, by clicking the Quarantine Host on Ban
IP button.
The drop-down menu also provides options to drill down to more information on compromised hosts or endpoint
vulnerabilities.
Clicking Drill Down to Compromised Hosts will open the FortiView > Compromised Hosts page showing a summary
for the selected endpoint.
Compromised host information can also be viewed on the FortiAnalyzer in SOC > FortiView > Threats > Compromised
Hosts.
The FortiAnalyzer must have a FortiGuard Indicators of Compromise service license in order
to see compromised hosts.

Security Fabric 93
Clicking Drill Down to Endpoint Vulnerability will open the vulnerabilities page showing a summary of the vulnerabilities
on the selected endpoint.
FortiAnalyzer
The Security Fabric topology can also be seen on the FortiAnalyzer device. In the Device Manager, FortiGate devices
are shown as part of a Security Fabric group, with an asterisk next to the name of the root FortiGate.
To view the Security Fabric topology, right-click on the fabric group and select Fabric Topology. Only Fortinet devices
are shown in the Security Fabric topology views.
Security rating
The security rating analyzes your Security Fabric deployment, identifies potential vulnerabilities, highlights best
practices that can be used to improve the security and performance of your network, and calculates Security Fabric
scores.

Security Fabric 94
To view the security rating and run a security rating check, go to Security Fabric > Security Rating on the root
FortiGate. Click Run Now to run a security rating check. Checks can also be run automatically every four hours.
The security rating check uses real-time monitoring to analyze the network based on the current network configuration.
When the check is complete, the results table shows a list of the checks that where performed, including:
l The name and a description of the check.
l The device or devices that the check was performed on.
l The impact of the check on the overall security score.
l The check results - whether it passed or failed.
The list can be searched, filtered to show all results or only failed checks, and exported to a CSV or JSON file. Clicking
on a color or legend name in the donut charts will also filter the results.
Hovering the cursor over a check result score will show the breakdown of how that score was calculated.
Selecting a specific check from the list shows details about that check in the Security Control Details pane, including
recommendations and compliance information. For failed checks, this includes a description of what remediation
actions could be taken. For recommendations that support Easy Apply, the device will have an EZ symbol next to its
name, and the remediation action can be taken automatically by clicking Apply under the recommendations.
For more information about security ratings, and details about each of the checks that are performed, go to Security
Best Practices & Security Rating Feature.
Security Rating licenses are required to run security rating checks across all the devices in the
Security Fabric. It also allows ratings scores to be submitted to and received from FortiGuard
for ranking networks by percentile.
See https://www.fortinet.com/support/support-services/fortiguard-security-
subscriptions/security-rating.html for information.
Automatic security rating checks
Security rating checks can be scheduled to run automatically every four hours.

Security Fabric 95
To enable automatic security checks using the CLI:

security-rating-run-on-schedule {enable | disable}
end
Opt out of ranking
Security rating scores can be submitted to FortiGuard for comparison with other organizations' scores, allowing a
percentile score to be calculated. If you opt out of submitting your score, only an absolute score will be available.
To opt out of submitting the score using the CLI:

set security-rating-result-submission {enable | disable}
end
Logging the security rating
The results of past security checks is available in Log & Report > Security Rating Events.
An event filter subtype can be created for the Security Fabric rating so that event logs are created on the root FortiGate
that summarize the results of a check, and show detailed information for the individual tests.
To configure Security Rating logging using the CLI:
config log eventfilter

set security-rating enable
end
Security Fabric score
The Security Fabric score is calculated when a security rating check is run, based on the severity level of the checks that
are passed or failed. A higher scores represents a more secure network. Points are added for passed checks, and
removed for failed checks.

Security Fabric 96
Severity level Weight (points)
Critical 50
High 25
Medium 10
Low 5
To calculate the number of points awarded to a device for a passed check, the following equation is used:
<severity level weight>

score = x <secure FortiGate multiplier>
<# of FortiGates>
The secure FortiGate multiplier is determined using logarithms and the number of FortiGate devices in the Security
Fabric.
For example, if there are four FortiGate devices in the Security Fabric that all pass the Compatible Firmware check, the
score for each FortiGate device is calculated with the following equation:
50
x 1.292 = 16.15 points
4
All of the FortiGate devices in the Security Fabric must pass the check in order to receive the points. If any one of the
FortiGate devices fails a check, the devices that passed are not awarded any points. For the device that failed the
check, the following equation is used to calculated the number of points that are lost:
score = <severity level weight> x <secure FortiGate multiplier>
For example, if the check finds two critical FortiClient vulnerabilities, the score is calculated with the following equation:
-50 x 2 = -100 points
Scores are not affect by checks that do not apply to your network. For example, if there are no FortiAP devices in the
Security Fabric, no points will be added or subtracted for the FortiAP firmware version check.
Automation stitches
Automation stitches automate the activities between the different components in the Security Fabric, decreasing the
response times to security events. Events from any source in the Security Fabric can be monitored, and action
responses can be set up to any destination.
Automation stitches can also be used on FortiGate devices that are not part of a Security
Fabric.
Automation stitches that use cloud-based actions, such as AWS Lambda and Azure Function, have the option to delay
an action after the previous action is completed.
Diagnose commands are available in the CLI to test, log, and display the history and settings of stitches.

Security Fabric 97
Automation stitches can only be created on the root FortiGate in a Security Fabric.
Create automation stitches
To create an automation stitch, a trigger event and a response action or actions are selected. Automation stitches can
also be tested after they are created.
To create an automation stitch in the GUI:
1. On the root FortiGate, go to Security Fabric > Automation.

2. Click Create New. The New Automation Stitch page opens.
3. Enter the following information:
Name Enter a name for the automation stitch.
Status Enable/disable the stitch.
FortiGate Select the FortiGate device to apply the automation stitch to, or select All
FortiGates to apply it to all of them.
Trigger Select a trigger.
Action Select an action.
Minimum interval (seconds) Enter a minimum time interval during which notifications for the same trigger
event will not be sent.
After the time interval elapses, an collated alert is sent that includes all the
events that occurred during the interval.

Security Fabric 98
4. Click OK.
To create an automation stitch in the CLI:
1. Create an automation trigger:

config system automation-trigger
edit <automation-trigger-name>
set trigger-type {event-based | scheduled}
set event-type <option>
set license-type <option>
set ioc-level {medium | high}
set logid <integer>
set trigger-frequency {hourly | daily | weekly | monthly}
set trigger-weekday <option>
set trigger-day <integer>
set trigger-hour <integer>
set trigger-minute <integer>
set faz-event-severity <string>
set faz-event-tags <string>
next
end
The available options will vary depending on the selected event type.
2. Create an automation action:
config system automation-action
edit <name>
set action-type <option>
set email-to <names>
set email-from <string>
set email-subject <string>
set email-body <string>
set minimum-interval <integer>
set delay <integer>
set required {enable | disable}
set aws-api-id <string>
set aws-region <string>
set aws-domain <string>
set aws-api-stage <string>
set aws-api-path <string>
set aws-api-key <string>
set azure-app <string>
set azure-function <string>
set azure-domain <string>
set azure-function-authorization {anonymous | function | admin}
set azure-api-key <string>
set gcp-function-region <string>
set gcp-project <string>
set gcp-function-domain <string>
set gcp-function <string>
set alicloud-account-id <string>
set alicloud-region <string>
set alicloud-function-domain <string>
set alicloud-version <string>
set alicloud-service <string>
set alicloud-function <string>

Security Fabric 99
set alicloud-function-authorization {anonymous | function}

set alicloud-access-key-id <string>
set alicloud-access-key-secret <string>
set protocol {http | https}
set method {post | put | get | patch | delete}
set uri <string>
set http-body <string>
set port <integer>
set headers <header>
set script <string>
set security-tag <string>
set sdn-connector <connector_name>
next
end
3. Create an automation destination:

config system automation-destination
edit <name>
set type {fortigate | ha-cluster}
set destination <serial numbers>
set ha-group-id <integer>
next
end
4. Create the automation stitch:

config system automation-stitch
edit <automation-stitch-name>
set status {enable | disable}
set trigger <trigger-name>
set action <action-name>
set destination <serial-number>
next
end
To test an automation stitch:
In the GUI, go to Security Fabric > Automation, right-click on the automation stitch and select Test Automation Stitch.
In the CLI, enter the following command:
diagnose automation test <stitch-name> <log>
Chaining and delaying actions
Automation stitches that use cloud-based or webhook actions have the option to delay an action after the previous
action is completed. The execution of the actions can be delayed by up to 3600 seconds (one hour).
To configure this option in the GUI, select a cloud-based action, then enter the required value, in seconds, in the action
configuration's Delay field.
To configure a delay in the CLI, use the following command:
config system automation-action
edit <name>
set action-type {aws-lambda | azure-function | google-cloud-function | alicloud-
function | webhook}
set required {enable | disable}

Security Fabric 100
set delay <seconds>

next
end
Triggers
The following table outlines the available automation stitch triggers:
Trigger Description
Compromised Host An Indicator of Compromise (IoC) is detected on a host endpoint.

The threat level must be selected and can be Medium or High. If Medium is
selected, both medium and high level threats are included.
Note: Additional actions are available only for Compromised Host triggers:
l Access Layer Quarantine
l Quarantine FortiClient via EMS
l Assign VMware NSX Security Tag
l IP Ban
Security Rating Summary A summary is available for a recently run Security Rating.
Configuration Change A FortiGate configuration change has occurred.
Reboot A FortiGate is rebooting.
Low memory This option is only available in the CLI.

Conserve mode due to low memory.
High CPU This option is only available in the CLI.

High CPU usage.
License Expiry A FortiGuard license is expiring.

The license type must be selected. Options include:
l FortiCare Support
l FortiGuard Web Filter
l FortiGuard AntiSpam
l FortiGuard AntiVirus
l FortiGuard IPS
l FortiGuard Management Service
l FortiGate Cloud
HA Failover An HA failover is occurring.
AV & IPS DB Update The antivirus and IPS database is updating.
FortiOS Event Log The specified FortiOS log has occurred.

The event must be selected from the event list.
FortiAnalyzer Event Handler The specified FortiAnalyzer event handler has occurred.
The event handler name must be selected. The event severity and event tag can
also be configured.

Security Fabric 101
Trigger Description
Schedule A scheduled monthly, weekly, daily, or hourly trigger. Set to occur on a specific
minute of an specific hour on a specific day.
Actions
The following table outlines the available automation stitch actions:
Action Description
Alert This option is only available in the CLI.

Generate a FortiOS dashboard alert.
CLI Script Run one or more CLI scripts.

Each script must be named. The script can be manually types in, imported from
the management computer, or recorded in the CLI console.
Multiple scripts can be added and reorganized as needed by dragging and
dropping.
Disable SSID This option is only available in the CLI.

Disable the SSID interface.
Email Send a custom email message to the selected recipients. At least one recipient
and an email subject must be specified.
The email body can use parameters from logs or previous action results.
Wrapping the parameter with %% will replace the expression with the JSON
value for the parameter, for example: %%results.source%% is the source
property from the previous action.
FortiExplorer Notification Send push notifications to FortiExplorer.

The FortiGate must be registered to FortiCare on the iOS App that will receive
the notification.
Access Layer Quarantine This option is only available for Compromised Host triggers.
Impose a dynamic quarantine on multiple endpoints based on the access layer.
Quarantine FortiClient via This option is only available for Compromised Host triggers.
EMS Use FortiClient EMS to block all traffic from the source addresses that are
flagged as compromised hosts.
Quarantined devices are flagged on the Security Fabric topology views. Go to
Monitor > Quarantine Monitor to view and manage quarantined IP addresses.
Assign VMware NSX Security This option is only available for Compromised Host triggers.
Tag
IP Ban This option is only available for Compromised Host triggers.

Block all traffic from the source addresses flagged by the IoC.
Go to Monitor > Quarantine Monitor to view and manage banned IP addresses.
AWS Lambda Send log data to an integrated AWS service.

Security Fabric 102
Action Description
Multiple actions can be added and reorganized as needed by dragging and

dropping.
The API gateway URL is in the format:
{restapi-id}.execute-api.{region}.{domain}/{stage}/{path}
The CLI must be used to manually enter the individual parameters.
Azure Function Send log data to an Azure function.

dropping.
{application}.{domain}/api/{function}
Google Cloud Function Send log data to a Google Cloud function.

dropping.
{region}-{project}{domain}/{function}
AliCloud Function Send log data to an AliCloud function.

dropping.
The HTTP URL is in the format:
{account id}.{region}.{domain}/{version}/proxy/{service}/
{function}
Webhook Send an HTTP request using a REST callback.

dropping.
The URI and HTTP body can use parameters from logs or previous action results.
Wrapping the parameter with %% will replace the expression with the JSON
value for the parameter, for example: %%results.source%% is the source
property from the previous action.
Diagnostics
Diagnose commands are available to:

l Test an automation stitch
l Enable or disable log dumping for automation stitches
l Display the settings of every automation stitch
l Display statistics on every automation stitch
To test an automation stitch:
diagnose automation test <automation-stitch-name>

Security Fabric 103
Example:
# diagnose automation test HA-failover
automation test is done. stitch:HA-failover
To toggle log dumping:
diagnose test application autod 1
Examples:
# diagnose test application autod 1
autod log dumping is enabled
autod log dumping is disabled
autod logs dumping summary:

autod dumped total:7 logs, num of logids:4
To display the settings for all of the automation stitches:
Example:
csf: enabled root:yes
total stitches activated: 3
stitch: Compromised-IP-Banned
destinations: all
trigger: Compromised-IP-Banned
local hit: 0 relayed to: 0 relayed from: 0

actions:
Compromised-IP-Banned_ban-ip type:ban-ip interval:0
stitch: HA-failover
destinations: HA-failover_ha-cluster_25;
trigger: HA-failover

actions:
HA-failover_email type:email interval:0
subject: HA Failover
mailto:[email protected];
stitch: rebooot
destinations: all
trigger: reboot

actions:
action1 type:alicloud-function interval:0
delay:1 required:yes
Account ID: id
Region: region

Security Fabric 104
Function domain: fc.aliyuncs.com

Version: versoin
Service name: serv
Function name: funcy
headers:
To display statistic on all of the automation stitches:
Example:
stitch: Compromised-IP-Banned
last trigger:Wed Dec 31 20:00:00 1969
last relay:Wed Dec 31 20:00:00 1969
actions:
Compromised-IP-Banned_ban-ip:
done: 1 relayed to: 0 relayed from: 0
last trigger:Wed Dec 31 20:00:00 1969
last relay:
stitch: HA-failover
last trigger:Thu May 24 11:35:22 2018
last relay:Thu May 24 11:35:22 2018
actions:
HA-failover_email:
last trigger:Thu May 24 11:35:22 2018
last relay:Thu May 24 11:35:22 2018
stitch: rebooot
last trigger:Fri May 3 13:30:56 2019
last relay:Fri May 3 13:30:23 2019
actions:
action1
last trigger:Fri May 3 13:30:56 2019
last relay:
logid2stitch mapping:
id:20103 local hit: 0 relayed to: 0 relayed from: 0
License Expiry
lambada
id:32138 local hit: 2 relayed to: 1 relayed from: 1

Compromised-IP-Banned
HA-failover
rebooot
action run cfg&stats:

total:2 cur:0 done:1 drop:1
email:
flags:10
stats: total:1 cur:0 done:1 drop:0

Security Fabric 105
ios-notification:
flags:1
alert:
flags:0
disable-ssid:
flags:7
quarantine:
flags:7
quarantine-forticlient:
flags:4
quarantine-nsx:
flags:4
ban-ip:
flags:7
aws-lambda:
flags:11
webhook:
flags:11
cli-script:
flags:10
azure-function:
flags:11
google-cloud-function:
flags:11
alicloud-function:
flags:11
Fabric connectors
Fabric connectors allow you to connect your network to external services. There are four categories of connectors:
Public SDN, Private SDN, SSO/Identity, and Threat Feeds.

Security Fabric 106
If VDOMs are enabled, SDN and Threat Feeds connectors are in the global settings, and
SSO/Identity connectors are per VDOM.
SDN connectors
Fabric connectors to SDNs provide integration and orchestration of Fortinet products with SDN solutions. Fabric
Connectors ensure that any changes in the SDN environment are automatically updated in your network.
There are four steps to creating and using an SDN connector:
1. Gather the required information
2. Create the fabric connector on page 108
3. Create a fabric connector address on page 108
4. Add the address to a firewall policy on page 109
An example of creating a Microsoft Azure SDN connector is available at
https://docs.fortinet.com/vm/azure/fortigate/6.2/azure-cookbook/6.2.0/502895.
Required information
Specific information is required to create each connector type:

Security Fabric 107
Service Required information
Amazon Web Services l Access key ID

l Secret access key
l Region name
l VPC ID (optional)
Microsoft Azure l Server region

l Tenant ID
l Client ID
l Client secret
l Subscription ID (optional)
l Resource group (optional)
l Login endpoint (Azure Stack only)
l Resource URL (Azure Stack only)
Google Cloud Platform (GCP) l Project name

l Service account email
l Private key
Oracle Cloud Infrastructure l User ID

(OCI) l Tenant ID
l Compartment ID
l Server region
l Certificate
AliCloud l AccessKey ID
l AccessKey Secret
l Region ID
Kubernetes l IP address
l Port
l Secret token
VMware ESXi and NSX l IP address or hostname

l Username
l Password
OpenStack (Horizon) l IP address

l Username
l Password
Application Centric l IP address

Infrastructure (ACI) l Port
l Username
l Password
Nuage Virtualized Services l IP address

Platform l Port
l Username
l Password

Security Fabric 108
Create the fabric connector
To create an SDN Fabric connector in the GUI:
1. Go to Security Fabric > Fabric Connectors.

2. Click Create New.
3. Click on the service that you are using.
4. Enter the Name, Status, and Update Interval for the connector.
5. Enter the previously collected information for the specific connector that you are creating.
6. Click OK.
To create an SDN Fabric connector in the CLI:
config system sdn-connector

edit <name>
set type {connector type}
...
set update-interval <integer>
next
end
The available CLI commands will vary depending on the selected SDN connector type.
Create a fabric connector address
A fabric connector address can be used in the following ways:

l As the source or destination address for firewall policies.
l To automatically update changes to addresses in the environment of the service that you are using, based on
specified filtering conditions.
l To automatically apply changes to firewall policies that use the address, based on specified filtering conditions.
To create a fabric connector address in the GUI:
1. Go to Policy & Objects > Addresses.

2. Click Create New > Address.
3. Enter a name for the address.
4. Set the Type to Fabric Connector Address.
5. Select an SDN Connector from the drop-down list, or click Create New to make a new one.
6. Set the SDN address type. Only addresses of the selected type will be collected.
7. Configure the connector specific settings.
8. Select an Interface for the address, or leave it as any, enable or disable Show in Address List, and optionally add
Comments.
9. Add tags.
10. Click OK.

Security Fabric 109
To create a fabric connector address in the CLI:

edit <name>
set type dynamic
set sdn <sdn_connector>
set visibility enable
set associated-interface <interface_name>
set color <integer>
...
set comment <comment>
config tagging
edit <name>
set category <string>
set tags <strings>
next
end
next
end
The available CLI commands will vary depending on the selected SDN connector type.
Add the address to a firewall policy
A fabric connector address can be used as either the source or destination address.
To add the address to a firewall policy in the GUI:
1. Go to Policy & Objects > IPv4 Policy.

3. Enter a name for the policy.
4. Set the incoming and outgoing interfaces.
5. Use the fabric connector address as the source or destination address.
6. Configure the remaining settings as needed.
7. Click OK.
To add the address to a firewall policy in the CLI:

edit 0
set name <name>
set srcintf <port_name>
set dstintf <port_name>
set srcaddr <firewall_address>
set dstaddr <firewall_address>
set action accept
set schedule <schedule>
set service <service>

Security Fabric 110
next
end
Threat feeds
Threat feeds dynamically import an external block lists from an HTTP server in the form of a text file. Block lists can be
used to enforce special security requirements, such as long term policies to always block access to certain websites, or
short term requirements to block access to known compromised locations. The lists are dynamically imported, so that
any changes are immediately imported by FortiOS.
There are four types of threat feeds:
FortiGuard The file contains one URL per line. It is available as a Remote Category in Web Filter profiles
Category and SSL inspection exemptions.
Example:
http://example/com.url
https://example.com/url
http://example.com:8080/url
IP Address The file contains one IP/IP range/subnet per line. It is available as an External IP Block List
in DNS Filter profiles, and as a Source/Destination in IPv4, IPv6, and proxy policies.
Example:
192.168.2.100
172.200.1.4/16
172.16.1.2/24
172.16.8.1-172.16.8.100
2001:0db8::eade:27ff:fe04:9a01/120
2001:0db8::eade:27ff:fe04:aa01-2001:0db8::eade:27ff:fe04:ab01
Domain Name The file contains one domain per line. Simple wildcards are supported. It is available as a
Remote Category in DNS Filter profiles.
Example:
mail.*.example.com
*-special.example.com
www.*example.com
example.com
Malware Hash The file contains one hash per line in the format <hex hash> [optional hash
description]. Each line supports MD5, SHA1, and SHA256 hex hashes. It is
automatically used for Virus Outbreak Prevention on antivirus profiles with Use External
Malware Block List enabled.
Note: For optimal performance, do not mix different hashes in the list. Only use one of MD5,
SHA1, or SHA26.
Example:
292b2e6bb027cd4ff4d24e338f5c48de
dda37961870ce079defbf185eeeef905 Trojan-Ransom.Win32.Locky.abfl
3fa86717650a17d075d856a41b3874265f8e9eab Trojan-Ransom.Win32.Locky.abfl
c35f705df9e475305c0984b05991d444450809c35dd1d96106bb8e7128b9082f
Trojan-Ransom.Win32.Locky.abfl
See External malware blocklist for Antivirus on page 329 for an example.

Security Fabric 111
To create a threat feed in the GUI:

3. In the Thread Feeds section, click on the required feed type.
4. Configure the connector settings:
Name Enter a name for the threat feed connector.
URI of external resource Enter the link to the external resource file. The file should be a plain text file
with one entry on each line.
HTTP basic authentication Enable/disable basic HTTP authentication. When enabled, enter the
username and password in the requisite fields.
Refresh Rate The time interval to refresh the external resource, in minutes (1 - 43200,
default = 5).
Comments Optionally, enter a description of the connector.
Status Enable/disable the connector.
5. Click OK.
To create a threat feed in the CLI:
config system external-resource

edit <name>
set type {category | address | domain | malware}
set category <integer>
set username <string>
set password <string>
set comments [comments]
*set resource <resource-uri>
*set refresh-rate <integer>
set source-ip <string>
next
end
Parameters marked with a * are mandatory and must be filled in. Other parameters either have default values or are
optional.
Update history
To review the update history of a threat feed, go to Security Fabric > Fabric Connectors, select a feed, and click Edit.
The Last Update field shows the date and time that the feed was last updated.
Click View Entries to view the current entries in the list.

Security Fabric 112
Deploy Security Fabric
This recipe provides an example of deploying Security Fabric with three downstream FortiGates connecting to one root
FortiGate. To deploy Security Fabric, you need a FortiAnalyzer running firmware version 6.2.
The following shows a sample network topology of three downstream FortiGates (Accounting, Marketing, and Sales)
connected to the root FortiGate (Edge).

Security Fabric 113
To configure the root FortiGate (Edge):
1. Configure interface:
a. In the root FortiGate (Edge), go to Network > Interfaces.
b. Edit port16:
l Set Role to DMZ.
l For the interface connected to FortiAnalyzer, set the IP/Network Mask to 192.168.65.2/255.255.255.0
c. Edit port10:
l Set Role to LAN.
l For the interface connected to the downstream FortiGate (Accounting), set the IP/Network Mask to
192.168.10.2/255.255.255.0
d. Edit port11:
l Set Role to LAN.
l For the interface connected to the downstream FortiGate (Marketing), set the IP/Network Mask to
192.168.200.2/255.255.255.0
2. Configure Security Fabric:
a. In the root FortiGate (Edge), go to Security Fabric > Settings.
l Enable FortiGate Telemetry.
l Set a Group name, such as Office-Security-Fabric.
l Add port10 and port11 to FortiTelemetry enabled interfaces.
After FortiGate Telemetry is enabled, FortiAnalyzer automatically enables Logging and Upload Option is set
to Real Time.
b. Set IP address to the FortiAnalyzer IP 192.168.65.10.
c. Select Test Connectivity.
A warning message indicates that the FortiGate is not authorized on the FortiAnalyzer. The authorization is
configured in a later step on the FortiAnalyzer.
3. Create a policy to allow the downstream FortiGate (Accounting) to access the FortiAnalyzer:
a. In the root FortiGate (Edge), go to Policy & Objects > Addresses.
l Click Create New.
l Set Name to FAZ-addr.
l Set Type to Subnet.
l Set Subnet/IP Range to 192.168.65.10/32.
l Set Interface to any.
l Click Create New.
l Set Name to Accounting.
b. In the root FortiGate (Edge), go to Policy & Objects > IPv4 Policy.
l Set Name to Accounting-to-FAZ.
l Set srcintf to port10.
l Set dstintf to port16.
l Set srcaddr to Accounting-addr.
l Set dstaddr to FAZ-addr.

Security Fabric 114
l Set Action to Accept.

l Set Schedule to Always.
l Set Service to All.
l Enable NAT.
l Set IP Pool Configuration to Use Outgoing Interface Address.
4. Create a policy to allow the two downstream FortiGates (Marketing and Sales) to access the FortiAnalyzer:
a. In the root FortiGate (Edge), go to Policy & Objects > Addresses and click Create New.
l Set Name to Marketing-addr.
b. In the root FortiGate (Edge), go to Policy & Objects > IPv4 Policy.
l Set Name to Marketing-to-FAZ.
l Set dstintf to port16.
l Set srcaddr to Marketing-addr.
l Enable NAT.
To configure the downstream FortiGate (Accounting):
a. In the downstream FortiGate (Accounting), go to Network > Interfaces.
b. Edit interface wan1:
l Set Role to WAN .
l For the interface connected to root, set the IP/Network Mask to 192.168.10.10/255.255.255.0
2. Configure the default static route to connect to the root FortiGate (Edge):
a. In the downstream FortiGate (Accounting), go to Network > Static Routes:
l Set Destination to 0.0.0.0/0.0.0.0.
l Set Interface to wan1.
l Set Gateway Address to 192.168.10.2.
a. In the downstream FortiGate (Accounting), go to Security Fabric > Settings.
l Enable Connect to upstream FortiGate.
l FortiGate IP is filled in automatically with the default static route Gateway Address of 192.168.10.2 set
in the previous step.
l Leave FortiTelemetry enabled interfaces empty since there is no downstream FortiGate connecting to it.
After FortiGate Telemetry is enabled, FortiAnalyzer automatically enables Logging. Settings for the
FortiAnalyzer are retrieved from the root FortiGate (Edge) when FortiGate (Accounting) connects to the root

Security Fabric 115
FortiGate (Edge).
To configure the downstream FortiGate (Marketing):
a. In the downstream FortiGate (Marketing), go to Network > Interfaces.
b. Edit port12:
l Set Role to LAN.
l For the interface connected to the downstream FortiGate (Sales), set the IP/Network Mask to
192.168.135.11/255.255.255.0.
c. Edit wan1:
l Set Role to WAN .
l For the interface connected to the root FortiGate (Edge), set the IP/Network Mask to
192.168.200.10/255.255.255.0.
a. In the downstream FortiGate (Marketing), go to Network > Static Routes:
a. In the downstream FortiGate (Marketing), go to Security Fabric > Settings.
l In FortiTelemetry enabled interfaces, add port12.
FortiAnalyzer are retrieved from the root FortiGate (Edge) when FortiGate (Marketing) connects to the root
FortiGate (Edge).
4. Create a policy to allow another downstream FortiGate (Sales) going through FortiGate (Marketing) to access the
FortiAnalyzer:
a. In the downstream FortiGate (Marketing), go to Policy & Objects > Addresses and click Create New.
l Set Name to FAZ-addr.
b. Click Create New.
l Set Name to Sales-addr.
c. In the downstream FortiGate (Marketing), go to Policy & Objects > IPv4 Policy.
l Set Name to Sales-to-FAZ.
l Set dstintf to wan1.

Security Fabric 116
l Set srcaddr to Sales-addr.

l Enable NAT.
To configure the downstream FortiGate (Accounting):
a. In the downstream FortiGate (Accounting), go to Network > Interfaces.
l Set Role to WAN .
l For the interface connected to root, set the IP/Network Mask to 192.168.10.10/255.255.255.0
a. In the downstream FortiGate (Accounting), go to Network > Static Routes:
a. In the downstream FortiGate (Accounting), go to Security Fabric > Settings.
FortiAnalyzer are retrieved from the root FortiGate (Edge) when FortiGate (Accounting) connects to the root
FortiGate (Edge).
To configure the downstream FortiGate (Sales):
a. In the downstream FortiGate (Sales), go to Network > Interfaces.
b. Edit wan2:
l Set Role to WAN .
l For the interface connected to the upstream FortiGate (Marketing), set the IP/Network Mask to
192.168.135.10/255.255.255.0.
2. Configure the default static route to connect to the upstream FortiGate (Marketing):
a. In the downstream FortiGate (Sales), go to Network > Static Routes:

Security Fabric 117

a. In the downstream FortiGate (Sales), go to Security Fabric > Settings.
l FortiGate IP is filled in automatically with the default static route Gateway Address of 192.168.135.11
set in the previous step.
FortiAnalyzer are retrieved from the root FortiGate (Edge) when FortiGate (Sales) connects to the root
FortiGate (Edge).
To authorize downstream FortiGates (Accounting, Marketing, and Sales) on the root FortiGate (Edge):
1. In the root FortiGate (Edge), go to Security Fabric > Settings.

The Topology field highlights two connected FortiGates with their serial numbers and asks you to authorize the
highlighted devices.
2. Select the highlighted FortiGates and select Authorize.
After they are authorized, the two downstream FortiGates (Accounting and Marketing) appear in the Topology field
in Security Fabric > Settings. This means the two downstream FortiGates (Accounting and Marketing) have
successfully joined the Security Fabric.
3. The Topology field now highlights the FortiGate with the serial number that is connected to the downstream
FortiGate (Marketing) and asks you to authorize the highlighted device.
4. Select the highlighted FortiGates and select Authorize.
After it is authorized, the downstream FortiGate ( Sales) appears in the Topology field in Security Fabric >
Settings. This means the downstream FortiGates (Sales) has successfully joined the Security Fabric.
To use FortiAnalyzer to authorize all the Security Fabric FortiGates:
1. Authorize all the Security Fabric FortiGates on the FortiAnalyzer side:

a. In the FortiAnalyzer, go to System Settings > Network > All Interfaces.
l Edit port1 and set IP Address/Netmask to 192.168.65.10/255.255.255.0.
b. Go to Device Manager > Unauthorized.
All the FortiGates are listed as unauthorized.
i. Select all the FortiGates and select Authorize.
The FortiGates are now listed as authorized.
After a moment, a warning icon appears beside the root FortiGate (Edge) because the FortiAnalyzer
needs administrative access to the root FortiGate (Edge) in the Security Fabric.
ii. Click the warning icon and enter the admin username and password of the root FortiGate (Edge).
2. Check FortiAnalyzer status on all the Security Fabric FortiGates:
l On each FortiGates, go to Security Fabric > Settings and check that FortiAnalyzer Logging shows Storage
usage information.

Security Fabric 118
To check Security Fabric deployment result:
1. On FortiGate (Edge), go to Dashboard > Status.

The Security Fabric widget displays all the FortiGates in the Security Fabric.
2. On FortiGate (Edge), go to Security Fabric > Physical Topology.

This page shows a visualization of access layer devices in the Security Fabric.
3. On FortiGate (Edge), go to Security Fabric > Physical Topology.

This dashboard shows information about the interfaces of each device in the Security Fabric.
To run diagnose commands:
1. Run the diagnose sys csf authorization pending-list command in the root FortiGate to show the
downstream FortiGate pending for root FortiGate authorization:
Edge # diagnose sys csf authorization pending-list
Serial IP Address HA-Members Path

Security Fabric 119
------------------------------------------------------------------------------------
FG201ETK18902514 0.0.0.0 FG3H1E5818900718:FG201ETK18902514
2. Run the diagnose sys csf downstream command in the root or middle FortiGate to show the downstream
FortiGates after they join Security Fabric:
Edge # diagnose sys csf downstream
1: FG201ETK18902514 (192.168.200.10) Management-IP: 0.0.0.0 Management-port:0 parent:
FG3H1E5818900718
path:FG3H1E5818900718:FG201ETK18902514
data received: Y downstream intf:wan1 upstream intf:port11 admin-port:443
authorizer:FG3H1E5818900718
2: FGT81ETK18002246 (192.168.10.10) Management-IP: 0.0.0.0 Management-port:0 parent:
FG3H1E5818900718
path:FG3H1E5818900718:FGT81ETK18002246
FG201ETK18902514
path:FG3H1E5818900718:FG201ETK18902514:FG101ETK18002187
3. Run the diagnose sys csf upstream command in any downstream FortiGate to show the upstream
FortiGate after downstream FortiGate joins Security Fabric:
Marketing # diagnose sys csf upstream
Upstream Information:
Serial Number:FG3H1E5818900718
IP:192.168.200.2
Connecting interface:wan1
Connection status:Authorized
Security Fabric over IPsec VPN
This recipe provides an example of configuring Security Fabric over IPsec VPN.
The following sample topology shows a downstream FortiGate (HQ2) connected to the root FortiGate (HQ1) over IPsec
VPN to join Security Fabric.

Security Fabric 120
To configure the root FortiGate (HQ1):
a. In the root FortiGate (HQ1), go to Network > Interfaces.
b. Edit port2:
l Set Role to WAN .
l For the interface connected to the Internet, set the IP/Network Mask to 10.2.200.1/255.255.255.0
c. Edit port6:
l Set Role to DMZ.
l For the interface connected to FortiAnalyzer, set the IP/Network Mask to 192.168.8.250/255.255.255.0
2. Configure the static route to connect to the Internet:
a. Go to Network > Static Routes and click Create New.
l Set Interface to port2.
3. Configure IPsec VPN:
a. Go to VPN > IPsec Wizard.
l Set VPN Name to To-HQ2.
l Set Template Type to Custom.
l Click Next.
l Set Authentication to Method.
l Set Pre-shared Key to 123456.
b. Leave all other fields in their default values and click OK.
4. Configure the IPsec VPN interface IP address which will be used to form Security Fabric:
a. Go to Network > Interfaces.
b. Edit To-HQ2:
l Set Role to LAN.
l Set the IP/Network Mask to 10.10.10.1/255.255.255.255.
l Set Remote IP/Network Mask to 10.10.10.3/255.255.255.0.
5. Configure IPsec VPN local and remote subnet:
a. Go to Policy & Objects > Addresses.
l Click Create New
l Set Name to To-HQ2_local_subnet_1.
l Set IP/Network Mask to 192.168.8.0/24.
l Click OK.
l Click Create New
l Set Name to To-HQ2_remote_subnet_1.
l Click OK.

Security Fabric 121
l Click Create New

l Click OK.
6. Configure IPsec VPN static routes:
l For Named Address, select Type and select To-HQ2_remote_subnet_1.
l Set Interface to To-HQ2.
l Click OK.
l Set Interface to Blackhole.
l Set Administrative Distance to 254.
l Click OK.
7. Configure IPsec VPN policies:
a. Go to Policy & Objects > IPv4 Policy and click Create New.
l Set Name to vpn_To-HQ2_local.
l Set Incoming Interface to port6.
l Set Outgoing Interface to To-HQ2.
l Set Source to To-HQ2_local_subnet_1.
l Set Destination to To-HQ2_remote_subnet_1.
l Disable NAT.
l Set Name to vpn_To-HQ2_remote.
l Set Incoming Interface to To-HQ2.
l Set Outgoing Interface to port6.
l Set Source to To-HQ2_remote_subnet_1, To-HQ2_remote_subnet_2.
l Set Destination to To-HQ2_local_subnet_1.
l Enable NAT.
a. Go to Security Fabric > Settings.
l Set Group name to Office-Security-Fabric.
l In FortiTelemetry enabled interfaces, add VPN interface To-HQ2.
l Set IP address to the FortiAnalyzer IP of 192.168.8.250.
After FortiGate Telemetry is enabled, FortiAnalyzer automatically enables Logging and Upload is set to Real
Time.

Security Fabric 122
To configure the downstream FortiGate (HQ2):
l Set Role to WAN .
l For the interface connected to the Internet, set the IP/Network Mask to 192.168.7.3/255.255.255.0.
c. Edit interface vlan20:
l Set Role to LAN.
l For the interface connected to local endpoint clients, set the IP/Network Mask to
10.1.100.3/255.255.255.0.
2. Configure the static route to connect to the Internet:
3. Configure IPsec VPN:
a. Go to VPN > IPsec Wizard.
l Set VPN Name to To-HQ1.
l Set Template Type to Custom.
l Click Next.
l In the Network IP Address, enter 10.2.200.1.
l Set Authentication to Method.
l Set Pre-shared Key to 123456.
b. Leave all other fields in their default values and click OK.
4. Configure the IPsec VPN interface IP address which will be used to form Security Fabric:
b. Edit To-HQ1:
l Set Role to WAN .
l Set the IP/Network Mask to 10.10.10.3/255.255.255.255.
l Set Remote IP/Network Mask to 10.10.10.1/255.255.255.0.0.
5. Configure IPsec VPN local and remote subnet:
a. Go to Policy & Objects > Addresses.
l Click Create New
l Set Name to To-HQ1_local_subnet_1.
l Click OK.
l Click Create New

Security Fabric 123

Click OK.
l
6. Configure IPsec VPN static routes:

l Set Interface to To-HQ1.
l Click OK.
l Set Interface to Blackhole.
l Set Administrative Distance to 254.
l Click OK.
7. Configure IPsec VPN policies:
l Set Name to vpn_To-HQ1_local.
l Set Incoming Interface to vlan20.
l Set Outgoing Interface to To-HQ1.
l Set Source to To-HQ1_local_subnet_1.
l Set Destination to To-HQ1_remote_subnet_1.
l Disable NAT.
l Set Name to vpn_To-HQ1_remote.
l Set Incoming Interface to To-HQ1.
l Set Outgoing Interface to vlan20.
l Set Source to To-HQ1_remote_subnet_1.
l Set Destination to -HQ1_local_subnet_1.
l Disable NAT.
l Set FortiGate IP to 10.10.10.1.
FortiAnalyzer are retrieved from the downstream FortiGate (HQ2) when it connects to the root FortiGate
(HQ1).

Security Fabric 124
To authorize the downstream FortiGate (HQ2) on the root FortiGate (HQ1):
1. In the root FortiGate (HQ1), go to Security Fabric > Settings.

The Topology field highlights the connected FortiGate (HQ2)with the serial number and asks you to authorize the
highlighted device.
2. Select the highlighted FortiGate and select Authorize.
After authorization, the downstream FortiGate (HQ2) appears in the Topology field in Security Fabric > Settings.
This means the downstream FortiGate (HQ2) has successfully joined the Security Fabric.
To check Security Fabric over IPsec VPN:
1. On the root FortiGate (HQ1), go to Security Fabric > Physical Topology.

The root FortiGate (HQ1) is connected by the downstream FortiGate (HQ2) with VPN icon in the middle.
2. On the root FortiGate (HQ1), go to Security Fabric > Logical Topology.

The root FortiGate (HQ1) VPN interface To-HQ2 is connected by downstream FortiGate (HQ2) VPN interface To-
HQ1 with VPN icon in the middle.
1. Run the diagnose sys csf authorization pending-list command in the root FortiGate (HQ1) to
show the downstream FortiGate pending for root FortiGate authorization:
HQ1 # diagnose sys csf authorization pending-list
Serial IP Address HA-Members
Path
------------------------------------------------------------------------------------
FG101ETK18002187 0.0.0.0
FG3H1E5818900718:FG101ETK18002187
2. Run the diagnose sys csf downstream command in the root FortiGate (HQ1) to show the downstream
FortiGate (HQ2) after it joins Security Fabric:
HQ1 # diagnose sys csf downstream
FG3H1E5818900718
path:FG3H1E5818900718:FG101ETK18002187
data received: Y downstream intf:To-HQ1 upstream intf:To-HQ2 admin-port:443
3. Run the diagnose sys csf upstream command in the downstream FortiGate (HQ2) to show the root
FortiGate (HQ1) after the downstream FortiGate joins Security Fabric:

Security Fabric 125
HQ2 # diagnose sys csf upstream

Serial Number:FG3H1E5818900718
IP:10.10.10.1
Connecting interface:To-HQ1
Viewing and controlling network risks via topology view
This recipe shows how to view and control compromised hosts via the Security Fabric > Physical Topology or Security
Fabric > Logical Topology view.
In the following topology, the downstream FortiGate (Marketing) is connected to the root FortiGate (Edge) through a
FortiSwitch (Distribution). The Endpoint Host is connected to the downstream FortiGate (Marketing) through another
FortiSwitch (Access).
This recipe consists of the following steps:

1. Configure the root FortiGate.
2. Configure the downstream FortiGate.
3. Authorize the downstream FortiGate on the root FortiGate.
4. Authorize Security Fabric FortiGates on the FortiAnalyzer.
5. View the compromised endpoint host.
6. Quarantine the compromised endpoint host.
7. Run diagnose commands.
To configure the root FortiGate:
1. Configure the interface:

a. In FortiOS on the downstream FortiGate, go to Network > Interfaces.
b. Edit port4. Set the role to WAN and set the IP/Network Mask to 192.168.5.2/255.255.255.0 for the interface
that is connected to the Internet.
c. Edit port6. Set the role to DMZ and set the IP/Network Mask to 192.168.8.2/255.255.255.0 for the interface
which is connected to FortiAnalyzer.
d. Edit port5. Set the Addressing mode to Dedicated to the FortiSiwitch for the interface which is connected to
the Distribution FortiSwitch.
e. Return to Network > Interfaces and click Create New. For the new interface, set the name to vlan70, Type to
VLAN, Interface to port5, VLAN ID to 70, Role to LAN, and IP/Network Mask to 192.168.7.2/255.255.255.0
2. Authorize the Distribution FortiSwitch:
a. Go to WiFi & Switch Controller > Managed FortiSwitch.
b. Click the FortiGate icon, then click Edit. Set the Name to Distribution-Switch, enable the Authorized option,
then click OK.
c. Click the FortiSwitch port1 icon. For port1's Native VLAN, select vlan70.

Security Fabric 126
3. Configure the default static route to connect to the root FortiGate. Go to Network > Static Routes. Set the
Destination to 0.0.0.0/0.0.0.0, select port4 as the Interface, and set the Gateway Address as 192.168.5.254.
4. Configure the Security Fabric:
b. Enable FortiGate Telemetry.
c. Configure a group name.
d. In FortiTelemetry enabled interfaces, add vlan70.
e. FortiAnalyzer logging is enabled and the Upload option is set to Real Time after FortiGate Telemetry is
enabled. Set the IP address to the FortiAnalyzer IP address, which in this example is 192.168.8.250.
FortiAnalyzer settings will be retrieved when the downstream FortiGate connects to the root FortiGate.
5. Create a policy to access the Internet. Go to Policy & Objects > IPv4 Policy. Click Create New, and configure the
policy as follows:
a. Set the Name to Access-internet1.
b. Set the Source Interface to vlan70 and the Destination Interface to port4.
c. Set the Source Address to all and the Destination Address to all.
d. Set the Action to ACCEPT.
e. Set the Schedule to Always.
f. Set the Service to ALL.
g. Enable NAT.
h. Set the IP Pool Configuration to Use Outgoing Interface Address.
6. Create an address for the FortiAnalyzer:
a. Go to Policy & Objects > Addresses. Click Create New, then Address.
b. Set the Name to FAZ-addr.
c. Set the Type to Subnet.
d. Set the Subnet/IP Range to 192.168.8.250/32.
e. Set the Interface to Any.
7. Create a policy for the downstream FortiGate to access the FortiAnalyzer. Go to Policy & Objects > IPv4 Policy.
Click Create New, and configure the policy as follows:
a. Set the Name to Access-Resources.
b. Set the Source Interface to vlan70 and the Destination Interface to port6.
c. Set the Source Address to all and the Destination Address to FAZ-addr.
g. Enable NAT.
To configure the downstream FortiGate:
1. Configure the interface:

a. In FortiOS on the downstream FortiGate, go to Network > Interfaces.
b. Edit wan1. Set the role to WAN and set the IP/Network Mask to 192.168.7.3/255.255.255.0 for the interface
that is connected to the root FortiGate.
c. Edit wan2. Set the Addressing mode to Dedicated to the FortiSiwitch for the interface which is connected to
the Access FortiSwitch.

Security Fabric 127
d. Return to Network > Interfaces and click Create New. For the new interface, set the name to vlan20, Type to
VLAN, Interface to wan2, VLAN ID to 20, Role to LAN, and IP/Network Mask to 10.1.100.3/255.255.255.0.
2. Authorize the Access FortiSwitch:
a. Go to WiFi & Switch Controller > Managed FortiSwitch.
b. Click the FortiGate icon, then click Edit. Set the Name to Access-Switch, enable the Authorized option, then
click OK.
c. Click the FortiSwitch port2 icon. For port2's Native VLAN, select vlan20.
3. Configure the default static route to connect to the root FortiGate. Go to Network > Static Routes. Set the
Destination to 0.0.0.0/0.0.0.0, select wan1 as the Interface, and set the Gateway Address as 192.168.7.2.
4. Configure the Security Fabric:
b. Enable FortiGate Telemetry.
c. Under FortiGate Telemetry, enable Connect to upstream FortiGate.
d. Configure the FortiGate IP to 192.168.7.2.
e. In FortiTelemetry enabled interfaces, add vlan20.
f. FortiAnalyzer logging is enabled after FortiGate Telemetry is enabled. FortiAnalyzer settings will be retrieved
when the downstream FortiGate connects to the root FortiGate.
5. Create a policy to access the Internet. Go to Policy & Objects > IPv4 Policy. Click Create New, and configure the
policy as follows:
a. Set the Name to Access-internet2.
b. Set the Source Interface to vlan20 and the Destination Interface to wan1..
c. Set the Source Address to all and the Destination Address to all.
g. Enable NAT.
i. Choose the default Web Filter profile.
To authorize the downstream FortiGate on the root FortiGate:
1. In FortiOS on the root FortiGate, go to Security Fabric > Settings. In the Topology field, a highlighted FortiGate
with a serial number is connecting to the root FortiGate, and a highlighted warning asks for authorization of the
highlighted device.
2. Click the highlighted FortiGate, then select Authorize. After authorization, the downstream FortiGate appears in
the Topology field in Security Fabric > Settings, meaning that the downstream FortiGate joined the Security
Fabric successfully.
To authorize Security Fabric FortiGates on the FortiAnalyzer:
1. Ensure that the FortiAnalyzer firmware is 6.2.0 or a later version.

2. In FortiAnalyzer, go to Device Manager > Unauthorized. All FortiGates are listed as unauthorized. Select all
FortiGates, then select authorize. The FortiGates now appear as authorized.
3. After a moment, a warning icon appears beside the root FortiGate since the FortiAnalyzer needs administrative
access to the root FortiGate in the Security Fabric. Click the warning icon, then enter the admin user and password
for the root FortiGate.

Security Fabric 128
To view the compromised endpoint host:
1. Test that FortiGate detects a compromised endpoint host by opening a browser on the endpoint host and entering
a malicious website URL. The browser displays a Web Page Blocked! warning and does not allow access to the
website.
2. In FortiOS on the root FortiGate, go to Security Fabric > Physical Topology. The endpoint host, connected to the
Access FortiSwitch, is highlighted in red. Mouse over the endpoint host to view a tooltip that shows the IoC verdict.
The endpoint host is compromised.
3. Go to Security Fabric > Logical Topology. The endpoint host, connected to the downstream FortiGate, is
highlighted in red. Mouse over the endpoint host to view a tooltip that shows the IoC verdict. The endpoint host is
compromised.
To quarantine the compromised endpoint host:
1. In FortiOS on the root FortiGate, go to Security Fabric > Physical Topology.

2. Right-click the endpoint host and select Quarantine Host. Click OK to confirm the confirmation dialog.
3. Go to Monitor > Quarantine Monitor. From the dropdown list at the top right corner, select All FortiGates. The
quarantined endpoint host displays in the content pane.
4. On the endpoint host, open a browser and visit a website such as https://fortinet.com. If the website cannot be
accessed, this confirms that the endpoint host is quarantined.
1. To show the downstream FortiGate after it joins the Security Fabric, run the diagnose sys csf downstream
command in the root FortiGate (Edge) CLI. The output should resemble the following:
Edge # diagnose sys csf downstream
FG201ETK18902514
path:FG201ETK18902514:FG101ETK18002187
data received: Y downstream intf:wan1 upstream intf:vlan70 admin-port:443
authorizer:FG201ETK18902514
2. To show the upstream FortiGate after the downstream FortiGate joins the Security Fabric, run the diagnose
sys csf upstream command in the downstream FortiGate (Marketing) CLI. The output should resemble the
following:
Marketing # diagnose sys csf upstream
Serial Number:FG201ETK18902514
IP:192.168.7.2
Connecting interface:wan1

Security Fabric 129
3. To show the quarantined endpoint host in the connected FortiGate, run the following commands in the
downstream FortiGate (Marketing) CLI:
Marketing # show user quarantine
config user quarantine
config targets
edit "PC2"
set description "Manually quarantined"
config macs
edit 00:0c:29:3d:89:39
set description "manual-qtn Hostname: PC2"
next
end
next
end
end

FortiView
Introduction
This topic provides a general guide to FortiView, the FortiOS log view tool, with a brief summary of its layout, features,
and how it works in daily administration scenarios.
FortiView is a comprehensive monitoring system for your network. It integrates real-time and historical data into a single
view on your FortiGate. It can log and monitor network threats, filter data on multiple levels, keep track of administration
activities, and more.
You can use multiple filters in the consoles to narrow your view to a specific time range, by user ID or local IP address,
by application, and many more.
Use FortiView to investigate traffic activity such as user uploads/downloads or videos watched on YouTube. You view
the traffic on the whole network, by user group, or by individual. FortiView displays the information in both text and
visual format, giving you an overall picture of your network traffic activity so that you can quickly decide on actionable
items.
Logging range and depth depends on the FortiGate model.
The following are just some of the FortiView categories:
l Source
l Destination
l Application
l Cloud Application
l Country
l Website
l Threat
l All Sessions
l Failed Authentication Attempt
l System Events
l Admin Login
l VPN Login
l FortiSandbox
l Policy
l Interface
l WiFi Clients
l Threat Map
l Traffic Shaping
l Endpoint Vulnerability
FortiOS has widgets that you can use to further customize these categories. You can place widgets where you want on
dashboards. You can also customize widgets to show information that is most important to you, such as the time range,
source logging device, and other information.

FortiView 131
FortiView is integrated with many UTM functions and each release adds more features. For example, you can
quarantine an IP address directly in FortiView or create custom devices and addresses from a FortiView entry.
FortiView from disk
Prerequisites
All FortiGates with an SSD disk.
Restrictions
l Desktop models (for example: under 100D) with SSD only supports five minutes and one hour view.
l Medium models (for example: 200D, 500D) with SSD supports up to 24 hours view.
l Large models (for example: 1500D and above) with SSD supports up to seven days view.
l Confirm that the setting is enabled:
config log setting
set fortiview-weekly-data enable
end
Configuration
A firewall policy needs to be in place with traffic logging enabled. For best operation with FortiView, internal interface
roles should be clearly defined as LAN; DMZ and internet facing or external interface roles should be defined as WAN.
To enable FortiView from Disk:
1. Enable disk logging from the FortiGate GUI.

a. Go to Log & Report > Log Settings > Local Log.
b. Select the checkbox next to Disk.
2. Enable historical FortiView from the FortiGate GUI.
a. Go to Log & Report > Log Settings > Local Log.
b. Select the checkbox next to Enable Historical FortiView.
3. Click Apply.

FortiView 132
To include sniffer traffic and local-deny traffic when FortiView from Disk:
This feature is only supported through the CLI.

config report setting
set report-source forward-traffic sniffer-traffic local-deny-traffic
end
Source View
Top Level
Sample entry:
Time l Realtime or Now entries are determined by the FortiGate's system session list.
l Historical or 5 minutes and later entries are determined by traffic logs, with additional
information coming from UTM logs.
Graph l The graph shows the bytes sent/received in the time frame. Realtime does not include a
chart.
l Users can customize the time frame by selecting a time period within the graph.
Bubble Chart l Bubble chart shows the same information as the table, but in a different graphical
manner.
Columns l Source shows the IP address (and user as well as user avatar if configured) of the source
device.
l Device shows the device information as listed in User & Device > Device Inventory.
Device detection should be enabled on the applicable interfaces for best function.
l Threat Score is the threat score of the source based on UTM features such as Web Filter
and antivirus. It shows threat scores allowed and threat scores blocked.
l Bytes is the accumulated bytes sent/received. In realtime, this is calculated from the
session list, and in historical it is from logs.
l Sessions is the total sessions blocked/allowed. In realtime, this is calculated from the
session list, and in historical it is from logs.
l Source is a simplified version of the first column, including only the IP address without
extra information.
l Source Interface is the interface from which the traffic originates. In realtime, this is
calculated from the session list, and in historical it is from the logs.
l More information can be shown in a tooltip while hovering over these entries.
l For realtime, two more columns are available, Bandwidth and Packets, both of which
come from the session list.

FortiView 133
Drilldown Level
Sample entry:
Graph l The graph shows the bytes sent/received in the time frame. Realtime does not include a
chart.
l Users can customize the time frame by selecting a time period within the graph.
Summary l Shows information such as the user/avatar, avatar/source IP, bytes, and sessions total
Information for the time period.
l Can quarantine host (access layer quarantine) if they are behind a FortiSwitch or
FortiAP.
l Can ban IP addresses, adds the source IP address into the quarantine list.
Tabs l Drilling down entries in any of these tabs (except sessions tab) will take you to the
underlying traffic log in the sessions tab.
l Applications shows a list of the applications attributed to the source IP. This can include
scanned applications (using Application Control in a firewall policy or unscanned
applications.
config log gui-display
set fortiview-unscanned-apps enable
end
l Destinations shows destinations grouped by IP address/FQDN.
l Threats lists the threats caught by UTM profiles. This can be from antivirus, IPS, Web
Filter, Application Control, etc.
l Web Sites contains the websites which were detected either with webfilter, or through
FQDN in traffic logs.
l Web Categories groups entries into their categories as dictated by the Web Filter
Database.
l Search Phrases shows entries of search phrases on search engines captured by a Web
Filter UTM profile, with deep inspection enabled in firewall policy.
l Policies groups the entries into which polices they passed through or were blocked by.
l Sessions shows the underlying logs (historical) or sessions (realtime). Drilldowns from
other tabs end up showing the underlying log located in this tab.
l More information can be shown in a tooltip while hovering over these entries.

FortiView 134
Troubleshooting
l Use diagnose debug application httpsd -1 to check which filters were passed through httpsd.
For example:
[httpsd 3163 - 1546543360 info] api_store_parameter[227] -- add API parameter 'filter':
'{ "source": "10.1.100.30", "application": "TCP\/5228", "srcintfrole": [ "lan",
"dmz", "undefined" ] }' (type=object)
l Use diagnose debug application miglogd 0x70000 to check what the SQL command is that is
passed to the underlying SQL database.
For example:
fortiview_request_data()-898: total:31 start:1546559580 end:1546563179
_dump_sql()-799: dataset=fv.general.chart, sql:select a.timestamp1,ses_al,ses_
bk,r,s,ifnull(sc_l,0),ifnull(sc_m,0),ifnull(sc_h,0),ifnull(sc_c,0) from (select
timestamp-(timestamp%60) timestamp1 ,sum(case when passthrough<>'block' then
sessioncount else 0 end) ses_al,sum(case when passthrough='block' then sessioncount
else 0 end) ses_bk,sum(rcvdbyte) r,sum(sentbyte) s from grp_traffic_all_src where
timestamp BETWEEN 1546559580 and 1546563179 and 1=1 AND srcip in ('10.1.100.11')
AND srcintfrole in ('lan','dmz','undefined') group by timestamp1 ) a left join
(select timestamp-(timestamp%60) timestamp1 ,sum(case when threat_level=1 then
crscore else 0 end) sc_l,sum(case when threat_level=2 then crscore else 0 end) sc_
m,sum(case when threat_level=3 then crscore else 0 end) sc_h,sum(case when threat_
level=4 then crscore else 0 end) sc_c from grp_threat where timestamp BETWEEN
1546559580 and 1546563179 and 1=1 AND srcip in ('10.1.100.11') AND srcintfrole in
('lan','dmz','undefined') group by timestamp1 ) b on a.timestamp1 = b.timestamp1;
takes 40(ms), agggr:0(ms)
l Use exe report flush-cache and exe report recreate-db to clear up any irregularities that may be
caused by upgrading or cache issues.
FortiView from FortiAnalyzer
Attaching a FortiAnalyzer to the FortiGate increases the functionality of FortiView . For example, it adds the
Compromised Hosts view.
The following devices are required:
l A FortiGate or FortiOS
l A compatible FortiAnalyzer (see https://docs.fortinet.com/document/fortianalyzer/6.2.0/compatibility-with-
fortios)
To enable FortiView from FortiAnalyzer:
1. On the FortiGate, go to Security Fabric > Settings.

2. Turn on FortiAnalyzer Logging and enter the IP address of the FortiAnalyzer device.

FortiView 135
3. Click Test Connectivity. A message will be shown stating that the FortiGate is not authorized on the FortiAnalyzer.
4. On the FortiAnalyzer, go to Device Manager.

5. In the device list, right click the just added FortiGate, then click Authorize.
6. On the FortiGate, go to Security Fabric > Settings and click Test Connectivity to confirm that the device is now
authorized.
7. Go to FortiView > Sources.

8. Select a time range other than now from the drop-down list to view historical data.

FortiView 136
9. From the source drop-down list, select FortiAnalyzer.
All the historical information now comes from the FortiAnalyzer.

Network Configurations
DNS
Introduction
DNS (Domain Name System) is used by devices connecting to the Internet to locate websites by mapping a domain
name to a website’s IP address. For example, a DNS server maps the domain name www.fortinet.com to the IP address
66.171.121.34.
A FortiGate can serve different roles based on user requirements:
l A FortiGate can control which DNS serves network uses.
l A FortiGate can function as a DNS server.
l FortiGuard Dynamic Domain Name Service (DDNS) allows a remote administrator to access a FortiGate's Internet-
facing interface using a domain name that remains constant even when its IP address changes.
FortiOS supports DNS configuration for both IPv4 and IPv6 addressing. When a user requests a website, the FortiGate
looks to the configured DNS servers to provide the IP address of the website in order to know which server to contact to
complete the transaction.
The FortiGate queries the DNS servers whenever it needs to resolve a domain name into an IP address, such as for
NTP or web servers defined by their domain names.
FGT_A (dns) # set
*primary Primary DNS server IP address.
secondary Secondary DNS server IP address.
dns-over-tls Enable/disable/enforce DNS over TLS.
ssl-certificate Name of local certificate for SSL connections.
domain Search suffix list for hostname lookup.
ip6-primary Primary DNS server IPv6 address.
ip6-secondary Secondary DNS server IPv6 address.
timeout DNS query timeout interval in seconds (1 - 10).
retry Number of times to retry (0 - 5).
dns-cache-limit Maximum number of records in the DNS cache.
dns-cache-ttl Duration in seconds that the DNS cache retains information.
cache-notfound-responses Enable/disable response from the DNS server when a record is not
in cache.
source-ip IP address used by the DNS server as its source IP.
FGT_A (dns) # set
Important DNS commands
dns-over-tls
FortiGate version 6.2 adds DNS over TLS (DoT) support. DoT is a security protocol for encrypting and wrapping DNS
queries and answers via the Transport Layer Security (TLS) protocol.

FGT_A (dns) # set dns-over-tls

disable Disable DNS over TLS.
enable Use TLS for DNS queries if TLS is available.
enforce Use only TLS for DNS queries. Does not fall back to unencrypted DNS queries if TLS
is unavailable.
cache-notfound-responses
When you enable DNS cache not found responses, any DNS requests that are returned with NOT FOUND can be stored
in the cache. When enabled, the DNS server is not asked to resolve the host name for NOT FOUND entries.
config system dns
set cache-notfound-responses enable
end
dns-cache-limit
This command enables you to set how many DNS entries are stored in the cache. Entries that remain in the cache
provide a quicker response to requests than going out to the Internet to get the same information.
config system dns
set dns-cache-limit 2
end
dns-cache-ttl
This command enables you to set how long entries remain in the cache.
FGT_A (dns) # set dns-cache-limit
dns-cache-limit Enter an integer value from <0> to <4294967295> (default = <5000>).
DNS troubleshooting
The FortiGate CLI can collect the following list of DNS debug information.
FGT_A (global) # diagnose test application dnsproxy
worker idx: 0
1. Clear DNS cache
2. Show stats
3. Dump DNS setting
4. Reload FQDN
5. Requery FQDN
6. Dump FQDN
7. Dump DNS cache
8. Dump DNS DB
9. Reload DNS DB
10. Dump secure DNS policy/profile
11. Dump Botnet domain
12. Reload Secure DNS setting
13. Show Hostname cache
14. Clear Hostname cache
15. Show SDNS rating cache
16. Clear SDNS rating cache
17. DNS debug bit mask
99. Restart dnsproxy worker

The example below shows useful information about the ongoing DNS connection.
Important fields include:
tls 1 if the connection is TLS. 0 for non-TLS connection.

rt Round trip time of the DNS latency.
probe The number of probes sent.
FGT_A (global) # diagnose test application dnsproxy 3

worker idx: 0
vdom: root, index=0, is master, vdom dns is disabled, mip-169.254.0.1 dns_log=1 tls=0 cert=
dns64 is disabled
vdom: vdom1, index=1, is master, vdom dns is enabled, mip-169.254.0.1 dns_log=1 tls=0 cert=
dns64 is disabled
dns-server:208.91.112.220:53 tz=-480 tls=0 req=0 to=0 res=0 rt=0 rating=1 ready=0 timer=37
probe=9 failure=0 last_failed=0
dns-server:8.8.8.8:53 tz=0 tls=0 req=73 to=0 res=73 rt=5 rating=0 ready=1 timer=0 probe=0 fail-
ure=0 last_failed=0
dns-server:65.39.139.63:53 tz=0 tls=0 req=39 to=0 res=39 rt=1 rating=0 ready=1 timer=0 probe=0
failure=0 last_failed=0
DNS_CACHE: hash-size=2048, ttl=1800, min-ttl=60, max-num=-1
DNS FD: udp_s=12 udp_c=17:18 ha_c=22 unix_s=23, unix_nb_s=24, unix_nc_s=25
v6_udp_s=11, v6_udp_c=20:21, snmp=26, redir=13, v6_redir=14
DNS FD: tcp_s=29, tcp_s6=27, redir=31 v6_redir=32
FQDN: hash_size=1024, current_query=1024
DNS_DB: response_buf_sz=131072
LICENSE: expiry=2015-04-08, expired=1, type=2
FDG_SERVER:208.91.112.220:53
FGD_CATEGORY_VERSION:8
SERVER_LDB: gid=eb19, tz=-480, error_allow=0
FGD_REDIR_V4:208.91.112.55 FGD_REDIR_V6:
DNS proxy performance enhancement
For a FortiGate with multiple CPUs, version 6.2 adds a new CLI command to allow the customer to set the DNS process
number from 1 to the number of CPUs. The default DNS process number is 1.
set dnsproxy-worker-count 4
end
Note: The range of dnsproxy-worker-count is 1 to the number of CPUs that the FortiGate has.
To debug DNS proxy on the worker ID, use the following command. The following example runs test commands on the
second dnsproxy worker. If you do not specify worker ID, the default worker ID is 0.
#diagnose test application dnsproxy 7 1

Similarly, the following command enables debug on the second worker.

#diagnose debug application dnsproxy -1 1
For debugging, you can also enable it on all workers by specifying -1 as worker ID.
#diagnose debug application dnsproxy -1 -1
DNS local domain list
End-users who commonly use incomplete URLs without a domain (for example: http://host1) rely on the proxy to locate
the domain and resolve the address. If the configured domain is company.com and the URL is http://host1, the DNS
feature will send a request for host1.company.com to a DNS server for the IP address. If you have local Microsoft
domains on the network, you can enter a domain name in the Local Domain Name field. In situations where all three
fields are configured, the FortiGate first looks to the local domain, and if no match is found, sends a request to the
external DNS servers.
Whenever a client requests a URL which does not include a fully qualified domain name (FQDN), FortiGate resolves the
URL by traversing through the DNS suffix list and doing a DNS query for each entry until the first match.
Sample configuration
To configure a FortiGate's DNS domain list in the GUI:
1. By default, FortiGate is configured to use FortiGuard's DNS servers which are primary (208.91.112.53) and
secondary (208.91.112.52).
2. To configure the DNS server addresses, go to Network > DNS and select Specify, then enter the preferred DNS
server addresses.
For example: 172.16.200.1 as the primary DNS server and 172.16.200.2 as the secondary.
3. FortiGate supports a total of eight local domain lists.
To configure a FortiGate's DNS domain list in the CLI:
Additional DNS configuration options are available in the CLI using the config system dns command.
New CLI commands added in 6.2 allow users to set up to eight domains. Retry Time and Timeout values can be
configured to define how many attempts the FortiGate makes to search a particular domain and when FortiGate gives
up on the domain.
FGT_B (dns) # set domain
*domain DNS search domain list separated by space (maximum 8 domains)
config system dns

set primary 172.16.200.1
set domain "sample.com" "example.com" "domainname.com"
end
FG3H1E5818900749 (global) # config system dns
FG3H1E5818900749 (dns) # set

*primary Primary DNS server IP address.
secondary Secondary DNS server IP address.
domain Search suffix list for hostname lookup.

ip6-primary Primary DNS server IPv6 address.

ip6-secondary Secondary DNS server IPv6 address.
timeout DNS query timeout interval in seconds (1 - 10).
retry Number of times to retry (0 - 5).
dns-cache-limit Maximum number of records in the DNS cache.
dns-cache-ttl Duration in seconds that the DNS cache retains information.
cache-notfound-responses Enable/disable response from the DNS server when a record is not
in cache.
source-ip IP address used by the DNS server as its source IP.
FG3H1E5818900749 (dns) # set timeout

timeout Enter an integer value from <1> to <10> (default = <5>).
FG3H1E5818900749 (dns) # set retry

retry Enter an integer value from <0> to <5> (default = <2>).
DNS local domain example
In the example below, the local domain resolves host1 to 1.1.1.1 and host2 to 2.2.2.2. The local DNS server has
an entry for host1 mapped to the FQDN of host1.sample.com and a second entry for host2 mapped to the FQDN of
host2.example.com.
ping host1
PING host1.sample.com (1.1.1.1): 56 data bytes
ping host2
PING host2.example.com (2.2.2.2): 56 data bytes
Using FortiGate as a DNS server
This topic provides the following sample configurations:

l About using a DNS server to resolve internal and external requests
l About using an internal DNS server for internal requests and a public DNS server for external requests
You can also create local DNS servers for your network. Depending on your requirements, you can manually maintain
your entries (master DNS server) or use it as a jumping point where the server refers to an outside source (slave DNS
server).
In version 6.2, FortiGate as a DNS server also supports TLS connections to a DNS client.
Sample configuration about DNS servers
This section describes how to set up a FortiGate to use a DNS server for resolving internal and external requests.
To configure FortiGate as a DNS server using the GUI:
1. Ensure the DNS Database feature is visible.

a. Go to System > Feature Visibility and ensure DNS Database is enabled.

2. Add the DNS entry to the FortiGate DNS server.

a. Go to Network > DNS Servers.
b. Under DNS Database, click Create New.
l For Type, select Master.
l For View , select Shadow .
View controls the accessibility of the DNS server. If you select Public, external users can access or use
the DNS server. If you select Shadow , only internal users can use it.
l Enter a DNS Zone, for example, WebServer.
l Enter the Domain Name of the zone, for example, fortinet.com.
l Enter the Hostname of the DNS server, for example, Corporate.
l Enter the Contact Email Address for the administrator, for example, [email protected].
l Disable Authoritative.
l Click OK.
c. Under DNS Entries, click Create New.
l Select the Type, for example, Address (A).
l Enter the Hostname, for example, example.
l Specify the remaining fields depending on the Type you select.
l Click OK.
3. Enable the DNS service on the interface.
a. Go to Network > DNS Servers.
b. Under DNS Service, click Create New.
l Select the Interface.
l For Mode, select Recursive.
l Click OK.
To configure FortiGate as a DNS server using the CLI:
config system dns-database

edit "example"
set domain "fortinet.com"
config dns-entry
edit 1
set hostname "example"
set ip 2.3.3.4
next
end
set primary-name "Corporate"
set contact "[email protected]"
next
end
To configure DNS query using the CLI:
config system dns-server

edit wan1
set mode recursive
end

Run dig to query the FortiGate DNS server. Dig (Domain Information Grouper) is a Unix-like network administration
command line tool for querying DNS servers.
root@PC05:~# dig @172.16.200.1 example.fortinet.com
; <<>> DiG 9.11.0-P1 <<>> @172.16.200.1 example.fortinet.com

; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51137
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;example.fortinet.com. IN A
;; ANSWER SECTION:
example.fortinet.com. 86400 IN A 2.3.3.4
;; Query time: 0 msec

;; SERVER: 172.16.200.1#53(172.16.200.1)
;; WHEN: Thu Jan 10 10:24:01 PST 2019
;; MSG SIZE rcvd: 54
Sample configuration about internal and public DNS servers
This section describes how to set up a FortiGate to use an internal DNS server for resolving internal requests and a
public DNS server for resolving external requests.
To configure FortiGate using the CLI:
1. Set up a forwarder for the DNS database:

In this example, an IP address of 172.16.100.100 is used to resolve the domain fortinet.com:
config system dns-database
edit "corp"
set domain "fortinet.com"
set authoritative disable
set forwarder "172.16.100.100"
next
2. Set up a listening interface:
In this example, you are setting up the listening interface to connect to the host.
FGT_A (dns-server) # show
edit "wan1"
next
end
3. Set the system DNS to 8.8.8.8 for all other queries:
config system dns
set primary 8.8.8.8
end

Technical information
The Type of the DNS Database Zone can be one of the following:
l A Master zone is an editable version of a zone.

l A Slave zone is a synchronized read-only copy from another DNS server that holds the master zone.
The View of the DNS Database Zone can be one of the following:
l Public view is usually a general (outside) view of a DNS zone.

l Shadow views in this context are used to present a different view of a zone to local networks, that is, shadow view
might contain different IPs and names).
The DNS Database Zone can be one of the following categories:
l An Authoritative zone claims to hold all existing entries concerning this zone. A DNS server holding an authoritative
zone serves requests to this zone only from its local zone file, that is, it does not perform additional recursive
requests such as matching this zone to other defined DNS servers for zone records which do not exist in this zone
file.
l An Unauthoritative zone serves the records it holds itself from the local zone file and performs recursive request to
other defined DNS servers for requests that match the zone but are not listed in the local zone file.
The Mode of the DNS Service can be one of the following:
l Recursive DNS servers performs DNS lookups to other defined DNS servers for any zone requests they cannot
fulfill from local files.
l Non-recursive DNS servers only serve from local zone files.
l Forward to system DNS forwards the query to the FortiGate's configured system DNS.
FortiGuard DDNS
If your ISP changes your external IP address regularly and you have a static domain name, you can configure the
external interface to use a dynamic DNS (DDNS) service. This ensures that external users and customers can always
connect to your company firewall. If you have a FortiGuard subscription, you can use FortiGuard as the DDNS server.
l FortiGate does not support DDNS for pure TP mode.

l FortiGate models 1000D and higher do not support DDNS in the GUI.
You can configure FortiGuard as the DDNS server using the GUI or CLI.

Sample topology
To configure FortiGuard as a DDNS server in the FortiGate using the GUI:
1. Go to Network > DNS and enable FortiGuard DDNS.

2. Select the Interface with the dynamic connection.
3. Specify the other fields.
To configure FortiGuard as a DDNS server in the FortiGate using the CLI:

set ddns-server-ip
set ddns-server-port
end
If you don't have a FortiGuard subscription or want to use a different DDNS server, you can configure DDNS in the CLI.
You can configure a DDNS for each interface. Only the first configured port appears in the FortiGate GUI. Additional
commands vary depending on the DDNS server you select. Use the following CLI commands:
config system ddns
edit <DDNS_ID>
set monitor-interface <external_interface>
set ddns-server <ddns_server_selection>
next
end
You can configure FortiGate to refresh DDNS IP addresses. FortiGate periodically checks the DDNS server that is
configured.

To configure FortiGate to refresh DDNS IP addresses using the CLI:
config system ddns

edit <1>
set ddns-server FortiGuardDDNS
set use-public-ip enable
set update-interval seconds
next
end
The possible values for update-interval are 60 to 2592000 seconds, and the default is 300
seconds.
When clear-text is disabled, FortiGate uses the SSL connection to send and receive (DDNS) updates.
To disable cleartext and set the SSL certificate using the CLI:
config system ddns

set clear-text disable
set ssl-certificate <cert_name>
end
A DHCP server has an override command option that allows DHCP server communications to go through DDNS to
perform updates for the DHCP client. This enforces a DDS update of the AA field every time even if the DHCP client
does not request it. This allows supporting the allow/ignore/deny client-updates options.
To enable DDNS update override using the CLI:
config system dhcp server

edit <0>
set ddns-update_override enable
next
end

SD-WAN
SD-WAN is a software-defined approach to managing Wide-Area Networks (WAN). It allows you to offload internet-
bound traffic, meaning that private WAN services remain available for real-time and mission critical applications. This
added flexibility improves traffic flow and reduces pressure on the network.
SD-WAN platforms create hybrid networks that integrate broadband and other network services into the corporate WAN
while maintaining the performance and security of real-time and sensitive applications.
SD-WAN with Application Aware Routing can measure and monitor the performance of multiple services in a hybrid
network. It uses application routing to offer more granular control of where and when an application uses a specific
service, allowing better use of the overall network.
Some of the key benefits of SD-WAN include:
l Reduced cost with transport independence across MPLS, 3G/4G LTE, and others.
l Improve business application performance thanks to increased availability and agility.
l Optimized user experience and efficiency with SaaS and public cloud applications.
SD-WAN has 3 objects:
l SD-WAN interface
Also called members, SD-WAN interfaces are the ports and interfaces that are used to run traffic. At least one
interface must be configured for SD-WAN to function; up to 255 member interfaces can be configured. See
Creating the SD-WAN interface on page 147.
l Performance-SLA
Also called health-check, performance SLAs are used to monitor member interface link quality, and to detect link
failures. They can be used to remove routes, and to reroute traffic when an SD-WAN member cannot detect the
server. They can also be used in SD-WAN rules to select the preferred member interface for forwarding traffic. See
Performace SLA - link monitoring on page 156.
l SD-WAN rule
Also called service, SD-WAN rules are used to control path selection. Specific traffic can be dynamically sent to the
best link, or use a specific route. There are five modes:
l auto: Assign interfaces a priority based on quality.
l manual: Assign interfaces a priority manually.
l priority: Assign interfaces a priority based on the link-cost-factor quality of the interface.
l sla: Assign interfaces a priority based on selected SLA settings.
l load-balance: Distribute traffic among all available links based on the load balance algorithm.
See SD-WAN rules - best quality on page 158, SD-WAN rules - lowest cost (SLA) on page 161, and SD-WAN rules -
maximize bandwidth (SLA) on page 163.
Basic SD-WAN setup
Creating the SD-WAN interface
This recipe provides an example of how to start using SD-WAN for load balancing and redundancy.

SD-WAN 148
In this example, two ISP internet connections (wan1 and wan2) use SD-WAN to balance traffic between them at 50%
each.
To configure SD-WAN using the GUI:
1. On the FortiGate, enable SD-WAN and add interfaces wan1 and wan2 as members:
a. Go to Network > SD-WAN.
b. Set the Status to Enable.
c. Click the plus icon to add members, using the ISPs' proper gateways for each member.
d. Click Apply to save your settings.

SD-WAN 149
2. Create a static route with virtual-wan-link enabled:

a. Go to Network > Static Routes.
b. Click Create New. The New Static Route page opens.
c. From the Interface drop-down list, select SD-WAN.
d. Click OK to save your changes.
3. Create a firewall policy to allow the traffic:
a. Go to Policy & Objects > IPv4 Policy.
b. Click Create New. The New Policy page opens.
c. For the Incoming Interface, select DMZ.
d. For the Outgoing Interface, select SD-WAN.
e. Configure the remaining settings as needed, then click OK to create the policy.
Outgoing traffic will balance between wan1 and wan2 at a 50:50 ratio.
To configure SD-WAN using the CLI:
1. On the FortiGate, configure the wan1 and wan2 interfaces:

edit "wan1"
set alias to_ISP1
set ip 172.16.20.1 255.255.255.0
next
edit "wan2"
set alias to_ISP2
set ip 10.100.20.1 255.255.255.0
next
end
2. Enable SD-WAN and add the interfaces as members:

config system virtual-wan-link
set status enable
config members
edit 1
set interface "wan1"
set gateway 172.16.20.2
next
edit 2
next
end
end
3. Configure a static route:

config router static
edit 1
set distance 1
set virtual-wan-link enable
next
end

SD-WAN 150
4. Configure a firewall policy:

edit 2
set name "VWL"
set srcintf "dmz"
set dstintf "virtual-wan-link"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
set nat enable
next
end
5. Use a diagnose command to check the state of the SD-WAN:

# diagnose sys virtual-wan-link member
Member(1): interface: wan1, gateway: 172.16.20.2, priority: 0, weight: 0
Using DHCP interface
This recipe provides a sample configuration for customer using the DHCP interface as SD-WAN members. SD-WAN
members can be all static IP interfaces, all DHCP interfaces, or a mix of both IP and DHCP interfaces.
In this example, we'll use a customer who has two ISP internet connections: wan1 and wan2. wan1 is a DHCP interface
and wan2 is a static IP address interface.
Sample topology
To configure DHCP interface on the GUI:
1. Enable SD-WAN and add wan1 and wan2 as SD-WAN members.

a. Go to Network > SD-WAN and ensure Status is Enable.
b. In the SD-WAN Interface Members section, click the + button and add two members: wan1 and wan2.
l For the static IP member, enter the Gateway address.
l For the DHCP member, do not change the Gateway.
c. Click Apply.

SD-WAN 151
2. Create static route and enable virtual-wan-link.

b. Click the Interface dropdown list and select SD-WAN.
c. Click OK.
3. Create policy for this traffic.
b. For the Incoming Interface, select dmz.
c. For the Outgoing Interface, select SD-WAN
d. Configure other options as needed.
e. Click OK.
Outgoing traffic is balanced between wan1 and wan2 at about 50% each.
To configure the interface on the CLI:

edit "wan1"
set alias to_ISP1
set mode dhcp
next
edit "wan2"
set alias to_ISP2
set ip 10.100.20.1 255.255.255.0
next
end
To configure SD-WAN on the CLI:

set status enable
config members
edit 1
next
edit 2
next
end
end
To configure static route on the CLI:

edit 1
set distance 1
set virtual-wan-link enable
next
end

SD-WAN 152
To configure firewall policy on the CLI:

edit 2
set name "VWL"
set srcintf "dmz"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
set nat enable
next
end
To use the diagnose command to check SD-WAN state:
# diagnose sys virtual-wan-link member

Implicit rule
SD-WAN supports five types of implicit rules (load-balance mode):

l Source IP (CLI command: source-ip-based): SD-WAN will load balance the traffic equally among its members
according to a hash algorithm based on the source IP addresses.
l Session (weight-based): SD-WAN will load balance the traffic according to the session numbers ratio among its
members.
l Spillover (usage-based): SD-WAN will use the first member until the bandwidth reaches its limit, then use the
second, and so on.
l Source-Destination IP (source-dest-ip-based): SD-WAN will load balance the traffic equally among its
members according to a hash algorithm based on both the source and destination IP addresses.
l Volume (measured-volume-based): SD-WAN will load balance the traffic according to the bandwidth ratio
among its members.
Examples
The following four examples demonstrate how to use the implicit rules (load-balance mode).

SD-WAN 153
Example 1
Outgoing traffic is equally balanced between wan1 and wan2, using source-ip-based or source-dest-ip-based mode.
Using the GUI:
1. On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static
route. See Creating the SD-WAN interface on page 147 for details.
2. Go to Network > SD-WAN Rules.
3. Edit the sd-wan rule (the last default rule).
4. For the Load Balancing Algorithm, select either Source IP or Source-Destination IP.
5. Click OK.
Using the CLI:
1. Enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static route. See Creating
the SD-WAN interface on page 147 for details.
2. Set the load balancing algorithm:
Source IP based:
set load-balance-mode source-ip-based
end
Source-Destination IP based:
set load-balance-mode source-dest-ip-based
end
Example 2
Outgoing traffic is balanced between wan1 and wan2 with a customized ratio, using weight-based mode: wan1 runs
80% of the sessions, and wan2 runs 20% of the sessions.
Using the GUI:

3. For the Load Balancing Algorithm, select Sessions.

SD-WAN 154
4. Enter 80 in the wan1 field, and 20 in the wan2 field.
5. Click OK.
Using the CLI:

set load-balance-mode weight-based
config members
edit 1
set weight 80
next
edit 2
set weight 20
next
end
end
Example 3
Outgoing traffic is balanced between wan1 and wan2 with a customized ratio, using measured-volume-based mode:
wan1 runs 80% of the volume, and wan2 runs 20% of the volume.
Using the GUI:

3. For the Load Balancing Algorithm, select Volume.
4. Enter 80 in the wan1 field, and 20 in the wan2 field.
5. Click OK.
Using the CLI:

set load-balance-mode measured-volume-based
config members
edit 1
set volume-ratio 80
next

SD-WAN 155
edit 2
set volume-ratio 20
next
end
end
Example 4
Load balancing can be used to reduce costs when internet connections are charged at different rates. For example, if
wan2 charges based on volume usage and wan1 charges a fixed monthly fee, we can use wan1 at its maximum
bandwidth, and use wan2 for overflow.
In this example, wan1's bandwidth is 10Mbps down and 2Mbps up. Traffic will use wan1 until it reaches its spillover
limit, then it will start to use wan2. Note that auto-asic-offload must be disabled in the firewall policy.
Using the GUI:
4. For the Load Balancing Algorithm, select Spillover.
5. Enter 10000 in the wan1 Ingress Spillover Threshold field, and 2000 in the wan1 Egress Spillover Threshold field.
6. Click OK.
Using the CLI:

set load-balance-mode usage-based
config members
edit 1
set spillover-threshold 2000
set ingress-spillover-threshold 10000
next
end
end

SD-WAN 156
WAN path control
Performace SLA - link monitoring
Performance SLA link monitoring measures the health of links that are connected to SD-WAN member interfaces by
sending probing signals through each link to a server and measuring the link quality based on latency, jitter, and packet
loss. If a link is broken, the routes on that link are removed, and traffic is routed through other links. When the link is
working again, the routes are reenabbled. This prevents traffic being sent to a broken link and lost.
In this example:
l Interfaces wan1 and wan2 connect to the internet through separate ISPs
l The detection server IP address is 208.91.114.182
A performance SLA is created so that, if one link fails, its routes are removed and traffic is detoured to the other link.
To configure a Performance SLA using the GUI:
2. Go to Network > Performance SLA.
3. Click Create New. The Performance SLA page opens.
4. Enter a name for the SLA and select a protocol.
5. In the Server field, enter the detection server IP address (208.91.114.182 in this example).
6. In the Participants field, select both wan1 and wan2.

SD-WAN 157
7. Configured the remaining settings as needed, then click OK.
To configure a Performance SLA using the CLI:

config health-check
edit "server"
set server "208.91.114.182"
set update-static-route enable
set members 1 2
next
end
end
To diagnose the Performance SLA status:
FGT # diagnose sys virtual-wan-link health-check

Health Check(server):
Seq(1): state(alive), packet-loss(0.000%) latency(15.247), jitter(5.231) sla_map=0x0
Performace SLA - SLA targets
SLA targets are a set of constraints that are used in SD-WAN rules to control the paths that traffic take.
The available constraints are:
l Latency threshold: Latency for SLA to make decision, in milliseconds (0 - 10000000, default = 5).
l Jitter threshold: Jitter for SLA to make decision, in milliseconds (0 - 10000000, default = 5).
l Packet loss threshold: Packet loss for SLA to make decision, in percentage (0 - 100, default = 0).
To configure Performance SLA targets using the GUI:
2. Go to Network > Performance SLA.
3. Create a new Performance SLA or edit an existing one. See Performace SLA - link monitoring on page 156.
4. Under SLA Targets, click the plus icon to add a target.

SD-WAN 158
5. Turn on or off the required constraints, and set their values.
6. Configured the remaining settings as needed, then click OK.
To configure Performance SLA targets using the GUI:

config health-check
edit "server"
set server "208.91.114.182"
set members 1 2
config sla
edit 1
set link-cost-factor latency jitter packet-loss
set latency-threshold 10
set jitter-threshold 10
set packetloss-threshold 1
next
end
next
end
end
The link-cost-factor variable is used to select which constraints are enabled.
SD-WAN rules - best quality
SD-WAN rules are used to control how sessions are distributed to SD-WAN members. Rules can be configured in one of
five modes:
l auto: Interfaces are assigned a priority based on quality.
l Manual (manual): Interfaces are manually assigned a priority.
l Best Quality (priority): Interface are assigned a priority based on the link-cost-factor of the interface.
l Lowest Cost (SLA) (sla): Interfaces are assigned a priority based on selected SLA settings. See SD-WAN rules -
lowest cost (SLA) on page 161.

SD-WAN 159
l Maximize Bandwith (SLA) (load-balance): Traffic is distributed among all available links based on the selected
load balancing algorithm. See SD-WAN rules - maximize bandwidth (SLA) on page 163.
When using Best Quality mode, SD-WAN will choose the best link to forward traffic by comparing the link-cost-factor,
selected from one of the following:
GUI CLI Description
Latency latency Select a link based on latency.
Jitter jitter Select a link based on jitter.
Packet Loss packet-loss Select a link based on packet loss.
Downstream inbandwidth Select a link based on available bandwidth of incoming traffic.
Upstream outbandwidth Select a link based on available bandwidth of outgoing traffic.
Bandwidth bibandwidth Select a link based on available bandwidth of bidirectional traffic.
custom-profile-1 custom-profile-1 Select link based on customized profile. If selected, set the following
weights:
l packet-loss-weight: Coefficient of packet-loss.
l latency-weight: Coefficient of latency.
l jitter-weight: Coefficient of jitter.
l bandwidth-weight: Coefficient of reciprocal of available
bidirectional bandwidth.
In this example, your wan1 and wan2 SD-WAN interfaces connect to two ISPs that both go to the public internet, and
you want Gmail services to use the link with the least latency.
To configure an SD-WAN rule to use Best Quality:
2. Create a new Performance SLA named google. See Performace SLA - link monitoring on page 156.
4. Click Create New. The Priority Rule page opens.
5. Enter a name for the rule, such as gmail.

SD-WAN 160
6. Configure the following settings:
Field Setting
Internet Service Google-Gmail
Strategy Best Quality
Interface preference wan1 and wan2
Measured SLA google (created in step 2).
Quality criteria Latency
7. Click OK to create the rule.
To configure an SD-WAN rule to use priority:

config health-check
edit "google"
set server "google.com"
set members 1 2
next
end
config service
edit 1
set name "gmail"
set mode priority
set internet-service enable
set internet-service-id 65646
set health-check "google"
set link-cost-factor latency
set priority-members 1 2
next
end
end
FGT # diagnose sys virtual-wan-link health-check google

Health Check(google):

SD-WAN 161

FGT # diagnose sys virtual-wan-link service 1

Service(1):
TOS(0x0/0x0), protocol(0: 1->65535), Mode(priority), link-cost-facotr(latency), link-cost-

threshold(10), health-check(google) Members:
1: Seq_num(2), alive, latency: 12.633, selected

Internet Service: Google-Gmail(65646)
As wan2 has a smaller latency, SD-WAN will put Seq_num(2) on top of Seq_num(1) and wan2 will be used to forward
Gmail traffic.
SD-WAN rules - lowest cost (SLA)
five modes:
l Best Quality (priority): Interface are assigned a priority based on the link-cost-factor of the interface. See SD-
WAN rules - best quality on page 158.
l Lowest Cost (SLA) (sla): Interfaces are assigned a priority based on selected SLA settings.
l Maximize Bandwidth (SLA) (load-balance): Traffic is distributed among all available links based on the selected
load balancing algorithm. See SD-WAN rules - maximize bandwidth (SLA) on page 163.
When using Lowest Cost (SLA) mode (sla in the CLI), SD-WAN will choose the lowest cost link that satisfies SLA to
forward traffic.
In this example, your wan1 and wan2 SD-WAN interfaces connect to two ISPs that both go to the public internet. The
cost of wan2 is less than that of wan1. You want to configure Gmail services to use the lowest cost interface, but the link
quality must meet a standard of latency: 10ms, and jitter: 5ms.
To configure an SD-WAN rule to use Lowest Cost (SLA):

SD-WAN 162
2. Create a new Performance SLA named google that includes an SLA Target 1 with Latency threshold = 10ms and
Jitter threshold = 5ms. See Performace SLA - link monitoring on page 156.
Field Setting
Strategy Lowest Cost (SLA)
Required SLA target google#1 (created in step 2).
To configure an SD-WAN rule to use sla:

config members
edit 1
set cost 10
next
edit 2
set cost 5
next
end
config health-check
edit "google"
set members 1 2
config sla
edit 1

SD-WAN 163
next
end
next
end
config service
edit 1
set name "gmail"
set mode sla
config sla
edit "google"
set id 1
next
end
next
end
end


Service(1): Address Mode(IPV4) flags=0x0
TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla)

Members:<<BR>>
1: Seq_num(2), alive, sla(0x1), cfg_order(1), selected

2: Seq_num(1), alive, sla(0x1), cfg_order(0), selected
Internet Service: Google.Gmail(65646)
When both wan1 and wan2 meet the SLA requirements, Gmail traffic will only use wan2. If only wan1 meets the SLA
requirements, Gmail traffic will only use wan1, even though it has a higher cost. If neither interface meets the
requirements, wan2 will be used.
If both interface had the same cost and both met the SLA requirements, the first link configured in set priority-
members would be used.
SD-WAN rules - maximize bandwidth (SLA)
five modes:

SD-WAN 164
l Best Quality (priority): Interface are assigned a priority based on the link-cost-factor of the interface. See SD-
WAN rules - best quality on page 158.
l Lowest Cost (SLA) (sla): Interfaces are assigned a priority based on selected SLA settings. See SD-WAN rules -
lowest cost (SLA) on page 161.
l Maximize Bandwidth (SLA) (load-balance): Traffic is distributed among all available links based on the selected
load balancing algorithm.
When using Maximize Bandwidth mode (load balance in the CLI), SD-WAN will all of the links that satisfies SLA to
forward traffic based on a round-robin load balancing algorithm.
In this example, your wan1 and wan2 SD-WAN interfaces connect to two ISPs that both go to the public internet. You
want to configure Gmail services to use both of the interface, but the link quality must meet a standard of latency:
10ms, and jitter: 5ms. This can maximize the bandwidth usage.
To configure an SD-WAN rule to use Maximize Bandwidth (SLA):
2. Create a new Performance SLA named google that includes an SLA Target 1 with Latency threshold = 10ms and
Jitter threshold = 5ms. See Performace SLA - link monitoring on page 156.

SD-WAN 165
Field Setting
Strategy Maximize Bandwidth (SLA)
Required SLA target google#1 (created in step 2).
To configure an SD-WAN rule to use SLA:

config health-check
edit "google"
set members 1 2
config sla
edit 1
next
end
next
end
config service
edit 1
set name "gmail"
set mode load-balance
config sla
edit "google"
set id 1
next
end
next
end
end
To diagnose the performance SLA status:


TOS(0x0/0x0), Protocol(0: 1->65535), Mode(load-balance)

Members:<<BR>>

SD-WAN 166
1: Seq_num(1), alive, sla(0x1), num of pass(1), selected

Internet Service: Google.Gmail(65646)
When both wan1 and wan2 meet the SLA requirements, Gmail traffic will use both wan1 and wan2. If only one of the
interfaces meets the SLA requirements, Gmail traffic will only use that interface.
If neither interface meets the requirements, the rule is not matched and traffic will try to use a following rule, but if no
rules match, traffic will still be processed with the implicit rule algorithm, see Implicit rule on page 152.
MPLS (SIP and backup) + DIA (cloud apps)
This topic covers a typical customer usage scenario where the customer's SD-WAN has two members: MPLS and DIA.
DIA is mostly used for direct Internet access to Internet applications, for example, Office365, Google applications,
Amazon, Dropbox, etc. MPLS is mostly used for SIP and works as a backup when DIA is not working.
Sample topology
This sample configures all SIP traffic to use MPLS while all other traffic uses DIA. If DIA is not working, the traffic will
use MPLS.
To configure an SD-WAN rule to use SIP and DIA using the GUI:
route.
See Creating the SD-WAN interface on page 147.
2. When you add a firewall policy, enable Application Control.
5. Enter a name for the rule, such as SIP.
6. Click the Application box to display the popup dialog box; then select the applicable SIP applications.
7. For Strategy, select Manual.
8. For Interface preference, select MPLS.
9. Click OK.
10. Click Create New to create another rule.
11. Enter a name for the rule, such as Internet.
12. Click the Address box to display the popup dialog box and select all.

SD-WAN 167
13. For Strategy, select Manual.

14. For Interface preference, select DIA.
15. Click OK.
To configure the firewall policy using the CLI:

edit 1
set name "1"
set srcintf "dmz"
set dstintf ""virtual-wan-link""
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
set utm-status enable
set fsso disable
set application-list "g-default"
set ssl-ssh-profile "certificate-inspection"
set nat enable
next
end
To configure an SD-WAN rule to use SIP and DIA using the CLI:

set status enable
config members
edit 1
set interface "MPLS"
set gateway x.x.x.x
next
edit 2
set interface "DIA"
set gateway x.x.x.x
next
end
config service
edit 1
set name "SIP"
set member 1
set internet-service-app-ctrl 34640 152305677 38938 26180 26179 30251
next
edit 2
set name "Internet"
set input-device "dmz"
set member 2
set dst "all"
next
end
end

SD-WAN 168
All SIP traffic uses MPLS. All other traffic goes to DIA. If DIA is broken, the traffic uses MPLS. If you use VPN instead of
MPLS to run SIP traffic, you must configure a VPN interface, for example vpn1, and then replace member 1 from MPLS
to vpn1 for SD-WAN member.
To use the diagnose command to check performance SLA status using the CLI:
FGT_A (root) # diagnose sys virtual-wan-link service 1
TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)

Members:<<BR>>
1: Seq_num(1), alive, selected
Internet Service: SIP(4294836224 34640) SIP.Method(4294836225 152305677) SIP.Via.NAT

(4294836226 38938) SIP_Media.Type.Application(4294836227 26180) SIP_Message(4294836228 26179)
SIP_Voice(4294836229 30251)
FGT_A (root) # diagnose sys virtual-wan-link service 2

Members:<<BR>>
Dst address: 0.0.0.0-255.255.255.255
FGT_A (root) #
FGT_A (root) # diagnose sys virtual-wan-link internet-service-app-ctrl-list

Ctrl application(SIP 34640):Internet Service ID(4294836224)
Ctrl application(SIP.Method 152305677):Internet Service ID(4294836225)
Ctrl application(SIP.Via.NAT 38938):Internet Service ID(4294836226)
Ctrl application(SIP_Media.Type.Application 26180):Internet Service ID(4294836227)
Ctrl application(SIP_Message 26179):Internet Service ID(4294836228)
Ctrl application(SIP_Voice 30251):Internet Service ID(4294836229)
FGT_A (root) #
SD-WAN traffic shaping and QoS with SD-WAN
Use traffic shaper in a firewall shaping policy to control traffic flow. You can use it to control maximum and guaranteed
bandwidth, or put certain traffic to one of the three different traffic priorities: high, medium, or low.
An advanced shaping policy can classify traffic into 30 groups. Use a shaping profile to define the percentage of the
interface bandwidth that is allocated to each group. Each group of traffic is shaped to the assigned speed limit based on
the outgoing bandwidth limit configured on the interface.
For more information, see the online help on shared policy traffic shaping and interface-based traffic shaping.

SD-WAN 169
Sample topology
This example shows a typical customer usage where the customer's SD-WAN has two member: wan1 and wan2 and
each is 10Mb/s.
An overview of the procedures to configure SD-WAN traffic shaping and QoS with SD-WAN includes:
1. Give HTTP/HTTPS traffic high priority and give FTP low priority so that if there are conflicts, FortiGate will forward
HTTP/HTTPS traffic first.
2. Even though FTP has low priority, configure FortiGate to give it a 1Mb/s guaranteed bandwidth on each SD-WAN
member so that if there is no FTP traffic, other traffic can use all the bandwidth. If there is heavy FTP traffic, it can
still be guaranteed a 1Mb/s bandwidth.
3. Traffic going to specific destinations such as a VOIP server uses wan1 to forward, and SD-WAN forwards with an
Expedited Forwarding (EF) DSCP tag 101110.
To configure SD-WAN traffic shaping and QoS with SD-WAN in the GUI:
route.
See Creating the SD-WAN interface on page 147.
2. When you add a firewall policy, enable Application Control.
3. Go to Policy & Objects > Traffic Shapers and edit low-priority.
a. Enable Guaranteed Bandwidth and set it to 1000 kbps.
4. Go to Policy & Objects > Traffic Shaping Policy and click Create New.
a. Name the traffic shaping policy, for example, HTTP-HTTPS.
b. Click the Source box and select all.
c. Click the Destination box and select all.
d. Click the Service box and select HTTP and HTTPS.
e. Click the Outgoing Interface box and select SD-WAN.
f. Enable both Shared Shaper and Reverse Shaper and select high-priority for both options.
g. Click OK.
5. Go to Policy & Objects > Traffic Shaping Policy and click Create New.
a. Name the traffic shaping policy, for example, FTP.
b. Click the Source box and select all.
c. Click the Destination box and select all.
d. Click the Service box and select FTP, FTP_GET, and FTP_PUT.
e. Click the Outgoing Interface box and select SD-WAN.

SD-WAN 170
f. Enable both Shared Shaper and Reverse Shaper and select low-priority for both options.
g. Click OK
6. Go to Network > SD-WAN Rules and click Create New.
a. Enter a name for the rule, such as Internet.
b. In the Destination section, click the Address box and select the VOIP server you created in the firewall
address.
c. For Strategy, select Manual.
d. For Interface preference, select wan1.
e. Click OK.
7. Use CLI commands to modify DSCP settings. See the DSCP CLI commands below.
To configure the firewall policy using the CLI:

edit 1
set name "1"
set srcintf "dmz"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
set nat enable
next
end
To configure the firewall traffic shaper priority using the CLI:
config firewall shaper traffic-shaper

edit "high-priority"
set maximum-bandwidth 1048576
set per-policy enable
next
edit "low-priority"
set guaranteed-bandwidth 1000
set priority low
next
end
To configure the firewall traffic shaping policy using the CLI:
config firewall shaping-policy

edit 1
set name "http-https"
set service "HTTP" "HTTPS"
set traffic-shaper "high-priority"
set traffic-shaper-reverse "high-priority"
set srcaddr "all"
set dstaddr "all"

SD-WAN 171
next
edit 2
set name "FTP"
set service "FTP" "FTP_GET" "FTP_PUT"
set traffic-shaper "low-priority"
set traffic-shaper-reverse "low-priority"
set srcaddr "all"
set dstaddr "all"
next
end
To configure SD-WAN traffic shaping and QoS with SD-WAN in the CLI:

set status enable
config members
edit 1
set gateway x.x.x.x
next
edit 2
set gateway x.x.x.x
next
end
config service
edit 1
set name "SIP"
set member 1
set dst "voip-server"
set dscp-forward enable
set dscp-forward-tag 101110
next
end
end
To use the diagnose command to check if specific traffic is attached to the correct traffic shaper:
# diagnose firewall iprope list 100015
policy index=1 uuid_idx=0 action=accept

flag (0):
shapers: orig=high-priority(2/0/134217728) reply=high-priority(2/0/134217728)
cos_fwd=0 cos_rev=0
group=00100015 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0 dd_type=0 dd_mode=0
zone(1): 0 -> zone(2): 36 38
source(1): 0.0.0.0-255.255.255.255, uuid_idx=6,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=6,
service(2):
[6:0x0:0/(1,65535)->(80,80)] helper:auto
[6:0x0:0/(1,65535)->(443,443)] helper:auto

SD-WAN 172
flag (0):
shapers: orig=low-priority(4/128000/134217728) reply=low-priority(4/128000/134217728)
cos_fwd=0 cos_rev=0
group=00100015 av=00000000 au=00000000 split=00000000
zone(1): 0 -> zone(2): 36 38
source(1): 0.0.0.0-255.255.255.255, uuid_idx=6,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=6,
service(3):
[6:0x0:0/(1,65535)->(21,21)] helper:auto
[6:0x0:0/(1,65535)->(21,21)] helper:auto
[6:0x0:0/(1,65535)->(21,21)] helper:auto
FGT_A (root) #
To use the diagnose command to check if the correct traffic shaper is applied to the session:
# dia sys session list

session info: proto=6 proto_state=01 duration=11 expire=3599 timeout=3600 flags=00000000 sock-
flag=00000000 sockport=0 av_idx=0 use=5
origin-shaper=low-priority prio=4 guarantee 128000Bps max 1280000Bps traffic 1050Bps drops 0B
reply-shaper=
per_ip_shaper=
class_id=0 shaping_policy_id=2 ha_id=0 policy_dir=0 tunnel=/ helper=ftp vlan_cos=0/255
state=may_dirty npu npd os mif route_preserve
statistic(bytes/packets/allow_err): org=868/15/1 reply=752/10/1 tuples=2
tx speed(Bps/kbps): 76/0 rx speed(Bps/kbps): 66/0
orgin->sink: org pre->post, reply pre->post dev=39->38/38->39 gwy=172.16.200.55/0.0.0.0
hook=post dir=org act=snat 10.1.100.11:58241->172.16.200.55:21(172.16.200.1:58241)
hook=pre dir=reply act=dnat 172.16.200.55:21->172.16.200.1:58241(10.1.100.11:58241)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=4
serial=0003255f tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
npu_state=0x100000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason: offload-denied helper
total session 1
To use the diagnose command to check the status of a shared traffic shaper:
# diagnose firewall shaper traffic-shaper list
name high-priority
maximum-bandwidth 131072 KB/sec
guaranteed-bandwidth 0 KB/sec
current-bandwidth 0 B/sec
priority 2
tos ff
packets dropped 0
bytes dropped 0
name low-priority

SD-WAN 173

priority 4
tos ff
packets dropped 0
bytes dropped 0
name high-priority
priority 2
policy 1
tos ff
packets dropped 0
bytes dropped 0
name low-priority
priority 4
policy 2
tos ff
packets dropped 0
bytes dropped 0
Advanced configuration
Per packet distribution and tunnel aggregation
This topic shows an example of how to aggregate IPSec tunnels. This example shows how to make per-packet load-
balancing among IPSec tunnels.
For example, a customer has two ISP connections, wan1 and wan2. Using these two connections, we create two VPN
interfaces and configure traffic for per-packet load-balancing among IPSec tunnels.
This feature only allows static/DDNS tunnels to be members.

Dynamic (dialup) tunnels are not allowed because dialup instances tend to have different
locations and hence different routings. This conflicts with the rule that all the members of an
aggregate must have the same routing.

SD-WAN 174
Sample topology
On the FortiGate, first create two IPsec VPN interfaces. Then create an ipsec-aggregate interface and add this
interface as an SD-WAN member.
FortiGate 1 configuration
To create two IPsec VPN interfaces on FortiGate 1:
config vpn ipsec phase1-interface

edit "vd1-p1"
set peertype any
set net-device disable
set proposal aes256-sha256
set dhgrp 14
set remote-gw 172.16.201.2
set psksecret ftnt1234
next
edit "vd1-p2"
set peertype any
set dhgrp 14
next
end
edit "vd1-p1"
set phase1name "vd1-p1"
next
edit "vd1-p2"
next
end
To create an ipsec-aggregate interface on FortiGate 1:
config system ipsec-aggregate

edit "agg1"

SD-WAN 175
set member "vd1-p1" "vd1-p2"

set algorithm L3
next
end
edit "agg1"
set vdom "root"
set ip 172.16.11.1 255.255.255.255
set allowaccess ping
set remote-ip 172.16.11.2 255.255.255.255
end
To configure the firewall policy on FortiGate 1:

edit 1
set name "1"
set srcintf "dmz"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
set nat enable
next
end
To configure SD-WAN on FortiGate 1:

set status enable
config members
edit 1
set interface "agg1"
next
end
end
FortiGate 2 configuration
To create two IPsec VPN interfaces on FortiGate 2:

edit "vd2-p1"
set peertype any
set dhgrp 14
next
edit "vd2-p2"

SD-WAN 176

set peertype any
set dhgrp 14
next
end
edit "vd2-p1"
next
edit "vd2-p2"
next
end
To create an ipsec-aggregate interface on FortiGate 2:

edit "agg2"
set member "vd2-p1" "vd2-p2"
set algorithm L3
next
end
edit "agg2"
set vdom "root"
set ip 172.16.11.2 255.255.255.255
set remote-ip 172.16.11.1 255.255.255.255
next
end
To configure the firewall policy on FortiGate 2:

edit 1
set name "1"
set srcintf "dmz"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
set nat enable
next
end
To configure SD-WAN on FortiGate 2:

set status enable
config members

SD-WAN 177
edit 1
set interface "agg2"
next
end
end
To use the diagnose command to display aggregate IPSec members:
# diagnose sys ipsec-aggregate list

agg1 algo=L3 member=2 run_tally=2
members:
vd1-p1
vd1-p2
To use the diagnose command to check VPN status:
# diagnose vpn tunnel list

list all ipsec tunnel in vd 0
------------------------------------------------------
name=vd1-p1 ver=1 serial=2 172.16.200.1:0->172.16.201.2:0 dst_mtu=0
bound_if=10 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc
run_state=1 accept_traffic=0
proxyid_num=1 child_num=0 refcnt=5 ilast=15 olast=676 ad=/0

stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=vd1-p1 proto=0 sa=0 ref=1 serial=1
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
------------------------------------------------------
name=vd1-p2 ver=1 serial=3 172.16.203.1:0->172.16.202.2:0 dst_mtu=1500
bound_if=28 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc

proxyid=vd1-p2 proto=0 sa=1 ref=9 serial=1
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=4 options=10226 type=00 soft=0 mtu=1438 expire=42164/0B replaywin=2048
seqno=697 esn=0 replaywin_lastseq=00000002 itn=0 qat=0
life: type=01 bytes=0/0 timeout=42902/43200
dec: spi=f6ae9f83 esp=aes key=16 f6855c72295e3c5c49646530e6b96002
ah=sha1 key=20 f983430d6c161d0a4cd9007c7ae057f1ff011334
enc: spi=8c72ba1a esp=aes key=16 6330f8c532a6ca5c5765f6a9a6034427
ah=sha1 key=20 e5fe385ed5f0f6a33f1d507601b15743a8c70187
dec:pkts/bytes=1/16536, enc:pkts/bytes=1686/223872
npu_flag=02 npu_rgwy=172.16.202.2 npu_lgwy=172.16.203.1 npu_selid=2 dec_npuid=1 enc_npuid=0

SD-WAN 178
Forward error correction on VPN overlay networks
This topic shows an SD-WAN with forward error correction (FEC) on VPN overlay networks. FEC can be used to lower
packet loss ratio by consuming more bandwidth. It uses six parameters in IPsec phase1/phase1-interface settings:
fec-ingress Enable/disable Forward Error Correction for ingress IPsec traffic (default =
disable).
fec-egress Enable/disable Forward Error Correction for egress IPsec traffic (default =
disable).
fec-base The number of base Forward Error Correction packets (1 - 100, default = 20).
fec-redundant The number of redundant Forward Error Correction packets (1 - 100, default =
10).
fec-send-timeout The time before sending Forward Error Correction packets, in milliseconds (1 -
1000, default = 8).
fec-receive-timeout The time before dropping Forward Error Correction packets, in milliseconds (1 -
1000, default = 5000).
For example, a customer has tow ISP connections, wan1 and wan2. Using these two connections, create two IPsec
VPN interfaces as SD-WAN members. Configure FEC on each VPN interface to lower packet loss ratio by re-
transmitting the packets using its backend algorithm.
Sample topology
To configure IPsec VPN:

edit "vd1-p1"
set peertype any
set dhgrp 14
set fec-egress enable
set fec-send-timeout 8
set fec-base 20
set fec-redundant 10
set fec-ingress enable

SD-WAN 179
set fec-receive-timeout 5000

next
edit "vd1-p2"
set peertype any
set dhgrp 14
set fec-egress enable
set fec-send-timeout 8
set fec-base 20
set fec-redundant 10
set fec-ingress enable
set fec-receive-timeout 5000
next
end
edit "vd1-p1"
next
edit "vd1-p2"
next
end
To configure the interface:

edit "vd1-p1"
set ip 172.16.211.1 255.255.255.255
set remote-ip 172.16.211.2 255.255.255.255
next
edit "vd1-p2"
set ip 172.16.212.1 255.255.255.255
set remote-ip 172.16.212.2 255.255.255.255
next
end
To configure the firewall policy:

edit 1
set name "1"
set srcintf "dmz"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
set nat enable
next
end

SD-WAN 180
To configure SD-WAN:

set status enable
config members
edit 1
set interface "vd1-p1"
next
edit 1
set interface "vd2-p2"
next
end
end
To use the diagnose command to check VPN FEC status:

------------------------------------------------------
name=vd1 ver=1 serial=1 172.16.200.1:0->172.16.200.2:0
bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/3600 options[0e10]=create_dev
frag-rfc fec-egress fec-ingress accept_traffic=1

fec-egress: base=20 redundant=10 remote_port=50000 <<<<<<<<<<<<<<<<<<<<<<
fec-ingress: base=20 redundant=10 <<<<<<<<<<<<<<<<<<<<<<
proxyid=demo proto=0 sa=1 ref=2 serial=1
src: 0:10.1.100.0/255.255.255.0:0
dst: 0:173.1.1.0/255.255.255.0:0
dec: spi=181f4f81 esp=aes key=16 6e8fedf2a77691ffdbf3270484cb2555
ah=sha1 key=20 f92bcf841239d15d30b36b695f78eaef3fad05c4
enc: spi=0ce10190 esp=aes key=16 2d684fb19cbae533249c8b5683937329
ah=sha1 key=20 ba7333f89cd34cf75966bd9ffa72030115919213
Using BGP tags with SD-WAN rules
SD-WAN rules can use Border Gateway Protocol (BGP) learned routes as dynamic destinations.

SD-WAN 181
In this example, a customer has two ISP connections, wan1 and wan2. wan1 is used primarily for direct access to
internet applications, and wan2 is used primarily for traffic to the customer's data center.
The customer could create an SD-WAN rule using the data center's IP address range as the destination to force that
traffic to use wan2, but the data center's IP range is not static. Instead, a BGP tag can be used.
For this example, wan2's BGP neighbor advertises the data center's network range with a community number of 30:5.
This example assumes that SD-WAN is enable on the FortiGate, wan1 and wan2 are added as SD-WAN members, and
a policy and static route have been created. See Creating the SD-WAN interface on page 147 for details.
To configure BGP tags with SD-WAN rules:
1. Configure the community list:

config router community-list
edit "30:5"
config rule
edit 1
set action permit
set match "30:5"
next
end
next
end
2. Configure the route map:

config router route-map
edit "comm1"
config rule
edit 1
set match-community "30:5"
set set-route-tag 15
next
end
next
end
3. Configure BGP:
config router bgp
set as xxxxx
set router-id xxxx
config neighbor
edit "10.100.20.2"

SD-WAN 182
set soft-reconfiguration enable

set remote-as xxxxx
set route-map-in "comm1"
next
end
end

edit 1
set name "1"
set srcintf "dmz"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
set nat enable
next
end
5. Edit the SD-WAN configuration:

set status enable
config members
edit 1
next
edit 2
next
end
config service
edit 1
set name "DataCenter"
set mode manual
set route-tag 15
set members 2
next
end
end
Troubleshooting
Check the network community
Use the get router info bgp network command to check the network community:
# get router info bgp network
BGP table version is 5, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

SD-WAN 183
Network Next Hop Metric LocPrf Weight RouteTag Path

*> 0.0.0.0/0 10.100.1.5 32768 0 ?
*> 1.1.1.1/32 0.0.0.0 32768 0 ?
*> 10.1.100.0/24 172.16.203.2 32768 0 ?
*> 10.100.1.0/30 0.0.0.0 32768 0 ?
*> 10.100.1.4/30 0.0.0.0 32768 0 ?
*> 10.100.1.248/29 0.0.0.0 32768 0 ?
*> 10.100.10.0/24 10.100.1.5 202 10000 15 20 e
*> 172.16.200.0/24 0.0.0.0 32768 0 ?
*> 172.16.200.200/32
0.0.0.0 32768 0 ?
*> 172.16.201.0/24 172.16.200.4 32768 0 ?
*> 172.16.203.0/24 0.0.0.0 32768 0 ?
*> 172.16.204.0/24 172.16.200.4 32768 0 ?
*> 172.16.205.0/24 0.0.0.0 32768 0 ?
*> 172.16.206.0/24 0.0.0.0 32768 0 ?
*> 172.16.207.1/32 0.0.0.0 32768 0 ?
*> 172.16.207.2/32 0.0.0.0 32768 0 ?
*> 172.16.212.1/32 0.0.0.0 32768 0 ?
*> 172.16.212.2/32 0.0.0.0 32768 0 ?
*> 172.17.200.200/32
0.0.0.0 32768 0 ?
*> 172.27.1.0/24 0.0.0.0 32768 0 ?
*> 172.27.2.0/24 0.0.0.0 32768 0 ?
*> 172.27.5.0/24 0.0.0.0 32768 0 ?
*> 172.27.6.0/24 0.0.0.0 32768 0 ?
*> 172.27.7.0/24 0.0.0.0 32768 0 ?
*> 172.27.8.0/24 0.0.0.0 32768 0 ?
*> 172.29.1.0/24 0.0.0.0 32768 0 ?
*> 172.29.2.0/24 0.0.0.0 32768 0 ?
*> 192.168.1.0 0.0.0.0 32768 0 ?
Total number of prefixes 28
# get router info bgp network 10.100.11.0

BGP routing table entry for 10.100.10.0/24
Paths: (2 available, best 1, table Default-IP-Routing-Table)
Advertised to non peer-group peers:
172.10.22.2
20
10.100.20.2 from 10.100.20.2 (6.6.6.6)
Origin EGP metric 200, localpref 100, weight 10000, valid, external, best
Community: 30:5 <<<<===========================
Last update: Wen Mar 20 18:45:17 2019
Check dynamic BGP addresses
Use the get router info route-map-address command to check dynamic BGP addresses:
# get router info route-map-address
Extend-tag: 15, interface(wan2:16)
10.100.11.0/255.255.255.0
Check dynamic BGP addresses used in policy routes
Use the diagnose firewall proute list command to check dynamic BGP addresses used in policy routes:

SD-WAN 184
# diagnose firewall proute list

list route policy info(vf=root):
id=4278779905 vwl_service=1(DataCenter) flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport-

t=0:65535 iif=0 dport=1-65535 oif=16
source wildcard(1): 0.0.0.0/0.0.0.0
destination wildcard(1): 10.100.11.0/255.255.255.0
Troubleshooting
Tracking SD-WAN sessions
You can check the destination interface in FortiView in order to see which port the traffic is being forwarded to.
The example below demonstrates a source-based load-balance between two SD-WAN members.
l If the source IP address is an even number, it will go to port13.
l If the source IP address is an odd number, it will go to port12.
For information on other features of FortiView, see FortiView on page 130.
Understanding SD-WAN related logs
This topic lists the SD-WAN related logs and explains when the logs will be triggered.
Health-check detects a failure:
l When health-check detects a failure, it will record a log:

34: date=2019-03-23 time=17:26:06 logid="0100022921" type="event" subtype="system"
level="critical" vd="root" eventtime=1553387165 logdesc="Routing information changed"
name="test" interface="R150" status="down" msg="Static route on interface R150 may be
removed by health-check test. Route: (10.100.1.2->10.100.2.22 ping-down)"

SD-WAN 185
l When health-check detects a recovery, it will record a log:

level="critical" vd="root" eventtime=1553387214 logdesc="Routing information changed"
name="test" interface="R150" status="up" msg="Static route on interface R150 may be added
by health-check test. Route: (10.100.1.2->10.100.2.22 ping-up)"
Health-check has an SLA target and detects SLA qualification changes:
l When health-check has an SLA target and detects SLA changes, and changes to fail:
level="notice" vd="root" eventtime=1555008519816639290 logdesc="Virtual WAN Link status"
msg="SD-WAN Health Check(ping) SLA(1): number of pass members changes from 2 to 1."
l When health-check has an SLA target and detects SLA changes, and changes to pass:
msg="SD-WAN Health Check(ping) SLA(1): number of pass members changes from 1 to 2."
SD-WAN calculates a link's session/bandwidth over/under its ratio and stops/resumes traffic:
l When SD-WAN calculates a link's session/bandwidth over its configured ratio and stops forwarding traffic:
level="notice" vd="root" eventtime=1554941740185866628 logdesc="Virtual WAN Link volume
status" interface="R160" msg="The member(3) enters into conservative status with limited
ablity to receive new sessions for too much traffic."
l When SD-WAN calculates a link's session/bandwidth according to its ratio and resumes forwarding traffic:
level="notice" vd="root" eventtime=1554942040196041728 logdesc="Virtual WAN Link volume
status" interface="R160" msg="The member(3) resume normal status to receive new sessions
for internal adjustment."
The SLA mode service rule's SLA qualified member changes:
l When the SLA mode service rule's SLA qualified member changes. In this example R150 fails the SLA check, but is
still alive:
msg="Service2() prioritized by SLA will be redirected in seq-num order 2(R160) 1(R150)."
interface="R150" msg="The member1(R150) SLA order changed from 1 to 2. "
l When the SLA mode service rule's SLA qualified member changes. In this example R150 changes from fail to pass:
msg="Service2() prioritized by SLA will be redirected in seq-num order 1(R150) 2(R160)."

SD-WAN 186

The priority mode service rule member's link status changes:
l When priority mode service rule member's link status changes. In this example R150 changes to better than R160,
and both are still alive:
msg="Service2() prioritized by packet-loss will be redirected in seq-num order 1(R150) 2
(R160)."
interface="R160" msg="The member2(R160) link quality packet-loss order changed from 1 to 2.
"
"
l When priority mode service rule member's link status changes. In this example R160 changes to better than R150,
and both are still alive:
msg="Service2() prioritized by packet-loss will be redirected in seq-num order 2(R160) 1
(R150)."
"
"
SD-WAN member is used in service and it fails the health-check:
l When SD-WAN member fails the health-check, it will stop forwarding traffic:

interface="R160" msg="The member2(R160) link is unreachable or miss threshold. Stop
forwarding traffic. "
l When SD-WAN member passes the health-check again, it will resume forwarding logs:
interface="R160" msg="The member2(R160) link is available. Start forwarding traffic. "
Load-balance mode service rule's SLA qualified member changes:
l When load-balance mode service rule's SLA qualified member changes. In this example R150 changes to not meet
SLA:

SD-WAN 187

msg="Service1(rule2) will be load balanced among members 2(R160) with available routing."
l When load-balance mode service rule's SLA qualified member changes. In this example R150 changes to meet
SLA:
msg="Service1(rule2) will be load balanced among members 1(R150) 2(R160) with available
routing."
"
"
SLA link status logs, generated with interval sla-fail-log-period or sla-pass-log-period:
l When SLA fails, SLA link status logs will be generated with interval sla-fail-log-period:
level="notice" vd="root" eventtime=1553388352 logdesc="Link monitor SLA information"
name="test" interface="R150" status="up" msg="Latency: 0.016, jitter: 0.002, packet loss:
21.000%, inbandwidth: 0Mbps, outbandwidth: 200Mbps, bibandwidth: 200Mbps, sla_map: 0x0"
l When SLA passes, SLA link status logs will be generated with interval sla-pass-log-period:
level="information" vd="root" eventtime=1553388363 logdesc="Link monitor SLA information"
name="test" interface="R150" status="up" msg="Latency: 0.017, jitter: 0.003, packet loss:
0.000%, inbandwidth: 0Mbps, outbandwidth: 200Mbps, bibandwidth: 200Mbps, sla_map: 0x1"
SD-WAN related diagnose commands
This topic lists the SD-WAN related diagnose commands and related output.
To check SD-WAN health-check status:

Health Check(server):

Health Check(ping):

SD-WAN 188
Seq(2): state(dead), packet-loss(100.000%) sla_map=0x0

To check SD-WAN member status:
l When SD-WAN load-balance mode is source-ip-based/ source-dest-ip-based.

FGT # diagnose sys virtual-wan-link member
Member(1): interface: port13, gateway: 10.100.1.1 2004:10:100:1::1, priority: 0, weight: 0
l When SD-WAN load-balance mode is weight-based.

l When SD-WAN load-balance mode is measured-volume-based.

l Both members are under volume and still have room:
Member(1): interface: port13, gateway: 10.100.1.1 2004:10:100:1::1, priority: 0,
weight: 33
Config volume ratio: 33, last reading: 8211734579B, volume room 33MB
weight: 66
l Some members are overloaded and some still have room:

Member(1): interface: port1, gateway: 10.10.0.2, priority: 0, weight: 0
Config volume ratio: 10, last reading: 10297221000B, overload volume 1433MB
Member(2): interface: port2, gateway: 10.11.0.2, priority: 0, weight: 38
l When SD-WAN load balance mode is usage-based/ spillover.

l When no spillover occurs:
weight: 255
Egress-spillover-threshold: 400kbit/s, ingress-spillover-threshold: 300kbit/s
Egress-overbps=0, ingress-overbps=0
weight: 254
l When member has reached limit and spillover occurs:

weight: 255

SD-WAN 189
weight: 254
l You can also use the diagnose netlink dstmac list command to check if you are over the limit.
FGT # diag netlink dstmac list port13
dev=port13 mac=08:5b:0e:ca:94:9d rx_tcp_mss=0 tx_tcp_mss=0 egress_overspill_
threshold=51200 egress_bytes=103710 egress_over_bps=1 ingress_overspill_threshold=38400
ingress_bytes=76816 ingress_over_bps=1 sampler_rate=0
To check SD-WAN service rules status:
l Manual mode service rules.

FGT # diagnose sys virtual-wan-link service
Members:
Dst address: 10.100.21.0-10.100.21.255
l Auto mode service rules.

TOS(0x0/0x0), Protocol(0: 1->65535), Mode(auto), link-cost-factor(latency), link-cost-
threshold(10), health-check(ping)
Members:
1: Seq_num(2), alive, latency: 0.011
Dst address: 10.100.21.0-10.100.21.255
l Priority mode service rules.

TOS(0x0/0x0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(latency), link-
cost-threshold(10), health-check(ping)
Members:
Dst address: 10.100.21.0-10.100.21.255
l Load-balance mode service rules.

TOS(0x0/0x0), Protocol(0: 1->65535), Mode(load-balance)
Members:
Dst address: 10.100.21.0-10.100.21.255
l SLA mode service rules.


SD-WAN 190
TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla)

Members:
1: Seq_num(1), alive, sla(0x1), cfg_order(0), cost(0), selected
2: Seq_num(2), alive, sla(0x1), cfg_order(1), cost(0), selected
Dst address: 10.100.21.0-10.100.21.255
To check interface logs from the past 15 minutes:
FGT (root) # diagnose sys virtual-wan-link intf-sla-log R150

Timestamp: Fri Apr 12 11:08:36 2019, used inbandwidth: 0bps, used outbandwidth: 0bps, used bib-
andwidth: 0bps, tx bytes: 860bytes, rx bytes: 1794bytes.
Timestamp: Fri Apr 12 11:08:46 2019, used inbandwidth: 1761bps, used outbandwidth: 1710bps,
used bibandwidth: 3471bps, tx bytes: 2998bytes, rx bytes: 3996bytes.
To check SLA logs in the past 15 minutes:
FGT (root) # diagnose sys virtual-wan-link sla-log ping 1

Timestamp: Fri Apr 12 11:09:27 2019, vdom root, health-check ping, interface: R150, status:
up, latency: 0.014, jitter: 0.003, packet loss: 16.000%.
To check Application Control used in SD-WAN and the matching IP addresses:
FGT # diagnose sys virtual-wan-link internet-service-app-ctrl-list

Ctrl application(Microsoft.Authentication 41475):Internet Service ID(4294836224)
Protocol(6), Port(443)
Address(2): 104.42.72.21 131.253.61.96
Ctrl application(Microsoft.CDN 41470):Internet Service ID(4294836225)
Ctrl application(Microsoft.Lync 28554):Internet Service ID(4294836226)
Ctrl application(Microsoft.Office.365 33182):Internet Service ID(4294836227)
Ctrl application(Microsoft.Office.365.Portal 41468):Internet Service ID(4294836228)
Ctrl application(Microsoft.Office.Online 16177):Internet Service ID(4294836229)
Ctrl application(Microsoft.OneNote 40175):Internet Service ID(4294836230)
Ctrl application(Microsoft.Portal 41469):Internet Service ID(4294836231)
Protocol(6), Port(443)
Address(8): 23.58.134.172 131.253.33.200 23.58.135.29 204.79.197.200 64.4.54.254
23.59.156.241 13.77.170.218 13.107.22.200
Ctrl application(Microsoft.Sharepoint 16190):Internet Service ID(4294836232)
Ctrl application(Microsoft.Sway 41516):Internet Service ID(4294836233)
Ctrl application(Microsoft.Tenant.Namespace 41471):Internet Service ID(4294836234)

SD-WAN 191
To check IPsec aggregate interface when SD-WAN uses the per-packet distribution feature:
# diagnose sys ipsec-aggregate list

agg1 algo=L3 member=2 run_tally=2
members:
vd1-p1
vd1-p2
To check BGP learned routes and determine if they are used in SD-WAN service:
FGT # get router info bgp network

FGT # get router info bgp network 10.100.11.0
BGP routing table entry for 10.100.10.0/24
Paths: (2 available, best 1, table Default-IP-Routing-Table)
Advertised to non peer-group peers:
172.10.22.2
20
10.100.20.2 from 10.100.20.2 (6.6.6.6)
Origin EGP metric 200, localpref 100, weight 10000, valid, external, best
Community: 30:5
Last update: Wen Mar 20 18:45:17 2019
FGT # get router info route-map-address
Extend-tag: 15, interface(wan2:16)
10.100.11.0/255.255.255.0
FGT # diagnose firewall proute list

list route policy info(vf=root):
id=4278779905 vwl_service=1(DataCenter) flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport-

t=0:65535 iif=0 dport=1-65535 oif=16
source wildcard(1): 0.0.0.0/0.0.0.0
destination wildcard(1): 10.100.11.0/255.255.255.0

System Configurations
System management introduction
This topic contains information about FortiGate administration that you can do after installing the FortiGate in your
network.
Basic system settings
Administrator
By default, FortiGate has an administrator account with the username admin and no password. To prevent
unauthorized access to the FortiGate, we highly recommended that you protect this account with a password.
Administrator profile
An administrator profile defines what the administrator can do on the FortiGate. You can set up different administrator
profiles depending on the nature of the administrator’s work, access level, or seniority. When you set up an
administrator account, assign the administrator profile for what that administrator can do.
Interface
Both the physical and virtual interface allow traffic to flow between internal networks, and between the Internet and
internal networks. FortiGate has options for setting up interfaces and groups of sub-networks that can scale as your
organization grows. You can create and edit VLAN, EMAC-VLAN, switch interface, zone, and so on.
Advanced system settings
Password policy
Set up a password policy for administrators and IPsec pre-shared keys. A password policy can enforce password criteria
and change frequency.
SNMP
The Simple Network Management Protocol (SNMP) allows you to monitor hardware on your network. You can configure
hardware such as the FortiGate SNMP agent to report system information and traps. SNMP traps alert you to events
that happen such as when a log disk is full or a virus is detected.
DHCP server
You can configure one or more DHCP servers on any FortiGate interface. A DHCP server dynamically assigns IP
addresses to hosts on the network connected to the interface. Host computers must be configured to obtain their IP
addresses using DHCP.

VDOM
You can use virtual domains (VDOMs) to divide a FortiGate into multiple virtual devices that function independently. For
each separate VDOM, you can create different configurations including firewall policies, routing, VPNs, and security
profiles.
Administrators
Administrator profiles
Introduction
By default, the FortiGate has a super administrator account, called admin. Additional administrators can be added for
various functions, each with a unique username, password, and set of access privileges.
Administrator profiles define what the administrator can do when logged into the FortiGate. When you set up an
administrator account, you also assign an administrator profile which dictates what the administrator sees. Depending
on the nature of the administrator’s work, access level or seniority, you can allow them to view and configure as much or
as little as is required.
Super_admin profile
This profile has access to all components of FortiOS, including the ability to add and remove other system
administrators. For certain administrative functions, such as backing up and restoring the configuration, super_admin
access is required. To ensure that there is always a method to administer the FortiGate, the super_admin profile can't
be deleted or modified.
Lower level administrator profiles can't backup or restore the FortiOS configuration.
The super_admin profile is used by the default admin account. It is recommended that you add a password and rename
this account once you have set up your FortiGate. In order to rename the default account, a second admin account is
required.
Creating customized profiles
To create a profile in the GUI:
1. Go to System > Admin Profiles.

2. Select Create New.
l Name.
l Access permissions.
l Override idle timeout.

4. Select OK.
To create a profile in the CLI:
config system accprofile

edit "sample"
set secfabgrp read-write
set ftviewgrp read-write
set authgrp read-write
set sysgrp read-write
set netgrp read-write
set loggrp read-write
set fwgrp read-write
set vpngrp read-write
set utmgrp read-write
set wanoptgrp read-write
set wifi read-write
next
end
Edit profiles
To edit a profile in the GUI:

2. Choose the profile to be edited and select Edit.
3. Select OK to save any changes made.
To edit a profile in the CLI:

edit "sample"
set secfabgrp read
next
end
Delete profiles
To delete a profile in the GUI:

2. Choose the profile to be deleted and select Delete.
3. Select OK.
To delete a profile in the CLI:

delete "sample"
end

Add a local administrator
By default, FortiGate has one super admin named admin. You can create more administrator accounts with difference
privileges.
To create an administrator account in the GUI:

2. Select Create New > Administrator.
3. Specify the Username.
Don't use the characters < > ( ) # " ' in the administrator username.
Using these characters in an administrator username might have a cross site scripting
(XSS) vulnerability.
4. Set Type to Local User.

5. Set the password and other fields.
6. Click OK.
To create an administrator account in the CLI:
config system admin

edit <Admin_name>
set accprofile <Profile_name>
set vdom <Vdom_name>
set password <Password for this admin>
next
end
Remote authentication for administrators
Administrators can use remote authentication, such as LDAP, to connect to the FortiGate.
Setting up remote authentication for administrators includes the following steps:
1. Configure the LDAP server on page 195
2. Add the LDAP server to a user group on page 196
3. Configure the administrator account on page 196
Configure the LDAP server
To configure the LDAP server in the GUI:
1. Go to User & Device > LDAP Servers and select Create New.
2. Enter the server Name, Server IP address or Name.
3. Enter the Common Name Identifier and Distinguished Name.

4. Set the Bind Type to Regular and enter the Username and Password.
5. Click OK.
To configure the LDAP server in the CLI:
config user ldap

edit <ldap_server_name>
set server <server_ip>
set cnid "cn"
set dn "dc=XYZ,dc=fortinet,dc=COM"
set type regular
set username "cn=Administrator,dc=XYA, dc=COM"
set password <password>
next
end
Add the LDAP server to a user group
After configuring the LDAP server, create a user group that include the LDAP server you configured.
To create a user group in the GUI:
1. Go to User & Device > User Groups and select Create New.
2. Enter a Name for the group.
3. In the Remote groups section, select Create New.
4. Select the Remote Server from the dropdown list.
5. Click OK.
To create a user group in the CLI:
config user group

edit <Group_name>
set member "ldap_server_name"
next
end
Configure the administrator account
After configuring the LDAP server and adding it to a user group, create a new administrator. For this administrator,
instead of entering a password, use the new user group and the wildcard option for authentication.
To create an administrator in the GUI:

2. Select Create New > Administrator.
3. Specify the Username.
4. Set Type to Match a user on a remote server group.
5. In Remote User Group, select the user group you created.

6. Select Wildcard.
The Wildcard option allows LDAP users to connect as this administrator.
7. Select an Administrator Profile.
8. Click OK.
To create an administrator in the CLI:
config system admin

edit <admin_name>
set remote-auth enable
set accprofile super_admin
set wild card enable
set remote-group ldap
end
Other methods of administrator authentication
Administrator accounts can use different methods for authentication, including RADIUS, TACACS+, and PKI.
RADIUS authentication for administrators
To use a RADIUS server to authenticate administrators, you must:

l Configure the FortiGate to access the RADIUS server.
l Create the RADIUS user group.
l Configure an administrator to authenticate with a RADIUS server.
TACACS+ authentication for administrators
To use a TACACS+ server to authenticate administrators, you must:

l Configure the FortiGate to access the TACACS+ server.
l Create a TACACS+ user group.
l Configure an administrator to authenticate with a TACACS+ server.
PKI certificate authentication for administrators
To use PKI authentication for an administrator, you must:

l Configure a PKI user.
l Create a PKI user group.
l Configure an administrator to authenticate with a PKI certificate.
Password policy
Brute force password software can launch more than just dictionary attacks. It can discover common passwords where a
letter is replaced by a number. For example, if p4ssw0rd is used as a password, it can be cracked.
Using secure passwords is vital for preventing unauthorized access to your FortiGate. When changing the password,
consider the following to ensure better security:

l Do not use passwords that are obvious, such as the company name, administrator names, or other obvious words
or phrases.
l Use numbers in place of letters, for example, passw0rd.
l Administrator passwords can be up to 64 characters.
l Include a mixture of numbers, and upper and lower case letters.
l Use multiple words together, or possibly even a sentence, for example keytothehighway.
l Use a password generator.
l Change the password regularly and always make the new password unique and not a variation of the existing
password, such as changing from password to password1.
l Make note of the password and store it in a safe place away from the management computer, in case you forget it;
or ensure at least two people know the password in the event one person becomes unavailable. Alternatively, have
two different admin logins.
FortiGate allows you to create a password policy for administrators and IPsec pre-shared keys. With this policy, you can
enforce regular changes and specific criteria for a password policy including:
l Minimum length between 8 and 64 characters.
l If the password must contain uppercase (A, B, C) and/or lowercase (a, b, c) characters.
l If the password must contain numbers (1, 2, 3).
l If the password must contain special or non-alphanumeric characters (!, @, #, $, %, ^, &, *, (, and )).
l Where the password applies (admin or IPsec or both).
l The duration of the password before a new one must be specified.
the FortiGate, the administrator is prompted to update the password to meet the new requirements before proceeding
to log in.
To create a system password policy the GUI:

2. In the Password Policy section, change the Password scope to Admin, IPsec, or Both.
3. Specify the password options.
4. Click Apply.
To create a system password policy the CLI:
config system password-policy

status Enable/disable setting a password policy for locally defined
administrator passwords and IPsec VPN pre-shared keys.
apply-to Apply password policy to administrator passwords or IPsec pre-
shared keys or both. Separate entries with a space.
minimum-length Minimum password length (8 - 128, default = 8).
min-lower-case-letter Minimum number of lowercase characters in password (0 - 128,
default = 0).
min-upper-case-letter Minimum number of uppercase characters in password (0 - 128,
default = 0).
min-non-alphanumeric Minimum number of non-alphanumeric characters in password (0 -
128, default = 0).
min-number Minimum number of numeric characters in password (0 - 128,
default = 0).
change-4-characters Enable/disable changing at least 4 characters for a new password
(This attribute

overrides reuse-password if both are enabled).

expire-status Enable/disable password expiration.
reuse-password Enable/disable reusing of password (if both reuse-password and
change-4-characters are enabled, change-4-characters overrides).
end
Update FortiGate firmware
Updating or upgrading a firewall is similar to upgrading the operating system so you should make the same
preparations. Make sure everything is backed up and you have a plan in case something doesn't work. Make a checklist
to confirm that the update is successful. Finally, ensure you have enough time to do the update.
This is a summary of the steps for updating FortiGate firmware:
1. Backup and store the old configuration on another server.
Do a full configuration backup using the CLI. This should already be part of your disaster recovery plan. If the
upgrade fails, be sure you have a plan to get the firewall back up and running.
2. Have copy of old firmware available.
This should also be part of your disaster recovery plan. If the upgrade fails, you might be able to switch the active
partition. But be prepared for the worst case scenario where you need your old firmware.
3. Have a disaster recovery option on standby, especially for a remote site.
This should be part of your plan in a critical failure. In this scenario, this is your plan if your firewall doesn’t come
back up after the upgrade. In this case, you need access to the console port to find out why, such as if the DHCP or
the IP has changed, or the OS is corrupt. You must have access to the console to find out.
If there is no simple fix, be prepared for a format and TFTP reload.
4. Read the release notes, including the upgrade path and bug information.
Be sure to read the release notes, preferably more than once. The release notes contain lots of important
information, known bugs, fixed bugs, upgrade issues such as lost configuration settings.
5. Double check everything.
For example, double check that your TFTP server is working, your console connection functions properly, you have
read the release notes and understand everything that affects the upgrade for your FortiGate models, you have
backed up your configuration, you have covered everything you might need for the upgrade.
6. Perform the upgrade.
The upgrade itself usually doesn’t take very long, usually just a few minutes. But make sure you schedule enough
time for the entire process and possible contingencies. If the upgrade is successful, you need time to check and
confirm that all important functions are working, such as VPNs etc. If the upgrade fails, you need time to sort things
out.
Sample upgrade
This is an example of upgrading the FortiGate from FortiOS 6.0.4 to 6.2.0.
To view the FortiOS firmware:
1. Go to Dashboard.
The System Information widget shows the current firmware version.

To check if a new FortiOS firmware version is available:

If a new firmware version is available, a notice appears in the Current version section.
When a new FortiOS version is released, it may not be listed on your FortiGate right away. You can download the
firmware from Fortinet Support, then use Upload Firmware to upgrade your FortiGate.
To upgrade to the latest version from FortiGuard:

2. In the FortiGuard Firmware section, click Latest.
If you see a message saying there is no valid upgrade path for this firmware version, click All available and select a
suitable firmware version for your FortiGate.
3. Click Release Notes and read the release notes for that version.
Release Notes are also available from the Fortinet Documentation Library.
4. Click Backup config and upgrade and follow the prompts.
5. Save the backup of your configuration in case you need to restore it after the upgrade.
To upgrade to the latest version from local PC:
1. Ensure you have downloaded the firmware from Fortinet Support.

3. In the Upload Firmware section, click Browse and select the firware.
4. Click Backup config and upgrade and follow the prompts.
5. Save the backup of your configuration in case you need to restore it after the upgrade.
FortiGate uploads and installs the firmware, and then restarts and displays the login screen.
See the procedure above to view the FortiOS firmware to ensure you are running the new firmware version.
Interface
Interface settings
Administrator can configure both physical and virtual FortiGate interfaces in Network > Interfaces. There are different
options for configuring interfaces when FortiGate is in NAT mode or transparent mode.
To configure an interface in the GUI:

2. Click Create New > Interface.
3. Configure the interface fields.
Interface Physical interface names cannot be changed.

Name

Alias Enter an alternate name for a physical interface on the FortiGate unit. This field appears when
you edit an existing physical interface. The alias does not appear in logs.
The maximum length of the alias is 25 characters.
Link Status Indicates whether the interface is connected to a network or not (link status is up or down). This
field appears when you edit an existing physical interface.
Interface This field appears when Type is set to VLAN .

Select the name of the physical interface that you want to add a VLAN interface to. Once
created, the VLAN interface is listed below its physical interface in the Interface list.
You cannot change the physical interface of a VLAN interface except when you add a new
VLAN interface.
Virtual Select the virtual domain to add the interface to.

Domain Administrator accounts with the super_admin profile can change the Virtual Domain.
Interface This section can have two different formats depending on the interface type:
Members Software Switch: This section is a display-only field showing the interfaces that belong to the
virtual interface of the software switch.
802.3ad Aggregate or Redundant Interface: This section includes the available interface list
and the selected interface list.
IP/Netmask If Addressing Mode is set to Manual, enter an IPv4 address and subnet mask for the interface.
FortiGate interfaces cannot have IP addresses on the same subnet.
IPv6 Address If Addressing Mode is set to Manual and IPv6 support is enabled, enter an IPv6 address and
subnet mask for the interface. A single interface can have an IPv4 address, IPv6 address, or
both.
Secondary IP Add additional IPv4 addresses to this interface.

Address
To configure an interface in the CLI:

edit "<Interface_Name>"
set vdom "<VDOM_Name>"
set mode static/dhcp/pppoe
set ip <IP_address> <netmask>
set allowaccess ping https ssh http telnet
set secondary-IP enable
config secondaryip
edit 1
set ip 9.1.1.2 255.255.255.0
set allowaccess ping https ssh snmp http telnet
next
end
next
end

Configure administrative access to interfaces
You can configure the protocols that administrators can use to access interfaces on the FortiGate. This helps secure
access to the FortiGate by restricting access to a limited number of protocols. It helps prevent users from accessing
interfaces that you don't want them to access, such as public-facing ports.
As a best practice, you should configure administrative access when you're setting the IP address for a port.
To configure administrative access to interfaces in the GUI:

2. Create or edit an interface.
3. In the Administrative Access section, select which protocols to enable for IPv4 and IPv6 Administrative Access.
HTTPS Allow secure HTTPS connections to the FortiGate GUI through this interface. If configured, this
option is enabled automatically.
PING The interface responds to pings. Use this setting to verify your installation and for testing.
HTTP Allow HTTP connections to the FortiGate GUI through this interface. If configured, this option
also enables the HTTPS option.
SSH Allow SSH connections to the CLI through this interface.
SNMP Allow a remote SNMP manager to request SNMP information by connecting to this interface.
FMG-Access Allow FortiManager authorization automatically during the communication exchanges between
FortiManager and FortiGate devices.
CAPWAP Allow the FortiGate wireless controller to manage a wireless access point such as a FortiAP
device.
Aggregation and redundancy
Link aggregation (IEEE 802.3ad) enables you to bind two or more physical interfaces together to form an aggregated
(combined) link. This new link has the bandwidth of all the links combined. If a link in the group fails, traffic is transferred
automatically to the remaining interfaces. The only noticeable effect is reduced bandwidth.
This feature is similar to redundant interfaces. The major difference is a redundant interface group only uses one link at
a time, where an aggregate link group uses the total bandwidth of the functioning links in the group, up to eight (or
more).
Some models support the IEEE standard 802.3ad for link aggregation.
An interface is available to be an aggregate interface if:
l It is a physical interface and not a VLAN interface or subinterface.
l It is not already part of an aggregate or redundant interface.
l It is in the same VDOM as the aggregated interface. Aggregate ports cannot span multiple VDOMs.
l It does not have an IP address and is not configured for DHCP or PPPoE.
l It is not referenced in any security policy, VIP, IP Pool, or multicast policy.
l It is not an HA heartbeat interface.
l It is not one of the FortiGate-5000 series backplane interfaces.

When an interface is included in an aggregate interface, it is not listed on the Network > Interfaces page. Interfaces still
appear in the CLI although configuration for those interfaces do not take affect. You cannot configure the interface
individually and it is not available for inclusion in security policies, VIPs, IP pools, or routing.
This example creates an aggregate interface on a FortiGate-140D POE using ports 3-5 with an internal IP address of
10.1.1.123, as well as the administrative access to HTTPS and SSH.
To create an aggregate interface using the GUI:
1. Go to Network > Interfaces and select Create New > Interface.

2. For Interface Name, enter Aggregate.
3. For the Type, select 802.3ad Aggregate.
4. In the physical Interface Members, click to add interfaces and select ports 4, 5, and 6.
5. For Addressing mode, select Manual.
6. For the IP address for the port, enter 10.1.1.123/24.
7. For Administrative Access, select HTTPS and SSH.
8. Select OK.
To create an aggregate interface using the CLI:
FG140P3G15800330 (aggregate) # show

edit "aggregate"
set vdom "root"
set ip 10.1.1.123 255.255.255.0
set allowaccess ping https ssh snmp http fgfm radius-acct capwap ftm
set type aggregate
set member "port3" "port4" "port5"
set device-identification enable
set lldp-transmission enable
set fortiheartbeat enable
set role lan
set snmp-index 45
next
end
Redundancy
In a redundant interface, traffic only goes over one interface at any time. This differs from an aggregated interface
where traffic goes over all interfaces for increased bandwidth. This difference means redundant interfaces can have
more robust configurations with fewer possible points of failure. This is important in a fully-meshed HA configuration.
An interface is available to be in a redundant interface if:
l It is a physical interface and not a VLAN interface.
l It is not already part of an aggregated or redundant interface.
l It is in the same VDOM as the redundant interface.
l It does not have an IP address and is not configured for DHCP or PPPoE.
l It has no DHCP server or relay configured on it.

l It does not have any VLAN subinterfaces.

l It is not referenced in any security policy, VIP, or multicast policy.
l It is not monitored by HA.
l It is not one of the FortiGate-5000 series backplane interfaces.
When an interface is included in a redundant interface, it is not listed on the Network > Interfaces page. You cannot
configure the interface individually and it is not available for inclusion in security policies, VIPs, or routing.
To create a redundant interface using the GUI:
1. Go to Network > Interfaces and select Create New > Interface.

2. For Interface Name, enter Redundant.
3. For the Type, select Redundant Interface.
4. In the physical Interface Members, click to add interfaces and select ports 4, 5, and 6.
5. For Addressing mode, select Manual.
6. For the IP address for the port, enter 10.13.101.100/24.
7. For Administrative Access, select HTTPS and SSH.
8. Select OK.
To create a redundant interface using the CLI:

edit "red"
set vdom "root"
set ip 10.13.101.100 255.255.255.0
set allowaccess https http
set type redundant
set member "port4" "port5" "port6"
set device-identification enable
set role lan
set snmp-index 9
next
end
VLANs
Virtual Local Area Networks (VLANs) multiply the capabilities of your FortiGate unit and can also provide added network
security. VLANs use ID tags to logically separate devices on a network into smaller broadcast domains. These smaller
domains forward packets only to devices that are part of that VLAN domain. This reduces traffic and increases network
security.
VLANs in NAT mode
In NAT mode, the FortiGate unit functions as a layer-3 device. In this mode, the FortiGate unit controls the flow of
packets between VLANs and can also remove VLAN tags from incoming VLAN packets. The FortiGate unit can also
forward untagged packets to other networks such as the Internet.

In NAT mode, the FortiGate unit supports VLAN trunk links with IEEE 802.1Q-compliant switches or routers. The trunk
link transports VLAN-tagged packets between physical subnets or networks. When you add VLAN subinterfaces to the
FortiGate's physical interfaces, the VLANs have IDs that match the VLAN IDs of packets on the trunk link. The FortiGate
unit directs packets with VLAN IDs to subinterfaces with matching IDs.
You can define VLAN subinterfaces on all FortiGate physical interfaces. However, if multiple virtual domains are
configured on the FortiGate unit, you only have access to the physical interfaces on your virtual domain. The FortiGate
unit can tag packets leaving on a VLAN subinterface. It can also remove VLAN tags from incoming packets and add a
different VLAN tag to outgoing packets.
Normally in VLAN configurations, the FortiGate unit's internal interface is connected to a VLAN trunk, and the external
interface connects to an Internet router that is not configured for VLANs. In this configuration, the FortiGate unit can
apply different policies for traffic on each VLAN interface connected to the internal interface, which results in less
network traffic and better security.
Sample topology
In this example, two different internal VLAN networks share one interface on the FortiGate unit and share the
connection to the Internet. This example shows that two networks can have separate traffic streams while sharing a
single interface. This configuration can apply to two departments in a single company or to different companies.
There are two different internal network VLANs in this example. VLAN_100 is on the 10.1.1.0/255.255.255.0 subnet,
and VLAN_200 is on the 10.1.2.0/255.255.255.0 subnet. These VLANs are connected to the VLAN switch.
The FortiGate internal interface connects to the VLAN switch through an 802.1Q trunk. The internal interface has an IP
address of 192.168.110.126 and is configured with two VLAN subinterfaces (VLAN_100 and VLAN_200). The external
interface has an IP address of 172.16.21.2 and connects to the Internet. The external interface has no VLAN
subinterfaces.
When the VLAN switch receives packets from VLAN_100 and VLAN_200, it applies VLAN ID tags and forwards the
packets of each VLAN both to local ports and to the FortiGate unit across the trunk link. The FortiGate unit has policies
that allow traffic to flow between the VLANs, and from the VLANs to the external network.
In this example, both the FortiGate unit and the Cisco 2950 switch are installed and connected and basic configuration
has been completed. On the switch, you need access to the CLI to enter commands. No VDOMs are enabled in this
example.
General configuration steps include:
1. Configure the external interface.
2. Add two VLAN subinterfaces to the internal network interface.
3. Add firewall addresses and address ranges for the internal and external networks.

4. Add security policies to allow:

l the VLAN networks to access each other.
l the VLAN networks to access the external network.
To configure the external interface:

edit external
set mode static
set ip 172.16.21.2 255.255.255.0
end
To add VLAN subinterfaces:

edit VLAN_100
set vdom root
set interface internal
set type vlan
set vlanid 100
set mode static
set ip 10.1.1.1 255.255.255.0
set allowaccess https ping telnet
next
edit VLAN_200
set vdom root
set type vlan
set vlanid 200
set mode static
set ip 10.1.2.1 255.255.255.0
set allowaccess https ping telnet
end
To add the firewall addresses:

edit VLAN_100_Net
set type ipmask
set subnet 10.1.1.0 255.255.255.0
next
edit VLAN_200_Net
set type ipmask
set subnet 10.1.2.0 255.255.255.0
end
To add security policies:
Policies 1 and 2 do not need NAT enabled, but policies 3 and 4 do need NAT enabled.
edit 1
set srcintf VLAN_100
set srcaddr VLAN_100_Net
set dstintf VLAN_200

set dstaddr VLAN_200_Net

set schedule always
set service ALL
set action accept
set nat disable
set status enable
next
edit 2
set dstintf VLAN_100
set dstaddr VLAN_100_Net
set schedule always
set service ALL
set action accept
set nat disable
set status enable
next
edit 3
set dstintf external
set dstaddr all
set schedule always
set service ALL
set action accept
set nat enable
set status enable
next
edit 4
set dstaddr all
set schedule always
set service ALL
set action accept
set nat enable
set status enable
end
VLANs in transparent mode
In transparent mode, the FortiGate unit behaves like a layer-2 bridge but can still provide services such as antivirus
scanning, web filtering, spam filtering, and intrusion protection to traffic. Some limitations of transparent mode is that
you cannot use SSL VPN, PPTP/L2TP VPN, DHCP server, or easily perform NAT on traffic. The limits in transparent
mode apply to IEEE 802.1Q VLAN trunks passing through the unit.
You can insert the FortiGate unit operating in transparent mode into the VLAN trunk without making changes to your
network. In a typical configuration, the FortiGate unit internal interface accepts VLAN packets on a VLAN trunk from a
VLAN switch or router connected to internal network VLANs. The FortiGate external interface forwards VLAN-tagged
packets through another VLAN trunk to an external VLAN switch or router and on to external networks such as the
Internet. You can configure the unit to apply different policies for traffic on each VLAN in the trunk.

To pass VLAN traffic through the FortiGate unit, you add two VLAN subinterfaces with the same VLAN ID, one to the
internal interface and the other to the external interface. You then create a security policy to permit packets to flow from
the internal VLAN interface to the external VLAN interface. If required, create another security policy to permit packets
to flow from the external VLAN interface to the internal VLAN interface. Typically in transparent mode, you do not permit
packets to move between different VLANs. Network protection features such as spam filtering, web filtering, and anti-
virus scanning, are applied through the UTM profiles specified in each security policy, enabling very detailed control over
traffic.
When the FortiGate unit receives a VLAN-tagged packet on a physical interface, it directs the packet to the VLAN
subinterface with the matching VLAN ID. The VLAN tag is removed from the packet and the FortiGate unit then applies
security policies using the same method it uses for non-VLAN packets. If the packet exits the FortiGate unit through a
VLAN subinterface, the VLAN ID for that subinterface is added to the packet and the packet is sent to the corresponding
physical interface.
Sample topology
In this example, the FortiGate unit is operating in transparent mode and is configured with two VLANs: one with an ID of
100 and the other with ID 200. The internal and external physical interfaces each have two VLAN subinterfaces, one for
VLAN_100 and one for VLAN_200.
The IP range for the internal VLAN_100 network is 10.100.0.0/255.255.0.0, and for the internal VLAN_200 network is
10.200.0.0/255.255.0.0.
The internal networks are connected to a Cisco 2950 VLAN switch which combines traffic from the two VLANs onto one
in the FortiGate unit's internal interface. The VLAN traffic leaves the FortiGate unit on the external network interface,
goes on to the VLAN switch, and on to the Internet. When the FortiGate units receives a tagged packet, it directs it from
the incoming VLAN subinterface to the outgoing VLAN subinterface for that VLAN.
In this example, we create a VLAN subinterface on the internal interface and another one on the external interface, both
with the same VLAN ID. Then we create security policies that allow packets to travel between the VLAN_100_int
interface and the VLAN_100_ext interface. Two policies are required: one for each direction of traffic. The same is
required between the VLAN_200_int interface and the VLAN_200_ext interface, for a total of four security policies.
There are two main steps to configure your FortiGate unit to work with VLANs in transparent mode:
1. Add VLAN subinterfaces.
2. Add security policies.
You can also configure the protection profiles that manage antivirus scanning, web filtering, and spam filtering.

To add VLAN subinterfaces:

edit VLAN_100_int
set type vlan
set vlanid 100
next
edit VLAN_100_ext
set type vlan
set interface external
set vlanid 100
next
edit VLAN_200_int
set type vlan
set vlanid 200
next
edit VLAN_200_ext
set type vlan
set interface external
set vlanid 200
end
To add security policies:

edit 1
set srcintf VLAN_100_int
set srcaddr all
set dstintf VLAN_100_ext
set dstaddr all
set action accept
set schedule always
set service ALL
next
edit 2
set srcintf VLAN_100_ext
set srcaddr all
set dstintf VLAN_100_int
set dstaddr all
set action accept
set schedule always
set service ALL
next
edit 3
set srcintf VLAN_200_int
set srcaddr all
set dstintf VLAN_200_ext
set dstaddr all
set action accept
set schedule always
set service ALL
next
edit 4
set srcintf VLAN_200_ext

set srcaddr all

set dstintf VLAN_200_int
set dstaddr all
set action accept
set schedule always
set service ALL
end
Enhanced MAC VLANs
The Media Access Control (MAC) Virtual Local Area Network (VLAN) feature in Linux allows you to configure multiple
virtual interfaces with different MAC addresses (and therefore different IP addresses) on a physical interface.
FortiGate implements an enhanced MAC VLAN consisting of a MAC VLAN with bridge functionality. Because each MAC
VLAN has a unique MAC address, virtual IP addresses (VIPs) and IP pools are supported, and you can disable Source
Network Address Translation (SNAT) in policies.
MAC VLAN cannot be used in a Transparent mode virtual domain (VDOM). In a Transparent mode VDOM, a packet
leaves an interface with the MAC address of the original source instead of the interface’s MAC address. FortiGate
implements an enhanced version of MAC VLAN where it adds a MAC table in the MAC VLAN which learns the MAC
addresses when traffic passes through.
If you configure a VLAN ID for an enhanced MAC VLAN, it won’t join the switch of the underlying interface. When a
packet is sent to this interface, a VLAN tag is inserted in the packet and the packet is sent to the driver of the underlying
interface. When the underlying interface receives a packet, if the VLAN ID doesn’t match, it won’t deliver the packet to
this enhanced MAC VLAN interface.
If you use an interface in an enhanced MAC VLAN, do not use it for other purposes such as a management interface,
HA heartbeat interface, or in Transparent VDOMs.
If a physical interface is used by an EMAC VLAN interface, you cannot use it in a Virtual Wire Pair.
In high availability (HA) configurations, enhanced MAC VLAN is treated as a physical interface. It’s assigned a unique
physical interface ID and the MAC table is synchronized with the slaves in the same HA cluster.
Example 1: Enhanced MAC VLAN configuration for multiple VDOMs that use the same interface
or VLAN
In this example, a FortiGate is connected, through port 1 to a router that’s connected to the Internet. Three VDOMs
share the same interface (port 1) which connects to the same router that’s connected to the Internet. Three enhanced
MAC VLAN interfaces are configured on port 1 for the three VDOMs. The enhanced MAC VLAN interfaces are in the
same IP subnet segment and each have unique MAC addresses.
The underlying interface (port 1) can be a physical interface, an aggregate interface, or a VLAN interface on a physical
or aggregate interface.

To configure enhanced MAC VLAN for this example in the CLI:

edit port1.emacvlan1
set vdom VDOM1
set type emac-vlan
set interface port1
next
edit port 1.emacvlan2
set vdom VDOM2
set type emac-vlan
set interface port1
next
edit port1.emacvlan3
set vdom VDOM3
set type emac-vlan
set interface port1
next
end
Example 2: Enhanced MAC VLAN configuration for shared VDOM links among multiple VDOMs
In this example, multiple VDOMs can connect to each other using enhanced MAC VLAN on network processing unit
(NPU) virtual link (Vlink) interfaces.
FortiGate VDOM links (NPU-Vlink) are designed to be peer-to-peer connections and VLAN interfaces on NPU Vlink ports
use the same MAC address. Connecting more than two VDOMs using NPU Vlinks and VLAN interfaces is not
recommended.


edit npu0_vlink0.emacvlan1
set vdom VDOM1
set type emac-vlan
set interface npu0_vlink0
next
set vdom VDOM3
set type emac-vlan
next
set vdom VDOM2
set type emac-vlan
next
end
Example 3: Enhanced MAC VLAN configuration for unique MAC addresses for each VLAN
interface on the same physical port
Some networks require a unique MAC address for each VLAN interface when the VLAN interfaces share the same
physical port. In this case, the enhanced MAC VLAN interface is used the same way as normal VLAN interfaces.
To configure this, use the set vlanid command for the VLAN tag.

edit interface-name
set type emac-vlan
set vlanid <VLAN-ID>
set interface <physical-interface>
end
Inter-VDOM routing
In the past, virtual domains (VDOMs) were separate from each other and there was no internal communication. Any
communication between VDOMs involved traffic leaving on a physical interface belonging to one VDOM and re-entering
the FortiGate unit on another physical interface belonging to another VDOM to be inspected by firewall policies in both
directions.
Inter-VDOM routing changes this. With VDOM links, VDOMs can communicate internally without using additional
physical interfaces.
Inter-VDOM routing is the communication between VDOMs. VDOM links are virtual interfaces that connect VDOMs. A
VDOM link contains a pair of interfaces, each one connected to a VDOM and forming either end of the inter-VDOM
connection.
When VDOMs are configured on your FortiGate unit, configuring inter-VDOM routing and VDOM-links is very much like
creating a VLAN interface. VDOM-links are managed through the web-based manager or CLI. In the web-based
manager, VDOM link interfaces are managed in the network interface list.

VDOM link does not support traffic offload. If you want to use traffic offload, use NPU-VDOM-
LINK.
To configure a VDOM link in the GUI:

2. Click Create New > VDOM Link.
3. Configure the fields including the Name, Virtual Domain, IP information, access levels, and other fields.
To configure a VDOM link in the CLI:
config system vdom-link

edit "<vdom-link-name>"
next
end
edit "<vdom-link-name0>"
set vdom "<VDOM Name>"
set type vdom-link
next
end
edit "<vdom-link-name1>"
set vdom "<VDOM Name>"
set type vdom-link
next
end
To delete a VDOM link in the GUI:

2. Select a VDOM Link and click Delete.
To delete a VDOM link in the CLI:

delete <VDOM-LINK-Name>
end
Sample configuration: Inter-VDOM routing
This example shows how to configure a FortiGate unit to use inter-VDOM routing.

Two departments of a company, Accounting and Sales, are connected to one FortiGate. The company uses a single
ISP to connect to the Internet.
This example includes the following general steps. We recommend following the steps in the order below.
Create the VDOMs
To enable VDOMs and create the Sales and Accounting VDOMs:

set vdom-mode multi-vdom
end
config system vdom
edit Accounting
next
edit Sales
next
end
Configure the physical interfaces
Next, configure the physical interfaces. This example uses three interfaces on the FortiGate unit: port2 (internal), port3
(DMZ), and port1 (external). Port2 and port3 interfaces each have a department’s network connected. Port1 is for all
traffic to and from the Internet and uses DHCP to configure its IP address, which is common with many ISPs.
config global
edit port2
set alias AccountingLocal
set vdom Accounting
set mode static
set ip 172.100.1.1 255.255.0.0
set allowaccess https ping ssh
set description "The accounting dept internal interface"
next
edit port3
set alias SalesLocal
set vdom Sales
set mode static
set ip 192.168.1.1 255.255.0.0
set description "The sales dept. internal interface"
next
edit port1
set alias ManagementExternal
set vdom root
set mode DHCP
set distance 5
set gwdetect enable
set dns-server-override enable
set allowaccess https ssh snmp
set description “The systemwide management interface.”
end
end

Configure the VDOM links
To complete the connection between each VDOM and the management VDOM, add the two VDOM links. One pair is
the Accounting – management link and the other is the Sales – management link.
When configuring inter-VDOM links, you do not have to assign IP addresses to the links unless you are using advanced
features such as dynamic routing that require them. Not assigning IP addresses results in faster configuration and more
available IP addresses on your networks.
To configure the Accounting and management VDOM link:
config global
edit AccountVlnk
next
end
edit AccountVlnk0
set vdom Accounting
set ip 11.11.11.2 255.255.255.0
set description “Accounting side of the VDOM link“
next
edit AccountVlnk1
set vdom root
set ip 11.11.11.1 255.255.255.0
set description “Management side of the VDOM link“
end
end
To configure the Sales and management VDOM link:
config global
edit SalesVlnk
end
edit SalesVlnk0
set vdom Accounting
set ip 12.12.12.2 255.255.255.0
set description "Sales side of the VDOM link"
next
edit SalesVlnk1
set vdom root
set ip 12.12.12.1 255.255.255.0
set description "Management side of the VDOM link"
end
end

Configure the firewall and Security Profile
With the VDOMs, physical interfaces, and VDOM links configured, the firewall must now be configured to allow the
proper traffic. Firewalls are configured per-VDOM, and firewall objects and routes must be created for each VDOM
separately.
To configure the firewall policies from AccountingLocal to Internet:
config vdom
edit Accounting
edit 1
set name "Accounting-Local-to-Management"
set srcintf port2
set dstintf AccountVlnk
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ALL
set nat enable
end
end
config vdom
edit root
edit 2
set name "Accounting-VDOM-to-Internet"
set srcintf AccountVlnk
set dstintf port1
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ALL
set nat enable
end
end
To configure the firewall policies from SalesLocal to the Internet:
config vdom
edit root
edit 6
set name "Sales-local-to-Management"
set srcintf port2
set srcaddr all
set dstintf SalesVlnk
set dstaddr all
set schedule always
set service ALL
set action accept
set logtraffic enable
end

end
config vdom
edit Sales
edit 7
set name "Sales-VDOM-to-Internet"
set srcintf SalesVlnk
set srcaddr SalesManagement
set dstaddr all
set schedule always
set service OfficeServices
set action accept
set logtraffic enable
end
end
Test the configuration
When the inter-VDOM routing has been configured, test the configuration to confirm proper operation.
Testing connectivity ensures that physical networking connections, FortiGate unit interface configurations, and firewall
policies are properly configured.
The easiest way to test connectivity is to use the ping and traceroute command to confirm the connectivity of
different routes on the network.
Test both from AccountingLocal to Internet and from SalesLocal to Internet.
Software switch
A software switch, or soft switch, is a virtual switch that is implemented at the software or firmware level and not at the
hardware level. A software switch can be used to simplify communication between devices connected to different
FortiGate interfaces. For example, using a software switch, you can place the FortiGate interface connected to an
internal network on the same subnet as your wireless interfaces. Then devices on the internal network can communicate
with devices on the wireless network without any additional configuration on the FortiGate unit, such as additional
security policies.
A software switch can also be useful if you require more hardware ports for the switch on a FortiGate unit. For example,
if your FortiGate unit has a 4-port switch, WAN1, WAN2, and DMZ interfaces, and you need one more port, you can
create a soft switch that can include the four-port switch and the DMZ interface, all on the same subnet. These types of
applications also apply to wireless interfaces, virtual wireless interfaces, and physical interfaces such as those in
FortiWiFi and FortiAP units.
Similar to a hardware switch, a software switch functions like a single interface. A soft switch has one IP address and all
the interfaces in the software switch are on the same subnet. Traffic between devices connected to each interface are
not regulated by security policies, and traffic passing in and out of the switch are controlled by the same policy.
When setting up a software switch, consider the following:
l Ensure you have a back up of the configuration.
l Ensure you have at least one port or connection such as the console port to connect to the FortiGate unit. If you
accidentally combine too many ports, you need a way to undo errors.
l The ports that you include must not have any link or relation to any other aspect of the FortiGate unit, such as
DHCP servers, security policies, and so on.

l For increased security, you can create a captive portal for the switch to allow only specific user groups access to the
resources connected to the switch.
To create a software switch in the GUI:

2. Click Create New > Interface.
3. Set Type to Software Switch.
4. Configure the Interface Name, Virtual Domain, Interface Members, and other fields.
To create a software switch in the CLI:
config system switch-interface

edit <switch-name>
set type switch
set member <interface_list>
end
edit <switch_name>
set ip <ip_address>
set allowaccess https ssh ping
end
Sample configuration: software switch
For this example, the wireless interface (WiFi) needs to be on the same subnet as the DMZ1 interface to facilitate
wireless syncing from an iPhone and a local computer. Because synching between two subnets is problematic, putting
both interfaces on the same subnet the synching will work. The software switch will accomplish this.
1. Clear the interfaces and back up the configuration.
a. Ensure the interfaces are not used for other security policy or for other use on the FortiGate unit.
b. Check the WiFi and DMZ1 ports to ensure DHCP is not enabled on the interface and that there are no other
dependencies on these interfaces.
c. Save the current configuration so that if something doesn’t work, recovery can be quick.
2. Merge the interfaces.
Merge the WiFi port and DMZ1 port to create a software switch named synchro with an IP address of
10.10.21.12.
Use the following CLI commands to create the switch, add the IP, and then set the administrative access for
HTTPS, SSH and Ping.
edit synchro
set type switch
set member dmz1 wifi
end
edit synchro
set ip 10.10.21.12
set allowaccess https ssh ping
end

When the soft switch is set up, you now add security policies, DHCP servers, and any other configuration you
normally do to configure interfaces on the FortiGate unit.
Zone
Zones are a group of one or more physical or virtual FortiGate interfaces that you can apply security policies to control
inbound and outbound traffic. Grouping interfaces and VLAN subinterfaces into zones simplifies the creation of security
policies where a number of network segments can use the same policy settings and protection profiles.
When you add a zone, you select the names of the interfaces and VLAN subinterfaces to add to the zone. Each
interface still has its own address. Routing is still done between interfaces, that is, routing is not affected by zones. You
can use security policies to control the flow of intra-zone traffic.
For example, in the sample configuration below, the network includes three separate groups of users representing
different entities on the company network. While each group has its own set of ports and VLANs in each area, they can
all use the same security policy and protection profiles to access the Internet. Rather than the administrator making nine
separate security policies, he can make administration simpler by adding the required interfaces to a zone and creating
three policies.
You can configure policies for connections to and from a zone but not between interfaces in a zone. For this example,
you can create a security policy to go between zone 1 and zone 3, but not between WAN2 and WAN1, or WAN1 and
DMZ1.

To create a zone in the GUI:
If VDOMs are enabled, go to the VDOM to create a zone.
2. Click Create New > Zone.

3. Configure the Name and add the Interface Members.
To configure a zone to include the internal interface and a VLAN using the CLI:
config system zone

edit Zone_1
set interface internal VLAN_1
set intrazone deny/allow
end
Using zone in a firewall policy
To configure a firewall policy to allow any interface to access the Internet using the CLI:

edit 2
set name "2"
set srcintf "Zone_1"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
set nat enable
next
end
Intra-zone traffic
In the zone configuration you can set intrazone deny to prohibit the different interfaces in the same zone to talk
to each other.
For example, if you have ten interfaces in your zone and the intrazone setting is deny. You now want to allow traffic
between a very small number of networks on different interfaces that are part of the zone but you do not want to disable
the intra-zone blocking.
In this example, the zone VLANs are defined as: 192.168.1.0/24, 192.168.2.0/24, ... 192.168.10.0/24.
This policy allows traffic from 192.168.1.x to 192.168.2.x even though they are in the same zone and intra-zone
blocking is enabled. The intra-zone blocking acts as a default deny rule and you have to specifically override it by
creating a policy within the zone.

To enable intra-zone traffic, create the following policy:
Source Interface Zone-name, e.g., Vlans
Source Address 192.168.1.0/24
Destination Zone-name (same as Source Interface, i.e., Vlans)
Destination Address 192.168.2.0/24
Virtual Wire Pair
A virtual wire pair consists of two interfaces that do not have IP addressing and are treated like a transparent mode
VDOM. All traffic received by one interface in the virtual wire pair can only be forwarded to the other interface, provided
a virtual wire pair firewall policy allows this traffic. Traffic from other interfaces cannot be routed to the interfaces in a
virtual wire pair.
Virtual wire pairs are useful for a typical topology where MAC addresses do not behave normally. For example, port
pairing can be used in a Direct Server Return (DSR) topology where the response MAC address pair may not match the
request’s MAC address pair.
Sample topology
In this example, a virtual wire pair (port3 and port4) makes it easier to protect a web server that is behind a FortiGate
operating as an Internal Segmentation Firewall (ISFW). Users on the internal network access the web server through
the ISFW over the virtual wire pair.
Interfaces used in a virtual wire pair cannot be used to access the ISFW FortiGate. Before
creating a virtual wire pair, make sure you have a different port configured to allow admin
access using your preferred protocol.
To add a virtual wire pair using the GUI:

2. Click Create New > Virtual Wire Pair.
3. Select the Interface Members to add to the virtual wire pair.
These interfaces cannot be part of a switch, such as the default LAN/internal interface.
4. If desired, enable Wildcard VLAN.
To add a virtual wire pair using the CLI:
config system virtual-wire-pair

edit "VWP-name"

set member "port3" "port4"

set wildcard-vlan enable/disable
next
end
To create a virtual wire pair policy using the GUI:
1. Go to Policy & Objects > IPv4 Virtual Wire Pair Policy.

3. Select the direction that traffic is allowed to flow.
4. Configure the other fields.
5. Click OK.
To create a virtual wire pair policy using the CLI:

edit 1
set name "VWP-Policy"
set srcintf "port3" "port4"
set dstintf "port3" "port4"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
set fsso disable
next
end
Virtual Domains
Virtual Domains (VDOMs) are used to divide a FortiGate into two or more virtual units that function independently.
VDOMs can provide separate security policies and, in NAT mode, completely separate configurations for routing and
VPN services for each connected network.
There are two VDOM modes:
l Split-task VDOM mode: One VDOM is used only for management, and the other is used to manage traffic. See
Split-task VDOM mode on page 223.
l Multi VDOM mode: Multiple VDOMs can be created and managed as independent units. See Multi VDOM mode
on page 227.
By default, most FortiGate units support 10 VDOMs, and many FortiGate models support purchasing a license key to
increase the maximum number.
Global settings are configured outside of a VDOM. They effect the entire FortiGate, and include settings such as
interfaces, firmware, DNS, some logging and sandboxing options, and others. Global settings should only be changed
by top level administrators.

Switching VDOM modes
Current VDOM mode New VDOM mode Rule
No VDOM Split-task VDOM Allowed
Split-task VDOM No VDOM Allowed
No VDOM Multi VDOM Allowed only if CSF is disabled
Multi VDOM No VDOM Allowed
Split-task VDOM Multi VDOM Allowed only if CSF is disabled
Multi VDOM Split-task VDOM Not Allowed. User must first switch to No
VDOM
Split-task VDOM mode
In split-task VDOM mode, the FortiGate has two VDOMs: the management VDOM (root) and the traffic VDOM (FG-
traffic).
The management VDOM is used to manage the FortiGate, and cannot be used to process traffic.
The following GUI sections are available when in the management VDOM:
l The Status dashboard
l Security Fabric topology and settings (read-only, except for HTTP Service settings)
l Interface and static route configuration
l FortiClient configuration
l Replacement messages
l Advanced system settings
l Certificates
l System events
l Log and email alert settings
l Threat weight definitions
The traffic VDOM provides separate security policies, and is used to process all network traffic.
The following GUI sections are available when in the traffic VDOM:
l The Status, Top Usage LAN/DMZ, and Security dashboards
l Security Fabric topology, settings (read-only, except for HTTP Service settings), and Fabric Connectors
(SSO/Identity connectors only)
l FortiView
l Interface configuration
l Packet capture
l SD-WAN, SD-WAN Rules, and Performance SLA

l Static and policy routes

l RIP, OSPF, BGP, and Multicast
l Replacement messages
l Advanced system settings
l Feature visibility
l Tags
l Certificates
l Policies and objects
l Security profiles
l VPNs
l User and device authentication
l Wifi and switch controller
l Logging
l Monitoring
Split-task VDOM mode is not available on all FortiGate models. The Fortinet Security Fabric supports split-task VDOM
mode.
Enable split-task VDOM mode
Split-task VDOM mode can be enabled in the GUI or CLI. Enabling it does not require a reboot, but does log you out of
the FortiGate.
When split-task VDOM mode is enabled, all current management configuration is assigned to
the root VDOM, and all non-management settings, such as firewall policies and security
profiles, are deleted.
To enable split-task VDOM mode in the GUI:
1. On the FortiGate, go to System > Settings.

2. In the System Operation Settings section, enable Virtual Domains.
3. Select Split-Task VDOM for the VDOM mode.

4. Select a Dedicated Management Interface from the Interface list. This interface is used to access the
management VDOM, and cannot be used in firewall policies.
5. Click OK.
To enable split-task VDOM mode with the CLI:

set vdom-mode split-vdom
end
Assign interfaces to a VDOM
An interface can only be assigned to one of the VDOMs. When split-task VDOM mode is enabled, all interfaces are
assigned to the root VDOM. To use an interface in a policy, it must first be assigned to the traffic VDOM.
An interface cannot be moved if it is referenced in an existing configuration.
In the GUI, the interface list Ref. column shows if the interface is referenced in an existing
configuration, and allows you to quickly access and edit those references.
To assign an interface to a VDOM in the GUI:
1. On the FortiGate, go to Global > Network > Interfaces.

2. Edit the interface that will be assigned to a VDOM.
3. Select the VDOM that the interface will be assigned to from the Virtual Domain list.
4. Click OK.
To assign an interface to a VDOM using the CLI:
config global
edit <interface>

set vdom <VDOM_name>

next
end
end
Create per-VDOM administrators
Per-VDOM administrators can be created that can access only the management or traffic VDOM. These administrators
must use either the prof_admin administrator profile, or a custom profile.
A per-VDOM administrator can only access the FortiGate through a network interface that is assigned to the VDOM that
they are assigned to. The interface must also be configured to allow management access. They can also connect to the
FortiGate using the console port.
To assign an administrator to multiple VDOMs, they must be created at the global level. When creating an administrator
at the VDOM level, the super_admin administrator profile cannot be used.
To create a per-VDOM administrator in the GUI:
1. On the FortiGate, connect to the management VDOM.

2. Go to Global > System > Administrators and click Create New > Administrator.
3. Fill in the required information, setting the Type as Local User.
4. In the Virtual Domains field, add the VDOM that the administrator will be assigned to, and if necessary, remove
the other VDOM from the list.
5. Click OK.
To create a per-VDOM administrator using the CLI:
config global
config system admin
edit <name>
set vdom <VDOM_name>
set accprofile <admin_profile>
...
next
end

end
Multi VDOM mode
In multi VDOM mode, the FortiGate can have multiple VDOMs that function as independent units. One VDOM is used
to manage global settings.
Multi VDOM mode isn't available on all FortiGate models. The Fortinet Security Fabric does not support multi VDOM
mode.
There are three main configuration types in multi VDOM mode:
Independent VDOMs:
Multiple, completely separate VDOMs are created. Any VDOM can be the management VDOM, as long as it has
Internet access. There are no inter-VDOM links, and each VDOM is independently managed.
Management VDOM:
A management VDOM is located between the other VDOMs and the Internet, and the other VDOMs connect to the
management VDOM with inter-VDOM links. The management VDOM has complete control over Internet access,
including the types of traffic that are allowed in both directions. This can improve security, as there is only one point of
ingress and egress.
There is no communication between the other VDOMs.

Meshed VDOMs:
VDOMs can communicate with inter-VDOM links. In full-mesh configurations, all the VDOMs are interconnected. In
partial-mesh configurations, only some of the VDOMs are interconnected.
In this configuration, proper security must be achieved by using firewall policies and ensuring secure account access for
administrators and users.
Multi VDOM configuration examples
The following examples show how to configure per-VDOM settings, such as operation mode, routing, and security
policies, in a network that includes the following VDOMs:
l VDOM-A: allows the internal network to access the Internet.
l VDOM-B: allows external connections to an FTP server.
l root: the management VDOM.
You can use VDOMs in either NAT or transparent mode on the same FortiGate. By default, VDOMs operate in NAT
mode.
For both examples, multi VDOM mode must be enabled, and VDOM-A and VDOM-B must be created.
Enable multi VDOM mode
Multi VDOM mode can be enabled in the GUI or CLI. Enabling it does not require a reboot, but does log you out of the
device. The current configuration is assigned to the root VDOM.
To enable multi VDOM mode in the GUI:
1. On the FortiGate, go to System > Settings.

3. Select Multi VDOM for the VDOM mode.
4. Click OK.

To enable multi VDOM mode with the CLI:

end
Create the VDOMs
To create the VDOMs in the GUI:
1. In the Global VDOM, go to System > VDOM, and click Create New. The New Virtual Domain page opens.
2. In the Virtual Domain field, enter VDOM-A.

3. If required, set the NGFW Mode. If the NGFW Mode is Policy-based, select an SSL/SSH Inspection from the
list.
4. Optionally, enter a comment.
5. Click OK to create the VDOM.
6. Repeat the above steps for VDOM-B.
To create the VDOMs with the CLI:
config vdom
edit <VDOM-A>
next
edit <VDOM-B>
next
end
end
NAT mode
In this example, both VDOM-A and VDOM-B use NAT mode. A VDOM link is created that allows users on the internal
network to access the FTP server.
This configuration requires the following steps:
1. Configure VDOM-A on page 229
2. Configure VDOM-B on page 231
3. Configure the VDOM link on page 234
Configure VDOM-A
VDOM-A allows connections from devices on the internal network to the Internet. WAN 1 and port 1 are assigned to this
VDOM.
The per-VDOM configuration for VDOM-A includes the following:

l A firewall address for the internal network

l A static route to the ISP gateway
l A security policy allowing the internal network to access the Internet
All procedures in this section require you to connect to VDOM-A, either using a global or per-VDOM administrator
account.
To add the firewall addresses in the GUI:
1. Go to Policy & Objects > Addresses and create a new address.

Name internal-network
Type Subnet
Subnet / IP Range 192.168.10.0/255.255.255.0
Interface port1
Show in Address List enabled
To add the firewall addresses with the CLI:
config vdom
edit VDOM-A
edit internal-network
set associated-interface port1
set subnet 192.168.10.0 255.255.255.0
next
end
next
end
To add a default route in the GUI:
1. Go to Network > Static Routes and create a new route.

Destination Subnet
IP address 0.0.0.0/0.0.0.0
Gateway 172.20.201.7
Interface wan1
Distance 10
To add a default route with the CLI:
config vdom
edit VDOM-A
edit 0


set device wan1
next
end
next
end
To add the security policy in the GUI:
1. Connect to VDOM-A.
2. Go to Policy & Objects > IPv4 Policy and create a new policy.
Name VDOM-A-Internet
Incoming Interface port1
Outgoing Interface wan1
Source Address internal-network
Destination Address all
Schedule always
Service ALL
Action ACCEPT
NAT enabled
To add the security policy with the CLI:
config vdom
edit VDOM-A
edit 0
set name VDOM-A-Internet
set srcintf port1
set dstintf wan1
set srcaddr internal-network
set dstaddr all
set action accept
set schedule always
set service ALL
set nat enable
next
end
next
end
Configure VDOM-B
VDOM-B allows external connections to reach an internal FTP server. WAN 2 and port 2 are assigned to this VDOM.
The per-VDOM configuration for VDOM-B includes the following:

l A firewall address for the FTP server

l A virtual IP address for the FTP server
l A security policy allowing external traffic to reach the FTP server
All procedures in this section require you to connect to VDOM-B, either using a global or per-VDOM administrator
account.

Address Name FTP-server
Type Subnet
Subnet / IP Range 192.168.20.10/32
Interface port2
config vdom
edit VDOM-B
edit FTP-server
set subnet 192.168.20.10 255.255.255.255
next
end
next
end
To add the virtual IP address in the GUI:
1. Go to Policy & Objects > Virtual IPs and create a new virtual IP address.

Name FTP-server-VIP
Interface wan2
External IP Address/Range 172.25.177.42
Internal IP Address/Range 192.168.20.10
To add the virtual IP address with the CLI:
config firewall vip

edit FTP-server-VIP
set extip 172.25.177.42
set extintf wan2
set mappedip 192.168.20.10

next
end

Destination Subnet
IP address 0.0.0.0/0.0.0.0
Gateway 172.20.10.10
Interface wan2
Distance 10
config vdom
edit VDOM-B
edit 0
set device wan2
next
end
next
end

Name Access-server
Incoming Interface wan2
Outgoing Interface port2
Source Address all
Destination Address FTP-server-VIP
Schedule always
Service FTP
Action ACCEPT
NAT enabled
config vdom
edit VDOM-B


edit 0
set name Access-server
set srcintf wan2
set dstintf port2
set srcaddr all
set dstaddr FTP-server-VIP
set action accept
set schedule always
set service FTP
set nat enable
next
end
next
end
Configure the VDOM link
The VDOM link allows connections from VDOM-A to VDOM-B. This allows users on the internal network to access the
FTP server through the FortiGate.
The configuration for the VDOM link includes the following:
l The VDOM link interface
l Firewall addresses for the FTP server on VDOM-A and for the internal network on VDOM-B
l Static routes for the FTP server on VDOM-A and for the internal network on VDOM-B
l Policies allowing traffic using the VDOM link
All procedures in this section require you to connect to the global VDOM using a global administrator account.
To add the VDOM link in the GUI:
1. Connect to root.
2. Go to Global > Network > Interfaces and select Create New > VDOM link.
Name VDOM-link
Interface 0
Virtual Domain VDOM-A
IP/Netmask 0.0.0.0/0.0.0.0
Interface 1
Virtual Domain VDOM-B
IP/Netmask 0.0.0.0/0.0.0.0
To add the VDOM link with the CLI:
config global
edit vlink
end


edit VDOM-link0
set vdom VDOM-A
set ip 0.0.0.0 0.0.0.0
next
edit VDOM-link1
set vdom VDOM-B
set ip 0.0.0.0 0.0.0.0
next
end
end
To add the firewall address on VDOM-A in the GUI:
Type Subnet
Subnet / IP Range 192.168.20.10/32
Interface VDOM-link0
Static Route Configuration enabled
To add the firewall addresses on VDOM-A with the CLI:
config vdom
edit VDOM-B
edit FTP-server
set associated-interface VDOM-link0
set allow-routing enable
set subnet 192.168.20.10 255.255.255.255
next
end
next
end
To add the static route on VDOM-A in the GUI:
Destination Named Address
Named Address FTP-server

Gateway 0.0.0.0
To add the static route on VDOM-A with the CLI:
config vdom
edit VDOM-A
edit 0
set device VDOM-link0
set dstaddr FTP-server
next
end
next
end
To add the security policy on VDOM-A in the GUI:
Name Access-FTP-server
Outgoing Interface VDOM-link0
Source internal-network
Destination FTP-server
Schedule always
Service FTP
Action ACCEPT
NAT disabled
To add the security policy on VDOM-A with the CLI:
config vdom
edit VDOM-A
edit 0
set name Access-FTP-server
set srcintf port1
set dstintf VDOM-link0
set action accept
set schedule always
set service FTP
next
end

next
end
To add the firewall address on VDOM-B in the GUI:
1. Connect to VDOM-B.
Address Name internal-network
Type Subnet
Subnet / IP Range 192.168.10.0/24
Static Route Configuration enabled
To add the firewall addresses on VDOM-B with the CLI:
config vdom
edit VDOM-B
set associated-interface VDOM-link1
set allow-routing enable
set subnet 192.168.10.0 255.255.255.0
next
end
next
end
To add the static route on VDOM-B in the GUI:
Destination Named Address
Named Address internal-network
Gateway 0.0.0.0
To add the static route on VDOM-B with the CLI:
config vdom
edit VDOM-B
edit 0
set device VDOM-link1

set dstaddr internal-network

next
end
next
end
To add the security policy on VDOM-B in the GUI:
Name Internal-server-access
Incoming Interface VDOM-link1
Source internal-network
Destination FTP-server
Schedule always
Service FTP
Action ACCEPT
NAT disabled
To add the security policy on VDOM-B with the CLI:
config vdom
edit VDOM-B
edit 0
set name Internal-server-access
set srcintf VDOM-link1
set dstintf port2
set action accept
set schedule always
set service FTP
next
end
next
end
NAT and transparent mode
In this example, VDOM-A uses NAT mode and VDOM-B uses transparent mode.
This configuration requires the following steps:
1. Configure VDOM-A on page 239
2. Configure VDOM-B on page 241

Configure VDOM-A
VDOM-A allows connections from devices on the internal network to the Internet. WAN 1 and port 1 are assigned to this
VDOM.
The per-VDOM configuration for VDOM-A includes the following:
l A firewall address for the internal network
l A security policy allowing the internal network to access the Internet
All procedures in this section require you to connect to VDOM-A, either using a global or per-VDOM administrator
account.

Name internal-network
Type Subnet
Subnet / IP Range 192.168.10.0/24
Interface port1
config vdom
edit VDOM-A
set subnet 192.168.10.0 255.255.255.0
next
end
next
end

Destination Subnet
IP address 0.0.0.0/0.0.0.0
Gateway 172.20.201.7
Interface wan1
Distance 10

config vdom
edit VDOM-A
edit 0
set device wan1
next
end
next
end
Name VDOM-A-Internet
Outgoing Interface wan1
Source Address internal-network
Destination Address all
Schedule always
Service ALL
Action ACCEPT
NAT enabled
config vdom
edit VDOM-A
edit 0
set name VDOM-A-Internet
set srcintf port1
set dstintf wan1
set dstaddr all
set action accept
set schedule always
set service ALL
set nat enable
next
end
next
end

Configure VDOM-B
VDOM-B allows external connections to reach an internal FTP server. WAN 2 and port 2 are assigned to this VDOM.
The per-VDOM configuration for VDOM-B includes the following:
l A firewall address for the FTP server
l A security policy allowing external traffic to reach the FTP server
All procedures in this section require you to connect to VDOM-B, either using a global or per-VDOM administrator
account.

Type Subnet
Subnet / IP Range 172.25.177.42/32
Interface port2
config vdom
edit VDOM-B
edit FTP-server
set subnet 172.25.177.42 255.255.255.255
next
end
next
end
1. Go to Network > Routing Table and create a new route.

Destination Subnet
IP address 0.0.0.0/0.0.0.0
Gateway 172.20.10.10
config vdom
edit VDOM-B


edit 0
next
end
next
end
Name Access-server
Incoming Interface wan2
Source Address all
Destination Address FTP-server
Schedule always
Service FTP
Action ACCEPT
config vdom
edit VDOM-B
edit 0
set name Access-server
set srcintf wan2
set dstintf port2
set srcaddr all
set dstaddr FTP-server-VIP
set action accept
set schedule always
set service FTP
next
end
next
end
Advanced configurations
The following recipes provide instructions on advanced configurations:

l VDOM on page 243

l SNMP on page 245
l DHCP server on page 250
l Use Custom Images for Replacement Messages on page 252
VDOM
You can use VDOMs (virtual domains) as a method of dividing a FortiGate unit into multiple virtual units. Each unit
functions as an independent unit. VDOMs can provide separate security policies and, in NAT mode, completely
separate configurations for routing and VPN services for each connected network.
By default, most FortiGate units support up to ten VDOMs. Many FortiGate models support purchasing a license key to
increase the maximum number of VDOMs.
Sample topology
In this sample, you use VDOMs to provide Internet access for two different companies (called Company A and
Company B) using a single FortiGate.
VDOM mode
There are three VDOM modes:

l No VDOM. The VDOM setting is disabled. When VDOMs are disabled on any FortiGate unit, there is still one
active VDOM: the root VDOM. The root VDOM is always in the background. When VDOMs are disabled, the root
VDOM is not visible but it is still there.
l Split VDOM. FortiGate has two VDOMs: the root VDOM and a VDOM for FortiGate traffic.
a. The root VDOM is the management VDOM and only does management work. The following items are hidden
in the root VDOM:
l All Policy & Object entries.
l User & Device entries.
l Security Profiles.
l Traffic-related FortiView entries.
l VPN entries.
l Fabric Connectors, Reputation, Feature Visibility, and Object Tags entries.

l Wan-Opt entries.
l Most route entries.
l Most Log Event entries.
l Monitor entries.
b. The FortiGate traffic VDOM can provide separate security policies and allow traffic through the FortiGate.
l Multi-VDOM. Multiple VDOMs each functioning as an independent unit.
You can change VDOM modes in the following ways:
l Change from no VDOM to split VDOM or vice versa.
l Change from multi-VDOM to no VDOM.
l Change from no VDOM/split VDOM to multi-VDOM is allowed only if CSF is disabled.
l Change from multi-VDOM directly to split VDOM is not allowed. You must change to no VDOM first and then
change from no VDOM to split VDOM.
To enable VDOMs in the GUI:

3. Specify VDOM options.
On FortiGate 60 series models, you must use CLI to enable VDOMs.
To enable VDOMs in the CLI:

set vdom-mode no-vdom/split-vdom/multi-vdom
end
To add a VDOMs in the GUI:
1. Go to Global > System > VDOM.

2. Select Create New and specify the new VDOM parameters.
To add a VDOMs in the CLI:
config vdom
edit <new_vdom_name>
end
To edit a VDOMs in the GUI:

2. Select the VDOM and select Edit.
3. Specify the new VDOM parameters.
To edit a VDOMs in the CLI:
config vdom
edit vdom_name
config system settings

set opmode nat

end
To delete a VDOMs in the GUI:

2. Select the VDOM and select Delete.
To delete a VDOMs in the CLI:
config vdom
delete vdom_name
end
Operation mode
A FortiGate can operate in one of two modes: NAT/Route or Transparent.

NAT/Route is the most common operating mode. In this mode, a FortiGate is installed as a gateway or router between
two networks. In most cases, it is used between a private network and the Internet. This allows the FortiGate to hide the
IP addresses of the private network using network address translation (NAT). You can also use NAT/Route mode when
several Internet service providers (ISPs) provide the FortiGate with redundant Internet connections.
In Transparent mode, the FortiGate is installed between the internal network and the router. In this mode, the FortiGate
does not changes any IP addresses and only applies security scanning to traffic. When you add a FortiGate to a network
in Transparent mode, no network changes are requiredexcept to provide the FortiGate with a management IP address.
Transparent mode is used primarily when there is a need to increase network protection but changing the configuration
of the network itself is impractical.
By default, new VDOMs are set to NAT/Route operation mode. If you want a VDOM to be in Transparent operation
mode, you must manually change it.
To change operation mode in the CLI:

set opmode nat | transparent
end
SNMP
The Simple Network Management Protocol (SNMP) enables you to monitor hardware on your network. You can
configure the hardware, such as the FortiGate SNMP agent, to report system information and send traps (alarms or
event messages) to SNMP managers.
SNMP v1/v2c
SNMPWALK is a Simple Network Management Protocol (SNMP) application present on the Security Management
System (SMS) CLI that uses SNMP GETNEXT requests to query a network device for information. An object identifier
(OID) may be given on the command line. This OID specifies which portion of the object identifier space will be
searched using GETNEXT requests. All variables in the subtree below the given OID are queried and their values
presented to the user.

To configure SNMP v1/v2c:
config system snmp community

edit 1
set name "REGR-SYS"
config hosts
edit 1
set ip 10.1.100.11 255.255.255.255
next
end
set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-
failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change
fm-conf-change bgp-established bgp-backward-transition ha-member-up ha-member-down ent-conf-
change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-
open faz-disconnect wc-ap-up wc-ap-down fswctl-session-up fswctl-session-down load-balance-
real-server-down device-new
next
end
Below is a sample SNMPWALK output on the above configuration:
snmpwalk -v2c -c REGR-SYS 10.1.100.1 1

SNMPv2-MIB::sysDescr.0 = STRING: REGR-SYS
SNMPv2-MIB::sysObjectID.0 = OID: FORTINET-FORTIGATE-MIB::fgt140P
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (224721) 0:37:27.21
SNMPv2-MIB::sysContact.0 = STRING: Gundam-Justice
SNMPv2-MIB::sysName.0 = STRING: FortiGate-140D-POE
SNMPv2-MIB::sysLocation.0 = STRING: Gundam-Seed
SNMPv2-MIB::sysServices.0 = INTEGER: 78
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORIndex.1 = INTEGER: 1
SNMPv2-MIB::sysORID.1 = OID: SNMPv2-SMI::zeroDotZero.0
SNMPv2-MIB::sysORDescr.1 = STRING:
SNMPv2-MIB::sysORUpTime.1 = Timeticks: (0) 0:00:00.00
IF-MIB::ifNumber.0 = INTEGER: 45
IF-MIB::ifIndex.1 = INTEGER: 1
---------------truncated-----------------------
SNMP v3
Authentication is used to ensure the identity of users. Privacy allows for encryption of SNMP v3 messages to ensure
confidentiality of data. These protocols provide a higher level of security than is available in SNMP v1 and v2c, which

use community strings for security. Both authentication and privacy are optional.
To configure SNMP v3:
config system snmp user

edit "v3user"
set notify-hosts 10.1.100.11
set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-
failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change
fm-conf-change ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-
passed av-oversize-blocked ips-pkg-update faz-disconnect
set security-level auth-priv
set auth-pwd ENC nu9t3vKW5BOw03RBzrp8cRVgq5kXg/ZqMgEACPNeNi+o-
pioCE6ztKXjkn+eReY9DxSUjgO5Tck-
bMgqfH+YpVzNJxvL8jueq8g00Hs5gJyRy-
ueP22xsRudVv6v0gdfX47WTYvhqxBIDGnUKsL4NsztG0rJVUVZWNVPepdtWYMNDgGgePhvir3Rk/M1OjbS+mGX0YkYw==
set priv-pwd ENC
YlZKutoqQPWK0-
fut2QPy-
fFayGaMssCaBT4y+6mP0AXNC+NJSbOeYCf-
hL4XFvyvhH8l07Hww6QY-
coIGAU9jBcMt+tJk97MExQ/VutOwlS-
izKNqfy9MnJjLWARoKQwOYKpnE2b-
tZGxiFnFmD37mQHcKAtC9n531CPTYOuCtPQB26IjQ97yyWca4SqhRvuSZs6sjkSVWA==
next
end
Below is a sample SNMPWALK output on the above configuration:
snmpwalk -v3 -u v3user -c REGR-SYS -a sha -A 1234567890 -x aes -X 1234567890 10.1.100.1 1 -l

authpriv
SNMPv2-MIB::sysDescr.0 = STRING: REGR-SYS
SNMPv2-MIB::sysObjectID.0 = OID: FORTINET-FORTIGATE-MIB::fgt140P
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (14328) 0:02:23.28
SNMPv2-MIB::sysContact.0 = STRING: Gundam-Justice
SNMPv2-MIB::sysName.0 = STRING: FortiGate-140D-POE
SNMPv2-MIB::sysLocation.0 = STRING: Gundam-Seed
SNMPv2-MIB::sysServices.0 = INTEGER: 78
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORIndex.1 = INTEGER: 1
SNMPv2-MIB::sysORID.1 = OID: SNMPv2-SMI::zeroDotZero.0
SNMPv2-MIB::sysORDescr.1 = STRING:
SNMPv2-MIB::sysORUpTime.1 = Timeticks: (0) 0:00:00.00
IF-MIB::ifNumber.0 = INTEGER: 45

=====================Truncated=========================
Important SNMP traps
Link Down and Link Up traps
This trap is sent when a FortiGate port goes down or is brought up. For example, the below traps are generated when
the state of port34 is set to down using set status down and then brought up using set status up.
NET-SNMP version 5.7.3 2019-01-31 14:11:48 10.1.100.1(via UDP: [10.1.100.1]:162->
[10.1.100.11]:162) TRAP, SNMP v1, community REGR-SYS SNMPv2-MIB::snmpTraps Link Down Trap (0)
Uptime: 0:14:44.95 IF-MIB::ifIndex.42 = INTEGER: 42 IF-MIB::ifAdminStatus.42 = INTEGER: down
(2) IF-MIB::ifOperStatus.42 = INTEGER: down(2) FORTINET-CORE-MIB::fnSysSerial.0 = STRING:
FG140P3G15800330 SNMPv2-MIB::sysName.0 = STRING: FortiGate-140D-POE
2019-01-31 14:11:48 <UNKNOWN> [UDP: [10.1.100.1]:162->[10.1.100.11]:162]: DISMAN-EVENT-

MIB::sysUpTimeInstance = Timeticks: (88495) 0:14:44.95 SNMPv2-MIB::snmpTrapOID.0 = OID: IF-
MIB::linkDown IF-MIB::ifIndex.42 = INTEGER: 42 IF-MIB::ifAdminStatus.42 = INTEGER: down(2) IF-
MIB::ifOperStatus.42 = INTEGER: down(2) FORTINET-CORE-MIB::fnSysSerial.0 = STRING:
FG140P3G15800330 SNMPv2-MIB::sysName.0 = STRING: FortiGate-140D-POE 2019-01-31 14:12:01
10.1.100.1(via UDP: [10.1.100.1]:162->[10.1.100.11]:162) TRAP, SNMP v1, community REGR-SYS
SNMPv2-MIB::snmpTraps Link Up Trap (0) Uptime: 0:14:57.98 IF-MIB::ifIndex.42 = INTEGER: 42 IF-

MIB::ifAdminStatus.42 = INTEGER: up(1) IF-MIB::ifOperStatus.42 = INTEGER: up(1) FORTINET-CORE-

MIB::fnSysSerial.0 = STRING: FG140P3G15800330 SNMPv2-MIB::sysName.0 = STRING: FortiGate-140D-
POE
2019-01-31 14:12:01 <UNKNOWN> [UDP: [10.1.100.1]:162->[10.1.100.11]:162]: DISMAN-EVENT-

MIB::sysUpTimeInstance = Timeticks: (89798) 0:14:57.98 SNMPv2-MIB::snmpTrapOID.0 = OID: IF-
MIB::linkUp IF-MIB::ifIndex.42 = INTEGER: 42 IF-MIB::ifAdminStatus.42 = INTEGER: up(1) IF-
MIB::ifOperStatus.42 = INTEGER: up(1) FORTINET-CORE-MIB::fnSysSerial.0 = STRING:
FG140P3G15800330 SNMPv2-MIB::sysName.0 = STRING: FortiGate-140D-POE
fgFmTrapIfChange trap
This trap is sent when any changes are detected on the interface. The change can be very simple, such as giving an
IPV4 address. For example, the user has given the IP address of 1.2.3.4/24 to port 1 and the EMS Manager has
detected the below trap.
DISMAN-EXPRESSION-MIB::sysUpTimeInstance = Timeticks: (7975058) 22:09:10.58 SNMPv2-MIB::s-
nmpTrapOID.0 = OID: FORTINET-FORTIGATE-MIB::fgFmTrapIfChange FORTINET-CORE-MIB::fnSysSerial.0
= STRING: FG140P3G15800330 IF-MIB::ifName.45 = STRING: port1 FORTINET-FORTIGATE-
MIB::fgManIfIp.0 = IpAddress: 1.2.3.4 FORTINET-FORTIGATE-MIB::fgManIfMask.0 = IpAddress:
255.255.255.0 FORTINET-FORTIGATE-MIB::fgManIfIp6.0 = STRING: 0:0:0:0:0:0:0:0
entConfigChange trap
The change to the interface in the example above has also triggered the ConfChange Trap which is sent along with the
fgFmTrapIfChange trap.
2018-11-15 09:30:23 FGT_A [UDP: [172.16.200.1]:162->[172.16.200.55]:162]: DISMAN-EXPRESSION-
MIB::sysUpTimeInstance = Timeticks: (8035097) 22:19:10.97 SNMPv2-MIB::snmpTrapOID.0 = OID:
ENTITY-MIB::entConfigChange
fgTrapDeviceNew trap
This trap is triggered when a new device like FortiAP/FortiSwitch is connected to the FortiGate. For example, the below
scenario has given the device a new trap for adding FortiAP on a POE interface of FGT140D-POE. The trap has
important information about the device name, device MAC address, and when it was last seen.
2018-11-15 11:17:43 UDP/IPv6: [2000:172:16:200::1]:162 [UDP/IPv6: [2000:172:16:200::1]:162]:
DISMAN-EXPRESSION-MIB::sysUpTimeInstance = Timeticks: (520817) 1:26:48.17 SNMPv2-MIB::s-
nmpTrapOID.0 = OID: FORTINET-FORTIGATE-MIB::fgTrapDeviceNew FORTINET-CORE-MIB::fnSysSerial.0 =
STRING: FG140P3G15800330 SNMPv2-MIB::sysName.0 = STRING: FGT_A IF-MIB::ifIndex.0 = INTEGER: 0
FORTINET-FORTIGATE-MIB::fgVdEntIndex.0 = INTEGER: 0 FORTINET-FORTIGATE-MIB::fgDeviceCreated.0
= Gauge32: 5 FORTINET-FORTIGATE-MIB::fgDeviceLastSeen.0 = Gauge32: 5 FORTINET-FORTIGATE-
MIB::fgDeviceMacAddress.0 = STRING: 90:6c:ac:f9:97:a0
2018-11-15 11:17:43 FGT_A [UDP: [172.16.200.1]:162->[172.16.200.55]:162]: DISMAN-EXPRESSION-

MIB::sysUpTimeInstance = Timeticks: (520817) 1:26:48.17 SNMPv2-MIB::snmpTrapOID.0 = OID:
FORTINET-FORTIGATE-MIB::fgTrapDeviceNew FORTINET-CORE-MIB::fnSysSerial.0 = STRING:
FG140P3G15800330 SNMPv2-MIB::sysName.0 = STRING: FGT_A IF-MIB::ifIndex.0 = INTEGER: 0
FORTINET-FORTIGATE-MIB::fgVdEntIndex.0 = INTEGER: 0 FORTINET-FORTIGATE-MIB::fgDeviceCreated.0
= Gauge32: 5 FORTINET-FORTIGATE-MIB::fgDeviceLastSeen.0 = Gauge32: 5 FORTINET-FORTIGATE-
MIB::fgDeviceMacAddress.0 = STRING: 90:6c:ac:f9:97:a0
fgTrapAvOversize trap
The fgTrapAvOversize trap is generated when Antivirus Scanner detects an Oversized File.

019-01-31 13:22:04 10.1.100.1(via UDP: [10.1.100.1]:162->[10.1.100.11]:162) TRAP, SNMP v1, com-

munity REGR-SYS FORTINET-FORTIGATE-MIB::fgt140P Enterprise Specific Trap (602) Uptime: 1 day,
3:41:10.31 FORTINET-CORE-MIB::fnSysSerial.0 = STRING: FG140P3G15800330 SNMPv2-MIB::sysName.0 =
STRING: FortiGate-140D-POE 2019-01-31 13:22:29 <UNKNOWN> [UDP: [10.1.100.1]:162->
[10.1.100.11]:162]: DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (9967031) 1 day,
3:41:10.31 SNMPv2-MIB::snmpTrapOID.0 = OID: FORTINET-FORTIGATE-MIB::fgTrapAvOversize FORTINET-
CORE-MIB::fnSysSerial.0 = STRING: FG140P3G15800330 SNMPv2-MIB::sysName.0 = STRING: FortiGate-
140D-POE
DHCP server
A DHCP server provides an address from a defined address range to a client on the network, when requested.
You can configure one or more DHCP servers on any FortiGate interface. A DHCP server dynamically assigns IP
addresses to hosts on the network connected to the interface. The host computers must be configured to obtain their IP
addresses using DHCP.
You can configure a FortiGate interface as a DHCP relay. The interface forwards DHCP requests from DHCP clients to
an external DHCP server and returns the responses to the DHCP clients. The DHCP server must have appropriate
routing so that its response packets to the DHCP clients arrive at the unit.
Configure DHCP on the FortiGate
To add a DHCP server on the GUI:

2. Edit an interface.
3. Enable the DHCP Server option and configure the settings.
To add a DHCP server on the CLI:

edit 1
set dns-service default
set default-gateway 192.168.1.2
set netmask 255.255.255.0
set interface "port1"
config ip-range
edit 1
set start-ip 192.168.1.1
set end-ip 192.168.1.1
next
edit 2
set end-ip 192.168.1.254
next
end
set timezone-option default
set tftp-server "172.16.1.2"
next
end

DHCP options
When adding a DHCP server, you can include DHCP codes and options. The DHCP options are BOOTP vendor
information fields that provide additional vendor-independent configuration parameters to manage the DHCP server.
For example, you might need to configure a FortiGate DHCP server that gives out a separate option as well as an IP
address, such as an environment that needs to support PXE boot with Windows images.
The option numbers and codes are specific to the application. The documentation for the application indicates the
values to use. Option codes are represented in a option value/HEX value pairs. The option is a value between 1 and
255.
You can add up to three DHCP code/option pairs per DHCP server.
To configure option 252 with value http://192.168.1.1/wpad.dat using the CLI:

edit <server_entry_number>
set option1 252 687474703a2f2f3139322e3136382e312e312f777061642e646174
end
For detailed information about DHCP options, see RFC 2132, DHCP Options and BOOTP Vendor Extensions.
Option-82
DHCP option 82, also known as the DHCP relay agent information option, helps protect FortiGate against attacks such
as spoofing (forging) of IP addresses and MAC addresses, and DHCP IP address starvation.
FG3H1E5818900749 (1) # show
config reserved-address
edit 1
set type option82
set ip 100.100.100.12
set circuit-id-type hex
set circuit-id "00010102"
set remote-id-type hex
set remote-id "704ca5e477d6"
next
end
FG3H1E5818900749 (1) # set
type DHCP reserved-address type.
*ip IP address to be reserved for the MAC address.
circuit-id-type DHCP option type.
circuit-id Option 82 circuit-ID of the client that will get the reserved IP address.
remote-id-type DHCP option type.
remote-id Option 82 remote-ID of the client that will get the reserved IP address.
description Description.
FortiGate-140D-POE (1) # set type
mac Match with MAC address.
option82 Match with DHCP option 82.
FortiGate-140D-POE (1) # set circuit-id-type
hex DHCP option in hex.
string DHCP option in string.

FortiGate-140D-POE (1) # set remote-id-type

hex DHCP option in hex.
string DHCP option in string.
Option-42
This option specifies a list of the NTP servers available to the client by IP address.

FortiGate-140D-POE # config system dhcp server
FortiGate-140D-POE (server) # edit 2
FortiGate-140D-POE (2) # set ntp-service

local IP address of the interface the DHCP server is added to becomes the client's NTP
server IP address.
default Clients are assigned the FortiGate's configured NTP servers.
specify Specify up to 3 NTP servers in the DHCP server configuration.
FortiGate-140D-POE (2) # set ntp-service
FortiGate-140D-POE (2) # set ntp-server1

<class_ip> Class A,B,C ip xxx.xxx.xxx.xxx
FortiGate-140D-POE (2) # set ntp-server1 1.1.1.1
FortiGate-140D-POE (2) # end
Use Custom Images for Replacement Messages
The replacement message list in System > Replacement Messages enables you to view and customize replacement
messages. Highlight the replacement messages you want to edit and customize the message content to your
requirements. Hit Save when done. If you do not see the message you want to edit, select the Extended View option in
the upper right-hand corner of the screen.
If you make a mistake, select Restore Default to return to the original message and code base.
Replacement message images
You can add images to replacement messages on:

l Disclaimer pages
l Login pages
l Declined disclaimer pages
l Login failed pages

l Login challenge pages

l Keepalive pages
Supported image formats are GIF, JPEG, TIFF, and PNG. The maximum file size
supported is 24KB.
Adding images to replacement messages
To add images to replacement messages in the GUI:
1. Go to System > Replacement Messages.

2. Select Manage Images at the top of the page.
3. Select Create New.
4. Enter a name for the image.
5. Select the Content Type.
6. Select Browse to locate the file and select OK.
Modify images in replacement messages
Replacement messages can be modified to include an HTML message or content that suits your organization. A list of
common replacement messages appear in the main window. Select Extended View to see the entire list and all
categories for replacement messages.
To modify an image in a replacement message:

2. Select the replacement message you want to edit.
In the bottom pane of the GUI the message will be displayed on the left alongside the HTML code on the right. The
message view changes in real-time as you edit the content.
3. Select Save.
Replacement message groups
Replacement message groups enable you to view common messages in groups for large carriers. Message groups can
be configured by going to Config > Replacement Message Group.
Using the defined groups, you can manage specific replacement messages from a single location, rather than searching
through the entire replacement message list.
If you enable virtual domains (VDOMs) on the FortiGate unit, replacement message groups are configured separately
for each virtual domain. Each VDOM has its own default replacement message group, configured from System
> Replacement Message Group.
When you modify a message in a replacement message group, a reset icon appears beside the message in the group.
Select the reset icon to reset the message in the replacement message group to the default version.

High Availability
Cluster setup
HA active-passive cluster setup
An HA Active-Passive (A-P) cluster can be set up using the GUI or CLI.

This example uses the following network topology:
To set up an HA A-P cluster using the GUI:
1. Make all the necessary connections as shown in the topology diagram.

2. Log into one of the FortiGates.
3. Go to System > HA and set the following options:
Mode Active-Passive
Device priority 128 or higher
Group name Example_cluster
Heartbeat interfaces ha1 and ha2
Except for the device priority, these settings must be the same on all FortiGates in the cluster.

4. Leave the remaining settings as their default values. They can be changed after the cluster is in operation.
5. Click OK.
The FortiGate negotiates to establish an HA cluster. Connectivity with the FortiGate may be temporarily lost as the
HA cluster negotiates and the FGCP changes the MAC addresses of the FortiGate's interfaces.
6. Factory reset the other FortiGate that will be in the cluster, configure GUI access, then repeat steps 1 to 5, omitting
setting the device priority, to join the cluster.
To set up an HA A-P cluster using the CLI:

3. Change the hostname of the FortiGate:
set hostname Example1_host
end
Changing the host name makes it easier to identify individual cluster units in the cluster operations.
4. Enable HA:
config system ha
set mode a-p
set group-name Example_cluster
set hbdev ha1 10 ha2 20
end
6. Repeat steps 1 to 5 on the other FortiGate devices to join the cluster.
HA active-active cluster setup
An HA Active-Active (A-A) cluster can be set up using the GUI or CLI.


To set up an HA A-A cluster using the GUI:

Mode Active-Active
5. Click OK.

To set up an HA A-P cluster using the CLI:

3. Change the hostname of the FortiGate:
set hostname Example1_host
end
Changing the host name makes it easier to identify individual cluster units in the cluster operations.
4. Enable HA:
config system ha
set mode a-a
set group-name Example_cluster
set hbdev ha1 10 ha2 20
end
6. Repeat steps 1 to 5 on the other FortiGate devices to join the cluster.
HA virtual cluster setup
An HA virtual cluster can be set up using the GUI or CLI.

HA virtual clusters are based on VDOMs and are more complicated than regular clusters.

To set up an HA virtual cluster using the GUI:

Mode Active-Passive
5. Click OK.
7. Go to System > Settings and enable Virtual Domains.
8. Click Apply. You will be logged out of the FortiGate.
9. Log back into the FortiGate, ensure that you are in the global VDOM, and go to System > VDOM.
10. Create two new VDOMs, such as VD1 and VD2:
a. Click Create New. The New Virtual Domain page opens.
b. Enter a name for the VDOM in the Virtual Domain field, then click OK to create the VDOM.
c. Repeat these steps to create a second new VDOM.
11. Implement a virtual cluster by moving the new VDOMs to Virtual cluster 2:
a. Go to System > HA.
b. Enable VDOM Partitioning.

c. Click on the Virtual cluster 2 field and select the new VDOMs.
d. Click OK.
To set up an HA virtual cluster using the CLI:

2. Set up a regular A-P cluster. See HA active-passive cluster setup on page 254.
3. Enable VDOMs:
end
You will be logged out of the FortiGate.

4. Create two VDOMs:
config vdom
edit VD1
next
edit VD2
next
end
5. Reconfigure the HA settings to be a virtual cluster:

config global
config system ha
set vcluster2 enable
config secondary-vcluster
set vdom "VD1" "VD2"
end
end
end

Fail protection
The FortiGate Clustering Protocol (FGCP) provides failover protection, meaning that a cluster can provide FortiGate
services even when one of the devices in the cluster encounters a problem that would result in the complete loss of
connectivity for a stand-alone FortiGate unit. Fail protection provides a backup mechanism that can be used to reduce
the risk of unexpected downtime, especially in mission-critical environments.
FGCP supports failover protection in two ways:
1. Link failover maintains traffic flow if a link fails, and
2. If a device loses power, it automatically fails over to a backup unit with minimal impact on the network.
When session-pickup is enabled in the HA settings, existing TCP session are kept, and users on the network are not
impacted by downtime as the traffic can be passed without reestablishing the sessions.
When and how the failover happens
1. link fails
Before triggering a failover when a link fails, the administrator must ensure that monitor interfaces are configured.
Normally, the internal interface that connects to the internal network, and an outgoing interface for traffic to the internet
or outside the network, should be monitored. Any of those links going down will trigger a failover.
2. Loss of power for active unit.
When an active (master) unit loses power, a backup (slave) unit automatically becomes the master, and the impact on
traffic is minimal. There are no settings for this kind of fail over.

FGSP (session-sync) peer setup
Connect all necessary interfaces as per the topology diagram below. Interfaces may be changed depending on the
models in use. Interface names in the topology diagram are for example purposes only.
To setup a FGSP peer through the CLI:
These instructions assume that the device has been connected to the console and the CLI is accessible, and that all
boxes have been factory reset.
1. Connect all necessary interfaces as per the topology diagram.
2. Enter the following command to change the FortiGate unit host name:
set hostname Example1_host(Example2_host, etc)
end
3. On each FGSP peer device, enter the following command:

config system cluster-sync
set peerip xx.xx.xx.xx --->> peer's interface IP for session info to be passed.
end
4. Set up identical firewall policies.

FGSP peers share the same session information which goes from the same incoming interface (example: port1) to
the outgoing interface (example: port2). Firewall policies should be identical as well, and can be copied from one
device to its peer.
To test the setup:
1. Initiate TCP traffic (like HTTP access) to go through boxA.

2. Check the session information.
Example: diag sys session filter src xx.xx.xx.xx (your PCs IP) diag sys session lsit.
3. Use the same command on boxB to determine if the same session information appeared.

Troubleshoot an HA formation
The following are requirements for setting up an HA cluster or FGSP peers.

Cluster members must have:
l The same model.
l The same hardware configuration.
l The same connections.
l The same generation.
The requirement to have the same generation is done as a best practice as it avoids issues
that can occur later on. If you are unsure if the boxes you have are from the same generation,
please contact customer service.
Troubleshooting common HA formation errors
One box keeps shutting down during HA setup (hard drive failure):
If one box has a hard drive failure but the other does not, the one with the hard drive failure will be shut down during
HA setup. In this case, RMA the box to resolve the issue.

Desired box won't be the Master:
When all members join together as a cluster, a process called a negotiation begins in order to decide which box will
become the Master. It is decided by the following criteria:
The first factor is the amount of connected good interfaces. If Box A has two monitored interfaces up and Box B has only
one, then Box A will become the Master. Ensure all monitored connections to members are good.
All members are Masters and members can't see other members:
Typically, this is a heartbeat issue. It is recommended that for a two-member cluster, you use a back-to-back connection
for heartbeat communication. If there are more than three members in the cluster, a separate switch should be used to
connect all heartbeat interfaces.
Check HA sync status
The HA sync status can be viewed in the GUI through either a widget on the Dashboard or on the System > HA page. It
can also be confirmed through the CLI. When a cluster is out of sync, administrators should correct the issue as soon as
possible as it affects the configuration integrity and can cause issues to occur.

HA sync status in the GUI
l Dashboard widget:
l Following HA setup, the HA Status widget can be added to the Dashboard. The widget shows the HA sync
status by displaying a green checkmark next to each member in sync. A red mark indicates the member is out
of sync.
l System > HA page:

l The same set of icons will be displayed on the System > HA page to indicate if the member is in sync.
HA sync status in the CLI
l In the CLI, run the command get sys ha status to see if the cluster is in sync. The sync status is reported
under Configuration Status. In the following example, both members are in sync:
FGT_A # get sys ha status
HA Health Status: OK Model: FortiGate-300D Mode: HA A-P Group: 146 Debug: 0 Cluster Uptime:
0 days 21:42:53 Cluster state change time: 2019-03-09 11:40:51 Master selected using:

<2019/03/08 18:56:12> FGT6HD3914800153 is selected as the master because it has the

least value 0 of link-failure + pingsvr-failure.
ses_pickup: enable, ses_pickup_delay=disable override: enable Configuration Status:
FGT6HD3914800069(updated 5 seconds ago): in-sync

FGT6HD3914800153(updated 4 seconds ago): in-sync
System Usage stats:
FGT6HD3914800069(updated 5 seconds ago):

sessions=17, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=25%
FGT6HD3914800153(updated 4 seconds ago):
sessions=0, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=25%
: : : Master: FGT6HD3914800069, HA operating index = 0 Slave : FGT6HD3914800153, HA

operating index = 1

Policies and Objects
Policies
Policy introduction
Firewall policies
The firewall policy is the axis around which most features of the FortiGate firewall revolve. Many settings in the firewall
end up relating to or being associated with the firewall policies and the traffic that they govern. Any traffic going through
a FortiGate unit has to be associated with a policy. These policies are essentially discrete compartmentalized sets of
instructions that control the traffic flow going through the firewall. These instructions control where the traffic goes, how
it’s processed, if it’s processed, and even whether or not it’s allowed to pass through the FortiGate.
When the firewall receives a connection packet, it analyzes the packet’s source address, destination address, and
service (by port number). It also registers the incoming interface, the outgoing interface it needs to use, and the time of
day. Using this information, the FortiGate firewall attempts to locate a security policy that matches the packet. If it finds
a policy that matches the parameters, it then looks at the action for that policy. If it is Accept, the traffic is allowed to
proceed to the next step. If the Action is Deny or a match cannot be found, the traffic is not allowed to proceed.
The two basic actions at the initial connection are either Accept or Deny:
l If the Action is Accept, the policy action permits communication sessions. There may be other packet processing
instructions, such as requiring authentication to use the policy or restrictions on the source and destination of the
traffic.
l If the Action is Deny, the policy action blocks communication sessions, and you can optionally log the denied
traffic. If no security policy matches the traffic, the packets are dropped. A Deny security policy is needed when it is
required to log the denied traffic, also called violation traffic.
One other action can be associated with the policy:
l IPsec - This is an Accept action that is specifically for IPsec VPNs.
In addition to the Accept or Deny actions, there can be a number of instructions associated with a FortiGate firewall,
some of which are optional. Instructions on how to process the traffic can include such things as:
l Logging traffic.
l Authentication.
l Network Address Translation or Port Address Translation.
l Use Virtual IPs or IP Pools.
l Caching.
l Whether the source of the traffic is based on address, user, device, or a combination.
l Whether to treat as regular traffic or IPsec traffic.
l What certificates to use.
l Security profiles to apply.
l Proxy Options.
l Traffic Shaping.

Firewall policy parameters
For traffic to flow through the FortiGate firewall, there must be a policy that matches its parameters:
l Incoming interface(s)
l Outgoing interface(s)
l Source address(es)
l User(s) identity
l Destination address(es)
l Internet service(s)
l Schedule
l Service
Without all six (possibly eight) of these things matching, the traffic is declined.
Traffic flow initiated from each direction requires a policy, that is, if sessions can be initiated from both directions, each
direction requires a policy.
Just because packets can go from point A to point B on port X does not mean that the traffic can flow from point B to
point A on port X. A policy must be configured for each direction.
When designing a policy, there is often reference to the traffic flow, but most communication is two-way so trying to
determine the direction of the flow might be confusing. If traffic is HTTP web traffic, the user sends a request to the
website, but most of the traffic flow will be coming from the website to the user or in both directions? For the purposes
of determining the direction for a policy, the important factor is the direction of the initiating communication. The user is
sending a request to the website, so this is the initial communication; the website is responding so the traffic is from the
user's network to the Internet.
Profile-based NGFW vs policy-based NGFW
From version 5.6, we added a new policy mode called Next Generation Firewall (NGFW). This mode is only available
when the VDOM inspection-mode is flow. This model is divided into two working modes — profile-based and policy-
based. Profile-based NGFW is the traditional mode where a user needs to create an AV/web/IPS profile which is applied
to the policy.
Policy-based mode is new. In this mode, users can add applications and web filtering categories directly to a policy
without having to first create and configure Application Control or Web Filter profiles. If a URL category is set, the
applications that are added to the policy must be within the browser-based technology category. NGFW is per VDOM
setting. This means users can operate their FortiGate or individual VDOMs on their FortiGate in NGFW policy-based
mode when they select flow-based inspection.
Switching NGFW mode from profile-based to policy-based converts your profile-based security policies to policy-based
security policies. If you don’t want this to happen or you just want to experiment with policy-based NGFW mode,
consider creating a new VDOM for policy-based NGFW mode. You can also backup your configuration before switching
modes.
NGFW policy-based firewall policies might have unintended consequences to the passing or blocking of traffic. For
example, if you add new firewall policies that are designed to DENY social media traffic based on applications or URLs,
having a traditional “catch all” firewall policy to DENY all other traffic at the bottom of the firewall policy list may have the
unintended consequence of blocking legitimate traffic. Also note that NGFW policy-based mode applies the NAT
settings from matching Central SNAT policies. If you don’t already have a Central SNAT policy in place, you must create
one.

After version 6.2, we removed the inspection-mode from VDOM to firewall policy, and the default inspection-mode is
flow so we can change NGFW mode from profile-based (default) to policy-based directly in the VDOM's System >
Settings.
To enable policy-based NGFW mode using the GUI:
You can operate your FortiGate or individual VDOMs in Next Generation Firewall (NGFW) policy mode.
2. In NGFW Mode, select Policy-based.
3. In SSL/SSH Inspection, select the SSL/SSH inspection mode to be applied to all policies.
To enable policy-based NGFW mode using the CLI:

set ngfw-mode {profile-based | policy-based}
end
NGFW policy mode and NAT
If your FortiGate is operating in NAT mode, rather than enabling source NAT in individual NGFW policies, go to Policy
& Objects > Central SNAT and add source NAT policies that apply to all matching traffic. In many cases, you may only
need one SNAT policy for each interface pair. For example, if you allow users on the internal network (connected to
LAN) to browse the Internet (connected to wan1), you can add a LAN to wan1 Central SNAT policy similar to the
following.
Application Control in NGFW policy-based mode
Configure Application Control by adding individual applications to security policies. You can set the action to ACCEPT
or DENY to allow or block applications.

In the above example, if you browse to www.facebook.com, your connection will time out.
Other NGFW policy-based mode options
You can combine both Application Control and Web Filter in the same NGFW policy mode policy. If the policy accepts
applications or URL categories, you can apply Antivirus, DNS Filter, and IPS profiles in NGFW mode policies as well as
logging and policy learning mode.
Policy views and policy lookup
This topic provides a sample of firewall policy views and firewall policy lookup.
Policy views
In Policy & Objects policy list page, there are two policy views: Interface Pair View and By Sequence view.
Interface Pair View displays the policies in the order that they are checked for matching traffic, grouped by the pairs of
Incoming and Outgoing interfaces. For example, all policies referencing traffic from WAN1 to DMZ are in one section.
The policies referencing traffic from DMZ to WAN1 are in another section. The sections are collapsible so that you only
need to look at the sections you want.

By Sequence displays policies in the order that they are checked for matching traffic without any grouping.
The default display is Interface Pair View . You can switch between the two views except if any or multiple-interfaces
are applied in the policy.
How Any or multiple-interfaces policy can change the Interface Pair View
The FortiGate unit automatically changes the view on the policy list page to By Sequence whenever there is a policy
containing any or multiple-interfaces as the Source or Destination interface. If the Interface Pair View is grayed out, it
is likely that one or more policies have used the any or multiple-interfaces.
When you use the any or multiple-interfaces, the policy goes into multiple sections because it might be any one of a
number of interface pairings. Policies are divided into sectioned using the interface pairings, for example, port1 to port2.
Each section has its own policy order. The order in which a policy is checked for matching criteria to a packet’s
information is based solely on the position of the policy within its section or within the entire list of policies. If the policy
is in multiple sections, FortiGate cannot place the policy in order in multiple sections. Therefore the view can only be By
Sequence.
Policy lookup
Firewall policy lookup is based on the Source_interfaces/Protocol/Source_Address/Destination_

Address that matches the source-port and dst-port of the protocol. Use this tool to find out which policy

matches specific traffic from a number of policies. After completing the lookup, the matching firewall policy is
highlighted on the policy list page.
The Policy Lookup tool has the following requirements:
l Transparent mode does not support Policy lookup function.
l When executing the policy lookup, you need to confirm whether the relevant route required for the policy work
already exists.
This example uses the TCP protocol to show how policy lookup works:
1. In Policy & Objects policy list page, click Policy Lookup and enter the traffic parameters.
2. Click Search to display the policy lookup results.
Policy with source NAT
Static SNAT
NAT or Network Address Translation is the process that enables a single device such as a router or firewall to act as an
agent between the Internet or Public Network and a local or private network. This agent acts in real time to translate the
source or destination IP address of a client or server on the network interface. For the source IP translation, this enables
a single public address to represent a significantly larger number of private addresses. For the destination IP translation,
the firewall can translate a public destination address to a private address. So we don't have to configure a real public IP
address for the server deployed in a private network.
We can subdivide NAT into two types: source NAT (SNAT) and destination NAT (DNAT). This topic is about SNAT, We
support three NAT working modes: static SNAT, dynamic SNAT, and central SNAT.

In static SNAT all internal IP addresses are always mapped to the same public IP address. This is a port address
translation, Since we have 60416 available port numbers, this one public IP address can handle the conversion of
60,416 internal IP addresses. See example below.
FortiGate firewall configurations commonly use the Outgoing Interface address.
The following example of static SNAT uses an internal network with subnet 10.1.100.0/24 (vlan20) and an external/ISP
network with subnet 172.16.200.0/24 (vlan30).
When the clients in internal network need to access the servers in external network, We need to translate IP addresses
from 10.1.100.0/24 to an IP address 172.16.200.0/24, In this example, we implement static SNAT by creating a firewall
policy.
To configure static NAT:
1. In Policy & Objects > IPv4 Policy, click Create New.

2. Enter the required policy parameters.
3. Enable NAT and select Use Outgoing Interface Address.
4. If needed, enable Preserve Source Port.
Enable Preserve Source Port to keep the same source port for services that expect traffic to come from a specific
source port.
Disable Preserve Source Port to allow more than one connection through the firewall for that service.
For packets that match this policy, its source IP address is translated to the IP address of the outgoing interface.

Dynamic SNAT
Dynamic SNAT maps the private IP addresses to the first available public address from a pool of addresses. In the
FortiGate firewall, this can be done by using IP pools. IP pools is a mechanism that allows sessions leaving the
FortiGate firewall to use NAT. An IP pool defines a single IP address or a range of IP addresses to be used as the source
address for the duration of the session. These assigned addresses are used instead of the IP address assigned to that
FortiGate interface.
IP pool types
FortiGate uses four types of IPv4 IP pools. This recipe focuses on some of the differences between them.
Overload
This type of IP pool is similar to static SNAT mode. We just need to define an external IP range, This range can contain
one or multiple IP addresses, When there is only one IP address, it almost as same as static SNAT – use Outgoing
Interface address. When it contains multiple IP addresses, It is equivalent to an extended mode of static SNAT.
For instance, if we define an overload type IP pool with two external IP addresses (172.16.200.1—172.16.200.2), since
there are 60,416 available port numbers per IP, this IP pool can handle 60,416*2 internal IP addresses. See example
below.
One-to-one
This type of IP pool means that the internal IP address and the external (translated) IP address match one-to-one. The
port address translation (PAT) is disabled when using this type of IP pool. For example, if we define a one-to-one type IP
pool with two external IP addresses (172.16.200.1-172.16.200.2), this IP pool only can handle two internal IP
addresses.
Fixed port range
For the overload and one-to-one IP pool types, we do not need to define the internal IP range. For the fixed port range
type of IP pool, we can define both internal IP range and external IP range. Since each external IP address and the
number of available port numbers is a specific number, if the number of internal IP addresses is also determined, we
can calculate the port range for each address translation combination. So we call this type fixed port range. This type of
IP pool is a type of port address translation (PAT).

For instance, if we define one external IP address (172.16.200.1) and ten internal IP addresses (10.1.100.1-
10.1.100.10), we have translation IP+Port combination like following table:
Port block allocation
This type of IP pool is also a type of port address translation (PAT). It gives users a more flexible way to control the way
external IPs and ports are allocated. Users need to define Block Size/Block Per User and external IP range. Block
Size means how many ports each Block contains. Block per User means how many blocks each user (internal IP) can
use.
Following is a simple example:
External IP Range: 172.16.200.1—172.16.200.1
Block Size: 128
Block Per User: 8
Result:
Total-PBAs: 472 (60416/128)
Maximum ports can be used per User (Internal IP Address): 1024 (128*8)
How many Internal IP can be handled: 59 (60416/1024 or 472/8)
To configure Overload IP pool using the GUI:
1. In Policy & Objects > IP Pools, click Create New.

2. Select IPv4 Pool and then select Overload.

To configure Overload IP pool using the CLI:
config firewall ippool

edit "Overload-ippool"
set startip 172.16.200.1
set endip 172.16.200.1
next
end
To configure One-to-One IP pool using the GUI:

2. Select IPv4 Pool and then select One-to-One.
To configure One-to-One IP pool using the CLI:

edit "One-to-One-ippool"
set type one-to-one
set endip 172.16.200.2
next
end
To configure Fixed Port Range IP pool using the GUI:

2. Select IPv4 Pool and then select Fixed Port Range.
To configure Fixed Port Range IP pool using the CLI:

edit "FPR-ippool"

set type fixed-port-range

set endip 172.16.200.1
set source-startip 10.1.100.1
set source-endip 10.1.100.10
next
end
To configure Port Block Allocation IP pool using the GUI:

2. Select IPv4 Pool and then select Port Block Allocation.
To configure Port Block Allocation IP pool using the CLI:

edit PBA-ippool
set type port-block-allocation
set endip 172.16.200.1
set block-size 128
set num-blocks-per-user 8
next
end
Central SNAT
The central SNAT table enables you to define and control (with more granularity) the address translation performed by
FortiGate. With the NAT table, you can define the rules for the source address or address group, and which IP pool the
destination address uses.
While similar in functionality to IP pools where a single address is translated to an alternate address from a range of IP
addresses, with IP pools there is no control over the translated port. When using the IP pool for source NAT, you can
define a fixed port to ensure the source port number is unchanged. If no fixed port is defined, the port translation is
randomly chosen by FortiGate. With the central NAT table, you have full control over both the IP address and port
translation.
FortiGate reads the NAT rules from the top down until it hits a matching rule for the incoming address. This enables you
to create multiple NAT policies that dictate which IP pool is used based on the source address. NAT policies can be
rearranged within the policy list. NAT policies are applied to network traffic after a security policy.
The central SNAT table allows you to create, edit, delete, and clone central SNAT entries.

Central SNAT notes
l The central NAT feature in not enabled by default.

l If central NAT is enabled, the NAT option under IPv4 policies is skipped and SNAT must be done via central-
snat-map. The IPv4 policy list and dialog boxes have messages and redirection links to show this information.
l If NGFW mode is policy-based, then it is assumed that central NAT (specifically SNAT) is enabled implicitly.
l The option to toggle NAT in central-snat-map policies has been added. Previously it was only shown in
NGFW policy-based mode.
l In the central SNAT policy dialog box, the port mapping fields for the original port have been updated to accept
ranges.
l If per VDOM NAT is enabled, NAT is skipped in firewall policy.
l The central SNAT window contains a table of all the central SNAT policies.
To enable or disable central SNAT using the CLI:

set central-nat [enable | disable]
end
When central NAT is enabled, Policy & Objects displays the Central SNAT section.
To create central SNAT using the GUI:
1. In Policy & Objects > Central SNAT.

The right pane displays a table of Central SNAT entries.
2. To create a new entry, click Create New in the right pane.
To edit an entry, double-click the policy you want to edit.
3. To set the Incoming Interface, click + in that field.
4. In the pane on the right, select an interface to add it.
You can select multiple interfaces.
5. To set the Outgoing Interface, click click + in that field.
6. In the pane on the right, select an interface to add it.
You can select multiple interfaces.
7. To set the Source Address, click click + in that field.
8. In the pane on the right, select an address to add it.
You can select multiple addresses.
9. To set the Destination Address, click click + in that field.
10. In the pane on the right, select an address to add it.
You can select multiple addresses.
11. In NAT > IP Pool Configuration, select either Use Outgoing Interface Address or Use Dynamic IP Pool.
If you select Use Dynamic IP Pool, click + and select which IP pool to use.
12. Select one of the following Protocol parameters.
l ANY. Use any protocol traffic.
l TCP. Use TCP traffic only. Protocol number is set to 6.
l UDP. Use UDP traffic only. Protocol number is set to 17.

l SCTP. Use SCTP traffic only. Protocol number is set to 132.

l Specify. You can specify the traffic filter protocol by setting the protocol number.
13. If you use the Overload type of IP pool, you can enable Explicit Port Mapping.
a. If you enable Explicit Port Mapping, set the Original Source Port to the start number of the source port range.
b. Set the Translated Port to the start number of the translated port range.
14. Click OK.
To configure central SNAT using the CLI:
config firewall central-snat-map

edit <policyID number>set status [enable|disable]
set orig-addr <valid address object preconfigured on the FortiGate>
set srcintf <name of interface on the FortiGate>
set dst-addr <valid address object preconfigured on the FortiGate>
set dstintf <name of interface on the FortiGate>
set protocol <integer for protocol number>
set orig-port <integer for original port number>
set nat-port <integer for translated port number>
set comments <string>
end
To set NAT to be not available regardless of NGFW mode:

edit 1
set orig-addr "192-86-1-86"
set dst-addr "192-96-1-96"
set nat-ippool "pool1"
set protocol 17
set orig-port 2896-2897
set nat enable
next
end
To hide NAT port if NAT IP pool is not set or if NAT is disabled:

edit 1
set dst-addr "192-96-1-96"
set protocol 17
set orig-port 2896-2897
set nat disable
next
end

To change original port to accept range:

edit 1
set dst-addr "192-96-1-96"
set protocol 17
set orig-port 2896-2897 (help text changed to: Original port or port range).
set nat-port 35804-35805
next
end
Policy with destination NAT
Static virtual IPs
Usually we use VIP to implement Destination Address Translation. Mapping a specific IP address to another specific IP
address is usually referred to as Destination NAT. When the Central NAT Table is not used, FortiOS calls this a Virtual
IP Address (VIP). FortiOS uses a DNAT or Virtual IP address to map an external IP address to an IP address. This
address does not have to be an individual host, it can also be an address range. This mapping can include all TCP/UDP
ports or, if Port Forwarding is enabled, it only refers to the configured ports. Because, the Central NAT table is disabled
by default, the term Virtual IP address or VIP is predominantly used.
Virtual IP addresses are typically used to NAT external or public IP addresses to internal or private IP addresses. Using a
Virtual IP address between two internal interfaces made up of private IP addresses is possible but there is rarely a
reason to do so as the two networks can just use the IP addresses of the networks without the need for any address
translation. Using a Virtual IP address for traffic going from the inside to the Internet is even less likely to be a
requirement, but it is supported.
To create a virtual IP using the GUI:
1. In Policy & Objects > Virtual IPs.

2. Click Create New and select Virtual IP.
3. Select a VIP Type.
Select the VIP Type depending on the IP version network on the FortiGate's external interface and internal
interface.
l If IPv4 is on both sides of the FortiGate unit, select IPv4.
l If IPv6 is on both sides of the FortiGate unit, select IPv6.
l If traffic goes from an IPv4 network to an IPv6 network, select NAT46.
l If traffic goes from an IPv6 network to an IPv4 network, select NAT64.

4. Enter a unique name for the virtual IP and fill in the other fields.
To create a virtual IP using the CLI:
config firewall vip

edit "Internal_WebServer"
set extip 10.1.100.199
set extintf "any"
set mappedip "172.16.200.55"
next
end
To apply a virtual IP to policy using the CLI:

edit 8
set name "Example_Virtual_IP_in_Policy"
set srcintf "wan2"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "Internal_WebServer"
set action accept
set service "ALL"
set nat enable
next
end
Virtual IP with services
Virtual IP with services is a more flexible virtual IP mode. This mode allows users to define services to a single port
number mapping.
This recipe shows how to use virtual IP with services enabled. This example has one public external IP address. We
map TCP ports 8080, 8081, and 8082 to an internal WebServer TCP port 80. This allows remote connections to
communicate with a server behind the firewall.

To create a virtual IP with services using the GUI:

3. For VIP Type, select IPv4.
5. Configure the fields in the Network section. For example:
l Set External IP Address/Range to 10.1.100.199.
l Set Mapped IP Address/Range to 172.16.200.55.
6. Enable Optional Filters and then enable Services.
7. In the Services field, click + to display the Services pane.
8. In the Services pane, select TCP_8080, TCP_8081, and TCP_8082.
9. Enable Port Forwarding.
10. Set Map to Port to 80.
11. Click OK.
To see the results:
1. Apply the above virtual IP to the Firewall policy.

2. The results are:
l Access 10.1.100.199:8080 from external network and FortiGate maps to 172.16.200.55:80 in internal
network.
network.

network.
To create a virtual IP with services using the CLI:
config firewall vip

edit "WebServer_VIP_Services"
set service "TCP_8080" "TCP_8081" "TCP_8082"
set extip 10.1.100.199
set extintf "any"
set portforward enable
set mappedip "172.16.200.55"
set mappedport 80
next
end
Virtual IPs with port forwarding
If you need to hide the internal server port number or need to map several internal servers to the same public IP
address, enable port-forwarding for Virtual IP.
This recipe shows how to use virtual IPs to configure port forwarding on a FortiGate unit. This example has one public
external IP address. We map TCP ports 8080, 8081, and 8082 to different internal WebServers' TCP port 80. This
allows remote connections to communicate with a server behind the firewall.
To create a virtual IP with port forwarding using the GUI:

3. For VIP Type, select IPv4.
5. Configure the fields in the Network section. For example:
l Set External IP Address/Range to 10.1.100.199.
l Set Mapped IP Address/Range to 172.16.200.55.
6. Leave Optional Filters disabled.
7. Enable Port Forwarding.
8. Configure the fields in the Port Forwarding section. For example:
l Set Protocol to TCP.
l Set External Service Port to 8080 - 8080.
l Set Map to Port to 80 - 80.

9. Click OK.
10. Follow the above steps to create two additional virtual IPs.
a. For one virtual IP:
l Use a different Mapped IP Address/Range, for example, 172.16.200.56.
l Use the same Map to Port numbers: 80 - 80.
b. For the other virtual IP:
l Use a different Mapped IP Address/Range, for example, 172.16.200.57.
l Use the same Map to Port numbers: 80 - 80.
11. Create a Virtual IP Group and put the above three virtual IPs into that group.
To see the results:
1. Apply the above virtual IP to the Firewall policy.

2. The results are:
network.

network.
l Access 10.1.100.199:8082 from external network and FortiGate maps to 172.16.200.57:80 in internal network
Virtual server
This topic shows a special virtual IP type: virtual server, Use this type of VIP to implement server load balancing.
The FortiOS server load balancing contains all the features of a server load balancing solution. You can balance traffic
across multiple backend servers based on multiple load balancing schedules including:
l Static (failover).
l Round robin.
l Weighted (to account for different sized servers or based on the health and performance of the server including
round trip time and number of connections).
The load balancer supports HTTP, HTTPS, IMAPS, POP3S, SMTPS, SSL/TLS, and generic TCP/UDP and IP protocols.
Session persistence is supported based on the SSL session ID based on an injected HTTP cookie, or based on the
HTTP or HTTPS host. SSL/TLS load balancing includes protection from protocol downgrade attacks. Server load
balancing is supported on most FortiGate devices and includes up to 10,000 virtual servers on high end systems.
Sample topology
SSL/TLS offloading
FortiGate SSL/TLS offloading is designed for the proliferation of SSL/TLS applications. The key exchange and
encryption/decryption tasks are offloaded to the FortiGate unit where they are accelerated using FortiASIC technology
which provides significantly more performance than a standard server or load balancer. This frees up valuable resources
on the server farm to give better response to business operations. Server load balancing offloads most SSL/TLS
versions including SSL 3.0, TLS 1.0, and TLS 1.2; and supports full mode or half mode SSL offloading with DH key sizes
up to 4096 bits.
FortiGate SSL offloading allows the application payload to be inspected before it reaches your servers. This prevents
intrusion attempts, blocks viruses, stops unwanted applications, and prevents data leakage. SSL/TLS content
inspection supports TLS versions 1.0, 1.1, and 1.2 and SSL versions 1.0, 1.1, 1.2, and 3.0.

Virtual server requirements
When creating a new virtual server, you must configure the following options:
l Virtual Server Type.
l Load Balancing Methods.
l Health check monitoring (optional).
l Session persistence (optional).
l Virtual Server IP (External IP Address).
l Virtual Server Port (External Port).
l Real Servers (Mapped IP Address & Port).
Virtual server types
Select the protocol to be load balanced by the virtual server. If you select a general protocol such as IP, TCP, or UDP,
the virtual server load balances all IP, TCP, or UDP sessions. If you select specific protocols such as HTTP, HTTPS, or
SSL, you can apply additional server load balancing features such as Persistence and HTTP Multiplexing.
HTTP Select HTTP to load balance only HTTP sessions with the destination port number that matches
the Virtual Server Port setting. Change Virtual Server Port to match the destination port of the
sessions to be load balanced (usually port 80 for HTTP sessions). You can also select HTTP
Multiplexing. You can also set Persistence to HTTP Cookie to enable cookie-based persistence.
HTTPS Select IMAPS to load balance only IMAPS sessions with the destination port number that matches
sessions to be load balanced (usually port 993 for IMAPS sessions). You can also set Persistence
to SSL Session ID.
IMAPS Select IMAPS to load balance only IMAPS sessions with the destination port number that matches
sessions to be load balanced (usually port 993 for IMAPS sessions). You can also set Persistence
to SSL Session ID.
POP3S Select POP3S to load balance only POP3S sessions with the destination port number that matches
sessions to be load balanced (usually port 995 for POP3S sessions). You can also set Persistence
to SSL Session ID.
SMTPS Select SMTPS to load balance only SMTPS sessions with the destination port number that
matches the Virtual Server Port setting. Change Virtual Server Port to match the destination port
of the sessions to be load balanced (usually port 465 for SMTPS sessions). You can also set
Persistence to SSL Session ID.
SSL Select SSL to load balance only SSL sessions with the destination port number that matches the
Virtual Server Port setting. Change Virtual Server Port to match the destination port of the
sessions to be load balanced.
TCP Select TCP to load balance only TCP sessions with the destination port number that matches the

UDP Select UDP to load balance only UDP sessions with the destination port number that matches the
IP Select IP to load balance all sessions accepted by the security policy that contains this virtual
server.
Load balancing methods
The load balancing method defines how sessions are load balanced to real servers.
All load balancing methods do not send traffic to real servers that are down or not responding. FortiGate can only
determine if a real server is not responding by using a health check monitor. You should always add at least one health
check monitor to a virtual server or to real servers; otherwise load balancing might try to distribute sessions to real
servers that are not functioning.
Static The traffic load is statically spread evenly across all real servers. Sessions are not assigned
according to how busy individual real servers are. This load balancing method provides some
persistence because all sessions from the same source address always go to the same real server.
Because the distribution is stateless, so if a real server is added, removed, or goes up or down, the
distribution is changed and persistence might be lost.
Round Robin Directs new requests to the next real server. This method treats all real servers as equals
regardless of response time or the number of connections. This method does not direct requests to
real servers that down or non responsive.
Weighted Real servers with a higher weight value receive a larger percentage of connections. Set the real
server weight when adding a real server.
Least Session Directs requests to the real server that has the least number of current connections. This method
works best in environments where the real servers or other equipment you are load balancing all
have similar capabilities. This load balancing method uses the FortiGate session table to track the
number of sessions being processed by each real server. The FortiGate unit cannot detect the
number of sessions actually being processed by a real server.
Least RTT Directs sessions to the real server with the lowest round trip time. The round trip time is determined
by a ping health check monitor. The default is 0 if no ping health check monitors are added to the
virtual server.
First Alive Directs sessions to the first live real server. This load balancing schedule provides real server
failover protection by sending all sessions to the first live real server. If a real server fails, all
sessions are sent to the next live real server. Sessions are not distributed to all real servers so all
sessions are processed by the first real server only.
HTTP Host Load balances HTTP host connections across multiple real servers using the host’s HTTP header to
guide the connection to the correct real server.
Health check monitoring
In the FortiGate GUI, you can configure health check monitoring so that the FortiGate unit can verify that real servers
are able respond to network connection attempts. If a real server responds to connection attempts, the load balancer
continues to send sessions to it. If a real server stops responding to connection attempts, the load balancer assumes
that the server is down and does not send sessions to it. The health check monitor configuration determines how the

load balancer tests real servers. You can use a single health check monitor for multiple load balancing configurations.
You can configure TCP, HTTP, and Ping health check monitors. You usually set the health check monitor to use the
same protocol as the traffic being load balanced to it. For example, for an HTTP load balancing configuration, you
would normally use an HTTP health check monitor.
Session persistence
Use persistence to ensure a user is connected to the same real server every time the user makes an HTTP, HTTPS, or
SSL request that is part of the same user session. For example, if you are load balancing HTTP and HTTPS sessions to
a collection of eCommerce web servers, when users make a purchase, they will be starting multiple sessions as they
navigate the eCommerce site. In most cases, all the sessions started by this user during one eCommerce session
should be processed by the same real server. Typically, the HTTP protocol keeps track of these related sessions using
cookies. HTTP cookie persistence ensure all sessions that are part of the same user session are processed by the same
real server.
When you configure persistence, the FortiGate unit load balances a new session to a real server according to the load
balance method. If the session has an HTTP cookie or an SSL session ID, the FortiGate unit sends all subsequent
sessions with the same HTTP cookie or SSL session ID to the same real server.
Real servers
Add real servers to a load balancing virtual server to provide information the virtual server requires to send sessions to
the server. A real server configuration includes the IP address of the real server and port number the real server receives
sessions on. The FortiGate unit sends sessions to the real server’s IP address using the destination port number in the
real server configuration.
When configuring a real server, you can also specify the weight (if the load balance method is set to Weighted) and you
can limit the maximum number of open connections between the FortiGate unit and the real server. If the maximum
number of connections is reached for the real server, the FortiGate unit automatically switches all further connection
requests to other real servers until the connection number drops below the limit. Setting Maximum Connections to 0
means that the FortiGate unit does not limit the number of connections to the real server.
Sample of HTTP load balancing to three real web servers
This example describes the steps to configure the load balancing configuration below. In this configuration, a FortiGate
unit is load balancing HTTP traffic from the Internet to three HTTP servers on the internal network. HTTP sessions are
accepted at the wan1 interface with destination IP address 172.20.120.121 on TCP port 8080, and forwarded from the
internal interface to the web servers. When forwarded, the destination address of the session is translated to the IP
address of one of the web servers.
This load balancing configuration also includes session persistence using HTTP cookies, round-robin load balancing,
and TCP health monitoring for the real servers. Ping health monitoring consists of the FortiGate unit using ICMP ping to
ensure the web servers can respond to network traffic.

To configure load balancing using the GUI:
1. Go to Policy & Objects > Health Check.

2. Create a new Health Check Monitor and set the following fields as an example:
l Set Name to Ping-mon-1.
l Set Type to Ping.
l Set Interval to 10 seconds.
l Set Timeout to 2 seconds.
l Set Retry to 3 attempt(s).

3. Go to Policy & Objects > Virtual Servers.

4. Create a new Virtual Server and set the following fields as an example:
l Set Name to Vserver-HTTP-1.
l In the Network section, set Type to HTTP.
l Set Virtual Server IP to 172.20.120.121.
l Set Virtual Server Port to 8080.
l Set Load Balance Method to Round Robin.
l Set Persistence to HTTP Cookie.
l Set Health Check to Ping-mon-1.
l Do not enable HTTP Multiplexing.
l Do not enable Preserve Client IP.
5. In the Real Servers section, add the three load balance real servers to the virtual server. For example:
l Add the IP Address 10.31.101.30, 10.31.101.40, and 10.31.101.50.
l For all IP addresses, set Port to 80.
l For all IP addresses, set Max Connections to 0.
l For all IP addresses, set Mode to Active.

6. Add a security policy that includes the load balance virtual server as the destination address.
To see the results:
l Traffic accessing 172.20.120.121:8080 is forwarded to the three real servers in turn.

l If the access request has an http-cookie, FortiGate forwards the access to the corresponding real server according
to the cookie.
Policy with Internet Service
Using Internet Service in policy
This recipe shows how to apply a predefined Internet Service entry into a policy.
The Internet Service Database is a comprehensive public IP address database that combines IP address range, IP
owner, service port number, and IP security credibility. The data comes from the FortiGuard service system. Information
is regularly added to this database, for example, geographic location, IP reputation, popularity & DNS, and so on. All
this information helps users define Internet security more effectively.
From FortiOS version 5.6 on, the Internet Service is included in the firewall policy, It can be applied to a policy only as a
Destination object. From version 6.0, Internet Services can be applied both as Source and Destination objects in policy.
You can also apply Internet Services to shaping policy.
There are three types of Internet Services we can apply to firewall policy:
l Predefined Internet Services.
l Custom Internet Services.
l Extension Internet Services.
To apply a predefined Internet Service entry into a policy using the GUI:
1. Go to Policy & Objects and create a new policy.

2. In the Source or Destination field, click +.
3. In the Select Entries pane, click Internet Service.

4. Locate and click Google.Gmail.
5. Configure the other fields and then click OK.
To apply a predefined Internet Service entry into a policy using the CLI:
In the CLI, enable the internet-service first and then use its ID to apply the policy.
This example uses Google Gmail and its ID is 65646. Each Internet Service has a unique ID.
edit 9
set name "Internet Service in Policy"
set srcintf "wan2"
set dstintf "wan1"
set srcaddr "all"
set action accept
set av-profile "g-default"
set nat enable
next
end

To diagnose an Internet Service entry using the CLI:
diag internet-service id-summary 65646

Version: 0000600096
Timestamp: 201902111802
Total number of IP ranges: 444727
Number of Groups: 7
Group(0), Singularity(20), Number of IP ranges(142740)
Internet Service: 65646(Google.Gmail)
Number of IP range: 60
Number of IP numbers: 322845
Singularity: 15
Reputation: 5(Known and verified safe sites such as Gmail, Amazon, eBay, etc.)
Icon Id: 510
Second Level Domain: 53(gmail.com)
Direction: dst
Data source: isdb
Result
Because the IP and services related to Google Gmail on the Internet are included in this Internet Service (65646), all
traffic to Google Gmail is forwarded by this policy.
Using custom Internet Service in policy
Even though there are about 1,395 predefined Internet Services entries and a total of 444,727 IP ranges, we sometimes
still need to create our own Internet Service entries. FortiOS supports custom Internet Service in a firewall policy.
When creating a custom Internet Service, you must set following elements:
l IP or IP Ranges
l Protocol number
l Port or Port Ranges
l Reputation
You must use CLI to create a custom Internet Service.
Custom Internet Service CLI syntax

config firewall internet-service-custom
edit <name>
set reputation {1|2|3|4|5}
config entry
edit <ID #>
set protocol <number #>
set dst <object_name>
config port-range

edit <ID #>

set start-port <number #>
set end-port <number #>
next
end
next
end
end
end
To configure a custom Internet Service using the CLI:
config firewall internet-service-custom

edit "test-isdb-1"
set comment "Test Custom Internet Service"
set reputation 4
config entry
edit 1
set protocol 6
config port-range
edit 1
set start-port 80
set end-port 443
next
end
set dst "10-1-100-0"
next
edit 2
set protocol 6
config port-range
edit 1
set start-port 80
set end-port 80
next
end
set dst "172-16-200-0"
next
end
next
end
To apply a custom Internet Service into policy using the CLI:

edit 1
set srcintf "wan2"
set dstintf "wan1"
set srcaddr "all"
set internet-service-custom "test-isdb-1"
set action accept


set nat enable
next
end
Result
In addition to the IP/IP-Ranges and services allowed by Google.Gmail, this policy also allows the traffic which access to
10.1.100.0/24 and TCP/80-443 and 172.16.200.0/24 and TCP/80.
Using extension Internet Service in policy
Extension Internet Service lets you add custom IP_Range(s)+Port_Range(s) to an existing prpedefined Internet Servic,
or remove IP_Range(s)+Port_Range(s) from an existing predefined Internet Service entry.
Using an extension type Internet Service is actually editing a predefined type Internet Service entry and add IP_Range
(s)+ Port_Range(s) to it.
When creating an extension Internet Service and adding custom IP_Range(s)+Port_Range(s), you must set following
elements:
l IP or IP Ranges
l Protocol number
l Port or Port Ranges
You must use CLI to add custom IP(s)+Port(s) entries into a predefined Internet Service.
You must use GUI to remove entries from a predefined Internet Service.
Custom extension Internet Service CLI syntax

config firewall internet-service-extension
edit <ID #>
config entry
edit <ID #>
set protocol <number #>
set dst <object_name>
config port-range
edit <ID #>
set start-port <number #>
set end-port <number #>
next
end
next
end
end
end

To configure an extension Internet Service using the CLI:

edit 65646
set comment "Test Extension Internet Service 65646"
config entry
edit 1
set protocol 6
config port-range
edit 1
set start-port 80
set end-port 443
next
end
set dst "172-16-200-0"
next
edit 2
set protocol 17
config port-range
edit 1
set start-port 53
set end-port 53
next
end
set dst "10-1-100-0"
next
end
next
end
To removing IP(s)+Port(s) entries from an existing Internet Service:
1. Go to Policy & Objects > Internet Service Database.

2. Search for Google.Gmail.
3. Select Google.Gmail and click Edit.
4. Locate the IP entry you want to remove and click Disable beside that entry.
5. Click Return.
6. When you complete the actions in the GUI, the CLI automatically generates the configuration from your GUI
actions:


edit 65646
set comment "Test Extension Internet Service 65646"
config entry
edit 1
set protocol 6
config port-range
edit 1
set start-port 80
set end-port 443
next
end
set dst "172-16-200-0"
next
edit 2
set protocol 17
config port-range
edit 1
set start-port 53
set end-port 53
next
end
set dst "10-1-100-0"
next
end
config disable-entry
edit 1
set protocol 6
config port-range
edit 1
set start-port 25
set end-port 25
next
edit 2
set start-port 80
set end-port 80
next
edit 3
set start-port 110
set end-port 110
next
edit 4
set start-port 143
set end-port 143
next
edit 5
set start-port 443
set end-port 443
next
edit 6
set start-port 465
set end-port 465
next
edit 7
set start-port 587
set end-port 587

next
edit 8
set start-port 993
set end-port 993
next
edit 9
set start-port 995
set end-port 995
next
edit 10
set start-port 2525
set end-port 2525
next
end
config ip-range
edit 1
set end-ip 2.20.183.160
next
end
next
end
next
end
To apply an extension Internet Service into policy using the CLI:

edit 9
set srcintf "wan2"
set dstintf "wan1"
set srcaddr "all"
set action accept
set nat enable
next
end
Result
In addition to the IP(s)/IP-Range(s) and services allowed by Google.Gmail, this policy also allows the traffic which
accesses 10.1.100.0/24 and UDP/53 and 172.16.200.0/24 and TCP/80-443. At the same time, the traffic which
accesses 2.20.183.160 is dropped because this IP+Port(s) is disabled from Google.Gmail.
NAT64 policy and DNS64 (DNS proxy)
NAT64 policy translates IPv6 addresses to IPv4 addresses so that a client on an IPv6 network can communicate
transparently with a server on an IPv4 network.

NAT64 policy is usually implemented in combination with the DNS proxy called DNS64. DNS64 synthesizes AAAA
records from A records and is used to synthesize IPv6 addresses for hosts that only have IPv4 addresses. DNS proxy
and DNS64 are interchangeable terms.
Sample topology
In this example, a host on the internal IPv6 network communicates with ControlPC.qa.fortinet.com that only
has IPv4 address on the Internet.
1. The host on the internal network does a DNS lookup for ControlPC.qa.fortinet.com by sending a DNS
query for an AAAA record for ControlPC.qa.fortinet.com.
2. The DNS query is intercepted by the FortiGate DNS proxy. The DNS proxy performs an A-record query for
ControlPC.qa.fortinet.com and gets back an RRSet containing a single A record with the IPv4 address
172.16.200.55.
3. The DNS proxy then synthesizes an AAAA record. The IPv6 address in the AAAA record begins with the configured
NAT64 prefix in the upper 96 bits and the received IPv4 address in the lower 32 bits. By default, the resulting IPv6
address is 64:ff9b::172.16.200.55.
4. The host on the internal network receives the synthetic AAAA record and sends a packet to the destination address
64:ff9b::172.16.200.55.
5. The packet is routed to the FortiGate internal interface (port10) where it is accepted by the NAT64 security policy.
6. The FortiGate unit translates the destination address of the packets from IPv6 address
64:ff9b::172.16.200.55 to IPv4 address 172.16.200.55 and translates the source address of the
packets to 172.16.200.200 (or another address in the IP pool range) and forwards the packets out the port9
interface to the Internet.
To enable display for IPv6, NAT46/NAT64, and DNS Database using the GUI:
1. Go to System > Feature Visibility.

2. In the Basic Features section, enable IPv6.
3. In the Additional Features section, enable the following features:
l NAT46 & NAT64
l DNS Database
4. Click Apply.

To enable display for IPv6, NAT46/NAT64, and DNS Database using the CLI:

set gui-ipv6 enable
end
set gui-nat46-64 enable
set gui-dns-database enable
end
To enable DNS proxy on the IPv6 interface using the GUI:
1. Go to Network > DNS Servers.

2. In DNS Service on Interface, click Create New.
3. For Interface, select port10.
4. Click OK.
To enable DNS proxy on the IPv6 interface using the CLI:

edit "port10"
set mode forward-only
next
end
To configure IPv6 DHCP server using the CLI:
config system dhcp6 server

edit 1
set subnet 2001:db8:1::/64
config ip-range
edit 1
set start-ip 2001:db8:1::11
set end-ip 2001:db8:1::20
next
end
set dns-server1 2001:db8:1::10
next
end
To enable NAT64 and related settings using the CLI:
Enabling NAT64 with the config system nat64 command means that all IPv6 traffic received by the current
VDOM can be subject to NAT64 if the source and destination address matches an NAT64 security policy.
By default, the setting always-synthesize-aaaa-record is enabled. If you disable this setting, the DNS proxy
(DNS64) will attempt to find an AAAA records for queries to domain names and therefore resolve the host names to IPv6
addresses. If the DNS proxy cannot find an AAAA record, it synthesizes one by adding the NAT64 prefix to the A record.
nat64-prefix setting is the nat64 prefix. By default, it is 64:ff9b::/96.
config system nat64
set status enable
end

To create NAT64 policy using the GUI:
1. Add an IPv4 firewall address for the external network.

a. Go to Policy & Object > Addresses.
c. For Name, enter external-net4.
d. For IP/Network, enter 17216.200.0/24.
e. For Interface, select port9.
f. Click OK.
2. Add an IPv6 firewall address for the internal network.
a. Go to Policy & Object > Addresses.
c. Change Category to IPv6 Address.
d. For Name, enter internal-net6.
e. For IPv6 Address, enter 2001:db8:1::/48.
f. Click OK.
3. Add an IP pool containing the IPv4 address that is used as the source address of the packets exiting port9.
a. Go to Policy & Object > IP Pools.
c. For Name, enter exit-pool4.
d. For External IP Range, enter 172.16.200.200-172.16.200.210.
e. Click OK.
4. Add a NAT64 policy that allows connections from the internal IPv6 network to the external IPv4 network.
a. Go to Policy & Object > NAT64 Policy.
c. For Incoming Interface, select port10.
d. For Outgoing Interface, select port9.
e. For Source Address, select internal-net6.
f. For Destination Address, select external-net4.
g. Set IP Pool Configuration to Use Dynamic IP Pool and select the IP pool exit-pool4.
h. Click OK.
To create NAT64 policy using the CLI:

edit "external-net4"
set associated-interface "port9"
set subnet 172.16.200.0 255.255.255.0
next
end
config firewall address6
edit "internal-net6"
set ip6 2001:db8:1::/48
next
end
edit "exit-pool4"

set startip 172.16.200.200

set endip 172.16.200.210
next
end
config firewall policy64
edit 1
set dstintf "port9"
set srcaddr "internal-net6"
set dstaddr "external-net4"
set action accept
set service "ALL"
set ippool enable
set poolname "exit-pool4"
next
end
NAT46 policy
NAT46 refers to the mechanism that allows IPv4 addressed hosts to communicate with IPv6 hosts. Without such a
mechanism, IPv4 environments cannot connect to IPv6 networks.
Sample topology
In this example, an IPv4 client tries to connect to an IPv6 server. A VIP is configured on FortiGate to map the server
IPv6 IP address 2000:172:16:200:55 to an IPv4 address 10.1.100.55. On the other side, an IPv6 IP pool is
configured and the source address of packets from client are changed to the defined IPv6 address. In this setup, the
client PC can access the server by using IP address 10.1.100.55.
To enable display for IPv6 and NAT46/NAT64 using the GUI:
1. Go to System > Feature Visibility.

2. In the Basic Features section, enable IPv6.
3. In the Additional Features section, enable NAT46 & NAT64.
4. Click Apply.

To enable display for IPv6 and NAT46/NAT64 using the CLI:

set gui-ipv6 enable
end
set gui-nat46-64 enable
end
To configure VIP46 using the GUI:
1. Go to Policy & Object > Virtual IPs.

3. For Name, enter vip46_server.
4. For External IP Address/Range, enter 10.1.100.55- 10.1.100.55.
5. For Mapped IP Address/Range, enter 2000:172:16:200::55.
6. Click OK.
To configure VIP46 using the CLI:
config firewall vip46

edit "vip46_server"
set extip 10.1.100.55
set mappedip 2000:172:16:200::55
next
end
To configure IPv6 IP pool using the GUI:
1. Go to Policy & Object > IP Pools.

3. For Name, enter client_expternal.
4. For External IP Range, enter 2000:172:16:201::11- 2000:172:16:201::20.
5. Click OK.
To configure IPv6 IP pool using the CLI:
config firewall ippool6

edit "client_external"
set startip 2000:172:16:201::11
set endip 2000:172:16:201::20
next
end
To enable NAT64 and configure address prefix using the CLI:
config system nat64

set status enable
set secondary-prefix-status enable
config secondary-prefix
edit "1"
set nat64-prefix 2000:172:16:201::/96

next
end
end
To create NAT46 policy using the GUI:
1. Go to Policy & Object > NAT46 Policy.

3. For Incoming Interface, select port10.
4. For Outgoing Interface, select port9.
5. For Source Address, select all.
6. For Destination Address, select vip46_server.
7. Set IP Pool Configuration to Use Dynamic IP Pool and select the IP pool client_expernal.
8. Click OK.
To create NAT46 policy using the CLI:
config firewall policy46

edit 1
set dstintf "port9"
set srcaddr "all"
set dstaddr "vip46_server"
set action accept
set service "ALL"
set ippool enable
set poolname "client_external"
next
end
Sample troubleshooting
Example to trace flow to see the whole process.

# dia de flow filter saddr 10.1.100.11
# dia de flow show function-name enable
show function name
# dia de flow show iprope enable
show trace messages about iprope
# dia de flow trace start 5
id=20085 trace_id=1 func=print_pkt_detail line=5401 msg="vd-root:0 received a packet(proto=1,

10.1.100.11:27592->10.1.100.55:2048) from port10. type=8, code=0, id=27592, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5561 msg="allocate a new session-
000003b9"
id=20085 trace_id=1 func=iprope_dnat_check line=4948 msg="in-[port10], out-[]"
id=20085 trace_id=1 func=iprope_dnat_tree_check line=822 msg="len=1"
id=20085 trace_id=1 func=__iprope_check_one_dnat_policy line=4822 msg="checking gnum-100000
policy-1"
id=20085 trace_id=1 func=get_vip46_addr line=998 msg="find DNAT46: IP-2000:172:16:200::55,
port-27592"

id=20085 trace_id=1 func=__iprope_check_one_dnat_policy line=4904 msg="matched policy-1, act-

t=accept, vip=1, flag=100, sflag=2000000"
id=20085 trace_id=1 func=iprope_dnat_check line=4961 msg="result: skb_flags-02000000, vid-1,
ret-matched, act-accept, flag-00000100"
id=20085 trace_id=1 func=fw_pre_route_handler line=183 msg="VIP-10.1.100.55:27592, outdev-
unkown"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3220 msg="DNAT 10.1.100.55:8-
>10.1.100.55:27592"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2594 msg="find a route: flag=80000000
gw-10.1.100.55 via root"
id=20085 trace_id=1 func=ip4_nat_af_input line=601 msg="nat64 ipv4 received a packet proto=1"
id=20085 trace_id=1 func=__iprope_check line=2112 msg="gnum-100012, check-ffffffffa0024ebe"
id=20085 trace_id=1 func=__iprope_check_one_policy line=1873 msg="checked gnum-100012 policy-
1, ret-matched, act-accept"
id=20085 trace_id=1 func=__iprope_user_identity_check line=1677 msg="ret-matched"
id=20085 trace_id=1 func=get_new_addr46 line=1047 msg="find SNAT46: IP-2000:172:16:201::13
(from IPPOOL), port-27592"
id=20085 trace_id=1 func=__iprope_check_one_policy line=2083 msg="policy-1 is matched, act-
accept"
id=20085 trace_id=1 func=__iprope_check line=2131 msg="gnum-100012 check result: ret-matched,
act-accept, flag-08050500, flag2-00200000"
id=20085 trace_id=1 func=iprope_policy_group_check line=4358 msg="after check: ret-matched,
act-accept, flag-08050500, flag2-00200000"
id=20085 trace_id=1 func=resolve_ip6_tuple line=4389 msg="allocate a new session-00000081"
Multicast processing and basic Multicast policy
You need to add firewall policies to allow packets to pass from one interface to another. Multicast packets require
multicast security policies. Similar to firewall policies, in a multicast policy, the administrator specifies the source
interface, destination interfaces, the allowed source address ranges, and destination addresses of the multicast traffic.
You can also use multicast policies to configure source NAT and destination NAT for multicast packets.
Multicast forwarding in NAT mode
When multicast-forward is enabled, the FortiGate forwards any multicast IP packets in which the TTL is 2 or
higher to all interfaces and VLAN interfaces except the receiving interface. The TTL in the IP header is reduced by 1.
Even though the multicast packets are forwarded to all interfaces, you must add multicast policies to allow multicast
packets through the FortiGate.
If multicast-forward is disabled, then FortiGate unit drops packets that have multicast source or destination
addresses.
In NAT mode, there is a per-VDOM configuration to disable forwarding any multicast traffic. This command is only
available in NAT mode.
set multicast-forward <disable|enable(default)>
end
You can also use the multicast-ttl-notchange option so that FortiGate doesn't increase the TTL value for
forwarded multicast packets. Use this option only if packets are expiring before reaching the multicast router.


set multicast-ttl-notchange enable
end
Multicast processing in TP mode
When multicast-skip-policy is enabled, no check is performed based on multicast policy. A multicast packet
received on an interface is flooded unconditionally to all interfaces (except the incoming interface) belonging to the
same forwarding domain. Multicast packets are forwarded even when there is no multicast policy or the multicast policy
is set to deny. To forward multicast traffic based on multicast policy, multicast-skip-policy must be disabled.
In transparent mode, there is a per-VDOM configuration to skip policy check and forward all multicast traffics. This
command is only available in transparent mode.
set multicast-skip-policy <disable(default)|enable>
end
To allow RIP2 packets from port1 to port2 using the GUI:
1. Go to Policy & Object > Multicast Policy.

3. For Incoming Interface, select port1.
4. For Outgoing Interface, select port2.
5. For Source Address, select 10.10.0.10/32.
6. For Destination Address, select RIPv2.
7. Click OK.
To allow RIP2 packets from port1 to port2 using the CLI:

edit "10.10.0.10/32"
set subnet 10.10.0.10 255.255.255.255
next
end
config firewall multicast-address
edit "RIPv2"
set end-ip 224.0.0.9
next
end
config firewall multicast-policy
edit 2
set srcintf "port1"
set dstintf "port2"
set srcaddr "10.10.0.10/32"
set dstaddr "RIPv2"
next
end

IPv4/IPv6 access control lists
Access control lists (ACL) in the FortiOS firmware is a granular or more specifically targeted blacklist. ACL drop IPv4 and
IPv6 packets at the physical network interface before the packets are analyzed by the CPU. On a busy appliance, this
can really improve performance.
ACL is available on FortiGates with NP6-accelerated interfaces. ACL checking is one of the first things that happens to
the packet and checking is done by the NP6 processor. The result is very efficient protection that does not use CPU or
memory resources.
The following platforms support ACL:
l FGT_100D, FGT_100E, FGT_100EF, FGT_101E.
l FGT_140D, FGT_140D_POE, FGT_140E, FGT_140E_POE.
l FGT_301E, FGT_500E, FGT_501E.
l FGT_1200D, FGT_1500D, FGT_1500DT.
l FGT_2000E, FGT_2500E.
l FGT_3000D, FGT_3100D, FGT_3200D, FGT_3700D.
l FGT_3800D, FGT_3810D, FGT_3815D.
l FGT_3960E, FGT_3980E.
Limitation
The configuration of ACL allows you to specify which interface the ACL is applied to. You should be aware of a hardware
limitation. The ACL is a Layer 2 function and is offloaded to the ISF hardware. Therefore no CPU resources are used in
the processing of the ACL. It is handled by the inside switch chip which can do hardware acceleration, which increases
the performance of the FortiGate. The drawback is that the ACL function is only supported on switch fabric driven
interfaces. It also cannot be applied to hardware switch interfaces or their members. Ports such as WAN1 or WAN2 on
some models that use network cards that connect to the CPU through a PCIe bus do support ACL.
To block all IPv4 and IPv6 Telnet traffic from port2 to Company_Servers using the CLI:
config firewall acl

edit 1
set srcaddr "all"
set dstaddr "Company_Servers"
set service "TELNET"
next
end
config firewall acl6
edit 1
set srcaddr "all"
set dstaddr "Company_Servers_v6"
set service "TELNET"
next
end

Sample troubleshooting
To check the number of packets drop by an ACL:
# diag firewall acl counter

ACL id 1 dropped 0 packets
To clear the packet drop counter:
# diag firewall acl clearcounter
Use the same commands for IPv6 ACL.

# dia firewall acl
counter Show number of packets dropped by ACL.
counter6 Show number of packets dropped by ACL6.
clearcounter Clear ACL packet counter.
clearcounter6 Clear ACL6 packet counter.
Traffic shaping
Interface bandwidth limit
You can limit interface bandwidth for arriving and departing traffic. In some cases, the traffic received on an interfaces
could exceed the maximum bandwidth limit defined in the security policy. Rather than waste processing power on
packets that will get dropped later in the process, you can configure FortiGate to preemptively drop excess packets
when they're received at the source interface. A similar command is available to the outgoing interface.
The following diagram shows how excess packets going from LAN to WAN1 can be intercepted and dropped at the
source interface.
To configure an interface bandwidth limit on the FortiOS GUI:
1. Go to Interface.
2. Click interface port1, and click Edit on top menu bar.
3. Go to the Traffic Shaping section, and set the following options:
a. Enable Inbound Bandwidth and type 200.
The default bandwidth unit is kbps.

b. Enable Outbound Bandwidth and type 400.

The default bandwidth unit is kbps.
4. Click OK.
To configure an interface bandwidth limit on the FortiOS CLI:
1. On the FortiGate, configure the interface bandwidth limit:

edit "port1"
.....
set inbandwidth 200
set outbandwidth 400
.....
next
end
ToS-based traffic prioritization
This traffic prioritization method puts packets into the following queues based on its Type of Service (ToS) value:
l High
l Medium
l Low
ToS-based traffic prioritization cannot be used to apply bandwidth limits and guarantees, but it can be used to prioritize
traffic at per-packet levels.
You can use the following command to configure the default system-wide level of priority:
set traffic-priority-level {high | low | medium}
end
You can also prioritize packets according to the ToS bit value in the packet’s IP header by using the following command:
config system tos-based-priority
edit <id_int>
set tos [0-15]
set priority {high | low | medium}
next
end
Example
The following configuration shows that packets with ToS bit values of 10 are prioritized as medium and packets with
ToS bit values of 20 are prioritized as high. All the other traffic is prioritized as low.
You can only configure this method by using the CLI.

set traffic-priority-level low

end
edit 1
set tos 10
set priority medium
next
edit 2
set tos 20
set priority high
next
end
Shared traffic shaper
Shared traffic shaper is used in a firewall shaping policy to indicate the priority and guaranteed and maximum bandwidth
for a specified type of traffic use.
The maximum bandwidth indicates the largest amount of traffic allowed when using the policy. You can set the
maximum bandwidth to a value between 1 and 16776000 Kbps. The GUI displays an error if any value outside this
range is used. If you want to allow unlimited bandwidth, use the CLI to enter a value of 0.
The guaranteed bandwidth ensures that there is a consistent reserved bandwidth available. When setting the
guaranteed bandwidth, ensure that the value is significantly less than the interface's bandwidth capacity. Otherwise, the
interface will allow very little or no other traffic to pass through, potentially causing unwanted latency.
In a shared traffic shaper, the administrator can prioritize certain traffic as high, medium, or low. FortiOS provides
bandwidth to low priority connections only when high priority connections do not need the bandwidth. For example, you
should assign a high traffic priority to a policy for connecting a secure web server that needs to support e-commerce
traffic. You should assign less important services a low priority.
When you configure a shared traffic shaper, you can apply bandwidth shaping per policy or for all policies. By default, a
shared traffic shaper applies traffic shaping evenly to all policies that use the shared traffic shaper.
When configuring a per-policy traffic shaper, FortiOS applies the traffic shaping rules defined for each security policy
individually. For example, if a per-policy traffic shaper is configured with a maximum bandwidth of 1000 Kbps, any
security policies that have that traffic shaper enabled get 1000 Kbps of bandwidth each.
If a traffic shaper for all policies is configured with a maximum bandwidth of 1000 Kbps, all policies share the 1000 Kbps
on a first-come, first-served basis.
The configuration is as follows:
edit "traffic_shaper_name"
next
end
The shared traffic shaper selected in the traffic shaping policy affects traffic in the direction defined in the policy. For
example, if the source port is LAN and the destination is WAN1, the traffic shaping affects the flow in this direction only,
affecting the outbound traffic's upload speed. You can define the traffic shaper for the policy in the opposite direction
(reverse shaper) to affect the inbound traffic's download speed. In this example, that would be from WAN1 to LAN.
The following example shows how to apply different speeds to different types of service. The example configures two
shared traffic shapers to use in two firewall shaping policies. One policy guarantees a speed of 10 Mbps for VoIP traffic.

The other policy guarantees a speed of 1 Mbps for other traffic. In the example, FortiOS communicates with a PC using
port10 and the Internet using port9.
To configure shared traffic shapers in the FortiOS GUI:
1. Create a firewall policy:

a. Go to Policy & Objects > IPv4 Policy. Click Create New.
b. In the Name field, enter Internet Access.
c. From the Incoming Interface dropdown list, select port10.
d. From the Outgoing Interface dropdown list, select port9.
e. For the Source and Destination fields, select all.
f. From the Schedule dropdown list, select always.
g. For the Service field, select ALL.
h. Click OK.
2. Create the shared traffic shapers:
a. Go to Policy & Objects > Traffic Shapers. Click Create New.
b. In the Name field, enter 10Mbps. This shaper is for VoIP traffic.
c. From the Traffic Priority dropdown list, select High.
d. Enable Max Bandwidth and enter 20000. This equates to 20 Mbps.
e. Enable Guaranteed Bandwidth and enter 10000. This equates to 10 Mbps.
f. Click OK.
g. Repeat the process above to create another traffic shaper named 1Mbps. Set the Traffic Priority to Low, the
Max Bandwidth and Guaranteed Bandwidth to 10000.
3. Create a firewall shaping policy:
a. Go to Policy & Objects > Traffic Shaping Policy. Click Create New.
b. In the Name field, enter VoIP_10Mbps_High. This policy is for VoIP traffic.
c. For the Source and Destination fields, select all.
d. For the Service field, select all VoIP services.
e. For the Outgoing Interface field, select port9.
f. Enable Shared shaper. Select 10Mbps from the dropdown list.
g. Enable Reverse shaper. Select 10Mbps from the dropdown list.
h. Click OK.
i. Repeat the process above to create a firewall shaping policy named Other_1Mbps_Low for other traffic. Set
the Source and Destination to all, Service to ALL, Outgoing Interface to port9, and Shared shaper and
Reverse shaper to 1Mbps.
To configure shared traffic shapers using the FortiOS CLI:

edit 1
set name "Internet Access"
set dstintf "port9"
set srcaddr "all"
set dstaddr "all"
set action accept


set service "ALL"
set fsso disable
set nat enable
next
end
2. Create the shared traffic shapers:
edit "10Mbps"
next
edit "1Mbps"
set priority low
next
end
edit 1
set name "VOIP_10Mbps_High"
set service "H323" "IRC" "MS-SQL" "MYSQL" "RTSP" "SCCP" "SIP" "SIP-MSNmessenger"
set dstintf "port9"
set traffic-shaper "10Mbps"
set traffic-shaper-reverse "10Mbps"
set srcaddr "all"
set dstaddr "all"
next
edit 2
set name "Other_1Mbps_Low"
set service "ALL"
set dstintf "port9"
set traffic-shaper "1Mbps"
set traffic-shaper-reverse "1Mbps"
set srcaddr "all"
set dstaddr "all"
next
end
To troubleshoot shared traffic shapers:
1. To check if specific traffic is attached to the correct traffic shaper, run the diagnose firewall iprope list
100015 command. The example output shows the traffic attached to the 10Mbps and 1Mbps shapers:

flag (0):
shapers: orig=10Mbps(2/1280000/2560000)
cos_fwd=0 cos_rev=0
group=00100015 av=00000000 au=00000000 split=00000000
zone(1): 0 -> zone(1): 38
source(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=0,

service(15):
[6:0x0:0/(1,65535)->(1720,1720)] helper:auto
[6:0x0:0/(1,65535)->(1503,1503)] helper:auto
[17:0x0:0/(1,65535)->(1719,1719)] helper:auto
[6:0x0:0/(1,65535)->(6660,6669)] helper:auto
[6:0x0:0/(1,65535)->(1433,1433)] helper:auto
[6:0x0:0/(1,65535)->(1434,1434)] helper:auto
[6:0x0:0/(1,65535)->(3306,3306)] helper:auto
[6:0x0:0/(1,65535)->(554,554)] helper:auto
[6:0x0:0/(1,65535)->(7070,7070)] helper:auto
[6:0x0:0/(1,65535)->(8554,8554)] helper:auto
[17:0x0:0/(1,65535)->(554,554)] helper:auto
[6:0x0:0/(1,65535)->(2000,2000)] helper:auto
[6:0x0:0/(1,65535)->(5060,5060)] helper:auto
[17:0x0:0/(1,65535)->(5060,5060)] helper:auto
[6:0x0:0/(1,65535)->(1863,1863)] helper:auto

flag (0):
shapers: orig=1Mbps(4/128000/1280000)
cos_fwd=0 cos_rev=0
group=00100015 av=00000000 au=00000000 split=00000000
zone(1): 0 -> zone(1): 38
source(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
service(1):
[0:0x0:0/(0,0)->(0,0)] helper:auto
2. To check if the correct traffic shaper is applied to the session, run the diagnose sys session list
command. The example output shows that the 1Mbps shaper is applied to the session:
session info: proto=6 proto_state=01 duration=11 expire=3599 timeout=3600 flags=00000000
sockflag=00000000 sockport=0 av_idx=0 use=5
origin-shaper=1Mbps prio=4 guarantee 128000Bps max 1280000Bps traffic 1050Bps drops 0B
reply-shaper=
per_ip_shaper=
state=may_dirty npu npd os mif route_preserve
serial=0003255f tos=ff/ff app_list=0 app=0 url_cat=0
dd_type=0 dd_mode=0
npu_state=0x100000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0,
vlan=0x0000/0x0000
total session 1

3. To check statuses of shared traffic shapers, run the diagnose firewall shaper traffic-shaper list
command. The output should resemble the following:
# dia firewall shaper traffic-shaper list
name 10Mbps
priority 2
tos ff
packets dropped 0
bytes dropped 0
name 1Mbps
priority 4
tos ff
packets dropped 0
bytes dropped 0
Per-IP traffic shaper
With per-IP traffic shaping, you can limit each IP address's behavior to avoid a situation where one user uses all of the
available bandwidth. In addition to controlling the maximum bandwidth used per IP address, you can also define the
maximum number of concurrent sessions for an IP address. For example, if you apply a per-IP shaper of 1 Mbps to your
entire network, FortiOS allocates each user/IP address 1 Mbps of bandwidth. Even if the network consists of a single
user, FortiOS allocates them 1 Mbps. If there are ten users, each user gets 1 Mbps of bandwidth, totaling 10 Mbps of
outgoing traffic.
For shared shapers, all users share the set guaranteed and maximum bandwidths. For example, if you set a shared
shaper for all PCs using an FTP service to 10 Mbps, all users uploading to the FTP server share the 10 Mbps.
Shared shapers affect upload speed. If you want to limit the download speed from the FTP server in the example, you
must configure the shared shaper as a reverse shaper. Per-IP shapers apply the speed limit on both upload and
download operations.
The following example shows how to apply a per-IP shaper to a traffic shaping policy. This shaper assigns each user a
maximum bandwidth of 1 Mbps and allows each user to have a maximum of ten concurrent connections to the FTP
server. In the example, FortiOS communicates with users using port10 and the FTP server using port9.
To configure a per-IP shaper in the FortiOS GUI:

a. Go to Policy & Objects > IPv4 Policy. Click Create New.
b. In the Name field, enter FTP Access.
c. From the Incoming Interface dropdown list, select port10.
d. From the Outgoing Interface dropdown list, select port9.
e. For the Source and Destination fields, select all and FTP_Server, respectively.
f. From the Schedule dropdown list, select always.

g. For the Service field, select ALL.

h. Click OK.
2. Create the per-IP traffic shaper:
a. Go to Policy & Objects > Traffic Shapers. Click Create New.
b. For Type, select Per-IP.
c. In the Name field, enter FTP_Max_1M. This shaper is for VoIP traffic.
d. Enable Max Bandwidth and enter 1000. This equates to 1 Mbps.
e. Enable Max Concurrent Connections and enter 10. This means that each user can have up to ten concurrent
connections to the FTP server.
f. Click OK.
a. Go to Policy & Objects > Traffic Shaping Policy. Click Create New.
b. In the Name field, enter FTP speed 1M.
c. For the Source fields, select the users that need to access the FTP server.
d. For the Destination field, select FTP_Server.
e. For the Service field, select ALL.
f. For the Outgoing Interface field, select port9.
g. Enable Per-IP shaper. Select FTP_Max_1M from the dropdown list.
h. Click OK.
To configure a per-IP traffic shaper using the FortiOS CLI:

edit 1
set name "FTP Access"
set dstintf "port9"
set srcaddr "all"
set dstaddr "FTP_Server"
set action accept
set service "ALL"
set fsso disable
set nat enable
next
end
2. Create the per-IP traffic shaper:
config firewall shaper per-ip-shaper
edit "FTP_Max_1M"
set max-bandwidth 1000
set max-concurrent-session 10
next
end
edit 1
set name "FTP speed 1M"
set service "ALL"
set dstintf "port9"

set per-ip-shaper "FTP_Max_1M"

set srcaddr "PC1" "WinPC" "PC2"
set dstaddr "FTP_Server"
next
end
To troubleshoot per-IP traffic shapers:
1. To check if specific traffic is attached to the correct traffic shaper, run the diagnose firewall iprope list
100015 command. The example output shows the traffic attached to the FTP_Max_1M shaper:

flag (0):
shapers: per-ip=FTP_Max_1M
cos_fwd=0 cos_rev=0
group=00100015 av=00000000 au=00000000 split=00000000
zone(1): 0 -> zone(1): 38
source(3): 10.1.100.11-10.1.100.11, uuid_idx=30, 10.1.100.143-10.1.100.143, uuid_idx=32,
10.1.100.22-10.1.100.22, uuid_idx=31,
dest(1): 172.16.200.55-172.16.200.55, uuid_idx=89,
service(1):
[0:0x0:0/(0,65535)->(0,65535)] helper:auto
2. To check if the correct traffic shaper is applied to the session, run the diagnose sys session list
command. The example output shows that the FTP_Max_1M shaper is applied to the session:
session info: proto=6 proto_state=01 duration=36 expire=3567 timeout=3600 flags=00000000
sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=FTP_Max_1M
state=may_dirty per_ip npu npd mif route_preserve
serial=0000211a tos=ff/ff app_list=0 app=0 url_cat=0
dd_type=0 dd_mode=0
npu_state=0x100000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0,
vlan=0x0000/0x0000
3. To check statuses of per-IP traffic shapers, run the diagnose firewall shaper per-ip-shaper list
command. The output should resemble the following:
# diagnose firewall shaper per-ip-shaper list
name FTP_Max_1M

maximum-concurrent-session 10
tos ff/ff
packets dropped 0
bytes dropped 0
addr=10.1.100.11 status: bps=0 ses=3
Type of Service-based prioritization and policy-based traffic shaping
Priority queues
After packet acceptance, FortiOS classifies traffic and may apply Quality of Service techniques such as prioritization and
traffic shaping. Traffic shaping consists of a mixture of traffic policing to enforce bandwidth limits and priority queue
adjustment to assist packets in achieving the guaranteed rate.
If you have configured prioritization, FortiOS prioritizes egressing packets by distributing them among first in first out
queues associated with each possible priority number. Each physical interface has six priority queues. Virtual interfaces
use the priority queues of the physical interface to which they are bound.
Each physical interface's six queues are queue 0 to queue 5, where queue 0 is the highest priority queue. However, you
may observe that your traffic uses only a subset of those six queues. For example, some traffic may always use a
certain queue number. Queuing may also vary by the packet rate or mixture of services. Some queue numbers may only
be used by through traffic for which you have configured traffic shaping in the security policy that applies to that traffic
session.
Administrative access traffic always uses queue 0.

Traffic matching firewall policies without traffic shaping may use queue 0, queue 1, or queue 2. The queue is selected
based on the priority value you have configured for packets with that Type of Service (ToS) bit value, if you have
configured ToS-based priorities.
Traffic matching firewall shaping policies with traffic shaper enabled may use any queue. The queue is selected based
on whether the packet rate is currently below the guaranteed bandwidth (queue 0), or above the guaranteed bandwidth.
Packets at rates greater than the maximum bandwidth limit are dropped.
Priority types
Packets can be assigned a priority in one of three types:

l On entering ingress – for packets flowing through the firewall.
l Upon generation – for packets generated by the firewall (including packets generated due to AV proxying).
l On passing through a firewall policy – for packets passing through a firewall policy (firewall shaping policy) that has
a traffic shaper defined.

ToS priority
The first and second types, ingress priority and priority for generated packets, are controlled via two different CLI
settings, as shown below:
set traffic-priority-level {high|medium|low}
end
edit 1
set tos [0-15] -> type of service bit in the IP datagram header with a value between 0
and 15
set priority (high|medium|low)-> priority of this type of service
next
end
Each priority level is mapped to a value as follows:
ToS priority Value
High 0
Medium 1
Low 2
Firewall shaping policy priority
In a firewall shaping policy, you can enable traffic shaping. In the shared traffic shaper, you can set the firewall priority to
high, medium, or low, as shown below:
edit "1"
set priority (high|medium|low)
next
end
Since the priority in a traffic shaper is set to high by default, you must set some traffic at a lower priority to see results.
Each priority level is mapped to a value as follows:
Firewall policy priority Value
High (default) 1
Medium 2
Low 3
Combination of two priority types
To combine the two priority types, the global or ingress ToS-based priority value is combined with the firewall policy
priority value:
ToS priority (0, 1, 2) + policy priority (1, 2, 3) = total priority (queue number)

Consider the following scenarios:

l If the current packet rate is less than the guaranteed bandwidth, packets use priority queue 0. Packet priority is 0.
l If the current packet rate exceeds the maximum bandwidth, excess packets are dropped.
l If the current packet rate is greater than the guaranteed bandwidth but less than the maximum bandwidth, FortiOS
assigns a priority queue by adding the ToS-based priority and the firewall priority. For example, if you have enabled
traffic shaping in the security policy and the security policy's traffic priority is low (value 3), and the priority normally
applied to packets with that ToS bit is medium (value 1), the packets have a total packet priority of 4, and use
priority queue 4.
Interface-based traffic shaping profile
Priority Queues
After packet acceptance, FortiGate classifies traffic and might apply Quality of Service (QoS) techniques, such as
prioritization and traffic shaping. Traffic shaping consists of a mixture of traffic policing to enforce bandwidth limits and
priority queue adjustment to assist packets in achieving the guaranteed rate.
If you have configured prioritization, the FortiGate unit prioritizes egressing packets by distributing them among FIFO
(first in, first out) queues associated with each possible priority number. Each physical interface has six priority queues.
Virtual interfaces use the priority queues of the physical interface to which they are bound.
Each physical interface’s six queues are queue 0 to queue 5, where queue 0 is the highest priority queue. However, you
might observe that your traffic uses only a subset of those six queues. For example, some traffic might always use a
certain queue number. Queuing may also vary by the packet rate or mixture of services. Some queue numbers might
only be used by through traffic for which you have configured traffic shaping in the security policy that applies to that
traffic session.

l Administrative access traffic will always use queue 0.

l Traffic matching firewall policies without traffic shaping may use queue 0, queue 1, or queue 2. The queue is
selected based on the priority value you have configured for packets with that ToS (Type of Service) bit value, if you
have configured ToS-based priorities.
l Traffic matching firewall shaping policy with traffic shaper enabled may use any queue. The queue is selected
based on whether the packet rate is currently below the guaranteed bandwidth (queue 0), or above the guaranteed
bandwidth. Packets at rates greater than the maximum bandwidth limit are dropped.
l For Example, if the global ToS-based-priority is low (3) and the priority in a traffic-shaper is medium (2), when a
packet flows through a policy that refers to the shaper, the packet will be assigned the priority defined by the
shaper. In this case, medium (2).
Types of priority
Packets can be assigned a priority in one of three types:

1. On entering ingress – for packets flowing through the firewall.
2. Upon generation – for packets generated by the firewall (including packets generated due to AV proxying).
3. On passing through a firewall policy – for packets passing through a firewall policy(firewall shaping policy) that has
a traffic shaper defined.
Type of Service (ToS) priority
The first and second types (ingress priority and priority for generated packets) are controlled via two different CLI
settings:
set traffic-priority-level {high|medium|low}
end
And
edit 1
set tos [0-15] -> type of service bit in the IP datagram header with a value between 0
and 15
set priority (high|medium|low)-> priority of this type of service

next
end
Each priority level is mapped to a value like following:
ToS Priority Value
High 0
Medium 1
Low 2
Firewall shaping policy priority
In a firewall shaping policy, you can enable traffic shaping. In the shared traffic shaper, you can set the firewall priority to
high, medium, or low:
edit "1"
set priority (high|medium|low)
next
end
Since priority in traffic shaper are set to “high” priority by default, it is necessary to set some traffic at a lower priority to
get results. Each priority level is mapped to a value like following:
Firewall Policy Priority Value
High (default) 1
Medium 2
Low 3
Combination priority
The global or ingress ToS-based priority value is combined with the firewall policy priority value:
Tos priority (0, 1, 2) + policy priority (1, 2, 3) = total priority (queue number)
Let’s take a look at some scenarios:
Case 1: If the current packet rate is less than the guaranteed bandwidth, packets use priority queue 0. In other words,
packet priority = 0.
Case 2:If the current packet rate exceeds the maximum bandwidth, excess packets are dropped.
Case 3:If the current packet rate is greater than the guaranteed bandwidth, but less than maximum bandwidth, the
FortiGate unit assigns a priority queue by adding the ToS-based priority and the firewall priority.
For example, if you have enabled Traffic Shaping in the security policy, and the security policy’s Traffic Priority is Low
(value 3), and the priority normally applied to packets with that ToS bit is medium (value 1), then packets have a total
packet priority of 4, and use priority queue 4.


Security Profiles
Antivirus
Content disarm and reconstruction for Antivirus
Introduction
Content Disarm and Reconstruction (CDR) allows the FortiGate to sanitize Microsoft documents and PDF (disarm) by
removing active content such as hyperlinks, embedded media, javascript, macros, etc. from the office document files
without affecting the integrity of it's textual content (reconstruction).
This feature allows network admins to protect their users from malicious office document files.
Files processed by CDR can have the original copy quarantined on the FortiGate, allowing admins to observe them.
These original copies can also be obtained in the event of a false positive.
Support and limitations
l CDR can only be performed on Microsoft Office Document and PDF files.
l Local Disk CDR quarantine is only possible on FortiGate models that contain a hard disk.
l CDR is only supported on HTTP, SMTP, POP3, IMAP.
l SMTP splice and client-comfort mode is not supported.
l CDR does not work on flow based inspection modes.
l CDR can only work on files in .ZIP type archives.

Network topology example
Configuring the feature
In order to configure AntiVirus to work with CDR, you must enable CDR on your AntiVirus profile, set the quarantine
location, and then fine tune the CDR detection parameters.

To enable CDR on your Antivirus profile:
1. Go to Security Profiles > AntiVirus.

2. Enable the toggle for Content Disarm and Reconstruction under APT Protection Options.
To set a quarantine location:

2. Select a quarantine location from the available options, including Discard, File Quarantine, and FortiSandbox.
Discard The default setting which discards the original document file.
File Quarantine Saves the original document file to disk (if possible) or a connected
FortiAnalyzer based on the FortiGate's log settings, visible through Config
Global > Config Log FortiAnalyzer Setting.
FortiSandbox Saves the original document file to a connected FortiSandbox.
To fine tune CDR detection parameters in the FortiGate CLI:
l Select which active content to detect/process:

l By default, all active office and PDF content types are enabled. To fine tune CDR to ignore certain content,
you must disable that particular content parameter. The example below configures the CDR to ignore
Microsoft Office macros.

FGT_PROXY (vdom1) # config antivirus profile
FGT_PROXY (profile) # edit av

change table entry 'av'
FGT_PROXY (av) # config content-disarm
FGT_PROXY (content-disarm) # set ?

original-file-destination Destination to send original file if active content is
removed.
office-macro Enable/disable stripping of macros in Microsoft Office
documents.
office-hylink Enable/disable stripping of hyperlinks in Microsoft
Office documents.
office-linked Enable/disable stripping of linked objects in Microsoft
Office documents.
office-embed Enable/disable stripping of embedded objects in
Microsoft Office documents.
office-dde Enable/disable stripping of Dynamic Data Exchange
events in Microsoft Office documents.
office-action Enable/disable stripping of PowerPoint action events in
Microsoft Office documents.
pdf-javacode Enable/disable stripping of JavaScript code in PDF
documents.
pdf-embedfile Enable/disable stripping of embedded files in PDF
documents.
pdf-hyperlink Enable/disable stripping of hyperlinks from PDF
documents.
pdf-act-gotor Enable/disable stripping of PDF document actions that
access other PDF documents.
pdf-act-launch Enable/disable stripping of PDF document actions that
launch other applications.
pdf-act-sound Enable/disable stripping of PDF document actions that
play a sound.
pdf-act-movie Enable/disable stripping of PDF document actions that
play a movie.
pdf-act-java Enable/disable stripping of PDF document actions that
execute JavaScript code.
pdf-act-form Enable/disable stripping of PDF document actions that
submit data to other targets.
cover-page Enable/disable inserting a cover page into the disarmed
document.
detect-only Enable/disable only detect disarmable files, do not
alter content.
FGT_PROXY (content-disarm) # set office-macro disable

FGT_PROXY (content-disarm) #
l Detect but do not modify active content:

l By default, CDR will disarm any detected documents containing active content. To prevent CDR from
disarming documents, you can set it to operate in detect-only mode. To do this, the option detect-only must
be enabled.


FGT_PROXY (content-disarm) # set detect-only ?

disable Disable this Content Disarm and Reconstruction feature.
enable Enable this Content Disarm and Reconstruction feature.
FGT_PROXY (content-disarm) # set detect-only enable

l Enabling/disabling the CDR cover page:

l By default, a cover page will be attached to the file's content when the file has been processed by CDR. To
disable the cover page, the paramater cover-page needs to be disabled.

FGT_PROXY (content-disarm) # set cover-page

disable Disable this Content Disarm and Reconstruction feature.
enable Enable this Content Disarm and Reconstruction feature.
FGT_PROXY (content-disarm) # set cover-page disable
FortiGuard Outbreak Prevention for Antivirus
Introduction
FortiGuard Outbreak Prevention was introduced in FortiOS 6.0.0 and allows the FortiGate's AntiVirus database to be
subsidized with third-party malware hash signatures curated by the FortiGuard.
Those hash signatures are obtained from external sources such as VirusTotal, Symantec, Kaspersky, and other third-
party websites and services.
This feature provides the mechanism for AntiVirus to query the FortiGuard with the hash of a scanned file. If the
FortiGuard returns a match from its many curated signature sources, the scanned file is deemed to be malicious.
The concept of FortiGuard Outbreak Prevention is to detect zero-day malware in a collaborative approach.
l FortiGuard Outbreak Prevention can be used in both proxy-based and flow-based policy inspections across all
supported protocols.
l FortiGuard Outbreak Prevention does not support AV in quick scan mode.
l FortiGate must be registered with a valid FortiGuard Outbreak Prevention license before this feature can be used.

In order for AntiVirus to work with an external block list, you must register the FortiGate with a FortiGuard Outbreak
Prevention license and enable FortiGuard Outbreak Prevention in the AntiVirus profile.
To obtain/renew a FortiGuard AntiVirus license:
1. See the following link for instructions on how to purchase or renew a FortiGuard Outbreak Prevention license:
https://video.fortinet.com/products/fortigate/6.0/how-to-purchase-or-renew-fortiguard-services-6-0
2. Once the license has been activated, you can verify its status by going to Global > System > FortiGuard.

To enable FortiGuard Outbreak Prevention in the AntiVirus profile:
2. Select the toggle to enable Use FortiGuard Outbreak Prevention Database.
3. Select Apply.
Diagnostics and debugging
l Check if FortiGate has Outbreak Prevention license:

FGT_PROXY (global) # diagnose debug rating
Locale : english
Service : Web-filter
Status : Enable
License : Contract
Service : Antispam
Status : Disable
Service : Virus Outbreak Prevention

Status : Enable
License : Contract
-=- Server List (Tue Feb 19 16:36:15 2019) -=-
IP Weight RTT Flags TZ Packets Curr Lost Total Lost

Updated Time
192.168.100.185 -218 2 DI -8 113 0 0 Tue Feb
19 16:35:55 2019
l Scanunit daemon showing Outbreak Prevention verdict:

FGT_PROXY (vdom1) # diagnose debug application scanunit -1
Debug messages will be on for 30 minutes.
FGT_PROXY (vdom1) # diagnose debug enable

FGT_PROXY (vdom1) # su 4739 job 1 open

su 4739 req vfid 1 id 1 ep 0 new request, size 313, policy id 1, policy type 0
su 4739 req vfid 1 id 1 ep 0 received; ack 1, data type: 0
su 4739 job 1 request info:
su 4739 job 1 client 10.1.100.11:39412 server 172.16.200.44:80
su 4739 job 1 object_name 'zhvo_test.com'
su 4739 file-typing NOT WANTED options 0x0 file_filter no
su 4739 enable databases 0b (core mmdb extended)
su 4739 job 1 begin http scan
su 4739 scan file 'zhvo_test.com' bytes 68
su 4739 job 1 outbreak-prevention scan, level 0, filename 'zhvo_test.com'
su 4739 scan result 0
su 4739 job 1 end http scan
su 4739 job 1 inc pending tasks (1)
su 4739 not wanted for analytics: analytics submission is disabled (m 0 r 0)
su 4739 job 1 suspend
su 4739 outbreak-prevention recv error
su 4739 ftgd avquery id 0 status 1
su 4739 job 1 outbreak-prevention infected entryid=0
su 4739 report AVQUERY infection priority 1
su 4739 insert infection AVQUERY SUCCEEDED loc (nil) off 0 sz 0 at index 0 total
infections 1 error 0
su 4739 job 1 dec pending tasks 0
su 4739 job 1 send result
su 4739 job 1 close
su 4739 outbreak-prevention recv error
External malware blocklist for Antivirus
Introduction
External Malware Blocklist is a new feature introduced in FortiOS 6.2.0 which falls under the umbrella Outbreak
Prevention.
This feature provides another means of supporting the AV Database by allowing users to add their own malware
signatures in the form of MD5, SHA1, and SHA256 hashes.
This feature provides a mechanism for Antivirus to retrieve an external malware hash list from a remote server and polls
the hash list every n minutes for updates.
Malware detection using External Malware Blocklist can be used in both proxy-based and flow-based policy inspections.
Just like FortiGuard Outbreak Prevention, External Dynamic Block List is not supported in AV quick scan mode.
Using different types of hash simultaneously may slow down the performance of malware scanning. For this reason,
users are recommended to only using one type of hash (either MD5, SHA1, or SHA256), not all three simultaneously.

To configure AntiVirus to work with External Block List:
1. Creating the Malware Hash List

The malware hash list follows a strict format in order for its contents to be valid. Malware hash signatures entries
must be separated into each line. A valid signature needs to follow the format below:
# MD5 Entry with hash description
aa67243f746e5d76f68ec809355ec234 md5_sample1
# SHA1 Entry with hash description

a57983cb39e25ab80d7d3dc05695dd0ee0e49766 sha1_sample2
# SHA256 Entry with hash description

ae9bc0b4c5639d977d720e4271da06b50f7c60d1e2070e9c75cc59ab30e49379 sha256_sample1
# Entry without hash description

0289b0d967cb7b1fb1451339c7b9818a621903090e0020366ab415c549212521
# Invalid entries
7688499dc71b932feb126347289c0b8a_md5_sample2
7614e98badca10b5e2d08f8664c519b7a906fbd5180ea5d04a82fce9796a4b87sha256_sample3
2. Configure External Malware Blocklist source:

l Create new external source on Global > Security Fabric > Fabric Connectors page:
l Select Malware Hash:

l Fill out the fields as shown below. URI should point to the malware hashlist on the remote server:
l Malware Hash source object is now created:

l User can view entries inside the malware blocklist by clicking the View Entries button:
l Malware Has Threatfeed hash_list is shown.
3. Enable External Malware Blocklist in Antivirus profile

l Enable External Malware Blocklist on the AntiVirus profile and apply the change:
Antivirus is now ready to use external malware blocklist.
Check if scanunit daemon has updated itself with the external hashes:
FGT_PROXY # config global
FGT_PROXY (global) # diagnose sys scanunit malware-list list
md5 'aa67243f746e5d76f68ec809355ec234' profile 'hash_list' description 'md5_sample1'
sha1 'a57983cb39e25ab80d7d3dc05695dd0ee0e49766' profile 'hash_list' description 'sha1_sample2'
sha256 '0289b0d967cb7b1fb1451339c7b9818a621903090e0020366ab415c549212521' profile 'hash_list'
description ''
sha256 'ae9bc0b4c5639d977d720e4271da06b50f7c60d1e2070e9c75cc59ab30e49379' profile 'hash_list'
description 'sha256_sample1'
Application Control
Introduction to AppCtrl sensors
FortiGate units can detect and take action against network traffic depending on the application generating the traffic.
Based on FortiGate Intrusion Protection protocol decoders, Application Control is a user-friendly and powerful way to
use Intrusion Protection features to log and manage the behavior of application traffic passing through the FortiGate
unit. Application Control uses IPS protocol decoders that can analyze network traffic to detect application traffic even if
the traffic uses non-standard ports or protocols. Application Control supports detection for traffic using the HTTP
protocol (version 1.0, 1.1, and 2.0).
The FortiGate unit can recognize the network traffic generated by a large number of applications. You can create
Application Control sensors that specify the action to take with the traffic of the applications you need to manage and
the network on which they are active, and then add Application Control sensors to the firewall policies that control the
network traffic you need to monitor.

An Application Control sensor has one or more options/entries configured which examines the app traffic for:
l Application category
l Application signature ID
l Filters overrides
l Custom signature
l Default port service
l Default network service
When selecting the app category, signature, or filter that you intend to work with, the following actions can be set to the
specific entry:
l Allow: App traffic will be allowed and no logs are recorded.
l Monitor: The entry match is allowed and logged.
l Block: Traffic matching the entry will be blocked.
l Reset: The session will be dropped and a new session will be started.
l Quarantine IP address: Traffic matching the entry will be blocked. The client initiating the traffic will be source-ip
banned.
l Shaper/Per-ip-shaper: Max-bandwidth and quaratined-bandwidth values can be set to limit the link speed.
AppCtrl basic category filters and overrides
Once you have created an application sensor, you can define the applications that you want to control. You can add
applications and filters using categories, application overrides, and/or filter overrides.
l Categories: Choose groups of signatures based on a category type.
l Application overrides: Choose individual applications.
l Filter overrides: Select groups of applications and override the application signature settings for them.
Categories
Categories allow you to choose groups of signatures based on a category type.

Applications belonging to the category trigger the action set to the category.

To set category filters in the CLI:
config application list

edit {id}
config entries
edit 1
set category {id}
ID Select Category ID
2 P2P
3 VoIP
5 Video/Audio
6 Proxy
7 Remote.Access
8 Game
12 General.Interest
15 Network.Service
17 Update
21 Email
22 Storage.Backup
23 Social.Media
25 Web.Client
26 Industrial
28 Collaboration
29 Business
30 Cloud.IT
31 Mobile
set action {pass | block | reset}
pass Pass or allow matching traffic.
block Block or drop matching traffic.
reset Reset sessions for matching traffic.
set log {enable | disable}
next
end
next
end
To set category filters in the GUI:
1. Go to Security Profiles > Application Control.

2. Under Categories, left click the icon next to the category name to view a dropdown of actions:
l Allow
l Monitor
l Block
l Quarantine
l View signatures
3. Select OK.

Application and filter overrides
Override type Setting
Application Type: Choose Application for application overrides.

Action: Can be set to Monitor/Allow/Block/Quarantine.
Application: Multiple app signatures can be added for one entry. A slide-in
presenting an application list will be shown to select specific app signatures, and
the search box can be used to filter matched signatures.
Filter Type: Choose Filter for filter overrides.

Action: Can be set to Monitor/Allow/Block/Quarantine.
Filter: Filters can be selected by behavior, application category, technology,
popularity, protocol, risk, or vendor subtypes.
Search box: Can be used to determine if the input signature is included in

selected filters, where matched applications are shown at the bottom.
To set overrides in the CLI:

edit {id}
config entries
edit 1
set protocols {0-47} #network protocol ID
set risk {id}
*level Risk, or impact, of allowing traffic from this application to
occur (1 - 5; Low, Elevated, Medium, High, and Critical).
set vendor {0-25} #vendor ID
set technology {id}
All All
0 Network-Protocol

1 Browser-Based
2 Client-Server
4 Peer-to-Peer
set behavior {id}
All All
2 Botnet
3 Evasive
5 Excessive-Bandwidth
6 Tunneling
9 Cloud
set popularity {1-5} #Popularity level 1-5
set action {pass | block | reset}
pass Pass or allow matching traffic.
block Block or drop matching traffic.
reset Reset sessions for matching traffic.
set log {enable | disable}
next
end
next
end
To set overrides in the GUI:

2. Under the Application and Filter Overrides table, click Create New.
3. To add individual applications:
a. Select Application as the Type.
b. Choose an action to be associated with the application.
c. Select the + button in the Application field and choose the specific applications from the list where app
signatures are displayed. Multiple applications may be selected.
d. Select OK.
4. To add advanced filters:

a. Create another entry in the Application and Filter Overrides table.
b. Select Filter as the Type.

c. Select Cloud under the behavior section from the Select Entries list.
Matched signatures are shown along the bottom.
d. Select OK.
AppCtrl port enforcement check
Most networking applications run on specific ports. For example, SSH runs on port 22, and Facebook runs on port 80
and 443.
If the default network service is enabled in the Application Control profile, a port enforcement check is done at the
application profile level, and any detected application signatures running on the non-standard TCP/IP port are blocked.
This means that each application allowed by the app control sensor is only run on its default port.
To set port enforcement check in the CLI:

edit "default_port"
set enforce-default-app-port {enable | disable}
disable Disable default application port enforcement.
enable Enable default application port enforcement.
config entries
edit 1
set application 15896
set action pass
next
end
next
end
For example, when applying the above appctrl sensor, FTP traffic with the standard port (port 21) is allowed, while the
non-standard port (port 2121) is blocked.

AppCtrl protocol enforcement check
Protocol enforcement allows you to configure networking services (e.g. FTP, HTTP, HTTPS) on known ports (e.g. 21,
80, 443). For protocols which are not whitelisted under select ports, the IPS engine performs the violation action to
block, allow, or monitor that traffic.
This feature acts upon the following two scenarios:
l When one protocol dissector confirms the service of network traffic, protocol enforcement can check whether the
confirmed service is whitelisted under the server port. If it is not, then the traffic is considered a violation and IPS
can take the action specified by config (e.g. block).
l When there is no confirmed service for the network traffic, the traffic is considered a service violation if
IPS dissectors rule out all of the services enforced under its server port.
CLI configuration
In an applicable profile, a default-network-service list can be created to associate well known ports with accepted
services.
To setup protocol enforcement in the CLI:

edit "protocol-GUI"
set other-application-log enable
set control-default-network-services {enable | disable} # Enable/Disable enforcement
of protocols over select ports.
config default-network-services # Default network service
entries
edit 1
set port 80 # Port number, port Enter an
integer value from <0> to <65535>
set services http # Network protocols: http,
ssh, telnet, ftp, dns, smtp, pop3, imap, snmp, nntp and https
next
edit 2
set port 53
set services dns
set violation-action { pass | monitor | block } # Pass, or Log, or block
when non-DNS traffic run over port 53
next
end
next
end
GUI Configuration
A new table is displayed when the Network Protocol Enforcement toggle is set to the On position. Enforced entries can
be created, edited, or deleted to configure network services on certain ports and determine the violation action.

To setup protocol enforcement in the GUI:

2. Enable Network Protocol Enforcement.
4. In the New Default Network Service window:

a. Enter a Port number.
b. Select the Enforced protocols.
c. Choose the Violation action.
d. Select OK.

Web Filter
Introduction to Web Filter
Web Filter is a means of controlling the content that an internet user is able to view. With the increased popularity of
web applications, the need to monitor and control web access is becoming a key component of secure content
management systems that employ antivirus, Web Filter, and messaging security.
This topic provides a general introduction to the Web Filter security profile. Additional information, such as the GUI and
CLI configurations, can be found in subsequent topics.
Web Filter Configuration
Web Filter configuration can be separated into the following parts: Web Filter profile configuration and Web Filter
profile overrides.
There are five components to Web Filter configuration:
l URL filter: Block, allow, exempt, or monitor traffic by URL.
l FortiGuard filter: With a FortiGuard license, you can get the rating of a URL. Action can be taken against the
packet based on its rating.
l Content filter: Block or exempt traffic by checking its content.
l File filter: Log or block a file based on its file type (e.g. ZIP, MP3, PNG).
l Advanced filter
There are two different ways to override Web Filter behavior based on FortiGuard categorization of websites:
l Using alternate categories: Web rating overrides. This method manually assigns a specific website to a different
Fortinet category or a locally created category.
l Using alternate profiles: The traffic going through the FortiGate unit using identity based policies and a Web
Filter profile have the option where configured users or IP addresses can use an alternative Web Filter profile when
attempting to access blocked websites.
URL filter of webfilter
URL filter is also called static URL filter. By adding specific URLs with patterns containing text and regular expressions,
FortiGate can allow, block, exempt, and monitor web pages matching any specified URLs or patterns, and can display a
replacement message instead.

Sample topology
Create URL filter
You can create a URL filter using the GUI or CLI. After creating the URL filter, attach it to a webfilter profile.
To create URL filter in the GUI:
1. Go to Security Profiles > Web Filter and go to the Static URL Filter section.
2. Enable URL Filter.
3. Under URL Filter, select Create New to display the New URL Filter pane.
URL Filter Type Description
Simple FortiGate tries to strictly match the full context. For example, if you enter
www.facebook.com in the URL field, it only matches traffic with www.facebook.com. It
won't match facebook.com or message.facebook.com.
When FortiGate finds a match, it performs the selected URL Action.

URL Filter Type Description
Regular FortiGate tries to match the pattern based on the rules of regular expressions or
Expression or wildcards. For example, if you enter *fa* in the URL field, it matches all the content that
Wildcard has fa such as www.facebook.com, message.facebook.com, fast.com, etc.
When FortiGate finds a match, it performs the selected URL Action.
For more information, see the URL Filter expressions technical note in
https://kb.fortinet.com/kb/documentLink.do?externalID=FD37057.
URL Filter Action Description
Block Denies or blocks attempts to access any URL matching the URL pattern. FortiGate
displays a replacement message.
Allow The traffic is passed to the remaining FortiGuard webfilters, web content filters, web
script filters, antivirus proxy operations, and DLP proxy operations. If the URL does not
appear in the URL list, the traffic is permitted.
Monitor The traffic is processed the same way as the Allow action. For the Monitor action, a log
message is generated each time a matching traffic pattern is established.
Exempt The traffic is allowed to bypass the remaining FortiGuard webfilters, web content filters,
web script filters, antivirus scanning, and DLP proxy operations
4. For example, enter *facebook.com and select Wildcard and Block; and select OK.
After creating the URL filter, attach it to a webfilter profile.
Create URL filter using CLI
To create and enable a URL filter using the CLI, create the URL filter and then attach it to a webfilter profile. The CLI
commands below show the full configuration of creating a URL filter.
config webfilter urlfilter
edit {id}
# Configure URL filter lists.
set name {string} Name of URL filter list. size[35]
config entries
edit {id}
# URL filter entries.
set url {string} URL to be filtered. size[511]
set type {simple | regex | wildcard} Filter type (simple, regex, or wildcard).
simple Simple URL string.

regex Regular expression URL string.

wildcard Wildcard URL string.
set action {exempt | block | allow | monitor} Action to take for URL filter
matches.
exempt Exempt matches.
block Block matches.
allow Allow matches (no log).
monitor Allow matches (with log).
set status {enable | disable} Enable/disable this URL filter.
set exempt {option} If action is set to exempt, select the security profile oper-
ations that exempt URLs skip. Separate multiple options with a space.
av AntiVirus scanning.
web-content Web Filter content matching.
activex-java-cookie ActiveX, Java, and cookie filtering.
dlp DLP scanning.
fortiguard FortiGuard web filter.
range-block Range block feature.
pass Pass single connection from all.
all Exempt from all security profiles.
set referrer-host {string} Referrer host name. size[255]
next
next
end
To create URL filter to filter Facebook using the CLI:
config webfilter urlfilter

edit 1
set name "webfilter"
config entries
edit 1
set url "*facebook.com"
set type wildcard
set action block
next
end
next
end
To attach the URL filter to a webfilter profile:
config webfilter profile

edit "webfilter" <-- the name of the webfilter profile
config web
set urlfilter-table 1 <-- the URL filter created with ID number 1
end
config ftgd-wf
unset options
end
next
end
Attach webfilter profile to the firewall policy
After you have created the URL filter and attached it to a webfilter profile, you must attach the profile to a firewall policy.

To attach a webfilter profile to a firewall policy using the GUI:

2. Edit the policy that you want to enable the webfilter.
3. In the Security Profiles section, enable Web Filter and select the profile you created.
To attach a webfilter profile to a firewall policy using the CLI:

edit 1
set name "WF"
set uuid b725a4d4-5be5-51e9-43fa-6d4e67d56bad
set srcintf "wan2"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
set inspection-mode proxy
set logtraffic all
set webfilter-profile "webfilter" <-- attach the webfilter profile you just
created.
set profile-protocol-options "protocol"
set ssl-ssh-profile "protocols"
set nat enable
next
end

Validate the URL filter results
Validate the URL filter results by going to a blocked website. For example, when you go to the Facebook website, you
see the replacement message.
To customize the URL web page blocked message:

2. Go to the Security section and select URL Block Page.
3. Set up a custom message for blocked pages.

To check webfilter logs in the GUI:
1. Go to Log & Report > Web Filter.
2. If there are too many log entries, click Add Filter and select Event Type > urlfilter to display logs generated by the
URL filter.
To check webfilter logs in the CLI:
FGT52E-NAT-WF # execute log filter category utm-webfilter
FGT52E-NAT-WF # execute log display
1: date=2019-04-22 time=11:48:43 logid="0315012544" type="utm" subtype="webfilter" event-

type="urlfilter" level="warning" vd="vdom1" eventtime=1555958923322174610 urlfilteridx=0 url-
source="Local URLfilter Block" policyid=1 sessionid=649063 srcip=10.1.200.15 srcport=50472
srcintf="wan2" srcintfrole="wan" dstip=157.240.18.35 dstport=443 dstintf="wan1" dstint-
frole="wan" proto=6 service="HTTPS" hostname="www.facebook.com" profile="webfilter" action-
n="blocked" reqtype="direct" url="/" sentbyte=1171 rcvdbyte=141 direction="outgoing" msg="URL
was blocked because it is in the URL filter list" crscore=30 craction=8 crlevel="high"
FortiGuard filter of Web Filter
To use this service, you must have a valid subscription on your FortiGate.
FortiGuard filter enhances the Web Filter features supplied with your FortiGate unit by sorting billions of web pages into
a wide range of categories that users can allow or block.
FortiGuard Web Filter services includes over 45 million individual website rating that applies to more than two billion
pages. When FortiGuard filter is enabled in a Web Filter and is applied to firewall policies, if a request for a web page
appears in traffic controlled by one of the firewall policies, the URL is sent to the nearest FortiGuard server. The URL
category or rating is returned. If the category is blocked, the FortiGate shows a replacement message in place of the
requested page. If the category is not blocked, the page request is sent to the requested URL as normal.

FortiGuard Web Filter action
You can select one of the following FortiGuard Web Filter actions:
FortiGuard Web Description

Filter Action
Allow Permit access to the sites in the category.
Block Prevent access to the sites in the category. Users trying to access a blocked site sees a
replacement message indicating the site is blocked.
Monitor Permits and logs access to sites in the category. You can enable user quotas when you
enable this action.
Warning Displays a message to the user allowing them to continue if they choose.
Authenticate Requires the user to authenticate with the FortiGate before allowing access to the category
or category group.
FortiGuard Web Filter categories
FortiGuard has many Web Filter categories including two local categories and a special remote category. For more
information on the different categories, see the table below.
FortiGuard Web Filter Where to find more information

category
All URL categories https://fortiguard.com/webfilter/categories.

Remote category External resources for Web Filter on page 374.
The priority of categories is local category > external category > FortiGuard built-in category. If a URL is configured as a
local category, it only follows the behavior of local category and not external or FortiGuard built-in category.
Sample configuration of blocking a web category
This example shows blocking a website based on its category (rating), for example, information technology.
To block a category in the GUI:
1. Go to Security Profiles > Web Filter and go to the FortiGuard category based filter section.
2. Open the General Interest - Business section by clicking the + icon beside it.

3. Select Information Technology and then select Block.
To block a category in the CLI:

edit "webfilter"
config ftgd-wf
unset options
config filters
edit 1
set category 52 <-- the pre-set id of "information technology" caterogy
set action block <-- set action to block
next
end
end
next
end
To validate that you have blocked a category:
1. Go to a website belonging to the blocked category, for example, www.fortinet.com, and you see a blocked page
and the category that is blocked.

To view the log of a blocked website in the GUI:
1. Go to Log & Report > Web Filter.
To view the log of a blocked website in the CLI:
FGT52E-NAT-WF # execute log filter category utm-webfilter
FGT52E-NAT-WF # execute log display

type="ftgd_blk" level="warning" vd="vdom1" eventtime=1555965984972459609 policyid=1 ses-
sionid=659263 srcip=10.1.200.15 srcport=49234 srcintf="wan2" srcintfrole="wan"
dstip=54.183.57.55 dstport=80 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTP" host-
name="www.fortinet.com" profile="webfilter" action="blocked" reqtype="direct" url="/" sent-
byte=386 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy"
method="domain" cat=52 catdesc="Information Technology"

Sample configuration of issuing a warning
This example shows issuing a warning when a user visits a website based on its category (rating), for example,
information technology.
To configure a warning in the GUI:
3. Select Information Technology and then select Warning.
4. Set the Warning Interval which is the interval when the warning page appears again after the user chooses to
continue.
To configure a warning in the CLI:

edit "webfilter"
config ftgd-wf
unset options
config filters
edit 1
set category 52
set action warning <-- set action to warning
next
end
end
next
end

To validate that you have configured the warning:
1. Go to a website belonging to the selected category, for example, www.fortinet.com, and you see a warning page
where you can choose to Proceed or Go Back.
Sample configuration of authenticating a web category
This example shows authenticating a website based on its category (rating), for example, information technology.
To authenticate a category in the GUI:
3. Select Information Technology and then select Authenticate.

4. Set the Warning Interval which is the interval when the authentication page appears again after authentication.
5. Click the + icon beside Selected User Group and select a user group. You must have a valid user group to use this
feature.
To authenticate a category in the CLI:

edit "webfilter"
config ftgd-wf
unset options
config filters
edit 1
set category 52
set action authenticate <-- set the action of authenticate
set auth-usr-grp "local_group" <-- user to authenticate
next
end
end
next
end
To validate that you have configured authentication:
1. Go to a website belonging to the selected category, for example, www.fortinet.com. First, you see a warning page
where you can choose to Proceed or Go Back.

2. Click Proceed to check that the authentication page appears.
3. Enter the username and password of the user group you selected, and click Continue.
If the credentials are correct, the traffic is allowed through.
Sample customization of the replacement page
When the FortiGuard Web Filter action is Block, Warning, or Authenticate, there is a Customize option for you to
customize the replace page.
To customize the replace page:
2. Right-click the item and select Customize.

3. A pane appears for you to customize the page.
Quota of Web Filter
In addition to using category and classification blocks and overrides to limit user access to URLs, you can set a daily
quota by category, category group, or classification. Quotas allow access for a specified length of time or a specific
bandwidth, and is calculated separately for each user. Quotas are reset everyday at midnight.
Quotas can be set only for the actions of Monitor, Warning, or Authenticate. When the quota is reached, the traffic is
blocked and the replacement page displays.
You can only use quotas when inspection mode is Proxy.
Sample topology

Sample configuration of setting a quota
This example shows setting a time quota for a category, for example, the Education category.
To configure a quota in the GUI:
2. Open the General Interest - Personal section by selecting the + icon beside it.
3. Select Education and then select Monitor.
4. In the Category Usage Quota section, select Create New.
5. In the right pane, select the Category field and then select Education.
6. For the Quota Type, select Time and set the Total quota to 5 minute(s).
7. Select OK and the Category Usage Quota section displays the quota.
8. Validate the configuration by visiting a website in the education category, for example https://www.harvard.edu/.
You can view websites in the education category.

9. Check the used and remaining quota in Monitor > FortiGuard Quota.
10. When the quota reaches its limit, traffic is blocked and the replacement page displays.
To configure a quota in the CLI:

edit "webfilter"
config ftgd-wf
unset options
config filters
edit 1
set category 30 <-- the id of education category
next
end
config quota
edit 1
set category 30
set type time
set duration 5m
next
end
end
next
end
Web content filter of Web Filter
You can control access to web content by blocking web pages containing specific words or patterns. This helps to
prevent access to pages with questionable material. You can specify words, phrases, patterns, wildcards and Perl
regular expressions to match content on web pages. You can use multiple web content filter lists and select the best
web content filter list for each Web Filter profile.

Pattern type
When you have created the Web Filter content list, you need to add web content patterns to it. There are two types of
patterns: wildcard and regular expression.
Wildcard
Use the wildcard setting to block or exempt one word or text strings of up to 80 characters. You can also use wildcard
symbols such as ? or * to represent one or more characters. For example, a wildcard expression forti*.com matches
fortinet.com and forticare.com. The * represents any character appearing any number of times.
Regular expression
Use the regular expression setting to block or exempt patterns of Perl expressions which use some of the same symbols
as wildcard expressions but for different purposes. In regular expressions, * represents the character before the symbol.
For example, forti*.com matches fortiii.com but not fortinet.com or fortiice.com. In this case, the symbol * represents i
appearing any number of times.
The maximum number of web content patterns in a list is 5000.
Content evaluation
The web content filter feature scans the content of every web page that is accepted by a security policy. The system
administrator can specify banned words and phrases and attach a numerical value, or score, to the importance of those
words and phrases. When the web content filter scan detects banned content, it adds the scores of banned words and
phrases found on that page. If the sum is higher than a threshold set in the Web Filter profile, FortiGate blocks the
page.
The default score for web content filter is 10 and the default threshold is 10. This means that by default, a web page is
blocked by a single match.
Banned words or phrases are evaluated according to the following rules:
l The score for each word or phrase is counted only once, even if that word or phrase appears many times in the web
page.
l The score for any word in a phrase without quotation marks is counted.
l The score for a phrase in quotation marks is counted only if it appears exactly as written.
Sample of applying banned pattern rules
The following table is an example of how rules are applied to the contents of a web page. For example, a web page
contains only this sentence:
The score for each word or phrase is counted only once, even if that word or phrase appears many times in the web
page.

Banned Assigned Score Threshold Comment

pattern score added to score
the sum
for the
entire
page
word 20 20 20 Appears twice but only counted once. Web page is

blocked.
word phrase 20 40 20 Each word appears twice but only counted once giving a
total score of 40. Web page is blocked.
word sentence 20 20 20 “word” appears twice, “sentence” does not appear, but
since any word in a phrase without quotation marks is
counted, the score for this pattern is 20. Web page is
blocked.
"word 20 0 20 This phrase does not appear exactly as written. Web page
sentence" is allowed.
"word or 20 20 20 This phrase appears twice but is counted only once. Web
phrase" page is blocked.
To configure web content filter in the GUI:
2. Enable Content Filter to display its options.
3. Select Create New to display the content filter options.

4. For Pattern Type, select Regular Expression and enter fortinet in the Pattern field.
l Leave Language as Western.
l Set Action to Block.
l Set Status to Enable.
5. Select OK to see the updated Static URL Filter section.
6. Validate the configuration by visiting a website with the word fortinet, for example, www.fortinet.com. The website
is blocked and a replacement page displays.
To configure web content filter in the CLI:
1. Create a content table:

config webfilter content
edit 1 <-- the id of this content
set name "webfilter"
config entries
edit "fortinet" <-- the banned word
set pattern-type regexp <-- the type is regular expression
set status enable
set lang western
set score 10 <-- the score for this word is 10
set action block
next
end

next
end
2. Attach the content table to the Web Filter profile:

edit "webfilter"
config web
set bword-threshold 10 <-- the threshold is 10
set bword-table 1 <-- the id of content table we created in the previous
step
end
config ftgd-wf
unset options
end
next
end
Advanced Filters 1
This topic gives examples of the following advanced filter features:

l Block malicious URLs discovered by FortiSandbox on page 362
l Allow websites when a rating error occurs on page 363
l Rate URLs by domain and IP address on page 363
l Block invalid URLs on page 364
l Rate images by URL on page 364
Block malicious URLs discovered by FortiSandbox
To use this feature, you must be registered to a FortiSandbox and be connected to it.
This feature blocks malicious URLs that FortiSandbox finds.
To enable this feature in the GUI:
2. Enable Block malicious URLs discovered by FortiSandbox.
To enable this feature in the CLI:

edit "webfilter"
config web
set blacklist enable
end

next
end
Allow websites when a rating error occurs
If you don't have a FortiGuard license but you have enabled services that need a FortiGuard license, such as FortiGuard
filter, then you'll get a rating error message.
Use this setting to allow access to websites that return a rating error from the FortiGuard Web Filter service.
1. Go to Security Profiles > Web Filter and go to the Rating Options section.
2. Enable Allow websites when a rating error occurs.

edit "webfilter"
config ftgd-wf
set options error-allow
end
next
end
Rate URLs by domain and IP address
If you enable this feature, in addition to only sending domain information to FortiGuard for rating, FortiGate always
sends both the URL domain name and the TCP/IP packet's IP address (except for private IP addresses) to FortiGuard
for the rating.
FortiGuard server might return a different category of IP address and URL domain. If they are different, FortiGate uses
the rating weight of the IP address or domain name to determine the rating result and decision. This rating weight is
hard-coded in FortiGate.
For example, if we use a spoof IP of Google as www.irs.gov, FortiGate will send both the IP address and domain name
to FortiGuard to get the rating. In this example, we get two different ratings, one is search engine and portals which
belongs to the IP of Google, another is government and legal organizations which belongs to www.irs.gov. As
the search engine and portals has a higher weight than government and legal organizations, this traffic will be rated
as search engine and portals and not rated as government and legal organizations.

2. Enable Rate URLs by domain and IP address.

edit "webfilter"
config ftgd-wf
set options rate-server-ip
end
next
end
Block invalid URLs
Use this feature to block websites when their SSL certificate CN field does not contain a valid domain name.
For example, this option blocks URLs which contains spaces. If there is a space in the URL, it must be written
as: http://www.example.com/space%20here.html.
2. Enable Block invalid URLs .

edit "webfilter"
set options block-invalid-url
next
end
Rate images by URL
This feature enable FortiGate to retrieve ratings for individual images in addition to websites. Images in a blocked
category are not displayed even if they are part of a site in an allowed category. Blocked images are replaced with blank
placeholders. These image file types are rated: GIF, JPEG, PNG, BMP, and TIFF.

This feature requires a valid FortiGuard license, otherwise rating errors will occur. By default, this feature is enabled.
For example, if the Other Adult Materials category is blocked, before enabling Rate images by URL, the image is not
blocked:
After enabling Rate images by URL, images in the Other Adult Materials category are blocked. For example:

2. Enable Rate images by URL.

edit "webfilter"
config ftgd-wf
unset options
set rate-image-urls enable
end
next
end
Advanced Filters 2
This topic gives examples of the following advanced filter features:

l Safe search on page 366
l YouTube education filters on page 367
l Restrict YouTube access on page 367
l YouTube channel filtering on page 368
l Log all search keywords on page 369
l Restrict Google account usage to specific domains on page 369
l HTTP POST Action on page 370
l Remove Java applets, remove ActiveX, and remove cookies on page 371
These advanced filters are only available when inspection mode is Proxy.
Safe search
This feature applies to popular search sites and prevents explicit websites and images from appearing in search results.
Supported search sites are:
l Google
l Yahoo
l Bing
l Yandex

1. Go to Security Profiles > Web Filter and go to the Search Engines section.
2. Enable Enforce 'Safe Search' on Google, Yahoo!, Bing, Yandex.

edit "webfilter"
config web
set safe-search url
end
next
end
YouTube education filters
Use these features to limit users' access to YouTube channels, such as in an education environment where you want
students and users to be able to access YouTube education videos but not other YouTube videos.
Restrict YouTube access
Formerly, YouTube for Schools was a way to access educational videos inside a school network. This YouTube feature
lets schools access educational videos on YouTube EDU and to specify the videos accessible within the school network.
When Google stopped supporting YouTube for Schools on July 1, 2016, YouTube safe search also stopped working.
Google provides information on restricting YouTube content such as Restrict YouTube content available to G Suite
users. At this time, the options Google offers to restrict inappropriate content includes: DNS, HTTP headers, and
Chromebooks..
2. Enable Restrict YouTube Access and select Strict or Moderate.

edit "webfilter"
config web
set youtube-restrict strict
end

next
end
YouTube channel filtering
This Web Filter feature is also called Restrict YouTube access to specific channels. Use this feature to block or only
allow matching YouTube channels.
The following identifiers are used:
given <channel-id>, affect on:
www.youtube.com/channel/<channel-id>
www.youtube.com/user/<user-id>
matches channel-id from <meta itemprop="channelId" content="UCGzuiiLdQZu9wxDNJHO_JnA">

www.youtube.com/watch?v=<string>
matches channel-id from <meta itemprop="channelId" content="UCGzuiiLdQZu9wxDNJHO_JnA">
1. Go to Security Profiles > Web Filter and go to the Proxy Options section.
2. Enable Restrict YouTube access to specific channels.
3. Select Create New and specify the Channel ID, for example, UCGzuiiLdQZu9wxDNJHO_JnA.
4. Select OK and the option shows the Channel ID and its Link.


edit "webfilter"
set youtube-channel-status whitelist <-- whitlist: only allow the traffic belongs to
this channel id and relative identifiers
blacklist: only block the traffic belongs to

this channel id and relative identifiers and allow the other traffic pass
config youtube-channel-filter
edit 1
set channel-id "UCGzuiiLdQZu9wxDNJHO_JnA"
next
end
next
end
Log all search keywords
Use this feature to log all search phrases.
2. Enable Log all search keywords.

edit "webfilter"
config web
set log-search enable
end
next
end
Restrict Google account usage to specific domains
Use this feature to block access to some Google accounts and services while allowing access to accounts in the
domains in the exception list.

2. Enable Restrict Google account usage to specific domains.
3. Select the + button and enter the domains that Google can access, for example, www.fortinet.com.
When you try to use Google services like Gmail, only traffic from the domain of www.fortinet.com can go through.
Traffic from other domains is blocked.
HTTP POST Action
Select the action to take with HTTP POST traffic. HTTP POST is the command used by your browser when you send
information, such as a form you have filled-out or a file you are uploading to a web server.
The action options are Allow or Block. The default is Allow.
2. For HTTP POST Action, select Allow or Block.

edit "webfilter"
set post-action [normal/block]
config ftgd-wf
unset options
end
next
end

Remove Java applets, remove ActiveX, and remove cookies
The Remove Java Applets feature filters java applets from web traffic. Websites using java applets might not function
properly if you enable this filter.
The Remove ActiveX feature filters ActiveX scripts from web traffic. Websites using ActiveX might not function properly
with if you enable this filter.
The Remove Cookies feature filters cookies from web traffic. Websites using cookies might not function properly if you
enable this filter.
2. Select the filters you want to use: Remove Java Applets, Remove ActiveX, and/or Remove Cookies.

edit "webfilter"
set options activexfilter cookiefilter javafilter <-- enable one or more of act-
ivexfilter cookiefilter javafilter.
config ftgd-wf
unset options
end
next
end

Web rating override
Web rating override requires a FortiGuard license.

This option is for you to categorize websites by different criteria. Even for the same criterion, an organization might want
to block most websites in a category while allowing access to specific URLs in that category.
For example, a website called example.com is in the subcategory of pornography and the organization uses FortiGuard
Web Filter to block access to sites in the category of pornography. However, in this example, example.com is a client
and that website is for artists that specialize in nudes and erotic images. In this example, there are two approaches. The
first is to use the web rating override function to assign example.com to the nudity and risque category instead of
pornography category to match the criteria that the organization goes by. The second approach is to assign the website
to a custom category that is not blocked because the website belongs to a client and staff need to access that website.
Another example from the reverse perspective is a school decides that a website specializing in selling books online
should not be accessible because it sells books with violent subject matter. Fortinet categorizes this website,
example2.com, as General Interest - Business with the subcategory of Shopping and Auction, which is a category that is
allowed. In this example, the school can reassign this website to the category Adult Material which is a blocked
category.
You can assign a website to a built-in category or a custom category.
Create a local custom category
You can create a custom or local category and assign a URL to it.
To create a custom category in the GUI:
1. Go to Security Profiles > Web Rating Overrides and click Custom Categories.
2. In the Custom Categories pane, click Create New.

3. Enter the category Name, for example, mylocalcategory.
4. Click OK.
The custom category appears in Web Filter under Local Categories where you can change the Action for that
category.
To create a custom category in the CLI:
config webfilter ftgd-local-cat

edit "custom1"
set id 140
next
edit "custom2"
set id 141
next
edit "mylocalcategory" <<---- the name of category you created
set id 142 <<---- the id for this category in Web Filter profile
next
end
To change the action to block for a custom category in the CLI:

edit "webfilter"
config ftgd-wf
unset options
config filters
edit 142 <<---- this is the id of local category
set action block <<---- set the action to block
next
end
end

next
end
Override URL category
You can override a URL to another category or to a custom category. This example shows overriding www.fortinet.com
to the custom category: mylocalcategory.
To override a URL category in the GUI:
1. Go to Security Profiles > Web Rating Overrides and click Create New.
2. In the New Web Rating Overrides pane, enter the URL you want to re-categorize.
3. To view the URL's current rating, click Lookup Rating.
4. In the Override to section:
a. For Category, select Custom Categories.
b. For Sub-Category, select mylocalcategory.
5. Click OK.
The URL www.fortinet.com now belongs to the mylocalcategory category.
To override a URL category in the CLI:
config webfilter ftgd-local-rating

edit "www.fortinet.com"
set rating 142 <<---- this is the id of mylocalcategory
next
end
External resources for Web Filter
Introduction
External Resources is a new feature introduced in FortiOS 6.0, which provides a capability to import an external blacklist
which sits on an HTTP server. This feature helps FortiGate retrieve a dynamic URL/Domain Name/IP Address/Malware
hash list from an external HTTP server periodically. FortiGate uses these external resources as Web Filter's remote
categories, DNS Filter's remote categories, policy address objects or AntiVirus profile's malware definitions. If the
external resource is updated, FortiGate objects will update dynamically.

External Resource are categorized into 4 types:

l URL list (Type=category)
l Domain Name List (Type=domain)
l IP Address list (Type=address)
l Malware hash list (Type=malware)
For Web Filter profile, it can use category type external resources. Category type external resources file is a URL entries
list in a plain text file.
When a category type external resource is configured in Web Filter profile, it will be treated as a Remote Category. If
the URL in a HTTP/HTTPS request matches the entry inside this external resource file, it will be treated as the Remote
Category and follow the action configured for this category in Web Filter profile.
External resource type category also can be used in ssl-ssh-profile configuration for category-based SSL-Exempt.
When a Remote Category is configured in ssl-ssh-profile SSL-Exempt, if a HTTPS request's URL matches in the
Remote Category’s entry list, HTTPS request with destination for this URL can be exempted from SSL Deep Inspection.
External Resources File Format
External Resources File should follow the following requirements:

l The external resource file is a plain text format file and each URL list/IP Address/Domain Name occupies a single
line.
l The file is limited to 10M, line is limited 128K (128 x 1024 entries), and the line length limit is 4K characters.
l The entries limited also follow table size limitation defined by CMDB per model.
l The external resource update period can be set to 1 minute, hourly, daily, weekly, or monthly (43200 min, 30 days).
l The external resource type as category (URL list) and domain (Domain Name list) share the category number range
192-221 (total 30 categories).
l There's no duplicated entry validation for external resources file (entry inside each file or inside different files).
For URL list (Type=category):
Scheme is optional, and will be truncated if found (http://, https:// is not needed).
Wildcard (*) is supported (from 6.2). It supports the '*' at beginning and ending of URL, and not in the middle of URL as
follows:
+ support *.domain2.com, domain.com.* + not support: domain3.*.com
IDN (International Domain Name) and UTF encoding URL is supported (from 6.2).
IPv4,IPv6 format URL is supported. IPv6 in URL list must in [ ] form.
Configure External Resources from CLI
We can use CLI to configure the external resources files that is located on external HTTP Server. Under Global,
configure the external resource file location and specify the resource type.
Web Filter will use category type external resources as Remote Categories. In the following example, it is configured a
file Ext-Resource-Type-as-Category-1.txt as type as category, it will be treated in Web Filter as Remote Category, the
category name configured as Ext-Resource-Type-as-Category-1 and category-id as 192:
edit "Ext-Resource-Type-as-Category-1"
set type category <----

set category 192 <----

set resource "http://172.16.200.66/external-resources/Ext-Resource-Type-as-Category-
1.txt"
set refresh-rate 1
next
end
Now in each VDOM, category type external resource can be used in Web Filter as Remote Cateogry. In the example
above, URL list in "Ext-Resource-Type-as-Category-1.txt" file will be treated as remote category (category-id 192).
Configure the action for this remote category in Web Filter profile and apply it in the policy:
edit "webfilter"
config ftgd-wf
unset options
config filters
edit 1
set category 2
set action warning
next
......
edit 24
set category 192 <----
set action block
next
edit 25
set category 221
set action warning
next
edit 26
set category 193
next
end
end
set log-all-url enable
next
end

edit 1
set name "WebFilter"
set dstintf "port9"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
set logtraffic all
set webfilter-profile "webfilter"
set nat enable
next
end

Configure External Resources from GUI
Configure, edit or view the Entries for external resources from GUI.
1. GUI > Global > Fabric Connectors page:
2. GUI > Global > Fabric Connectors page > Create New. Click Create New button, and select Threat Feeds Type
FortiGuard Category.
3. GUI > Global > Fabric Connectors page. Enter the Resource Name, URL Location of the resource file, resource
authentication credential, Refresh Rate or comment, and click OK to finish the Threat Feeds configuration.

4. GUI > Global > Fabric Connectors page. After a few minutes, double-click the Threat Feeds Object you just
configured. It is shown in the Edit page. Click View Entries to view the entry list in the external resources file:
5. GUI > VDOM > Web Filter Profile page. The configured external resources is shown and configured in each Web
Filter Profile:

Log Example
If a HTTP/HTTPS request URL matched in Remote Category's entry list, it will override its original FGD URL rating and
it is treated as Remote Category.
GUI > VDOM > Log & Report > Web Filter:
CLI Example:

type="ftgd_blk" level="warning" vd="vdom1" eventtime=1547855353 policyid=1 sessionid=88922
srcip=10.1.100.18 srcport=39886 srcintf="port10" srcintfrole="undefined" dstip=216.58.193.67

dstport=443 dstintf="port9" dstintfrole="undefined" proto=6 service="HTTPS" host-

name="www.fortinet.com" profile="webfilter" action="blocked" reqtype="direct" url="/" sent-
byte=752 rcvdbyte=10098 direction="outgoing" msg="URL belongs to a denied category in policy"
method="domain" cat=192 catdesc="Ext-Resource-Type-as-Category-1"
Remote Category in ssl-ssh-profile category-based SSL-Exempt
Remote Category can be applied in ssl-ssh-profile category-based SSL-Exempt.

GUI > VDOM > Security Profiles > SSL/SSH Inspection:
HTTPS Request URL matched in this Remote Category will be exempted from SSL Deep Inspection.
Log example:

type="ssl-exempt" level="information" vd="vdom1" eventtime=1547856379 policyid=1 ses-
sionid=90080 srcip=10.1.100.18 srcport=39942 srcintf="port10" srcintfrole="undefined"
dstip=216.58.193.67 dstport=443 dstintf="port9" dstintfrole="undefined" proto=6 ser-
vice="HTTPS" hostname="www.fortinet.com" profile="webfilter" action="passthrough" req-
type="direct" url="/" sentbyte=517 rcvdbyte=0 direction="outgoing" msg="The SSL session was
exempted." method="domain" cat=192 catdesc="Ext-Resource-Type-as-Category-1" url-
source="exempt_type_user_cat"
Local Category and Remote Category Priority
Web Filter can have both local category and remote category at the same time. There's no duplication check between
local category URL override and remote category resource file. For example, a URL like www.example.com may be
shown both in remote category entry list and in FortiGate's local category URL override configuration. We recommend
avoiding this scenario since FortiGate does not check for duplicates. However, if a URL is duplicated in both local
category and remote category, it is rated as local category.

File filter for Web Filter
Introduction
File Filter is a new feature introduced in FortiOS 6.2, and provides the Web Filter profile with the capability to block files
passing through a FortiGate based on file type. In addition, the configuration for file type filtering has been greatly
simplified. In previous FortiOS versions, File Filtering could only be achieved by configuring a DLP (Data Leak
Prevention) sensor.
In FortiOS 6.2, HTTP and FTP File Filtering is configurable in Web Filter profile, and SMTP, POP3, IMAP file-filtering is
configurable in Email filter profile. Currently, File Filtering in Web Filter profile is based on file type (file's meta data)
only, and not on file size or file content. Users will still need to configure a DLP sensor to block files based on size or
content such as SSN numbers, credit card numbers or regexp.
FTP inspection and GUI configuration have yet to be implemented. In addition, Web Filter File Filtering will only work
on proxy mode policies.
File Types Supported
File Filter in Web Filter profile supports the following file types:
File Type Name Description
all Match any file
7z Match 7-zip files
arj Match arj compressed files
cab Match Windows cab files
lzh Match lzh compressed files
rar Match rar archives
tar Match tar files
zip Match zip files
bzip Match bzip files
gzip Match gzip files
bzip2 Match bzip2 files
xz Match xz files
bat Match Windows batch files
msc Match msc files
uue Match uue files
mime Match mime files
base64 Match base64 files
binhex Match binhex files

bin Match bin files
elf Match elf files
exe Match Windows executable files
hta Match hta files
html Match html files
jad Match jad files
class Match class files
cod Match cod files
javascript Match javascript files
msoffice Match MS-Office files. For example, doc, xls, ppt, and so on.
msofficex Match MS-Office XML files. For example, docx, xlsx, pptx, and so on.
fsg Match fsg files
upx Match upx files
petite Match petite files
aspack Match aspack files
prc Match prc files
sis Match sis files
hlp Match Windows help files
activemime Match activemime files
jpeg Match jpeg files
gif Match gif files
tiff Match tiff files
png Match png files
bmp Match bmp files
ignored Match ignored files
unknown Match unknown files
mpeg Match mpeg files
mov Match mov files
mp3 Match mp3 files
wma Match wma files

wav Match wav files
pdf Match pdf files
avi Match avi files
rm Match rm files
torrent Match torrent files
msi Match Windows Installer msi bzip files
mach-o Match Mach object files
dmg Match Apple disk image files
.net Match .NET files
xar Match xar archive files
chm Match Windows compiled HTML help files
iso Match ISO archive files
crx Match Chrome extension files
Configure File Filter from CLI
Using CLI, configuration for File Filtering is nested inside Web Filter profile's configuration.
In File filtering configuration, file filtering functionality and logging is independent of the Web Filter profile.
To block or log a file type, configure file filter entries. Within each entry, specify a file-type, action (log|block), protocol to
inspect (http|ftp), direction we want to inspect traffic (incoming|outgoing|any), and match only encrypted files. In
addition, in each file filter entry we can specify multiple file types. File filter entries are ordered, however, blocked will
take precedence over log.
In the CLI example below, we want to file filter the following using Web Filter profile:
1. Block PDFs from entering our leaving our network (filter1).
2. Log the download of some graphics file-types via HTTP (filter2).
3. Block EXE files from leaving to our network via FTP (filter3).
edit "webfilter-file-filter"
config file-filter
set status enable <-- Allow user to disable/enable file
filtering
set log enable <-- Allow user to disable/enable logging for
file filtering
set scan-archive-contents enable <-- Allow scanning of files inside archives
such as ZIP, RAR etc.
config entries
edit "filter1"
set comment "Block PDF files"
set protocol http ftp <-- Inspect HTTP and FTP traffic
set action block <-- Block file once file type is matched

set direction any <-- Inspect both incoming and outgoing traffic
set encryption any <-- Inspect both encrypted and un-encrypted
files
set file-type "pdf" <-- Choosing the file type to match
next
edit "filter2"
set comment "Log graphics files"
set protocol http <-- Inspect only HTTP traffic
set action log <-- Log file once file type is matched
set direction incoming <-- Only inspect incoming traffic
set encryption any
set file-type "jpeg" "png" "gif" <-- Multiple file types can be configured
in a single entry
next
edit "filter3"
set comment "Block upload of EXE files"
set protocol ftp <-- Inspect only FTP traffic
set action log
set direction outgoing <-- Inspect only outgoing traffic
set encryption any
set file-type "exe"
next
end
end
end
After configuring File Filter in Web Filter profile we must apply it to a firewall policy using the following command:
edit 1
set name "client-to-internet"
set srcintf "dmz"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
set utm-inspection-mode proxy
set logtraffic all
set webfilter profile "webfilter-filefilter"
set nat enable
next
end

Log Example
GUI > VDOM > Log & Report > Web Filter:
Reliable Web Filter statistics
Introduction
FortiOS 6.2.0 provides command line tools to view the Web Filter statistics report. These command line tools currently
fall into either proxy-based or flow-based Web Filter statistics commands.
Proxy-based Web Filter statistics report
l The proxy-based Web Filter statistics command line tools are as follows. These commands are available in both
global or per-VDOM command lines.
#diagnose wad filter <----define the interested objects for output
(global) # diag wad ?
console-log Send WAD log messages to the console.
debug Debug setting.
stats Show statistics.
filter Filter for listing sessions or tunnels. <----use filter to filter-out
interested object and output
kxp SSL KXP diagnostics.
user User diagnostics.
memory WAD memory diagnostics.
restore Restore configuration defaults.
history Statistics history.
session Session diagnostics.
tunnel Tunnel diagnostics.
webcache Web cache statistics.
worker Worker diagnostics.
csvc Cache service diagnostics.

#diagnose wad stat filter list/clear <----list/clear Web Filter/DLP statistics report
l In the example below, there are two VDOMs using proxy-based policies which have Web Filter profiles enabled.
The command line can be used to view the proxy-based Web Filter statistics report.
(global) # diag wad filter ?
list Display current filter.
clear Erase current filter settings.
src Source address range to filter by.
dst Destination address range to filter by.
sport Source port range to filter by.
dport Destination port range to filter by.
vd Virtual Domain Name. <----filter for per-vdom or global
statistics report
explicit-policy Index of explicit-policy. -1 matches all.
firewall-policy Index of firewall-policy. -1 matches all.
drop-unknown-session Enable drop message unknown sessions.
negate Negate the specified filter parameter.
protocol Select protocols to filter by.
FGT_600D-ICAP-NAT (global) # diag wad filter vd

<vdom> Virtual Domain Name.
ALL all vdoms
root vdom
vdom1 vdom
FGT_600D-ICAP-NAT (global) # diag wad filter vd root <----filter-out root vdom

statistics
Drop_unknown_session is enabled.
FGT_600D-ICAP-NAT (global) # diag wad stats filter list

filtering of vdom root <----Displayed the WF statistics for root vdom
dlp = 0 <----Number of Reuqest that DLP Sensor processed;
content-type = 0 <----Number of Reuqest that matching content-type filter;
urls:
examined = 6 <----Number of Request that Proxy Web-Filter(all wad daemons)
examined;
allowed = 3 <----Number of Request that be allowed in the examined requests;
blocked = 0 <----Number of Request that be blocked in the examined requests;
logged = 0 <----Number of Request that be logged in the examined requests;
overridden = 0 <----Number of Request that be overrided to another Web Filter
profile in the examined requests;
FGT_600D-ICAP-NAT (global) # diag wad filter vd vdom1 <----filter-out vdom1 statistics

filtering of vdom vdom1 <----Displayed the WF statistics for vdom1
dlp = 0
content-type = 0
urls:
examined = 13
allowed = 2
blocked = 9
logged = 8
overridden = 0

FGT_600D-ICAP-NAT (global) # diag wad filter vd ALL

filtering of all accessible vdoms <----global statistics is sum of two VDOMs
dlp = 0
content-type = 0
urls:
examined = 19
allowed = 5
blocked = 9
logged = 8
overridden = 0
Flow-based Web Filter statistics report
l The flow-based Web Filter statistics command line tools are as follows. These commands are available in global
command lines only.
(global) # diag test app ipsmonitor
IPS Engine Test Usage:
1: Display IPS engine information

2: Toggle IPS engine enable/disable status
3: Display restart log
4: Clear restart log
5: Toggle bypass status
6: Submit attack characteristics now
10: IPS queue length
11: Clear IPS queue length
12: IPS L7 socket statistics
13: IPS session list
14: IPS NTurbo statistics
15: IPSA statistics
18: Display session info cache
19: Clear session info cache
21: Reload FSA malicious URL database
22: Reload whitelist URL database
24: Display Flow AV statistics
25: Reset Flow AV statistics
27: Display Flow urlfilter statistics
28: Reset Flow urlfilter statistics
29: Display global Flow urlfilter statistics <----List the Flow Web Filter
Statistics
30: Reset global Flow urlfilter statistics <----Reset the Flow Web Filter
Statistics
96: Toggle IPS engines watchdog timer
97: Start all IPS engines
98: Stop all IPS engines
99: Restart all IPS engines and monitor
l In the example below, there are two VDOMs using flow-based policies which have Web Filter profiles enabled. The
command line can be used to view the flow-based Web Filter statistics report.
(global) # diag test app ipsmonitor 29
Global URLF states:
request: 14 <----Number of Requests that Flow Web-Filter(all ips engines) received;

response: 14 <----Number of Response that Flow Web-Filter(all ips engines) sent;

pending: 0 <----Number of Requests that under processing at that moment;
request error: 0 <----Number of Request that have error;
response timeout: 0 <----Number of response that ips engine not been received in-
time;
blocked: 12 <----Number of Request that Flow Web-Filter blocked;
allowed: 2 <----Number of Request that Flow Web-Filter allowed;
DNS Filter
Introduction to DNS Filter
Most people who use the Internet use domain names. For example, people who access the Fortinet website type
www.fortinet.com into their web browser. However, on the Internet, all websites, computers, or devices actually use IP
addresses to locate the destination.
Internet uses DNS (Domain Name System) to translate domain names into IP addresses. For example, when you type
www.fortinet.com into your web browser, DNS maps this domain name to Fortinet's IP address to locate the Fortinet
website on the Internet.
If you cannot see DNS Filter under Security Profiles, go to System > Feature Visibility > Security Features section
and enable DNS Filter.
DNS primarily uses the UDP protocol on port 53 to serve the address resolve requests.
The FortiGate DNS Filter inspects the UDP protocol on port 53 traffic that traverse FortiGate, and based on the DNS
Filter profile configuration, makes the Allow/Monitor/Block or Redirect decision for the inspected traffic.
FortiGate DNS Filter has the following features:
l FortiGuard Filtering: filtering the DNS request based on the domain's FortiGuard rating.
l Botnet C&C Domain Blocking: block the DNS request for the known Botnet C&C domains.
l External Dynamic Category Domain Filtering: define your own domain category.
l DNS Safe Search: Enforce Google, Bing, and YouTube safe addresses for parental controls.
l Local Domain Filter: define your own domain list to block or allow.
l External IP Block List: define your IP block list to block resolved IPs that match this list.
l DNS Translation: map the resolved result to another IP you define.

Sample topology
The topics in this section use the following sample topology to explain how these DNS Filter features work and how to
configure it. In this sample topology, there is an internal network and a FortiGate used as a gateway device, with all
DNS traffic traversing the FortiGate.
How to configure and apply DNS Filter profile
To create or configure DNS Filter profile in the GUI:
1. Go to Security Profiles > DNS Filter.

2. You can modify the default DNS Filter and enable the options you want or you can click + at the top right to create a

new DNS Filter.
To create or configure DNS Filter profile in the CLI:
config dnsfilter profile

edit "demo"
set comment ''
config domain-filter
unset domain-filter-table
end
config ftgd-dns
config filters
edit 2
set category 2
set action monitor
next
edit 7
set category 7
set action block
next
...
edit 22
set category 0
set action monitor
next
end

end
set log-all-domain enable
set sdns-ftgd-err-log enable
set sdns-domain-log enable
set block-action redirect
set block-botnet enable
set safe-search enable
set redirect-portal 93.184.216.34
set redirect-portal6 ::
next
end
After you have created the DNS Filter profile, you can apply it to the policy. DNS filters also support IPv6 policies.
To apply DNS Filter profile to the policy in the GUI:
1. Go to Policy & Objects IPv4 Policy or IPv6 Policy.

2. In the Security Profiles section, enable DNS Filter and select the DNS filter.
To apply DNS Filter profile to the policy in the CLI:

edit 1
set name "Demo"
set dstintf "port9"
set srcaddr "all"
set dstaddr "all"

set action accept

set service "ALL"
set logtraffic all
set fsso disable
set dnsfilter-profile "demo" <<<====
set profile-protocol-options "default"
set ssl-ssh-profile "deep-inspection"
set nat enable
next
end
FortiGuard category-based DNS domain filtering
The FortiGate must have a FortiGuard Web Filter license to use FortiGuard Category Based
Filter.
You can use the FortiGuard category-based DNS Domain Filter to inspect DNS traffic. This makes use of FortiGuard's
continually updated domain rating database for more reliable protection.
To configure FortiGuard category-based DNS Domain Filter by GUI:
1. Go to Security Profiles > DNS Filter and edit or create a DNS Filter.
2. Enable FortiGuard Category Based Filter.

3. Select the category and then select Allow, Monitor, or Block for that category.
4. If you select Block, there are two options:

l Redirect Portal IP. If the DNS query domain will be blocked, FortiGate will use portal IP to replace the
resolved IP in DNS response packet. You can use the default portal IP 208.91.112.55 or click Specify to enter
another portal IP.
l Block. Blocked DNS query has no response return and the DNS query client will time out.

To configure FortiGuard category-based DNS Domain Filter by CLI:

edit "demo"
set comment ''
config domain-filter
unset domain-filter-table
end
config ftgd-dns
config filters <<<==== FortiGuard Category Based Filter
edit 2
set category 2
set action monitor
next
edit 7
set category 7
set action monitor
next
...
edit 22
set category 0
set action monitor
next
end
end
set sdns-ftgd-err-log enable

set sdns-domain-log enable

set block-action redirect/block <<<==== You can specify Block or Redirect
set safe-search enable
set redirect-portal 93.184.216.34 <<<==== Specify Redirect portal-IP.
next
end
Sample
To see an example of how this works, from your internal network PC, use a command line tool such as dig or nslookup
to do DNS query for some domains, for example:
#dig www.example.com
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 61252
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 13; ADDITIONAL: 11
;; www.example.com. IN A
;; ANSWER SECTION:
www.example.com. 17164 IN A 93.184.216.34
;; AUTHORITY SECTION:
com. 20027 IN NS h.gtld-servers.net.
com. 20027 IN NS i.gtld-servers.net.
com. 20027 IN NS f.gtld-servers.net.
com. 20027 IN NS d.gtld-servers.net.
com. 20027 IN NS j.gtld-servers.net.
com. 20027 IN NS l.gtld-servers.net.
com. 20027 IN NS e.gtld-servers.net.
com. 20027 IN NS a.gtld-servers.net.
com. 20027 IN NS k.gtld-servers.net.
com. 20027 IN NS g.gtld-servers.net.
com. 20027 IN NS m.gtld-servers.net.
com. 20027 IN NS c.gtld-servers.net.
com. 20027 IN NS b.gtld-servers.net.
;; ADDITIONAL SECTION:
a.gtld-servers.net. 21999 IN A 192.5.6.30
a.gtld-servers.net. 21999 IN AAAA 2001:503:a83e::2:30
b.gtld-servers.net. 21997 IN A 192.33.14.30
b.gtld-servers.net. 21997 IN AAAA 2001:503:231d::2:30
c.gtld-servers.net. 21987 IN A 192.26.92.30
c.gtld-servers.net. 20929 IN AAAA 2001:503:83eb::30
d.gtld-servers.net. 3340 IN A 192.31.80.30
d.gtld-servers.net. 3340 IN AAAA 2001:500:856e::30
e.gtld-servers.net. 19334 IN A 192.12.94.30
e.gtld-servers.net. 19334 IN AAAA 2001:502:1ca1::30
f.gtld-servers.net. 3340 IN A 192.35.51.30
;; Received 509 B
;; Time 2019-04-05 09:39:33 PDT
;; From 172.16.95.16@53(UDP) in 3.8 ms

To check the DNS Filter log in the GUI:
1. Go to Log & Report > DNS Query to view the DNS traffic that just traverse the FortiGate and the FortiGuard rating
for this domain name.
To check the DNS log in the CLI:
#execute log filter category utm-dns
# execute log display

2 logs found.
2 logs returned.
1: date=2019-04-05 time=09:39:34 logid="1501054802" type="utm" subtype="dns" eventtype="dns-

response" level="notice" vd="vdom1" eventtime=1554482373 policyid=1 sessionid=50868 srcip-
p=10.1.100.18 srcport=34308 srcintf="port10" srcintfrole="undefined" dstip=172.16.95.16 dst-
port=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=17647
qname="www.example.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="93.184.216.34" msg="Domain is
monitored" action="pass" cat=52 catdesc="Information Technology"

query" level="information" vd="vdom1" eventtime=1554482373 policyid=1 sessionid=50868 srcip-
qname="www.example.com" qtype="A" qtypeval=1 qclass="IN"
Botnet C&C domain blocking
FortiGuard Service continually updates the Botnet C&C domain list (Domain DB). The botnet C&C domain blocking
feature can block the botnet website access at the DNS name resolving stage. This provides additional protection for
your network.
To configure botnet C&C domain blocking in the GUI:
2. Enable Redirect botnet C&C requests to Block Portal.

3. Click the botnet package link to see the latest botnet C&C domain list.
Sample
To see an example of how this works, select a botnet domain from that list. Then from your internal network PC, use a
command line tool such as dig or nslookup to send a DNS query to traverse the FortiGate to see the query blocked as a
botnet domain. For example:
#dig canind.co
;; Flags: qr rd; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0
;; canind.co. IN A
;; ANSWER SECTION:
canind.co. 60 IN A 208.91.112.55 <<<==== botnet domain query
blocked, redirect with portal-IP.
;; Received 43 B
;; Time 2019-04-05 09:55:21 PDT
;; From 172.16.95.16@53(UDP) in 0.3 ms

1. Go to Log & Report > DNS Query to view the DNS query blocked as a botnet domain.
To check the DNS Filter log in the CLI:
FGT600D (vdom1) # exe log filter category utm-dns
FGT600D (vdom1) # exe log display

2 logs found.
2 logs returned.

response" level="warning" vd="vdom1" eventtime=1554421439 policyid=1 sessionid=14135 srcip-
qname="canind.co" qtype="A" qtypeval=1 qclass="IN" msg="Domain was blocked by dns botnet C&C"
action="redirect" botnetdomain="canind.co"

qname="canind.co" qtype="A" qtypeval=1 qclass="IN"
Botnet C&C IPDB blocking
FortiGate also maintains a botnet C&C IP address database (botnet IPDB). If a DNS query response IP address
(resolved IP address) matches an entry inside the botnet IPDB, this DNS query is also blocked by DNS Filter botnet C&C
blocking.
To view the botnet IPDB list in the CLI:
(global) # diag sys botnet list 9000 10

9000. proto=TCP ip=103.228.28.166, port=80, rule_id=7630075, name_id=3, hits=0

To see an example of how DNS Filter botnet C&C IPDB blocking works, select an IP address from the IPDB list and use
Internet reverse lookup service to find its corresponding domain name. Then from your internal network PC, use a
command line tool such as dig or nslookup to query this domain and see that it's blocked by DNS Filter botnet C&C
blocking. For example:
# dig cpe-98-25-53-166.sc.res.rr.com
;; cpe-98-25-53-166.sc.res.rr.com. IN A
;; ANSWER SECTION:
cpe-98-25-53-166.sc.res.rr.com. 60 IN A 208.91.112.55 <<<==== Since resolved
IP address match the botnet IPDB, dns query blocked with redirect portal IP.
;; Received 64 B
;; Time 2019-04-05 11:06:47 PDT
;; From 172.16.95.16@53(UDP) in 0.6 ms
1. Go to Log & Report > DNS Query to view the DNS query blocked by botnet C&C IPDB blocking.
To check the DNS Filter log in the CLI:

port=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=16265 qname="cpe-
98-25-53-166.sc.res.rr.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="93.184.216.34" msg-
g="Domain was blocked by dns botnet C&C" action="redirect" botnetip=98.25.53.166

port=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="demo" xid=16265 qname="cpe-
98-25-53-166.sc.res.rr.com" qtype="A" qtypeval=1 qclass="IN"
To check botnet activity:
1. Go to Dashboard > Status and see the Botnet Activity widget.

If you cannot find the Botnet Activity widget, click the Settings button at the bottom right, select Add Widget, and
add the Botnet Activity widget.

External Resources for DNS Filter
Introduction
External Resources is a new feature introduced in FortiOS 6.0. It provides a capability to dynamically import an external
blacklist into an HTTP server. This feature enables FortiGate to retrieve a dynamic URL/Domain Name/IP
Address/Malware hash list from an external HTTP server periodically. FortiGate uses these external resources as Web
Filter's remote categories, DNS Filter's remote categories, policy address objects, or antivirus profile's malware
definitions. If external resources are updated, FortiGate objects are also updated dynamically.
External Resource is divided into four types:
l URL list (Type=category)
l Domain Name List (Type=domain)
l IP Address list (Type=address)
l Malware hash list (Type=malware)
Remote categories and external IP block list
The DNS Filter profile can use two types of external resources: domain type and address type. Domain type resources
file is a domain name list and address type resources file is an IP address list.
When a domain type external resource is configured, it is treated as a Remote Category in DNS Filter profile. If the
domain name in DNS Query matches the entry in this external resource file, it is treated as the Remote Category and
follows the action configured for this category in DNS Filter profile.
When an address type external resource is configured, it can be enabled as external-ip-blocklist in DNS Filter profile. If
DNS resolved IP address in DNS response matches the entry in the external-ip-blocklist, this DNS Query is blocked by
DNS Filter.
External Resources file format
File format requirements for External Resources file:

l The file is in plain text format with each URL list/IP Address/Domain Name occupying one line.
l The file is limited to 10 MB, and each line is limited to 128 KB (128 X 1024 entries). Line length limit is 4 KB
characters.
l The entry limit also follows the table size limitation defined by CMDB per model.
l The External Resources update period can be set to 1 minute, hourly, daily, weekly, or monthly (43200 min, 30
days).
l The External Resources type as category (URL list) and domain (Domain Name list) share the category number

range 192-221 (total of 30 categories).

l There is no duplicated entry validation for External Resources file (entry inside each file or inside different files).
For Domain Name list (Type=domain):
l Simple wildcard is allowed in domain name list, from example: *.test.com.
l IDN (International Domain Name) is supported.
For IP Address list (Type=address):
l IP address can be single IP address, subnet address, or address range, for example, 192.168.1.1,
192.168.10.0/24,192.168.100.1-192.168.100.254.
l An address can be IPv4 or IPv6 address, for Type=address, IPv6 address does not need to be in [ ] format.
Configure External Resources from CLI
You can use CLI to configure External Resources files in an external HTTP server. Under Global, configure the External
Resources file location and specify the resource type. DNS Filter can use domain type and address type external
resources.
In the following example, configure a file "Ext-Resource-Type-as-Domain-1.txt" as type domain and it will be treated in
DNS Filter as Remote Category name as "Ext-Resource-Type-as-Domain-1" and category-id 194. Configure another
external resource file "Ext-Resource-Type-as-Address-1.txt" as type address, and this address object name is "Ext-
Resource-Type-as-Address-1":
edit "Ext-Resource-Type-as-Domain-1"
set type domain <<<====
set category 194 <<<====
set resource "http://172.16.200.66/external-resources/Ext-Resource-Type-as-Domain-1.txt"
set refresh-rate 1
next
edit "Ext-Resource-Type-as-Address-1"
set status enable
set type address <<<====
set username ''
set password
set comments ''
set resource "http://172.16.200.66/external-resources/Ext-Resource-Type-as-Address-
1.txt"
set refresh-rate 1
next
end
In each VDOM, domain type external resource can be used in DNS Filter as Remote Category. In the above example,
Domain Name list in "Ext-Resource-Type-as-Domain-1.txt" file is treated as remote category (category-id 194). IP
address list in "Ext-Resource-Type-as-Address-1.txt" file can be applied in DNS Filter as external-ip-blocklist. If DNS
resolved IP address matches any entry in the list in that file, the DNS query is blocked. You should configure the action
for this remote category and enable "external-ip-block-list" in a DNS Filter profile and apply it in the policy:
edit "default"
set comment "Default dns filtering."
config ftgd-dns
config filters
edit 1
set category 194 <<<==== domain list in Ext-Resource-Type-as-Domain-1.txt

treated as remote category 194

set action block
next
edit 2
set category 12
next
edit 3
next
end
end
set external-ip-blocklist "Ext-Resource-Type-as-Address-1" <<<==== IP address in "Ext-
Resource-Type-as-Address-1" file.
next
end

edit 1
set name "DNSFilter"
set dstintf "port9"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
set logtraffic all
set dnsfilter-profile "default"
set nat enable
next
end
Configure External Resources from GUI
To configure, edit, or view the entries for external resources from GUI:
1. Go to Global > Security Fabric > Fabric Connectors.

2. Click Create New and in the Threat Feeds section, select Domain Name or IP Address.
3. Enter the Resource Name, URL, location of the resource file, resource authentication credentials, and Refresh
Rate; and click OK to finish the Threat Feeds configuration.
4. When the configuration is complete, double-click the Threat Feeds Object you just configured to open the Edit
page; then click View Entries to view the entry list in the external resources file.

5. Go to VDOM > DNS Filter and open a DNS Filter profile. The configured external resources displays and you can
apply it in each DNS Filter Profile: remote category or external IP block lists.
Log Example
Remote categories
In VDOM > Log & Report > DNS Query, some domains that match the Remote Category list are rated as Remote
Category, overriding their original domain rating.

CLI Example:

port=53 dstintf="port9" dstintfrole="undefined" proto=17 profile="default" xid=38234
qname="www.example.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="93.184.216.34" msg="Domain is
monitored" action="pass" cat=196 catdesc="Ext-Resource-Type-as-Domain-3"

External-IP-Block-Lists
You can use Address Type external resources as external-ip-blocklist in DNS Filter Profile. If DNS Query resolved IP
Address matches the entry in the external-ip-blocklist, this DNS query is blocked.
CLI Example:

qname="www.example.com" qtype="A" qtypeval=1 qclass="IN" msg="Domain was blocked because it is
in the domain-filter list" action="redirect" domainfilteridx=0 domainfilterlist="Ext-Resource-
Type-as-Address-1"


DNS safe search
Enable DNS Filter safe search so that FortiGate responds with the search engine's children and school safe domain or
IP address. Users might not be aware of this filter. Explicit contents are filtered by the search engine itself. This feature
isn’t 100% accurate but it can help you avoid explicit and inappropriate search results.
This feature currently supports Google, Bing, and YouTube.
To configure DNS Filter Safe Search on GUI:
2. Enable Enforce 'Safe search' on Google, Bing, YouTube.
3. For Restrict YouTube Access, select Strict or Moderate.
To configure DNS Filter Safe Search on CLI:

edit "demo"
config ftgd-dns
config filters
edit 2
set category 2
next
...
end
end
set safe-search enable <<<==== DNS Filter Safe Search option
next
end
Sample
To see an example of how this works, enable this option. Then from your internal network PC, use a command line tool
such as dig or nslookup to do a DNS query on www.bing.com. For example:
# dig www.bing.com

;; www.bing.com. IN A
;; ANSWER SECTION:
www.bing.com. 103 IN CNAME strict.bing.com. <<<====
strict.bing.com. 103 IN A 204.79.197.220
;; Received 67 B
;; Time 2019-04-05 14:34:52 PDT
;; From 172.16.95.16@53(UDP) in 196.0 ms
The DNS query for www.bing.com returns with a CNAME strict.bing.com, and A record for the CNAME. The user's web
browser then connects to this address with the same search engine UI but any explicit content search is filtered out.
Check the DNS Filter log for the message DNS Safe Search enforced.
To check the DNS Filter Safe Search log in the CLI:

qname="www.bing.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="204.79.197.220" msg="DNS Safe
Search enforced" action="pass" sscname="strict.bing.com" cat=41 catdesc="Search Engines and
Portals"

qname="www.bing.com" qtype="A" qtypeval=1 qclass="IN"
Additional information
For each search engine's safe search specifications, see its specification page:
l https://help.bing.microsoft.com/#apex/18/en-US/10003/0
l https://support.google.com/websearch/answer/510?co=GENIE.Platform%3DDesktop&hl=en
l https://support.google.com/youtube/answer/174084?co=GENIE.Platform%3DDesktop&hl=en
Local domain filter
In addition to FortiGuard's category-based domain filter, you can also can define your own local static domain filter to
allow or block specific domains.
To configure DNS local domain filter on GUI:
2. In the Static Domain Filter section, enable Domain Filter.

3. Click Create New to create your local domain filter entries.
To configure DNS local domain filter on CLI:
config dnsfilter domain-filter

edit 1
set name "demo"
set comment ''
config entries
edit 1
set domain "www.fortinet.com"
set type simple
set action allow
set status enable
next
edit 2
set domain "*.example.com"
set type wildcard
set action block
set status enable
next
edit 3
set domain "google"
set type regex
set action monitor
set status enable
next
end
next
end
To check the DNS local domain filter log in the GUI:
1. Go to Log & Report > DNS Query to view the DNS query log.
Since the local domain list "google" action is Monitor, it's blocked by FortiGuard category-based domain filter.

To check the DNS local domain filter log in the CLI:

qname="www.google.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="208.91.112.55" msg="Domain
belongs to a denied category in policy" action="redirect" cat=41 catdesc="Search Engines and
Portals"

qname="www.google.com" qtype="A" qtypeval=1 qclass="IN"

qname="www.example.com" qtype="A" qtypeval=1 qclass="IN" msg="Domain was blocked because it is
in the domain-filter list" action="redirect" domainfilteridx=1 domainfilterlist="demo"


response" level="information" vd="vdom1" eventtime=1554503810 policyid=1 sessionid=69118 srcip-
qname="www.fortinet.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="13.56.55.78, 54.183.57.55"
msg="Domain was allowed because it is in the domain-filter list" action="pass" domain-
filteridx=1 domainfilterlist="demo"

qname="www.fortinet.com" qtype="A" qtypeval=1 qclass="IN"
Sequence and priority
In DNS Filter, local domain filter has a higher priority than FortiGuard category-based domain filter.
A DNS query is scanned and matched with local domain filter first. If an entry matches and the local filter entry's action
is block, then that DNS query is blocked or redirected.
If local domain filter list has no match, then the FortiGuard category-based domain filter is used. If a DNS query domain
name rating belongs to the block category, this query is blocked or redirected. If the FortiGuard category-based filter has
no match, then the original resolved IP address is returned to the client DNS resolver.
The local domain filter action can be Block, Allow, or Monitor. If the local domain filter action is Allow and an entry
matches, it will skip the FortiGuard category-based domain filter and directly return to client DNS resolver. If the local

domain filter action is Monitor and an entry matches, it will go to FortiGuard category-based domain filter scanning and
matching.
DNS translation
Using this feature, you can translate a DNS resolved IP address to another IP address you specify.
For example, website A has a public address 1.2.3.4. However, when your internal network users visit this website, you
want them to connect to an internal host, say, 192.168.3.4. In this case, you can use DNS translation to translate the
DNS resolved address 1.2.3.4 to 192.168.3.4. Reverse use of DNS translation is also applicable, for example, if you
want public DNS query of your internal server to get a public IP address, then you can translate a DNS resolved private
IP to a public IP address.
This example configuration forces the DNS Filter profile to translate 93.184.216.34 (www.example.com) to
192.168.3.4. So when internal network users do DNS query for www.example.com, they do not get the original
www.example.com IP of 93.184.216.34. It will be replaced with 192.168.3.4.
To configure DNS translation on GUI:
1. Go to Security Profiles > DNS Filter and edit or create a DNS Filter profile.
2. Enable DNS Translation and click Create New.
3. Enter the Original Destination (the domain's original IP address), the Translated Destination IP address, and the
Network Mask (in most cases, it's 255.255.255.255).
To configure DNS translation on CLI:

edit "demo"
set comment ''
...
config dns-translation <<<====
edit 1
set src 93.184.216.34
set dst 192.168.3.4

set netmask 255.255.255.255

next
end
set redirect-portal 0.0.0.0
next
end
To check DNS translation using a command line tool before DNS translation:
# dig www.example.com
;; ANSWER SECTION:
example.com. 18578 IN NS b.iana-servers.net.
example.com. 18578 IN NS a.iana-servers.net.
;; Received 97 B
;; Time 2019-04-08 10:47:26 PDT
;; From 172.16.95.16@53(UDP) in 0.5 ms
To check DNS translation using a command line tool after DNS translation:
;; ANSWER SECTION:
www.example.com. 32491 IN A 192.168.3.4 <<<==== resolved IP translated
into 192.168.3.4
;; Received 97 B
;; Time 2019-04-08 11:11:41 PDT
;; From 172.16.95.16@53(UDP) in 0.5 ms
How DNS translation network mask work
The following is an example of DNS translation and result.

config dns-translation
edit 1

set src 93.184.216.34

set dst 1.2.3.4
next
end
;; ANSWER SECTION:
;; Received 97 B
;; Time 2019-04-08 12:04:30 PDT
;; From 172.16.95.16@53(UDP) in 2.0 ms
1) AND src(Orginal IP) with negative netmask (93.184.216.34 & ~255.255.224.0)
01011101.10111000.11011000.00100010 93.184.216.34 <-- ip
00000000.00000000.00011111.11111111 ~255.255.224.0 <-- ~netmask
-------------------------------------------------------- &
00000000.00000000.00011000.00100010 0.0.24.34 <- right bits
2) AND dst(Translated IP) with netmask

00000001.00000010.00000011.00000100 1.2.3.4 <- dst
11111111.11111111.11100000.00000000 255.255.224.0 <- netmask
-------------------------------------------------------- &
00000001.00000010.00000000.00000000 1.2.0.0 <- left bits
3) Final step 2 bitwise-OR 3:

00000000.00000000.00011000.00100010 0.0.24.34
00000001.00000010.00000000.00000000 1.2.0.0
-------------------------------------------------------- |
00000001.00000010.00011000.00100010 1.2.24.34
Use FortiGate as a DNS server
You can configure and use FortiGate as a DNS server in your network. When you enable DNS Service on a specific
interface, FortiGate will listen for DNS Service on that interface.
Depending on the configuration, DNS Service on FortiGate can work in three modes: Recursive, Non-Recursive, or
Forward to System DNS (server). For details on how to configure DNS Service on FortiGate, see the FortiGate System
Configuration Guide.
You can apply a DNS Filter profile to Recursive Mode and Forward to System DNS Mode. This is the same as FortiGate
working as a transparent DNS Proxy for DNS relay traffic.

To configure DNS Service on FortiGate using GUI:
1. Go to Network > DNS Servers.

2. In the DNS Service on Interface, click Create New and select an Interface.
The Recursive and Non-Recursive Mode is available only after you configure the DNS database.
To configure DNS Service on FortiGate using CLI:

edit "port10" <<<==== Enable DNS Serive on Interface
set mode forward-only
set dnsfilter-profile "demo" <<<==== apply DNS Filter Profile for the service
next
end
In this example, FortiGate port 10 is enabled as a DNS Service with the DNS Filter profile "demo". Suppose port 10 has
an IP address 10.1.100.5 and DNS Filter profile "demo" is set to block category 52 (Information Technology), then from
your internal network PC, use a command line tool such as dig or nslookup to do a DNS query. For example:
# dig @10.1.100.5 www.fortinet.com <<<====Specify FortiGate interface address as DNS Server
;; www.fortinet.com. IN A
;; ANSWER SECTION:
www.fortinet.com. 60 IN A 208.91.112.55 <<<==== DNS Filter profile
will filter the relay DNS traffic based on profile configuration. It blocked with redirect
portal IP
;; Received 50 B

;; Time 2019-04-08 14:36:34 PDT

;; From 10.1.100.5@53(UDP) in 13.6 ms
Troubleshooting DNS Filter
If you have trouble with the DNS Filter profile in your policy, start with the following troubleshooting steps:
l Check the connection between FortiGate and FortiGuard DNS rating server (SDNS server).
l Check that FortiGate has a valid FortiGuard Web Filter license.
l Check the FortiGate DNS Filter configuration.
Troubleshooting connection between FortiGate and FortiGuard SDNS server
Ensure FortiGate can connect to the FortiGuard SDNS server. By default, FortiGate uses UDP port 53 to connect to the
SDNS server.
To check the connection between FortiGate and the SDNS server in the CLI:
1. In the CLI Console, run the command diagnose test application dnsproxy 3 to find the FortiGuard
SDNS server.
worker idx: 0
vdom: root, index=0, is master, vdom dns is disabled, mip-169.254.0.1 dns_log=1
dns64 is disabled
vdom: vdom1, index=1, is master, vdom dns is enabled, mip-169.254.0.1 dns_log=1
dns64 is disabled
dns-server:208.91.112.220:53 tz=-480 req=0 to=0 res=0 rt=0 secure=1 ready=1 timer=0 probe=0
dns-server:208.91.112.53:53 tz=0 req=0 to=0 res=0 rt=0 secure=0 ready=1 timer=0 probe=0
dns-server:173.243.138.221:53 tz=-480 req=0 to=0 res=0 rt=0 secure=1 ready=1 timer=0
DNS_CACHE: hash-size=2048, ttl=1800, min-ttl=60, max-num=5000
DNS FD: udp_s=13 udp_c=16:17 ha_c=21 unix_s=22, unix_nb_s=23, unix_nc_s=24
v6_udp_s=12, v6_udp_c=19:20, snmp=25, redir=14
DNS FD: tcp_s=27, tcp_s6=26, redir=28
FQDN: hash_size=1024, current_query=1024
DNS_DB: response_buf_sz=4096
FDG_SERVER:208.91.112.220:53
FGD_CATEGORY_VERSION:8
SERVER_LDB: gid=6f00, tz=-420, error_allow=0
FGD_REDIR:208.91.112.55

2. Check the FDG_SERVER line. The SDNS server IP address might be different depending on location. For this
example, it is:
FDG_SERVER:208.91.112.220:53
3. In the CLI Console under the management VDOM, run the command execute ping 208.91.112.220 to
check the communication between the FortiGate and the SDNS server.
4. Optionally, you can also check the communication using a PC on the internal network.
a. Disable the DNS Filter profile so that it does not affect your connection check.
b. Ping your ISP or a public DNS service provides's DNS server, for example, Google's public DNS server of
8.8.8.8:
#dig @8.8.8.8 www.fortinet.com
Or specify the SDNS server as DNS server:

c. Check that you can get domain www.fortinet.com A record from the DNS server which shows that UDP port 53
connection path is not blocked.
;; www.fortinet.com. IN A
;; ANSWER SECTION:
www.fortinet.com. 289 IN CNAME fortinet-prod4-858839915.us-west-
1.elb.amazonaws.com.
fortinet-prod4-858839915.us-west-1.elb.amazonaws.com. 51 IN A
52.8.142.247
fortinet-prod4-858839915.us-west-1.elb.amazonaws.com. 51 IN A
13.56.55.78
;; Received 129 B
;; Time 2019-04-29 14:13:18 PDT
;; From 8.8.8.8@53(UDP) in 13.2 ms
Checking FortiGuard DNS Rating Service license
The FortiGuard DNS Rating Service shares the license with FortiGuard Web Filter so you must have a valid Web Filter
license for the DNS Rating Service to work. While the license is shared, the DNS Rating Service uses a separate
connection mechanism from the Web Filter Rating.
To check the DNS Rating Service license in the CLI:
1. In the CLI Console, run the command diagnose test application dnsproxy 3.
2. Look for the LICENSE line and check that the license has not expired, for example:
3. Check the dns-server lines. Some dns-server lines show secure=1 ready=1. These lines show the
functioning SDNS servers. For example:

Checking FortiGate DNS Filter profile configuration
To check the FortiGate DNS Filter profile configuration:
1. Create a local domain filter and set the Action to Redirect to Block Portal.
See Local domain filter on page 407.
2. Apply this DNS Filter profile to the policy.
3. From the client PC, DNS query this domain.
If you get the profile's redirected portal address, that shows that the DNS Filter profile works as expected.
More troubleshooting steps
To reload the DNS proxy in the CLI:
(global)#diagnose test application dnsproxy 99
To debug DNS proxy details:
These commands might create more output in your console.

#diagnose debug application dnsproxy -1
#diagnose debug enable/disable
DNS proxy command reference
Use the following diagnose test application dnsproxy command line options to check DNS proxy status
and help with troubleshooting.
(global) # diagnose test application dnsproxy ?
worker idx: 0
1. Clear DNS cache
2. Show stats
3. Dump DNS setting
4. Reload FQDN
5. Requery FQDN
6. Dump FQDN
7. Dump DNS cache
8. Dump DNS DB
9. Reload DNS DB
10. Dump secure DNS policy/profile
11. Dump Botnet domain
12. Reload Secure DNS setting
13. Show Hostname cache
14. Clear Hostname cache
15. Show SDNS rating cache
16. Clear SDNS rating cache
17. DNS debug bit mask
99. Restart dnsproxy worker

Email filter
Email filtering
The FortiGate Email Filter can be configured to do AntiSpam and file-type based filtering. To enable email filtering,
create a profile using either the CLI or GUI, then use this profile in the firewall policy.
To configure the email filter profile in the CLI:
config emailfilter profile

edit "ProfileName"
set options ?
bannedword Content block.
spambwl Black/white list.
spamfsip Email IP address FortiGuard AntiSpam black list check.
spamfssubmit Add FortiGuard AntiSpam spam submission text.
spamfschksum Email checksum FortiGuard AntiSpam check.
spamfsurl Email content URL FortiGuard AntiSpam check.
spamhelodns Email helo/ehlo domain DNS check.
spamraddrdns Email return address DNS check.
spamrbl Email DNSBL & ORBL check.
spamhdrcheck Email mime header check.
spamfsphish Email content phishing URL FortiGuard AntiSpam check.
These options can be reorganized according to the source of the decision:

l Local options: The FortiGate qualifies the email based on local conditions like BWL, bannedwords, or DNS checks
(with the use of FortiGuard service).
bannedword Content block.
spambwl Black/white list.
spamhelodns Email helo/ehlo domain DNS check.
spamraddrdns Email return address DNS check.
spamhdrcheck Email mime header check.
l FortiGuard-based options: The FortiGate qualifies the email based on score or verdict returned from the
FortiGuard service.
spamfsip Email IP address FortiGuard AntiSpam black list check.
spamfssubmit Add FortiGuard AntiSpam spam submission text.
spamfschksum Email checksum FortiGuard AntiSpam check.
spamfsurl Email content URL FortiGuard AntiSpam check.
spamfsphish Email content phishing URL FortiGuard AntiSpam check.
l Third-party options: The FortiGate qualifies the email based on information from a third-party source (like ORB
list).
spamrbl Email DNSBL & ORBL check.

Local and FortiGuard black/white lists can be enabled and combined in a single profile. When
combined, the Local black/white list has a higher priority than the FortiGuard's black list during
a decision making process.
For example: If a client's IP address is black listed in FortiGuard servers, but the admin wants
to override this decision and allow the IP to pass through the filter, they can define the
IP address or subnet in a BWL with the clear action. Because the information coming from the
Local BWL has a higher priority than the FortiGuard service, the email will be considered
clean.
Filtering types
Local-based:
l BWL, black or white list: These lists can be made from emails or IP subnets to forbid OR allow them to
sending/receiving emails.
When referring to the IP address or email listed under a black or white list, email refers to
the "From:" address, and IP refers to the IP address of the source of the email. In an
SMTP case, the IP refers to the client's IP address, while in a POP3 and IMAP case, it
refers to the server's IP address.
l Bannedwords: The admin can define a list of banned words. Emails that contain any of these banned words are
considered as spam.
l DNS check: With spamhelodns and spamraddrdns, the FortiGate performs a standard DNS check on the
machine name used in the helo SMTP message, and/or the return-to field to determine if these names belong to a
registered domain. The FortiGate does not check the FortiGuard service during these operations.
FortiGuard-based:
l FortiGuard based options: FortiGate consults FortiGuard servers to help identify the spammers IP address or
emails, known phishing URLs, known spam URLs, known spam email checksums, etc.
Protocol tuning:
lProtocol tuning: In a profile, there are sections for SMTP, POP3, and IMAP. In each section, you can set an action
to either discard, tag, or pass the log for that protocol.
Webmail:
l Webmail detector: The email filter can also be configured to detect and log emails sent via Gmail and MSN-
Hotmail. Although these two interfaces do not use the standard email protocols (SMTP, POP3, or IMAP) and
instead use HTTPS, the email filter can still be configured to detect the emails sent and passed through the
FortiGate.
File-type:
l File-type based filtering: This can include emails which are undesired due to a file-type attachment that the
network admin qualifies as non-compatible with their business environment. The admin can define the undesired
file-types within the email filter profile and can associate an action to be taken for each file-type (for example: block
or log).
Both AntiSpam and file-type based filtering can be defined in a single profile, and will act
independent of one another.

Local-based filters
To configure the local-based AntiSpam filter in the CLI:
config emailfilter bwl
FGT-300D-SPAM (bwl) # edit 1

new entry '1' added
FGT-300D-SPAM (1) # set name myBWL
FGT-300D-SPAM (1) # config entries

config entries
edit 1
set status enable
set type ip
set action spam
set addr-type ipv4
set ip4-subnet 10.1.100.0 255.255.255.0
next
end

edit "myLocalEmailFilter"
set spam-filtering enable
set options spambwl spamhelodns spamraddrdns
config smtp
set action tag
end
set spam-bwl-table 1
next
end
edit 1
.....

set emailfilter-profile "myLocalEmailFilter"
next
end

To configure the local-based AntiSpam filter in the GUI:
1. Go to Security Profiles > Email Filter.

2. Click Create or select an existing profile and click Edit.
3. In the Firewall policy, create or edit a rule.

4. Set the inspection-mode to Proxy-based.

5. Enable the Email Filter option and select the profile previously created.
6. Set SSL Inspection to a profile that has deep SSL inspection enabled.
l Deep inspection is required if you intend to filter SMTP, POP3, IMAP, or any SSL/TLS encapsulated protocol.

l Below is an example of a profile with deep SSL inspection enabled.
To configure bannedwords in the CLI:
config emailfilter bword

edit 1
set name "banned"
config entries
edit 1
set pattern "undesired_word"
next
end
next
end

edit "myBannedWordsProfile"
config file-filter
set status disable

end
set options bannedword
set spam-bword-table 1
next
end
Once created, this profile should be set in the firewall policy.
Bannedwords can only be configured through the CLI.
FortiGuard-based filters
FortiGate consults FortiGuard servers to help identify the spammers IP address or emails, known phishing URLs, known
spam URLs, known spam email checksums, etc. FortiGuard servers have maintained databases that contain black lists
which are fed from Fortinet sensors and labs distributed all over the world.
To configure the FortiGuard filters in the CLI:

edit "myEmailFilterProfile"
set options spamfsip spamfssubmit spamfschksum spamfsurl spamrbl spamhdrcheck spamf-
sphish
next
end
To configure the FortiGuard filters in the GUI:

2. In the FortiGuard Spam Filtering Spam Filtering section, you can enable or disable the following filters:
l IP Address Check
l URL Check
l Detect Phising URLs in Email
l Email Checksum Check

l Spam Submission
File-type based filters
File-type based email filters can be used to filter out emails which are undesired due to a file-type attachment that the
network admin qualifies as non-compatible with their business environment. The admin can define the undesired file-
types within the email filter profile and can associate an action to be taken for each file-type (for example: block or log).
To configure file-type email filtering in the CLI:

edit "myEmailFileFilter"
config file-filter
config entries
edit "compressedFiles"
set action block
set file-type "7z" "rar" "zip"
next
end
end
next
end

To configure file-type email filtering in the GUI:

2. Enable File Filter.
3. Customize which files are scanned (Log/Scan Archived Contents) or click Create New to add a new entry.
Protocols and actions
In an email filtering profile, there are sections for SMTP, POP3, and IMAP protocols. In each section, you can set an
action to either discard, tag, or pass the log for that protocol.
CLI Example:
config smtp
set log enable
set action tag
end
Actions available for each protocol:
Protocol Available action
SMTP Pass: Allow spam email to pass through.

Tag: Tag spam email with configured text in the subject or header.
Discard: Discards (blocks) spam email.
POP3 & IMAP Pass: Allow spam email to pass through.
Tag: Tag spam email with configured text in the subject or header.
MAPI: Pass: Allow spam email to pass through.
Discard: Discards (blocks) spam email.

MAPI email filtering
MAPI is a proprietary protocol from Microsoft. It uses HTTPS to encapsulate email requests and responses between
Microsoft Outlook clients and Microsoft Exchange servers. The configuration of MAPI email filters are only possible
through the CLI.
To configure the MAPI email filter in the CLI:

edit "myMapiFilter"
set options spamfsip spamfssubmit spamfsurl spamfsphish
config mapi
set log enable
set action "discard or pass"
end
next
end
Webmail
The FortiGate email filter is intended to filter standard email protocols including SMTP, POP3, IMAP, and MAPI,
however, it can also be configured to detect and log emails sent through some webmail interfaces. The supported
webmail interfaces include Gmail and MSN-Hotmail.
FortiGate can only detect and log webmail emails. It does not discard or tag these emails.
To configure webmail filtering through the CLI:

edit "myWebMailDetector"
config msn-hotmail
set log enable
end
config gmail
set log enable
end
next
end
Checking the log
To check the email filter log in the CLI:
execute log filter category 5
execute log display

1 logs found.
1 logs returned.
1: date=2019-04-09 time=03:41:18 logid="0510020491" type="utm" subtype="emailfilter" event-

type="imap" level="notice" vd="vdom1" eventtime=1554806478647415130 policyid=1 sessionid=439
dstport=143 dstintf="port17" dstintfrole="undefined" proto=6 service="IMAPS" profile="822881"
action="blocked" from="[email protected]" to="[email protected]" recip-
ient="testpc3" direction="incoming" msg="from ip is in ip blacklist.(path black ip
172.16.200.9)" subject="testcase822881" size="525" attachment="no"
To check the email filter log in the GUI:
Go to Log & Report > Anti-Spam.
File Filter for email filter
Introduction
File Filter is a new feature introduced in FortiOS 6.2, and provides the Email filter profile with the capability to block files
passing through a FortiGate based on file type. In addition, the configuration for file type filtering has been greatly
simplified. In previous FortiOS versions, File Filtering could only be achieved by configuring a DLP (Data Leak
Prevention) sensor.
In FortiOS 6.2, HTTP and FTP File Filtering is configurable in Web Filter profile, and SMTP, POP3, IMAP file-filtering is
configurable in Email filter profile. In this article we will discuss Email filter File Filtering.
Currently, File Filtering in Email filter profile is based on file type (file's meta data) only, and not on file size or file
content. Users will still need to configure a DLP sensor to block files based on size or content such as SSN numbers,
credit card numbers or regexp.
GUI configuration have yet to be implemented. In addition, Email filter File Filtering will only work on proxy mode
policies.

File Types Supported
File Filter in Email filter profile supports the following file types:
all Match any file
7z Match 7-zip files
arj Match arj compressed files
cab Match Windows cab files
lzh Match lzh compressed files
rar Match rar archives
tar Match tar files
zip Match zip files
bzip Match bzip files
gzip Match gzip files
bzip2 Match bzip2 files
xz Match xz files
bat Match Windows batch files
msc Match msc files
uue Match uue files
mime Match mime files
base64 Match base64 files
binhex Match binhex files
bin Match bin files
elf Match elf files
exe Match Windows executable files
hta Match hta files
html Match html files
jad Match jad files
class Match class files
cod Match cod files
javascript Match javascript files
msoffice Match MS-Office files. For example, doc, xls, ppt, and so on.
msofficex Match MS-Office XML files. For example, docx, xlsx, pptx, and so on.

fsg Match fsg files
upx Match upx files
petite Match petite files
aspack Match aspack files
prc Match prc files
sis Match sis files
hlp Match Windows help files
activemime Match activemime files
jpeg Match jpeg files
gif Match gif files
tiff Match tiff files
png Match png files
bmp Match bmp files
ignored Match ignored files
unknown Match unknown files
mpeg Match mpeg files
mov Match mov files
mp3 Match mp3 files
wma Match wma files
wav Match wav files
pdf Match pdf files
avi Match avi files
rm Match rm files
torrent Match torrent files
msi Match Windows Installer msi bzip files
mach-o Match Mach object files
dmg Match Apple disk image files
.net Match .NET files
xar Match xar archive files
chm Match Windows compiled HTML help files

iso Match ISO archive files
crx Match Chrome extension files
Configure File Filter from CLI
Using CLI, configuration for File Filtering is nested inside Email filter profile's configuration.
In File filtering configuration, file filtering functionality and logging is independent of the Email filter profile.
To block or log a file type, we must configure file filter entries. Within each entry we can specify a file-type, action
(log|block), protocol to inspect (http|ftp), direction we want to inspect traffic (incoming|outgoing|any), and if we should
match only encrypted files. In addition, in each file filter entry we can specify multiple file types. File filter entries are
ordered, however, blocked will take precedence over log.
In the example CLI below we want to file filter the following using Email filter profile:
1. Block EXE files from received or sent out (filter1).
2. Log the sending of document files (filter2).
edit "emailfilter-file-filter"
config file-filter
set status enable <--- Allow user to disable/enable file fil-
tering
set log enable <--- Allow user to disable/enable logging for
file filtering
set scan-archive-contents enable <--- Allow scanning of files inside archives
such as ZIP, RAR
config entries
edit "filter1"
set comment "Block executable files"
set protocol smtp imap pop3 <--- Inspect all email traffic
set action block <--- Block file once file type is matched
set encryption any <--- Inspect both encrypted and un-encrypted
files
set file-type "exe" <--- Choosing the file type to match
next
edit "filter2"
set comment "Log document files"
set protocol smtp <--- Inspect only SMTP traffic
set action log <--- Log file once file type is matched
set encryption any
set file-type "pdf" "msoffice" "msofficex" <--- Multiple file types can be con-
figured in a single entry
next
end
end
end
After configuring File Filter in Email filter profile, we must apply it to a firewall policy.
edit 1
set name "client-to-internet"

set srcintf "port2"

set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
set utm-inspection-mode proxy
set logtraffic all
set emailfilter profile "email-file-filter"
set nat enable
next
end
CLI Example:
File Filter action as "Block":

type="file_filter" level="warning" vd="vdom1" eventtime=1548458416 policyid=1 sessionid=2881
dstport=143 dstintf="port1" dstintfrole="undefined" proto=6 service="IMAP" action="blocked"
from="[email protected]" to="[email protected]" recipient="emailuser2" dir-
ection="incoming" subject="EXE file block" size="622346" attachment="yes" filename="putty.exe"
filtername="filter1" filetype="exe"
File Filter action as "Log":

type="file_filter" level="notice" vd="vdom1" eventtime=1548458596 policyid=1 sessionid=3205
dstport=25 dstintf="port1" dstintfrole="undefined" proto=6 service="SMTP" pro-
file="emailfilter-file-filter" action="detected" from="[email protected]" to="-
"[email protected]" sender="[email protected]"
recipient="[email protected]" direction="outgoing" subject="PDF file log" size-
e="390804" attachment="yes" filename="fortiauto.pdf" filtername="filter2" filetype="pdf"
Data Leak Prevention
The FortiGate Data Leak Prevention (DLP) system prevents sensitive data from leaving your network. Data matching
defined sensitive data patterns are blocked, logged, or allowed when passing through the FortiGate unit.
The DLP system is configured by creating individual filters based on file type, file size, a regular expression, an
advanced rule, or a compound rule in a DLP sensor, and assigning the sensor to a security policy.

A DLP sensor is made of filters that are configured within it. The filters examine traffic for:
l Known files used DLP Fingerprints
l Known files using DLP Watermark
l Files of a particular type
l Files with a particular name
l Files larger than a specified size
l Data matching a specified regular expression
l Credit card and SSN numbers
When a match to a filter is detected, the possible actions include:
l Allow: No action is taken, even if the pattern specified in the filter is matched.
l Log: The filter match is logged.
l Block: Traffic matching the filter is blocked.
l Quarantine IP address: Traffic matching the filter is blocked, and the client initiating the traffic is soure IP banned.
Filters are ordered, but there is no precedence between the possible actions
The primary use of the DLP feature is to stop sensitive data from the leaving the network. It can also be used to prevent
unwanted data from entering the network, and to archive some or all of the content that is passing through the
FortiGate device. DLP archiving is configured per filter, allowing for a single sensor that archives only the required data.
There are two forms of DLP archiving:
l Summary Only
A summary of all the activity that the sensor detected is recorded. For example, when an email message is
detected, the sender, recipient, message subject, and total size are recorded. When a user accesses the web,
every URL that they visit is recorded.
l Full
Detailed records of all the activity that the sensor detects is recorded. For example, when an email message is
detected, the message itself, including any attachments, is recorded. When a user accesses the web, every page
that they visit is archived.
Basic DLP filter types
Basic filter types can be configured using the GUI or CLI and include:
l File type and name
l File size

l Regular expression
l Credit card and SSN
File type and name
A file type filter allows you to block, allow, log, or quarantine based on the file type specified in the file filter list.
To configure file type and name filtering using the CLI:
1. Create a file pattern to filter files based on the file name patter or file type:
config dlp filepattern
edit <filepatern_entry_integer>
set name <string>
config entries
edit <file pattern>
set filter-type <type | pattern>
set file-type <file type>
next
end
next
end
For example, to filter for GIFs and PDFs:

config dlp filepattern
edit 11
set name “sample_config”
config entries
edit "*.gif"
set filter-type pattern
next
edit "pdf"
set filter-type type
set file-type pdf
next
end
next
end
2. Attach the file pattern to a DLP sensor, and specify the protocols and actions:
config dlp sensor
edit <string>
config filter
edit <integer>
set name <string>
set proto <smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi>
set filter-by file-type
set file-type 11 <-- Previously configured filepattern
set action <allow | log-only| block | quarantine-ip>
next
end
next
end

To configure file type and name filtering using the GUI:
1. Go to Security Profiles > Data Leak Prevention.

2. Click Create New. The New DLP Sensor page opens.
3. Click Add Filter in the filter table. The New Filter pane opens.
4. Set Type to Files and select Specify File Types.
5. Add file types by clicking in the File Types field and select file types from the side pane.
6. Add file name patterns by clicking in the File Name Patterns field:
a. In the side pane that opens, enter the pattern in the search bar.
b. Click Create.
c. Select the newly created pattern.

File size
A file size filter checks for files that exceed the specific size, and performs the DLP sensor's configured action on them.
To configure file size filtering using the CLI:
config dlp sensor

edit <string>
config filter
edit <integer>
set name <string>
set filter-by file-size <-- Match any file over with a size over the threshold
set file-type 11 <-- Previously configured filepattern
next
end
next
end
To configure file size filtering using the GUI:

4. Set Type to Files and select File size over.

5. Enter the maximum file size, in kilobytes, in the File size over field, then click OK.
Regular expression
A regular expression filter is used to filter files or messages based on the configured regular expression pattern.
To configure regular expression filtering using the CLI:
config dlp sensor

edit <string>
config filter
edit <integer>
set name <string>
set type <file | message> <-- Check contents of a file or of messages, web
pages, etc.
set filter-by regexp <-- Use a regular expression to match content
set regexp <regexp> <-- Input a regular expression pattern
next
end
next
end
To configure regular expression filtering using the GUI:

4. For filtering regular expressions in files, set Type to Files. For filtering in messages, set Type to Messages.
5. Select Regular Expression.

6. Enter the regular expression string in the Regular Expression field, then click OK.
Credit card and SSN
The credit card sensor can match the credit card number formats used by American Express, Mastercard, and Visa. It
can be used to filter files or messages.
The SSN sensor can be used to filter files or messages for Social Security Numbers.
To configure credit card or SSN filtering using the CLI:
config dlp sensor

edit <string>
config filter
edit <integer>
set name <string>
set type <file | message> <-- Check contents of a file, or of messages, web
pages, etc.
set filter-by < credit-card | ssn > <-- Match credit cards or social security
numbers

next
end
next
end
To configure credit card or SSN filtering using the GUI:

4. For filtering in files, set Type to Files. For filtering in messages, set Type to Messages.
5. Select Containing.
6. Select Credit Card # or SSN from the Containing drop-down list, then click OK.
DLP fingerprinting
DLP fingerprinting can be used to detect sensitive data. The file that the DLP sensor will filter for is uploaded and the
FortiGate generates and stores a checksum fingerprint. The FortiGate unit generates a fingerprint for all of the files that

are detected in network traffic, and compares all of the checksums stored in its database. If a match is found, the
configured action is taken.
Any type of file can be detected by DLP fingerprinting, and fingerprints can be saved for each revision of a file as it is
updated.
To use fingerprinting:
l Select the files to be fingerprinted by targeting a document source.
l Add fingerprinting filters to DLP sensors.
l Add the sensors to firewall policies that accept traffic that the fingerprinting will be applied on.
The document fingerprint feature requires a FortiGate device that has internal storage.
To configure a DLP fingerprint document:
config dlp fp-doc-source

edit <name_str>
set server-type smb
set server <string>
set period {none | daily | weekly | monthly}
set vdom {mgmt | current}
set scan-subdirectories {enable | disable}
set remove-deleted {enable | disable}
set keep-modified {enable | disable}
set username <string>
set file-path <string>
set file-pattern <string>
set sensitivity <Critical | Private | Warning>
set tod-hour <integer>
set tod-min <integer>
set weekday {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
set date <integer>
next
end
Command Description
server-type smb The protocol used to communicate with document server. Only
Samba (SMB) servers are supported.
server <string> IPv4 or IPv6 address of the server.
period {none | daily | weekly | monthly} The frequency that the FortiGate checks the server for new or
changed files.
vdom {mgmt | current} The VDOM that can communicate with the file server.
scan-subdirectories {enable | disable} Enable/disable scanning subdirectories to find files.

Command Description
remove-deleted {enable | disable} Enable/disable keeping the fingerprint database up to date when a
file is deleted from the server.
keep-modified {enable | disable} Enable/disable keeping the old fingerprint and adding a new one
when a file is changed on the server.
username <string> The user name required to log into the file server.
password <password> The password required to log into the file server.
file-path <string> The path on the server to the fingerprint files.
file-pattern <string> Files matching this pattern on the server are fingerprinted.
sensitivity <Critical | Private | Warning> The sensitivity or threat level for matches with this fingerprint
database.
tod-hour <integer> Set the hour of the day. This option is only available when period is
not none.
tod-min <integer> Set the minute of the hour. This option is only available when
period is not none.
weekday {sunday | monday | tuesday | Set the day of the week. This option is only available when period
wednesday | thursday | friday | saturday} is weekly.
date <integer> Set the day of the month. This option is only available when period
is monthly.
To configure a DLP fingerprint sensor:
config dlp sensor

edit <sensor name>
config filter
edit <id number of filter>
set proto {smtp | pop3 | imap http-get | http-post | ftp | nntp | mapi}
set filter-by fingerprint
set sensitivity {Critical | Private | Warning}
set match-percentage <integer>
set action {allow | log-only | block | ban | quarantine-ip}
next
end
next
end
Command Description
proto {smtp | pop3 | imap http-get | http-post | The protocol to inspect.

ftp | nntp | mapi}
filter-by fingerprint Match against a fingerprint sensitivity.
sensitivity {Critical | Private | Warning} Select a DLP file pattern sensitivity to match.
match-percentage <integer> The percentage of the checksum required to match before the sensor

Command Description
is triggered.
action {allow | log-only | block | ban | The action to take with content that this DLP sensor matches.
quarantine-ip}
View the DLP fingerprint database on the FortiGate
The CLI debug command diagnose test application dlpfingerprint can be used to display the
fingerprint information that is on the FortiGate.
Fingerprint Daemon Test Usage;
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
1 : This menu
2 : Dump database
3 : Dump all files
5 : Dump all chunk
6 : Refresh all doc sources in all VDOMs
7 : Show the db file size and the limit
9 : Display stats
10 : Clear stats
99 : Restart this daemon
For example, option 3 will dump all fingerprinted files:

DLP_WANOPT-CLT (global) # diagnose test application dlpfingerprint 3
DLPFP diag_test_handler called
File DB:
---------------------------------------
id, filename, vdom, archive, deleted, scanTime, docSourceSrvr,
sensitivity, chunkCnt, reviseCnt,
1, /fingerprint/upload/1.txt, vdom1, 0, 0, 1494868196, 1, 2,
1, 0,
2, /fingerprint/upload/30percentage.xls, vdom1, 0, 0, 1356118250, 1, 2,
13, 0,
3, /fingerprint/upload/50.pdf, vdom1, 0, 0, 1356118250, 1, 2,
122, 0,
4, /fingerprint/upload/50.pdf.tar.gz, vdom1, 0, 0, 1356118250, 1, 2,
114, 0,
5, /fingerprint/upload/check-list_AL-SIP_HA.xls, vdom1, 0, 0, 1356118251, 1,
2, 32, 0,
6, /fingerprint/upload/clean.zip, vdom1, 0, 0, 1356118251, 1, 2,
1, 0,
7, /fingerprint/upload/compare.doc, vdom1, 0, 0, 1522097410, 1, 2,
18, 0,
8, /fingerprint/upload/dlpsensor-watermark.pdf, vdom1, 0, 0, 1356118250, 1,
2, 11, 0,
9, /fingerprint/upload/eicar.com, vdom1, 0, 0, 1356118250, 1, 2,
1, 0,
10, /fingerprint/upload/eicar.zip, vdom1, 0, 0, 1356118250, 1, 2,
1, 0,
11, /fingerprint/upload/EMAIL-CONTENT-ARCHIVE.ppt, vdom1, 0, 0, 1356118250, 1,
2, 11, 0,
12, /fingerprint/upload/encrypt.zip, vdom1, 0, 0, 1356118250, 1, 2,
77, 0,
13, /fingerprint/upload/extension_7_8_1.crx, vdom1, 0, 0, 1528751781, 1,
2, 2720, 0,
14, /fingerprint/upload/fingerprint.txt, vdom1, 0, 0, 1498582679, 1, 2,

37, 0,
15, /fingerprint/upload/fingerprint90.txt, vdom1, 0, 0, 1498582679, 1, 2,
37, 0,
16, /fingerprint/upload/fo2.pdf, vdom1, 0, 0, 1450488049, 1, 2,
1, 0,
17, /fingerprint/upload/foo.doc, vdom1, 0, 0, 1388538131, 1, 2,
9, 0,
18, /fingerprint/upload/fortiauto.pdf, vdom1, 0, 0, 1356118251, 1, 2,
146, 0,
19, /fingerprint/upload/image.out, vdom1, 0, 0, 1531802940, 1, 2,
5410, 0,
20, /fingerprint/upload/jon_file.txt, vdom1, 0, 0, 1536596091, 1, 2,
1, 0,
21, /fingerprint/upload/machotest, vdom1, 0, 0, 1528751955, 1, 2,
19, 0,
22, /fingerprint/upload/nntp-server.doc, vdom1, 0, 0, 1356118250, 1, 2,
17, 0,
23, /fingerprint/upload/notepad++.exe, vdom1, 0, 0, 1456090734, 1, 2,
1061, 0,
24, /fingerprint/upload/nppIExplorerShell.exe, vdom1, 0, 0, 1438559930, 1,
2, 5, 0,
25, /fingerprint/upload/NppShell_06.dll, vdom1, 0, 0, 1456090736, 1, 2,
111, 0,
26, /fingerprint/upload/PowerCollections.chm, vdom1, 0, 0, 1533336889, 1,
2, 728, 0,
27, /fingerprint/upload/reflector.dmg, vdom1, 0, 0, 1533336857, 1, 2,
21117, 0,
28, /fingerprint/upload/roxio.iso, vdom1, 0, 0, 1517531765, 1, 2,
49251,0,
29, /fingerprint/upload/SciLexer.dll, vdom1, 0, 0, 1456090736, 1, 2,
541, 0,
30, /fingerprint/upload/screen.jpg, vdom1, 0, 0, 1356118250, 1, 2,
55, 0,
31, /fingerprint/upload/Spec to integrate FASE into FortiOS.doc, vdom1, 0, 0,
1356118251, 1, 2, 31, 0,
32, /fingerprint/upload/subdirectory1/subdirectory2/subdirectory3/hibun.aea, vdom1, 0,
0, 1529019743, 1, 2, 1, 0,
33, /fingerprint/upload/test.pdf, vdom1, 0, 0, 1356118250, 1, 2,
5, 0,
34, /fingerprint/upload/test.tar, vdom1, 0, 0, 1356118251, 1, 2,
3, 0,
35, /fingerprint/upload/test.tar.gz, vdom1, 0, 0, 1356118250, 1, 2,
1, 0,
36, /fingerprint/upload/test1.txt, vdom1, 0, 0, 1540317547, 1, 2,
1, 0,
37, /fingerprint/upload/thousand-files.zip, vdom1, 0, 0, 1536611774, 1, 2,
241, 0,
38, /fingerprint/upload/Thumbs.db, vdom1, 0, 0, 1445878135, 1, 2,
3, 0,
39, /fingerprint/upload/widget.pdf, vdom1, 0, 0, 1356118251, 1, 2,
18, 0,
40, /fingerprint/upload/xx00-xx01.tar, vdom1, 0, 0, 1356118250, 1, 2,
5, 0,
41, /fingerprint/upload/xx02-xx03.tar.gz, vdom1, 0, 0, 1356118251, 1, 2,
1, 0,

DLP watermarking
Watermarking marks files with a digital pattern to designate them as proprietary to a specific company. A small pattern
is added to the file that is recognized by the DLP watermark filter, but is invisible to the end user (except for text files).
FortiExplorer client, or a Linux-based command line tool, can be used to add a watermark to the following file types:
l .txt
l .doc and .docx
l .pdf
l .ppt and .pptx
l .xls and .xlsx
The following information is covered in this section:
l Watermarking a file with FortiExplorer.
l Watermarking a file with the Linux tool.
l Configuring a DLP sensor to detect watermarked files.
FortiExplorer
In this example, a watermark will be added to small text file. The content of the file is:
This is to show how DLP watermarking is done using FortiExplorer.
FortiExplorer can also be used to watermark an entire directory.
To watermark the text file with FortiExplorer:
1. Open the FortiExplorer client.

2. Select DLP Watermark from the left side bar.
3. Set Apply Watermark To to Select File.

4. Browse for the file, copy the file's path into the Select File field.
5. Set the Sensitivity Level. The available options are: Critical, Private, and Warning.
6. Enter a company identifier in the Identifier field.
7. Select the Output Directory where the watermarked file will be saved.

8. Click Apply Watermark. The file is watermarked.
9. The watermarked file content is changed to:

This is to show how DLP watermarking is done using FortiExplorer.=-=-=-=-=-=-=-=-=-=-=-
=-=-=-=-=-=-=-=identifier=FortiDemo sensitivity=Critical=-=-=-=-=-=-=-=-=-=-=-=-=-
=-=-=-=-=-=
The watermark pattern is visible in text files. For all other supported file types, it is
invisible.
Linux-based command line tool
A Linux-based command line tool can be used to watermark files. The tool can be executed is a Linux environment by
passing in files or directories of files.
To download the tool:
1. Log in to Fortinet Service and Support. A valid support contract is required.

2. Go to Download > Firmware Images.

3. Select the Download tab, and go to FortiGate/v5.00/5.0/5.0.0/WATERMARK.
4. Download the fortinet-watermark-linux.out file.
To run the tool:
Enter the following to run the tool on a file:

watermark_linux_amd64 <options> -f <file name> -i <identifier> -l <sensitivity level>
Enter the following to run the tool on a directory:

watermark_linux_amd64 <options> -d <directory> -i <identifier> -l <sensitivity level>
The following options are available:
-h Print this help.

-I Watermark the file in place (don't make a copy of the file).
-o The output file or directory.
-e Encode <to non-readable>.
-i Add a watermark identifier.
-l Add a watermark sensitivity level.
-D Delete a watermark identifier.
-L Delete a watermark sensitivity level.

DLP watermark sensor
A DLP watermark sensor must be configured to detect watermarked files.
To configure a DLP watermark sensor:
config dlp sensor

edit <sensor name>
config filter
edit <id number of filter>
set proto {smtp | pop3 | imap http-get | http-post | ftp | nntp | mapi} <-- Pro-
tocol to inspect
set filter-by watermark
set sensitivity {Critical | Private | Warning}
set company-identifier <string>
set action {allow | log-only | block | ban | quarantine-ip}
next
end
next
end

Inspection Modes
This section contains the following topics:

l About FortiOS inspection modes on page 447
l Recipes for inspection modes:
l Explicit proxy authentication on page 840
l SSL Inspection on page 454
About FortiOS inspection modes
FortiOS supports the following types of inspection modes:

l Flow-based inspection
l Proxy-based inspection
l Flow mode inspection (default mode) on page 447
l Proxy mode inspection on page 448
l Inspection mode feature comparison on page 448
l Inspection mode differences for Antivirus on page 449
l Inspection mode differences for Data Leak Prevention on page 450
l Inspection mode differences for Email Filter on page 450
l Inspection mode differences for Web Filter on page 451
Flow mode inspection (default mode)
When a firewall policy’s inspection mode is set to flow, traffic flowing through the policy will not be buffered by the
FortiGate. Unlike proxy mode, the content payload passing through the policy will be inspected on a packet by packet
basis with the very last packet held by the FortiGate until the scan returns a verdict. If a violation is detected in the
traffic, a reset packet is issued to the receiver, which terminates the connection, and prevents the payload from being
sent successfully.
Because of this method, flow mode inspection cannot be as thorough as proxy mode inspection and will have some
feature limitations. For example, flow mode inspection determines a file’s size by identifying the file size information in
the protocol exchange. If a file’s size is not present in the protocol exchange, the file’s size cannot be identified. The
flow-based policy will automatically block or pass the file (based on the configuration) despite the file meeting the file
size requirements.
The objective of flow-based policy is to optimize performance and increase throughput. Although it is not as thorough as
a proxy-based policy, flow mode inspection is still very reliable.

Proxy mode inspection
When a firewall policy’s inspection mode is set to proxy, traffic flowing through the policy will be buffered by the
FortiGate for inspection. This means that the packets for a file, email message, or web page will be held by the
FortiGate until the entire payload is inspected for violations (virus, spam, or malicious web links). After FortiOS has
finished the inspection, the payload is either released to the destination (if traffic is clean) or dropped and replaced with
a replacement message (if traffic contains violations).
To optimize inspection, the policy can be configured to block or ignore files or messages that exceed a certain size. To
prevent the receiving end user from timing out, client comforting can be applied, which allows small portions of the
payload to be sent while it is undergoing inspection.
Proxy mode provides the most thorough inspection of the traffic; however, its thoroughness sacrifices performance,
making its throughput slower than that of a flow-mode policy. Under normal traffic circumstances, the throughput
difference between a proxy-based and flow-based policy is not significant.
Inspection mode feature comparison
The following table shows which UTM profile can be configured on a flow mode or proxy mode inspection policy.
Remember that some UTM profiles are hidden in the GUI, but can be configured by using the FortiOS CLI.
Flow Mode Inspection Policy Proxy Mode Inspection Policy
UTM Profile GUI CLI GUI CLI
Antivirus Yes (2) Yes (2) Yes Yes
Application Control Yes Yes Yes Yes
CIFS Inspection No No No (1) Yes
Data Leak Prevention No Yes (3) Yes Yes
DNS Filter Yes Yes Yes Yes
Email Filter No Yes (4) Yes Yes
ICAP No No Yes Yes
Intrusion Prevention System Yes Yes Yes Yes
SSL/SSH Inspection Yes Yes Yes Yes
VoIP No No Yes Yes
Web Filter Yes (5) Yes (5) Yes Yes
Web Application Firewall No No Yes Yes
1. CIFS inspection cannot be configured via GUI.

2. Some Antivirus features are not supported in flow mode inspection. See Inspection mode differences for Antivirus
on page 449.
3. Some Data Leak Prevention features are not supported in Flow mode inspection. See Inspection mode differences
for Data Leak Prevention on page 450.

4. Some Email filter features are not supported in Flow mode inspection. See Inspection mode differences for Email
Filter on page 450.
5. Some Web Filter features are not supported in Flow mode inspection. See Inspection mode differences for Web
Filter on page 451.
Inspection mode differences for Antivirus
This section identifies the behavioral differences between Antivirus operating in flow and proxy inspection.
Feature comparison between Antivirus inspection modes
The following table indicates which Antivirus features are supported by their designated scan modes.
Part1 Replacement Content Mobile Virus Sandbox NAC Quar-

Message Disarm Malware Outbreak Inspection antine
Proxy Yes Yes Yes Yes Yes Yes
Flow Full Mode Yes* No Yes Yes Yes Yes
Flow Quick Mode Yes* No No No Yes Yes
*IPS Engine caches the URL and a replacement message will be presented after the second attempt.
Part 2 Archive Emulator Client Com- Infection Heuristics Treat

Blocking forting Quarantine EXE as
Virus
Proxy Yes Yes Yes Yes (1) Yes Yes (2)
Flow Full Mode Yes Yes No Yes (1) Yes Yes (2)
Flow Quick Mode No No No No No No
1. Only available on FortiGate models with HDD or when FortiAnalyzer or FortiCloud is connected and enabled.
2. Only applies to inspection on IMAP, POP3, SMTP, and MAPI protocols.
Protocol comparison between Antivirus inspection modes
The following table indicates which protocols can be inspected by the designated Antivirus scan modes.
HTTP FTP IMAP POP3 SMTP NNTP MAPI CIFS
Proxy Yes Yes Yes Yes Yes Yes Yes Yes*
Flow Full Mode Yes Yes Yes Yes Yes No No Yes
Flow Quick Mode Yes Yes Yes Yes Yes No No Yes
* Proxy mode Antivirus inspection on CIFS protocol has the following limitations:
l Cannot detect infections within archive files
l Cannot detect oversized files

l Will block special archive types by default

l IPv6 is not supported yet (at the time of FOS v6.2.0 GA)
Other Antivirus differences between inspection modes
Flow Quick mode uses a separate pre-filtering database for malware detection as opposed to the full AV signature
database that Flow Full and Proxy mode inspection use.
Proxy mode uses pre-scanning and stream-based scanning for HTTP traffic. This allows archive files that exceed the
oversize limit to be uncompressed and scanned for infections.
Inspection mode differences for Data Leak Prevention
This section identifies the behavioral differences between Data Leak Prevention (DLP) operating in flow and proxy
inspection.
Feature comparison between DLP inspection modes
The following table indicates which DLP filters are supported by their designated inspection modes.
Credit SSN Filter Regex File- File-Pat- Fingerprint Watermark Encrypted File-

Card Filter Type tern Fil- Filter Filter Filter Size
Filter Filter ter Filter
Proxy Yes Yes Yes Yes Yes Yes Yes Yes Yes
Flow Yes Yes Yes No Yes No No Yes Yes*
*File-size filtering will only work if file size is present in the protocol exchange.
Protocol comparison between DLP inspection modes
The following table indicates which protocols can be inspected by DLP based on the specified inspection modes.
HTTP FTP IMAP POP3 SMTP NNTP MAPI CIFS
Proxy Yes Yes Yes Yes Yes Yes Yes No
Flow Yes Yes Yes Yes Yes No No No
Inspection mode differences for Email Filter
This section identifies the behavioral differences between Email Filter operating in flow and proxy inspection.

Feature comparison between Email Filter inspection modes
The following table indicates which Email Filters are supported by their designated inspection modes.
SMTP POP3 IMAP MAPI
Proxy Yes Yes Yes Yes
Flow Yes Yes Yes No
Feature comparison between Email Filter inspection modes
The following tables indicate which Email Filters are supported by the specified inspection modes for local filtering and
FortiGuard-assisted filtering.
Local Filtering Banned Black/ HELO/ Return DNSBL/ MIME File

Word White EHLO Address ORBL Header Filter
Check List DNS Check DNS Check Check Check
Proxy Yes Yes Yes Yes Yes Yes Yes
Flow Yes No No No No Yes No
FortiGuard-Ass- Phishing Anti-Spam Submit Spam Spam Email Spam

isted Filtering URL Check Black List to FortiGuard Checksum URL Check
Check Check
Proxy Yes Yes Yes Yes Yes
Flow No No No No No
Inspection mode differences for Web Filter
This section identifies the behavioral differences between Web Filter operating in flow and proxy inspection.
Feature comparison between Web Filter inspection modes
The following table indicates which Web Filter features are supported by their designated inspection modes.
FortiGuard Category Override File Search Static Rating Proxy

Category- Usage Blocked Filter Engines URL Filter Option Option
Based Fil- Quota Categories
ter
Proxy Yes Yes Yes Yes Yes Yes Yes Yes
Flow Yes (1) No Yes (2) No No Yes Yes No
1. Local Category and Remote Category filters do not support the warning and authenticate actions.
2. Local Category and Remote Category filters cannot be overridden.

Proxy mode inspection use case
Because proxy mode provides the most thorough inspection, it is recommended that you apply proxy inspection to
policies where preventing a data leak or malicious content is critical.
The following scenarios demonstrate common use cases for proxy inspection.
Scenario 1
Your organization deals with sensitive data on a regular basis and a data leak would significantly harm your business. At
the same time, you wish to protect your employees from malicious content, such as viruses and phishing emails, which
could be used to gain access to your network and the sensitive data on your systems.
In this scenario, a proxy inspection policy is recommended to prioritize network security. We want traffic inspection to be
as thorough as possible to avoid any data leaks from exiting the LAN and any malicious content from entering it. On this
policy, we will apply the virus filter, DLP filter, Web Filter, and email filter all operating in proxy mode.
Scenario 2
You have a corporate mail server in your domain, which is used by your employees for everyday business activities. You
want to protect your employees from phishing emails and viruses. At the same time, you want to also protect your web
servers from external attacks.

In this scenario, a proxy inspection policy is recommended to prioritize the safety of employee emails. Applying the
antivirus and email filter in this mode allows us to most reliably filter out any malware and spam emails received by the
mail servers via SMTP or MAPI. The IPS sensor can be used to prevent DOS attacks on the mail servers.
Flow mode inspection use case
It is recommended that flow inspection is applied to policies that prioritize traffic throughput, such as allowing
connections to be made towards a streaming or file server.
You have an application server which accepts connections from users for the daily quiz show app, HQ. Each HQ session
sees 500,000+ participants, and speed is very important because participants have less than 10 seconds to answer the
quiz show questions.
In this scenario, a flow inspection policy is recommended to prioritize throughput. The success of the application
depends on providing reliable service for large numbers of concurrent users. We will apply an IPS sensor to this policy to
protect the server from external DOS attacks.

SSL Inspection

l Certificate inspection on page 454
l Deep inspection on page 455
l Protecting SSL Server on page 458
Certificate inspection
FortiGate supports certificate inspection. The default configuration has a built-in certificate-inspection profile which you
can use directly. When you use certificate inspection, the FortiGate only inspects the header information of the packets.
If you do not want to deep scan for privacy reasons but you want to control web site access, you can use certificate-
inspection.
Inspect non-standard HTTPS ports
The built-in certificate-inspection profile is read-only and only listens on port 443. If you want to make changes, you
must create a new certificate inspection profile.
If you know the non-standard port that the web server uses, such as port 8443, you can add this port to the HTTPS field.
If you do not know which port is used in the HTTPS web server, you can select Inspect All Ports.

Block untrusted or allow invalid certificate
The default setting in the certificate-inspection profile is to block invalid certificates and allow untrusted certificates.
For example, the server certificate has expired but you still want to access this server until you have a new server
certificate. But because certificate inspection cannot do an exemption, you have to allow the invalid certificate in your
SSL profile. This means you need to create a new certificate inspection profile using the built-in read-only certificate-
inspection.
Deep inspection
You typically apply deep inspection to outbound policies where destinations are unknown. You can configure address
and web category white lists to bypass SSL deep inspection.

Reasons for using deep inspection
While Hypertext Transfer Protocol Secure (HTTPS) offers protection on the Internet by applying Secure Sockets Layer
(SSL) encryption to web traffic, encrypted traffic can be used to get around your network's normal defenses.
For example, you might download a file containing a virus during an e-commerce session, or you might receive a
phishing email containing a seemingly harmless download that, when launched, creates an encrypted session to a
command and control (C&C) server and downloads malware onto your computer. Because the sessions in these attacks
are encrypted, they might get past your network's security measures.
When you use deep inspection, the FortiGate impersonates the recipient of the originating SSL session, then decrypts
and inspects the content to find threats and block them. It then re-encrypts the content and sends it to the real recipient.
Deep inspection not only protects you from attacks that use HTTPS, it also protects you from other commonly-used
SSL-encrypted protocols such as SMTPS, POP3S, IMAPS, and FTPS.
Browser messages when using deep inspection
When FortiGate re-encrypts the content, it uses a certificate stored on the FortiGate such as Fortinet_CA_SSL,
Fortinet_CA_Untrusted, or your own CA certificate that you uploaded.
Because there is no Fortinet_CA_SSL in the browser trusted CA list, the browser displays an untrusted certificate
warning when it receives a FortiGate re-signed server certificate. To stop the warning messages, trust the FortiGate-
trusted CA Fortinet_CA_SSL and import it into your browser.
After importing Fortinet_CA_SSL into your browser, if you still get messages about untrusted certificate, it must be due
to Fortinet_CA_Untrusted. Never import the Fortinet_CA_Untrusted certificate into your browser.
To import Fortinet_CA_SSL into your browser:
1. On the FortiGate, go to Security Profiles > SSL/SSH Inspection and select deep-inspection.

2. The default CA Certificate is Fortinet_CA_SSL.

3. Select Download Certificate.
4. On the client PC, double-click the certificate file and select Open.

5. Select Install Certificate to launch the Certificate Import Wizard and use the wizard to install the certificate into
the Trusted Root Certificate Authorities store.
If a security warning appears, select Yes to install the certificate.
Exempt web sites from deep inspection
If you do not want to apply deep inspection for privacy or other reasons, you can exempt the session by address,
category, or white list.
If you know the address of the server you want to exempt, you can exempt that address. You can exempt specific
address type including IP address, IP address range, IP subnet, FQDN, wildcard-FQDN, and geography.
If you want to exempt all bank web sites, an easy way is to exempt the Finance and Banking category which includes all
finance and bank web sites identified in FortiGuard.

If you want to exempt commonly trusted web sites, you can bypass the SSL white list in the SSL/SSH profile. The white
list includes common web sites trusted by FortiGuard. Simply enable Reputable Websites.
Protecting SSL Server
You typically use the FortiGate Protecting SSL Server profile as an inbound policy for clients on the Internet accessing
the server on the internal side of the FortiGate.

Protecting SSL Server uses a server certificate to protect a single server.

If you do not want a client in the Internet accessing your internal server directly and you want FortiGate to simulate your
real server, you can use Protecting SSL Server.
To upload a server certificate into FortiGate and use that certificate in the SSL/SSH Inspection Profile:
1. Go to System > Certificates.

2. Select Import > Local Certificate and upload the certificate.
3. Go to Security Profiles > SSL/SSH Inspection and select Protecting SSL Server.
When you apply this Protecting SSL Server profile in a policy, FortiGate will send the server certificate to the client as
your server does.

Endpoint control and compliance
Dynamic policies - FortiClient EMS
The FortiClient EMS FSSO connector allows objects to be defined in FortiOS that map to tags and groups on EMS.
EMS dynamically updates these endpoint groups when host compliance or other events occur, causing FortiOS to
dynamically adjust its security policies based on the group definitions.
EMS supports creating compliance verification rules based on various criteria (see Provisioning on EMS on page 468).
When a FortiClient endpoint registers to EMS, EMS dynamically groups them based on these rules. FortiOS can receive
the dynamic endpoint groups from EMS as tags via the FSSO protocol using an FSSO agent that supports SSL and
imports trusted certificates.
After FortiOS pulls the tags from EMS, they can be used as members in user groups that can have dynamic firewall
policies applied to them. When an event occur, EMS sends an update to FortiOS, and the dynamic policies are updated.
The following instructions assume EMS is installed, configured, and has endpoints connected. For information on
configuring EMS, see the FortiClient EMS Administration Guide.
The following steps provide an example of configuring a dynamic policy:
1. Add a compliance verification rule in EMS on page 460
2. Configure an EMS FSSO agent on page 461
3. Configure user groups on page 462
4. Create a dynamic firewall policy on page 463
Add a compliance verification rule in EMS
This example creates a compliance verification rule that applies to endpoints that have Windows 10 installed.
For more information see Compliance verification in the FortiClient EMS Administration Guide.
To create a compliance verification rule in EMS:
1. In EMS, go to Compliance Verification > Compliance Verification Rules.

2. Click Add.
3. In the Name field, enter the desired rule name.
EMS uses the tag name to dynamically group endpoints, not the rule name configured in this field.
4. Turn Status on to enable the rule.
5. For Type, select Windows, Mac, or Linux. This affects what rule types are available. In this example, Windows is
selected.
6. From the Rule dropdown list, select the rule type and configure the related options. Ensure you click the + button
after entering each criterion.
In this example, OS Version is selected from the Rule dropdown list, and Windows 10 is selected from the OS
Version dropdown list.
7. Under Assign to, select All.

8. In the Tag endpoint as dropdown list, select an existing tag or enter a new tag. In this example, a new tag, WIN10_
EMS134, is created. EMS uses this tag to dynamically group together endpoints that satisfy the rule, as well as any
other rules that are configured to use this tag.
9. Click Save.
10. Go to Compliance Verification > Host Tag Monitor. All endpoints that have Windows 10 installed are shown
grouped by the WIN10_EMS134 tag.
Configure an EMS FSSO agent
In this example, the FSSO agent name is EMS_FSSO_connector, and the EMS server is located at 172.18.64.7.
To configure the EMS FSSO agent in FortiOS in the GUI:

3. In the SSO/Identity section, click Fortinet Single Sign-On Agent.
4. Fill in the Name, and Primary FSSO Agent server IP address or name and Password.
5. Set the User Group Source to Collector Agent.
User groups will be pushed to the FortiGate from the collector agent. Click Apply & Refresh to fetch group filters
from the collector agent.

6. Click OK.
To configure the EMS FSSO agent in FortiOS in the CLI:
config user fsso

edit "ems_QA_connector"
set server "172.18.64.7"
set password ******
set type fortiems
set ssl enable
next
end
Configure user groups
In this example, the user group is named ems_QA_group, and includes six dynamic endpoint groups that were pulled
from EMS as members.
To configure a user group based on EMS tags in the GUI:
1. Go to User & Device > User Groups.

3. In the Name field, enter ems_QA_group.
4. For Type, select Fortinet Single Sign-On (FSSO).
5. In the Members field, click +. The Select Entries pane appears. The dynamic endpoint groups pulled from
EMS have names that begin with TAG_, followed by the tag name in EMS.
6. Select the desired dynamic endpoint groups. Endpoints that currently belong to these groups in EMS will be
members of this FortiOS user group.

7. Click OK.
To configure a user group based on EMS tags in the CLI:
config user group

edit "ems_QA_group"
set group-type fsso-service
set authtimeout 0
set http-digest-realm ''
set member "TAG_FILE_QA_EMS" "TAG_LINUX1604_QA_EMS" "TAG_MACOS_QA_EMS" "TAG_WIN10_QA_
EMS" "TAG_WIN7_QA_EMS" "TAG_WINSCP_QA_EMS"
next
end
Create a dynamic firewall policy
You can now create a dynamic firewall policy for the user group. In this example, an IPv4 policy is created for the user
group.
To create a dynamic firewall policy for the user group in the GUI:

3. In the Source field, click +. The Select Entries pane opens.
a. On the User tab, select the ems_QA_group group.
b. Click Close.

4. Configure the other policy settings options as required.
5. Click OK.
6. Go to Policy & Objects > IPv4 Policy to ensure the policy was created and applied to the desired user group.
FortiOS will update this policy when it receives updates from EMS.
To create a dynamic firewall policy for the user group in the CLI:

edit 4
set name 44
set srcintf port12
set dstintf port11
set srcaddr "all" "ems_QA_group" "Win10_group"
set dstaddr pc5-address
set action accept
set schedule always
set service ALL
next
end
Diagnostics
To list endpoint records, use the following CLI command:

diagnose endpoint record-list
Record #1:
IP_Address = 10.1.100.120(3)
MAC_Address = 00:0c:29:36:4e:61
Host MAC_Address = 00:0c:29:36:4e:61
MAC list = 00-0c-29-36-4e-57;00-0c-29-36-4e-61;
VDOM = vdom1
EMS serial number: FCTEMS3688727941
Quarantined: no

Online status: online

On-net status: on-net
FortiClient connection route: Direct
FortiClient communication interface index: 19
DHCP server:
Dirty_onnet_addr: yes
FortiClient version: 6.2.0
AVDB version: 67.558
FortiClient app signature version: 14.586
FortiClient vulnerability scan engine version: 2.28
FortiClient feature version status: 0
FortiClient UID: FA4AFAF6F92442E69DC7D67ABE64BDBA (0)
FortiClient KA interval dirty: 0
FortiClient Full KA interval dirty: 0
Auth_AD_groups:
Auth_group: ems_QA_group
Auth_user: FRANK
Host_Name: DESKTOP-FJEVH8U
OS_Version: Microsoft Windows 10 Professional Edition, 64-bit (build 17763)
Host_Description: AT/AT COMPATIBLE
Domain:
Last_Login_User: frank
Host_Model: VMware Virtual Platform
Host_Manufacturer: VMware, Inc.
CPU_Model: Intel(R) Xeon(R) CPU E5-2630 v4 @ 2.20GHz
Memory_Size: 4096
Installed features: 375
Enabled features: 177
Last vul message received time: N/A
Last vul scanned time: N/A
Last vul statistic: critical=0, high=0, medium=0, low=0, info=0
Avatar source username: frank
Avatar source email:
Avatar source: Client Operating System
Phone number:
online records: 1; offline records: 0; quarantined records: 0
To list authenticated IPv4 users, use the following CLI command:

diagnose firewall auth list
2.2.2.1, JONATHANWONG
type: fsso, id: 0, duration: 18955, idled: 18955
server: ems_QA_connector
packets: in 0 out 0, bytes: in 0 out 0
10.1.100.111, FRANK111
group_id: 5
group_name: ems_QA_group
10.1.100.120, FRANK
group_id: 5

10.1.100.141, ADMINISTRATOR
group_id: 5
...
...
----- 23 listed, 0 filtered ------
FGT_EC_A (vdom1) # dia de authd fsso list

----FSSO logons----
IP: 2.2.2.1 User: JONATHANWONG Groups: 6B8028751BF3457BA172EE3795A2BDA8 Workstation:
VAN-201740-PC
IP: 10.1.100.111 User: FRANK111 Groups: ECF57781AE384D6A9A4D2D72CB5169C6+TAG_LINUX1604_
QA_EMS Workstation: FRANK111- VIRTUAL-MACHINE MemberOf: ems_QA_group
IP: 10.1.100.120 User: FRANK Groups: FA4AFAF6F92442E69DC7D67ABE64BDBA+TAG_WIN10_QA_EMS
Workstation: DESKTOP-FJEVH8U MemberOf: ems_QA_group
IP: 10.1.100.141 User: ADMINISTRATOR Groups: 6D21827915CE445F8A85F9E6BAA0C57A+TAG_VULN_
EMS_QA+TAG_WIN7_QA_EMS Workstation: LHWIN7A MemberOf: ems_QA_group
....
....
Total number of logons listed: 23, filtered: 0

----end of FSSO logons----
Per-policy disclaimer messages
FortiOS supports a customizable captive portal to direct users to install or enable required software.
Per-policy custom disclaimers in each VDOM are supported. For example, you may want to configure three firewall
policies, each of which matches traffic from endpoints with different FortiClient statuses:
Endpoint status FortiOS behavior
Endpoint does not have Traffic matches a firewall policy that displays an in-browser warning to install
FortiClient installed. FortiClient from the provided link.
Endpoint has FortiClient Traffic matches a dynamic firewall policy which allows the endpoint to reach its
installed, registered to EMS, and destination via this policy.
connected to the FortiGate.
Endpoint is deregistered from Traffic matches another dynamic firewall policy that displays warning to register
EMS and disconnected from the FortiClient to EMS.
FortiGate.
To enable per-policy disclaimer messages:
config user setting

set auth-cert "Fortinet_Factory"

set per-policy-disclaimer enable

end
To configure per-policy disclaimers in the GUI:
1. Enable the per-policy disclaimer messages.

3. Edit the policy that applies when an endpoint does not have FortiClient installed.
4. Under Disclaimer Options, enable Display Disclaimer.
5. Enable Customize Messages then click Edit Disclaimer Message. The default disclaimer message is shown.
6. Edit the message to warn users to install FortiClient, and provide the FortiClient download link.
7. Click Save.
8. Repeat steps 2-6 for each policy that requires a custom disclaimer message.
To configure per-policy disclaimers in the CLI:

edit 1
set name "111"
set uuid c3ad8da0-bd7c-51e8-c0da-fe9053bf35ae
set srcaddr "all"
set dstaddr "pc155_address"
set action accept
set service "ALL"
set wsso disable
set groups "ems_03_group"
set disclaimer enable
set replacemsg-override-group "test"
set nat enable

next
edit 4
set name "44"
set uuid 686ea2ca-348d-51e9-9dca-b2b4b4aabbe2
set srcaddr "all"
set dstaddr "pc5-address"
set action accept
set service "ALL"
set wsso disable
set groups "ems_03_group"
set disclaimer enable
set replacemsg-override-group "test2"
set nat enable
next
edit 6
set name "66"
set uuid f1034e52-36d5-51e9-fbae-da21922ccd10
set srcaddr "all"
set dstaddr "all"
set status disable
set service "ALL"
set logtraffic all
set fsso disable
set block-notification enable
set replacemsg-override-group "endpoint-override"
next
end
Provisioning on EMS
FortiClient EMS supports creating compliance verification rules based on:

l Certificate
l Logged in Domain
l File
l OS Version
l Running Process
l Registry Key

The rules are pulled by the FortiGate as TAGs, using the FSSO protocol. The FortiGate uses the TAGs as members in
user groups, and applies them to dynamic firewall policies to perform authentication.
For information about FortiClient EMS, see the FortiClient EMS Administration Guide.
To configure predefined compliance verification rules on EMS:
1. Create endpoint groups for different FortiClient endpoints.

2. Configure endpoint profiles, which are used in endpoint policies.
3. Configure telemetry gateway lists, which are also used in endpoint policies.

4. Configure endpoint policies, which assign endpoint profiles, gateways, and groups.
5. Configure FortiClient installers and deployment packages.

6. Enable the deployment function in certain endpoint profiles.

IPsec VPNs
Basic site-to-site VPN
IPsec VPN in an HA environment
This recipe provides sample configuration of site-to-site IPsec VPN in an HA environment. You must enable two options
to ensure IPsec VPN traffic does not interrupt during an HA failover:
l session-pickup under HA settings
l ha-sync-esp-seqno under IPsec phase1-interface settings
The following shows the sample network topology for this recipe:
You can configure IPsec VPN in an HA environment using the FortiOS GUI or CLI.
In this examples below, the VPN name for HQ1 is "to_HQ2", and the VPN name for HQ2 is "to_HQ1".
To configure IPsec VPN in an HA environment on the GUI:
1. Set up HA as described in the HA topics.

2. Set up IPsec VPN on HQ1 (the HA cluster):
a. Go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
i. Enter a proper VPN name.
ii. For Template Type, choose Site to Site.
iii. For Remote Device Type, select FortiGate.
iv. For NAT Configuration, set No NAT Between Sites.
v. Click Next.
b. Configure the following settings for Authentication:
i. For Remote Device, select IP Address.
ii. In the IP address field, enter 172.16.202.1.
iii. In the Outgoing Interface field, enter port1.
iv. For Authentication Method, select Pre-shared Key.
v. In the Pre-shared Key field, enter an example key.
vi. Click Next.

IPsec VPNs 474
c. Configure the following settings for Policy & Routing:

i. From the Local Interface dropdown menu, select the desired local interface.
ii. Configure the Local Subnets as 10.1.100.0/24.
iii. Configure the Remote Subnets as 172.16.101.0/24.
iv. Click Create.
3. Set up IPsec VPN on HQ2:
iv. For NAT Configuration, set No NAT Between Sites.
v. Click Next.
ii. In the IP address field, enter 172.16.200.1.
iii. In the Outgoing Interface field, enter port13.
v. In the Pre-shared Key field, enter an example key.
vi. Click Next.
i. From the Local Interface dropdown menu, select the desired local interface. In this example, it is port9.
ii. Configure the Local Subnets as 172.16.101.0.
iii. Configure the Remote Subnets as 10.1.100.0
iv. Click Create.
To configure IPsec VPN in an HA environment using the CLI:
1. Configure HA. In this example, two FortiGates work in active-passive mode. The HA heartbeat interfaces are
WAN1 and WAN2:
config system ha
set group-name "FGT-HA"
set mode a-p
set password sample
set hbdev "wan1" 50 "wan2" 50
set session-pickup enable
set priority 200
set override-wait-time 10
end
2. Configure the WAN interface and default route. The WAN interface is the interface connected to the ISP. It can
work in static mode (as shown in the example), DHCP, or PPPoE mode. The IPsec tunnel is established over the
WAN interface.
a. Configure HQ1:
edit "port1"
set vdom "root"
set ip 172.16.200.1 255.255.255.0
next
end

IPsec VPNs 475

edit 1
set device "port1"
next
end
b. Configure HQ2:
edit "port25"
set vdom "root"
set ip 172.16.202.1 255.255.255.0
next
end
edit 1
set device "port25"
next
end
3. Configure the internal (protected subnet) interface. The internal interface connects to corporate internal network.
Traffic from this interface routes out the IPsec VPN tunnel.
a. Configure HQ1:
edit "dmz"
set vdom "root"
set ip 10.1.100.1 255.255.255.0
next
end
b. Configure HQ2:
edit "port9"
set vdom "root"
set ip 172.16.101.1 255.255.255.0
next
end
4. Configure the IPsec phase1-interface. In this example, PSK is used as the authentication method. Signature
authentication is also an option.
a. Configure HQ1:
edit "to_HQ2"
set peertype any
set net-device enable
set ha-sync-esp-seqno enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set psksecret sample
next
end
b. Configure HQ2:
edit "to_HQ1"
set peertype any

IPsec VPNs 476
set ha-sync-esp-seqno enable

next
5. Configure the IPsec phase2-interface:
a. Configure HQ1:
edit "to_HQ2"
set phase1name "to_HQ2"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm
aes256gcm chacha20poly1305
set auto-negotiate enable
next
end
b. Configure HQ2:
edit "to_HQ1"
next
end
6. Configure static routes. Two static routes are added to reach the remote protected subnet. The blackhole route is
important to ensure that IPsec traffic does not match the default route when the IPsec tunnel is down.
a. Configure HQ1:
edit 2
set dst 172.16.101.0 255.255.255.0
set device "to_HQ2"
next
edit 3
set dst 172.16.101.0 255.255.255.0
set blackhole enable
set distance 254
next
end
b. Configure HQ2:
edit 2
set dst 10.1.100.0 255.255.255.0
set device "to_HQ1"
next
edit 3
set dst 10.1.100.0 255.255.255.0
set distance 254
next
end
7. Configure two firewall policies to allow bi-directional IPsec traffic flow over the IPsec tunnel:
a. Configure HQ1:
edit 1
set name "inbound"

IPsec VPNs 477
set srcintf "to_HQ2"

set dstintf "dmz"
set srcaddr "172.16.101.0"
set dstaddr "10.1.100.0"
set action accept
set service "ALL"
next
edit 2
set name "outbound"
set srcintf "dmz"
set dstintf "to_HQ2"
set srcaddr "10.1.100.0"
set dstaddr "172.16.101.0"
set action accept
set service "ALL"
next
end
b. Configure HQ2:
edit 1
set name "inbound"
set dstintf "port9"
set srcaddr "10.1.1.00.0"
set dstaddr "172.16.101.0"
set action accept
set service "ALL"
next
edit 2
set name "outbound"
set srcintf "port9"
set srcaddr "172.16.101.0"
set action accept
set service "ALL"
next
end
8. Run diagnose commands. These diagnose commands are useful to check IPsec phase1/phase2 interface
statuses, including the sequence number on the secondary FortiGate. The diagnose debug application
ike -1 command is the key to figure out why the IPsec tunnel failed to establish.
a. Run the HQ1 # diagnose vpn ike gateway list command. The system should return the following:
vd: root/0
name: to_HQ2
version: 1
interface: port1 11
addr: 172.16.200.1:500 -> 172.16.202.1:500
created: 5s ago
IKE SA: created 1/1 established 1/1 time 0/0/0 ms
IPsec SA: created 2/2 established 2/2 time 0/0/0 ms

IPsec VPNs 478
id/spi: 12 6e8d0532e7fe8d84/3694ac323138a024 direction: responder status:

established 5-5s ago = 0ms proposal: aes128-sha256 key: b3efb46d0d385aff-
7bb9ee241362ee8d lifetime/rekey: 86400/86124 DPD sent/recv: 00000000/00000000
b. Run the HQ1 # diagnose vpn tunnel list command. The system should return the following:
name=to_HQ2 ver=1 serial=1 172.16.200.1:0->172.16.202.1:0

bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_
dev frag-rfc accept_traffic=1
proxyid=to_HQ2 proto=0 sa=1 ref=2 serial=1 auto-negotiate
src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0 SA: ref=3 options=18227 type=00
soft=0 mtu=1438 expire=42927/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 itn=0
life: type=01 bytes=0/0 timeout=42930/43200 dec: spi=ef9ca700 esp=aes key=16
a2c6584bf654d4f956497b3436f1cfc7
ah=sha1 key=20 82c5e734bce81e6f18418328e2a11aeb7baa021b
enc: spi=791e898e esp=aes key=16 0dbb4588ba2665c6962491e85a4a8d5a
ah=sha1 key=20 2054b318d2568a8b12119120f20ecac97ab730b3
ESP seqno synced to primary FortiGate every five minutes, and big gap between primary and secondary to
ensure that no packet is dropped after HA failover caused by tcp-replay. Check ESP sequence number synced
on secondary FortiGate.
c. Run the HQ1 # execute ha manage 0 admin command:
d. Run the HQ1-Slave # diagnose vpn tunnel list command. The system should return the
following:

seqno=47868c01 esn=0 replaywin_lastseq=00000000 itn=0
life: type=01 bytes=0/0 timeout=42930/43200 dec: spi=ef9ca700 esp=aes key=16
a2c6584bf654d4f956497b3436f1cfc7
OSPF with IPsec VPN to achieve network redundancy
This recipe provides sample configuration of using OSPF with IPsec VPN to achieve network redundancy. Route
selection is based on OSPF cost calculation. It is easy to achieve ECMP or primary/secondary routes by adjusting OSPF

IPsec VPNs 479
path cost.
As only partial configuration can be completed from the GUI, it is recommended to achieve this configuration via the
CLI commands as shown below.
To configure OSPF with IPsec VPN to achieve network redundancy using the CLI:
1. Configure the WAN interface and static route. Each FortiGate has two WAN interfaces connected to different ISPs.
The ISP1 link is for the primary FortiGate and the IPS2 link is for the secondary FortiGate:
a. Configure HQ1:
edit "port1"
set alias to_ISP1
set ip 172.16.200.1 255.255.255.0
next
edit "port2"
set alias to_ISP2
set ip 172.17.200.1 255.255.255.0
next
end
edit 1
set device "port1"
next
edit 2
set device "port2"
set priority 100
next
end
b. Configure HQ2:
edit "port25"
set alias to_ISP1
set ip 172.16.202.1 255.255.255.0
next
edit "port26"
set alias to_ISP2
set ip 172.17.202.1 255.255.255.0
next
end
edit 1

IPsec VPNs 480
set device "port25"

next
edit 2
set device "port26"
set priority 100
next
end
2. Configure the internal (protected subnet) interface:
a. Configure HQ1:
edit "dmz"
set ip 10.1.100.1 255.255.255.0
next
end
b. Configure HQ2:
edit "port9"
set ip 172.16.101.1 255.255.255.0
next
end
3. Configure IPsec phase1-interface and phase-2 interface. On each FortiGate, configure two IPsec tunnels: a
primary and a secondary:
a. Configure HQ1:
edit "pri_HQ2"
set peertype any
set psksecret sample1
next
edit "sec_HQ2"
set peertype any
next
end
edit "pri_HQ2"
set phase1name "pri_HQ2"
next
edit "sec_HQ2"
set phase1name "sec_HQ2"
next
end

IPsec VPNs 481
b. Configure HQ2:
edit "pri_HQ1"
set peertype any
next
edit "sec_HQ1"
set peertype any
next
end
edit "pri_HQ1"
next
edit "sec_HQ1"
next
end
4. Configure an inbound and outbound firewall policy for each IPsec tunnel:
a. Configure HQ1:
edit 1
set name "pri_inbound"
set srcintf "pri_HQ2"
set dstintf "dmz"
set srcaddr "172.16.101.0"
set action accept
set service "ALL"
next
edit 2
set name "pri_outbound"
set srcintf "dmz"
set dstintf "pri_HQ2"
set dstaddr "172.16.101.0"
set action accept
set service "ALL"
next

IPsec VPNs 482
edit 3
set name "sec_inbound"
set srcintf "sec_HQ2"
set dstintf "dmz"
set srcaddr "172.16.101.0"
set action accept
set service "ALL"
next
edit 4
set name "sec_outbound"
set srcintf "dmz"
set dstintf "sec_HQ2"
set dstaddr "172.16.101.0"
set action accept
set service "ALL"
next
end
b. Configure HQ2:
edit 1
set name "pri_inbound"
set srcintf "pri_HQ1"
set dstintf "port9"
set dstaddr "172.16.101.0"
set action accept
set service "ALL"
next
edit 2
set name "pri_outbound"
set srcintf "port9"
set dstintf "pri_HQ1"
set dstaddr "172.16.101.0"
set action accept
set service "ALL"
next
edit 3
set name "sec_inbound"
set srcintf "sec_HQ1"
set dstintf "port9"
set dstaddr "172.16.101.0"
set action accept
set service "ALL"
next
edit 4
set name "sec_outbound"
set srcintf "port9"
set dstintf "sec_HQ1"

IPsec VPNs 483
set srcaddr "172.16.101.0"

set action accept
set service "ALL"
next
end
5. Assign an IP address to the IPsec tunnel interface:
a. Configure HQ1:
edit "pri_HQ2"
set ip 10.10.10.1 255.255.255.255
set remote-ip 10.10.10.2 255.255.255.255
next
edit "sec_HQ2"
set ip 10.10.11.1 255.255.255.255
set remote-ip 10.10.11.2 255.255.255.255
next
end
b. Configure HQ2:
edit "pri_HQ1"
set ip 10.10.10.2 255.255.255.255
set remote-ip 10.10.10.1 255.255.255.255
next
edit "sec_HQ1"
set ip 10.10.11.2 255.255.255.255
set remote-ip 10.10.11.1 255.255.255.255
next
end
6. Configure OSPF:
a. Configure HQ1:
config router ospf
set router-id 1.1.1.1
config area
edit 0.0.0.0
next
end
config ospf-interface
edit "pri_HQ2"
set interface "pri_HQ2"
set cost 10
set network-type point-to-point
next
edit "sec_HQ2"
set interface "sec_HQ2"
set cost 20
next
end
config network
edit 1
set prefix 10.10.10.0 255.255.255.0
next
edit 2
set prefix 10.10.11.0 255.255.255.0

IPsec VPNs 484
next
edit 3
set prefix 10.1.100.0 255.255.255.0
next
end
end
b. Configure HQ2:
config router ospf
config area
edit 0.0.0.0
next
end
config ospf-interface
edit "pri_HQ1"
set interface "pri_HQ1"
set cost 10
next
edit "sec_HQ1"
set interface "sec_HQ1"
set cost 20
next
end
config network
edit 1
set prefix 10.10.10.0 255.255.255.0
next
edit 2
set prefix 10.10.11.0 255.255.255.0
next
edit 3
set prefix 172.16.101.0 255.255.255.0
next
end
end
7. Run diagnose/get commands to check VPN and OSPF states:
a. Run the HQ1 # diagnose vpn ike gateway list command. The system should return the following:
vd: root/0
name: pri_HQ2
version: 1
interface: port1 11
addr: 172.16.200.1:500 -> 172.16.202.1:500
virtual-interface-addr: 10.10.10.1 -> 10.10.10.2
created: 1024s ago
id/spi: 45 d184777257b4e692/e2432f834aaf5658 direction: responder status:
established 1024-1024s ago = 0ms proposal: aes128-sha256 key: 9ed41fb06c983344-
189538046f5ad204 lifetime/rekey: 86400/85105 DPD sent/recv: 00000003/00000000
vd: root/0
name: sec_HQ2
version: 1
interface: port2 12

IPsec VPNs 485
addr: 172.17.200.1:500 -> 172.17.202.1:500

virtual-interface-addr: 10.10.11.1 -> 10.10.11.2
created: 346s ago
id/spi: 48 d909ed68636b1ea5/163015e73ea050b8 direction: initiator status:
established 0-0s ago = 0ms proposal: aes128-sha256 key: b9e93c156bdf4562-
29db9fbafa256152 lifetime/rekey: 86400/86099 DPD sent/recv: 00000000/00000000
b. Run the HQ1 # diagnose vpn tunnel list command. The system should return the following:
name=pri_HQ2 ver=1 serial=1 172.16.200.1:0->172.16.202.1:0
proxyid=pri_HQ2 proto=0 sa=1 ref=2 serial=1 auto-negotiate
seqno=6a esn=0 replaywin_lastseq=00000067 itn=0
life: type=01 bytes=0/0 timeout=42932/43200 dec: spi=1071b4ee esp=aes key=16
032036b24a4ec88da63896b86f3a01db
ah=sha1 key=20 3962933e24c8da21c65c13bc2c6345d643199cdf
enc: spi=ec89b7e3 esp=aes key=16 92b1d85ef91faf695fca05843dd91626
ah=sha1 key=20 2de99d1376506313d9f32df6873902cf6c08e454
name=sec_HQ2 ver=1 serial=2 172.17.200.1:0->172.17.202.1:0
proxyid=sec_HQ2 proto=0 sa=1 ref=2 serial=1 auto-negotiate
life: type=01 bytes=0/0 timeout=42931/43200 dec: spi=1071b4ef esp=aes key=16
bcdcabdb7d1c7c695d1f2e0f5441700a
ah=sha1 key=20 e7a0034589f82eb1af41efd59d0b2565fef8d5da
enc: spi=ec89b7e4 esp=aes key=16 234240b69e61f6bdee2b4cdec0f33bea
ah=sha1 key=20 f9d4744a84d91e5ce05f5984737c2a691a3627e8
c. Run the HQ1 # get router info ospf neighbor command. The system should return the following:
OSPF process 0, VRF 0:

Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 1. Full/ - 00:00:37 10.10.10.2 pri_HQ2
2.2.2.2 1. Full/ - 00:00:32 10.10.11.2 sec_HQ2
d. Run the HQ1 # get router info routing-table ospf command. The system should return the
following:
Routing table for VRF=0
O 172.16.101.0/24 [110/20] via 10.10.10.2, pri_HQ2 , 00:03:21
In case the primary tunnel is down after route convergence.

IPsec VPNs 486
e. Run the HQ1 # get router info routing-table ospf command. The system should return the
following:
O 172.16.101.0/24 [110/110] via 10.10.11.2, sec_HQ2 , 00:00:01
IPsec aggregate to achieve redundancy and traffic load-balancing
The recipe gives a sample configuration of using IPsec aggregate to achieve redundancy and traffic load-balancing:
l Multiple site-to-site IPsec VPN (net-device disable) tunnel interfaces as member of ipsec-aggregate
l Four load-balancing algorithms: round-robin (default), L3, L4, redundant
To configure IPsec aggregate to achieve redundancy and traffic load-balancing using the CLI:
1. Configure the WAN interface and static route. Each FortiGate has two WAN interfaces connected to different ISPs.
The ISP1 link is for the primary FortiGate and the IPS2 link is for the secondary FortiGate:
a. Configure HQ1:
edit "port1"
set alias to_ISP1
set ip 172.16.200.1 255.255.255.0
next
edit "port2"
set alias to_ISP2
set ip 172.17.200.1 255.255.255.0
next
end
edit 1
set device "port1"
next
edit 2
set device "port2"
set priority 100
next
end
b. Configure HQ2:
edit "port25"

IPsec VPNs 487
set alias to_ISP1

set ip 172.16.202.1 255.255.255.0
next
edit "port26"
set alias to_ISP2
set ip 172.17.202.1 255.255.255.0
next
end
edit 1
set device "port25"
next
edit 2
set device "port26"
set priority 100
next
end
2. Configure the internal (protected subnet) interface:
a. Configure HQ1:
edit "dmz"
set ip 10.1.100.1 255.255.255.0
next
end
b. Configure HQ2:
edit "port9"
set ip 172.16.101.1 255.255.255.0
next
end
3. Configure the IPsec phase-1 and phase-2 interfaces. On each FortiGate, configure two site-to-site phase-1
interfaces with net-device disable:
a. Configure HQ1:
edit "pri_HQ2"
set peertype any
next
edit "sec_HQ2"
set peertype any
next
end
edit "pri_HQ2"

IPsec VPNs 488

next
edit "sec_HQ2"
next
end
b. Configure HQ2:
edit "pri_HQ1"
set peertype any
next
edit "sec_HQ1"
set peertype any
next
end
edit "pri_HQ1"
next
edit "sec_HQ1"
next
end
4. Configure ipsec-aggregate:
a. Configure HQ1:
edit "agg_HQ2"
set member "pri_HQ2" "sec_HQ2"
next
end
b. Configure HQ2:
edit "agg_HQ1"
set member "pri_HQ" "sec_HQ1"

IPsec VPNs 489
next
end
5. Configure the firewall policy:
a. Configure HQ1:
edit 1
set name "inbound"
set srcintf "agg_HQ2"
set dstintf "dmz"
set srcaddr "172.16.101.0"
set action accept
set service "ALL"
next
edit 2
set name "outbound"
set srcintf "dmz"
set dstintf "agg_HQ2"
set dstaddr "172.16.101.0"
set action accept
set service "ALL"
next
end
b. Configure HQ2:
edit 1
set name "inbound"
set srcintf "agg_HQ1"
set dstintf "port9"
set dstaddr "172.16.101.0"
set action accept
set service "ALL"
next
edit 2
set name "outbound"
set srcintf "port9"
set dstintf "agg_HQ1"
set srcaddr "172.16.101.0"
set action accept
set service "ALL"
next
end
6. Assign an IP address to the ipsec-aggregate interface. In this example, OSPF runs over the ipsec-
aggregate interface. No IP address is required for the static route HQ1:
a. Configure HQ1:
edit "agg_HQ2"
set ip 10.10.10.1 255.255.255.255

IPsec VPNs 490
set remote-ip 10.10.10.2 255.255.255.255

next
end
b. Configure HQ2:
edit "agg_HQ1"
set ip 10.10.10.2 255.255.255.255
set remote-ip 10.10.10.1 255.255.255.255
next
end
7. Configure OSPF:
a. Configure HQ1:
config router ospf
config area
edit 0.0.0.0
next
end
config network
edit 1
set prefix 10.1.100.0 255.255.255.0
next
edit 2
set prefix 10.10.10.0 255.255.255.0
next
end
end
b. Configure HQ2:
config router ospf
config area
edit 0.0.0.0
next
end
config network
edit 1
set prefix 172.16.101.0 255.255.255.0
next
edit 2
set prefix 10.10.10.0 255.255.255.0
next
end
end
8. Run diagnose commands:
a. Run the diagnose vpn ike gateway list command. The system should return the following:
vd: root/0
name: pri_HQ2
version: 1
interface: port1 11
addr: 172.16.200.1:500 -> 172.16.202.1:500
created: 1520s ago
id/spi: 173 dcdede154681579b/e32f4c48c4349fc0 direction: responder status:
established 1498-1498s ago = 10ms proposal: aes128-sha256 key:

IPsec VPNs 491
d7230a68d7b83def-588b94495cfa9d38 lifetime/rekey: 86400/84631 DPD sent/recv:

0000000d/00000006
vd: root/0
name: sec_HQ2
version: 1
interface: port2 12
addr: 172.17.200.1:500 -> 172.17.202.1:500
created: 1520s ago
id/spi: 174 a567bd7bf02a04b5/4251b6254660aee2 direction: responder status:
established 1498-1498s ago = 10ms proposal: aes128-sha256 key:
9f44f500c28d8de6-febaae9d1e6a164c lifetime/rekey: 86400/84631 DPD sent/recv:
00000008/0000000c
b. Run the diagnose vpn tunnel list command. The system should return the following:
name=sec_HQ2 ver=1 serial=2 172.17.200.1:0->172.17.202.1:0
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc
proxyid=sec_HQ2 proto=0 sa=1 ref=2 serial=2 auto-negotiate
life: type=01 bytes=0/0 timeout=42899/43200 dec: spi=1071b4f9 esp=aes key=16
1f4dbb78bea8e97650b52d8170b5ece7
ah=sha1 key=20 cd9bf2de0f49296cf489dd915d7baf6d78bc8f12
enc: spi=ec89b7ee esp=aes key=16 0546efecd0d1b9ba5944f635896e4404
ah=sha1 key=20 34599bc7dc25e1ce63ac9615bd50928ce0667dc8
name=pri_HQ2 ver=1 serial=1 172.16.200.1:0->172.16.202.1:0
bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc
proxyid=pri_HQ2 proto=0 sa=1 ref=2 serial=2 auto-negotiate
life: type=01 bytes=0/0 timeout=42900/43200 dec: spi=1071b4f8 esp=aes key=16
142cce377b3432ba41e64128ade6848c
ah=sha1 key=20 20e64947e2397123f561584321adc0e7aa0c342d
enc: spi=ec89b7ed esp=aes key=16 2ec13622fd60dacce3d28ebe5fe7ab14
ah=sha1 key=20 c1787497508a87f40c73c0db0e835c70b3c3f42d
c. Run the diagnose sys ipsec-aggregate list command. The system should return the following:
agg_HQ2 algo=RR member=2 run_tally=2
members:
pri_HQ2
sec_HQ2
d. Run the get router info ospf neighbor command. The system should return the following:
OSPF process 0, VRF 0:

IPsec VPNs 492
Neighbor ID Pri State Dead Time Address Interface

2.2.2.2 1. Full/ - 00:00:34 10.10.10.2 agg1_HQ2
e. Run the get router info routing-table ospf command. The system should return the following:
O 172.16.101.0/24 [110/20] via 10.10.10.2, agg1_HQ2 , 00:18:43
Redundant hub and spoke VPN
This recipe provides sample configuration of hub and spoke IPsec VPN. The following applies for this scenario:
l The spokes have two WAN interfaces and two IPsec VPN tunnels for redundancy.
l The secondary VPN tunnel is up only when the primary tunnel is down by dead peer detection.
To configure redundant hub and spoke VPN using the FortiOS CLI:
1. Configure the hub:

a. Configure the WAN, internal interface, and static route:
edit "port13"
set alias "WAN"
set ip 172.16.202.1 255.255.255.0
next
edit "port9"
set alias "Internal"
set ip 172.16.101.1 255.255.255.0
next
end
edit 1
set device "port13"
next
end

IPsec VPNs 493
b. Configure the IPsec phase1-interface and phase2-interface:

edit "hub"
set type dynamic
set peertype any
set dpd on-idle
set dpd-retryinterval 60
next
end
edit "hub"
set phase1name "hub"
next
end
c. Configure the firewall policy:
edit 1
set name "spoke-hub"
set srcintf "hub"
set dstintf "port9"
set srcaddr "all"
set dstaddr "172.16.101.0"
set action accept
set service "ALL"
next
edit 2
set name "spoke-spoke"
set srcintf "hub"
set dstintf "hub"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
next
end
2. Configure the spokes:
a. Configure the WAN, internal interface, and static route:
i. Configure Spoke1:
edit "port1"
set ip 172.16.200.1 255.255.255.0
next
edit "wan1"
set mode dhcp
set distance 10
set priority 100
next
edit "dmz"

IPsec VPNs 494
set ip 10.1.100.1 255.255.255.0

next
end
edit 1
set device "port1"
next
end
ii. Configure Spoke2:
edit "wan1"
set ip 172.16.200.3 255.255.255.0
next
edit "wan2"
set mode dhcp
set distance 10
set priority 100
next
edit "lan1"
set ip 192.168.4.1 255.255.255.0
next
end
edit 1
set device "wan1"
next
end
b. Configure IPsec phase1-interface and phase2-interface:
edit "primary"
set peertype any
next
edit "secondary"
set peertype any
set monitor "primary"
next
end
edit "primary"
set phase1name "primary"

IPsec VPNs 495
set src-subnet 10.1.100.0 255.255.255.0

next
edit "secondary"
set phase1name "secondary"
set src-subnet 10.1.100.0 255.255.255.0
next
end
edit "primary"
set peertype any
next
edit "secondary"
set peertype any
set monitor "primary"
next
end
edit "primary"
set phase1name "primary"
set src-subnet 192.168.4.0 255.255.255.0
next
edit "secondary"
set phase1name "secondary"
set src-subnet 192.168.4.0 255.255.255.0
next
end
c. Configure the firewall policy:
edit 1
set srcintf "dmz"
set dstintf "primary" "secondary"
set dstaddr "172.16.101.0"
set action accept

IPsec VPNs 496
set service "ALL"

next
end
edit 1
set srcintf "lan1"
set dstintf "primary" "secondary"
set dstaddr "172.16.101.0"
set action accept
set service "ALL"
next
end
d. Configure the static route:
edit 3
set dst 172.16.101.0 255.255.255.0
set distance 1
set device "primary"
next
edit 4
set dst 172.16.101.0 255.255.255.0
set distance 3
set device "secondary"
next
end
edit 3
set dst 172.16.101.0 255.255.255.0
set distance 1
set device "primary"
next
edit 4
set dst 172.16.101.0 255.255.255.0
set distance 3
set device "secondary"
next
end
3. Run diagnose and get commands:
a. Run the Spoke1 # diagnose vpn tunnel list command. The system should return the following:
name=primary ver=1 serial=1 172.16.200.1:0->172.16.202.1:0
proxyid=primary proto=0 sa=1 ref=2 serial=2 auto-negotiate
src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0 SA: ref=3 options=18227
type=00 soft=0 mtu=1438 expire=41002/0B replaywin=2048

IPsec VPNs 497
life: type=01 bytes=0/0 timeout=42901/43200 dec: spi=0908732f esp=aes key=16

20770dfe67ea22dd8ec32c44d84ef4d5
ah=sha1 key=20 edc89fc2ec06309ba13de95e7e486f9b795b8707
enc: spi=a1d9eed1 esp=aes key=16 8eeea2526fba062e680d941083c8b5d1
ah=sha1 key=20 f0f5deaf88b2a69046c3154e9f751739b3f411f5
name=secondary ver=1 serial=2 172.17.200.1:0->172.16.202.1:0
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev
frag-rfc accept_traffic=0
proxyid=secondary proto=0 sa=0 ref=2 serial=2 auto-negotiate
src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0
b. Run the Spoke1 # get router info routing-table static command. The system should
return the following:
................
S 172.16.101.0/24 [1/0] is directly connected, primary
Dialup VPN
FortiGate as dialup client
This recipe provides sample configuration of dialup IPsec VPN and the dialup client. In this example, a branch office
FortiGate connects via dialup IPsec VPN to the HQ FortiGate.
You can configure dialup IPsec VPN with FortiGate as the dialup client using the FortiOSGUI or CLI.
To configure IPsec VPN with FortiClient as the dialup client on the GUI:
1. Configure the dialup VPN server FortiGate:

iv. For NAT Configuration, select The remote site is behind NAT.
v. Click Next.

IPsec VPNs 498

i. For Incoming Interface, select the proper incoming interface.
ii. For Authentication Method, select Pre-shared Key.
iii. In the Pre-shared Key field, enter your-psk as the key.
iv. Click Next.
i. From the Local Interface dropdown menu, select the proper local interface.
ii. Configure the Local Subnets as 10.1.100.0/24.
iii. Configure the Remote Subnets as 172.16.101.0/24.
iv. Click Create.
2. Configure the dialup VPN client FortiGate:
iv. For NAT Configuration, select This site is behind NAT.
v. Click Next.
i. For IP Address, enter 11.101.1.1.
ii. For Outgoing Interface, enter port13.
iii. For Authentication Method, select Pre-shared Key.
iv. In the Pre-shared Key field, enter your-psk as the key.
v. Click Next.
i. From the Local Interface dropdown menu, select the proper local interface. In this example, it is port9.
iii. Configure the Remote Subnets as 10.1.100.0.
iv. Click Create.
To configure IPsec VPN with FortiClient as the dialup client using the CLI:
1. In the FortiOS CLI, configure the user, user group, and firewall address by running the following commands. Only
the HQ dialup server FortiGate needs this configuration. The address is an IP pool to assign an IP address for the
dialup client FortiGate.
config user local
edit "vpnuser1"
set type password
set passwd your-password
next
end
config user group
edit "vpngroup"
set member"vpnuser1"
next
end

IPsec VPNs 499
edit "client_range"
set type iprange
set end-ip 10.10.10.200
next
end
2. Configure the WAN interface and default route. The WAN interface is the interface connected to the ISP. It can
work in static mode (as shown in the example), DHCP, or PPPoE mode. The IPsec tunnel is established over the
WAN interface:
a. Configure the HQ FortiGate:
edit "wan1"
set vdom "root"
set ip 11.101.1 255.255.255.0
next
end
edit 1
set device "wan1"
next
end
b. Configure the branch office FortiGate:

edit "port13"
set vdom "root"
set ip 173.1.1.1 255.255.255.0
next
end
edit 1
set device "port13"
next
end
3. Configure the internal interface and protected subnet. The internal interface connects to the internal network.
Traffic from this interface will route out the IPsec VPN tunnel:
edit "dmz"
set vdom "root"
set ip 10.1.100.1 255.255.255.0
next
end
edit "10.1.100.0"
set subnet 10.1.100.0 255.255.255.0
next
end

IPsec VPNs 500

edit "port9"
set vdom "root"
set ip 172.16.101.1 255.255.255.0
next
end
edit "172.16.101.0"
set subnet 172.16.101.0 255.255.255.0
next
end
authentication is also an option:
edit "for_Branch"
set type dynamic
set mode aggressive
set peertype any
set mode-cfg enable
set add-route disable
set dpd on-idle
set xauthtype auto
set authusrgrp "vpngroup"
set assign-ip-from name
set dns-mode auto
set ipv4-split-include "10.1.100.0"
set ipv4-name "client_range"
set save-password enable
next
end

edit "to_HQ"
set mode aggressive
set peertype any
set mode-cfg enable
set xauthtype client
set authusr "vpnuser1"
set authpasswd vpnuser1-password
next
end

IPsec VPNs 501

edit "for_Branch_p2"
set phase1 name "for_Branch"
next
end

edit "to_HQ_p2"
set phase1name "to_HQ"
next
end
6. Configure the static routes on the branch office FortiGate. The blackhole route is important to ensure that IPsec
traffic does not match the default route when the IPsec tunnel is down:
edit 2
set dst 10.1.100.0 255.255.255.0
set device "to_HQ"
next
edit 3
set dst 10.1.100.0 255.255.255.0
set distance 254
next
end
7. Configure the firewall policy to allow the branch office to HQ network flow over the IPsec tunnel. This configuration
only supports traffic from the branch office FortiGate to the HQ FortiGate. Traffic is dropped from the HQ FortiGate
to the branch office FortiGate:
edit 1
set name "inbound"
set srcintf "for_Branch"
set dstintf "dmz"
set srcaddr "172.16.101.0"
set action accept
set service "ALL"
next
end

edit 1
set name "outbound"

IPsec VPNs 502
set srcintf "port9"

set dstintf "to_HQ"
set srcaddr "172.16.101.0"
set action accept
set service "ALL"
next
end
8. Run diagnose commands. These diagnose commands are useful to check the IPsec phase1/phase2 interface
status. The diagnose debug application ike -1 command is the key to figure out why the IPsec tunnel
failed to establish.
a. Run the diagnose vpn ike gateway list command on the HQ FortiGate. The system should return
the following:
vd: root/0
name: for_Branch_0
version: 1
interface: wan1 5
addr: 11.101.1.1:500 -> 173.1.1.1:500
created: 1972s ago
xauth-user: vpnuser1
assigned IPv4 address: 10.10.10.1/255.255.255.252
id/spi: 184 5b1c59fab2029e43/bf517e686d3943d2
direction: responder
status: established 1972-1972s ago = 10ms
proposal: aes128-sha256
key: 8046488e92499247-fbbb4f6dfa4952d0
lifetime/rekey: 86400/84157
DPD sent/recv: 00000020/00000000
b. Run the diagnose vpn tunnel list command on the HQ FortiGate. The system should return the
following:
name=for_Branch_0 ver=1 serial=9 11.101.1.1:0->173.1.1.1:0
bound_if=5 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/208 options
[00d0]=create_dev no-sysctlrgwy-chg
parent=for_Branch index=0
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=31
proxyid=for_Branch_p2 proto=0 sa=1 ref=2 serial=1
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
SA: ref=3 options=226 type=00 soft=0 mtu=1438 expire=41297/0B replaywin=2048 seqno=9
esn=0 replaywin_lastseq=00000009 itn=0
dec: spi=747c10c6 esp=aes key=16 278c2430e09e74f1e229108f906603b0
ah=sha1 key=20 21dad76b008d1e8b8e53148a2fcbd013a277974a
enc: spi=ca646448 esp=aes key=16 b7801d125804e3610a556da7caefd765
ah=sha1 key=20 a70164c3094327058bd84c1a0c954ca439709206

IPsec VPNs 503
name=for_Branchver=1 serial=6 11.101.1.1:0->0.0.0.0:0

bound_if=5 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/16 options[0010]=create_
dev
run_tally=0
c. Run the diagnose vpn ike gateway list command on the branch office FortiGate. The system
should return the following:
vd: root/0
name: to_HQ
version: 1
interface: port13 42
addr: 173.1.1.1:500 -> 11.101.1.1:500
created: 2016s ago
id/spi: 93 5b1c59fab2029e43/bf517e686d3943d2
direction: initiator
key: 8046488e92499247-fbbb4f6dfa4952d0
DPD sent/recv: 00000000/00000020
d. Run the diagnose vpn tunnel list command on the branch office FortiGate. The system should
return the following:
name=to_HQver=1 serial=7 173.1.1.1:0->11.101.1.1:0
bound_if=42 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid=to_HQ proto=0 sa=1 ref=2 serial=1
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
dec: spi=ca646448 esp=aes key=16 b7801d125804e3610a556da7caefd765
ah=sha1 key=20 a70164c3094327058bd84c1a0c954ca439709206
enc: spi=747c10c6 esp=aes key=16 278c2430e09e74f1e229108f906603b0
ah=sha1 key=20 21dad76b008d1e8b8e53148a2fcbd013a277974a
FortiClient as dialup client
This recipe provides sample configuration of dialup IPsec VPN with FortiClient as the dialup client.

IPsec VPNs 504
You can configure dialup IPsec VPN with FortiClient as the dialup client using the FortiOS GUI or CLI.
To configure IPsec VPN with FortiClient as the dialup client on the GUI:
1. In FortiOS, go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
a. Enter a proper VPN name.
b. For Template Type, choose Remote Access.
c. For Remote Device Type, select Client-based > FortiClient.
d. Click Next.
2. Configure the following settings for Authentication:
a. For Incoming Interface, select wan1.
b. For Authentication Method, select Pre-shared Key.
c. In the Pre-shared Key field, enter your-psk as the key.
d. From the User Group dropdown list, select vpngroup.
e. Click Next.
3. Configure the following settings for Policy & Routing:
a. From the Local Interface dropdown menu, select lan.
b. Configure the Local Address as local_network.
c. Configure the Client Address Range as 10.10.2.1-10.10.2.200.
d. Keep the default values for the Subnet Mask, DNS Server, Enable IPv4 Split tunnel, and Allow Endpoint
Registration options.
e. Click Create.
To configure IPsec VPN with FortiClient as the dialup client using the CLI:
1. In the FortiOS CLI, configure the user and group by running the following commands:
config user local
edit "vpnuser1"
set type password
next
end
config user group
edit "vpngroup"
set member "vpnuser1"
next
end

IPsec VPNs 505
2. Configure the internal interface. The LAN interface connects to the corporate internal network. Traffic from this
interface will route out the IPsec VPN tunnel. Creating an address group for the protected network behind this
FortiGate will cause traffic to this network group to go through the IPsec tunnel:
edit "lan"
set vdom "root"
set ip 10.10.111.1 255.255.255.0
next
end

edit "local_subnet_1"
set ip 10.10.111.0 255.255.255.0
next
end

set ip 10.10.112.0 255.255.255.0
next
end
config firewall addrgrp

edit "local_network"
set member "local_subnet_1" "local_subnet_2"
next
end
3. Configure the WAN interface. The WAN interface is the interface connected to the ISP. It can work in static mode
(as shown in the example), DHCP, or PPPoE mode. The IPsec tunnel is established over the WAN interface.
edit "wan1"
set vdom "root"
set ip 172.20.120.123 255.255.255.0
next
end
4. Configure the client address pool. You must create a firewall address to assign an IP address to a client from the
address pool.
edit "client_range"
set type iprange
set comment "VPN client range"
set end-ip 10.10.2.200
next
end
edit "for_client"
set type dynamic

IPsec VPNs 506
set mode aggressive

set peertype any
set mode-cfg enable
set dpd on-idle
set xauthtype auto
set dns-mode auto
set ipv4-split-include "local_network"
set save-password enable
set psksecret your-psk
next
end

edit "for_client"
set phase1name "for_client"
next
end
7. Configure the firewall policy to allow client traffic flow over the IPsec VPN tunnel:
edit 1
set name "inbound"
set srcintf "for_client"
set dstintf "lan"
set srcaddr "client_range"
set dstaddr "local_network"
set action accept
set service "ALL"
next
end
8. Configure FortiClient. In this example, FortiClient (Windows) 6.0.3 build 0155 is used:
a. In FortiClient, go to Remote Access and select Add a new connection.
b. Set the Type to IPsec VPN and the Remote Gateway to the FortiGate IP address.
c. Set the Authentication Method to Pre-Shared Key and enter the key. Click Save.
d. Select the VPN, enter the username and password, then select Connect.
vd: root/0
name: for_client_0
version: 1

IPsec VPNs 507
interface: port1 15
addr: 172.20.120.123:4500 ->172.20.120.254:64916
created: 37s ago
xauth-user: vpnuser1
nat: me peer
id/spi: 1 b40a32d878d5e262/8bba553563a498f4
key: f4ad7ec3a4fcfd09-787e2e9b7bceb9a7-0dfa183240d838ba-41539863e5378381
DPD sent/recv: 00000000/00000a0e
=
=
name=for_client_0 ver=1 serial=3 172.20.120.123:4500->172.20.120.254:64916
bound_if=15 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/984 options
[03d8]=npucreate_dev no-sysctlrgwy-chgrport-chg frag-rfcaccept_traffic=1
parent=for_client index=0
natt: mode=keepalive draft=32 interval=10 remote_port=64916
proxyid=for_client proto=0 sa=1 ref=2 serial=1 add-route
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:10.10.1.1-10.10.1.1:0
SA: ref=4 options=2a6 type=00 soft=0 mtu=1422 expire=42867/0B replaywin=2048
dec: spi=36274d14 esp=aes key=16 e518b84b3c3b667b79f2e61c64a225a6
ah=sha1 key=20 9cceaa544ed042fda800c4fe5d3fd9d8b811984a
enc: spi=8b154deb esp=aes key=16 9d50f004b45c122e4e9fb7af085c457c
ah=sha1 key=20 f1d90b2a311049e23be34967008239637b50a328
npu_flag=02 npu_rgwy=172.20.120.254 npu_lgwy=172.20.120.123npu_selid=0 dec_npuid=2 enc_
npuid=0
name=for_clientver=1 serial=2 172.20.120.123:0->0.0.0.0:0
bound_if=15 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/536 options
[0218]=npucreate_dev frag-rfcaccept_traffic=1
iOS device as dialup client
This recipe provides sample configuration of dialup IPsec VPN with an iPhone or iPad as the dialup client.

IPsec VPNs 508
You can configure dialup IPsec VPN with an iOS device as the dialup client using the FortiOS GUI or CLI.
To configure IPsec VPN with an iOS device as the dialup client on the GUI:
1. In FortiOS, go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
a. Enter a proper VPN name.
b. For Template Type, choose Remote Access.
c. For Remote Device Type, select Native > iOS Native.
d. For NAT Configuration, set No NAT Between Sites.
e. Click Next.
2. Configure the following settings for Authentication:
a. For Incoming Interface, select wan1.
b. For Authentication Method, select Pre-shared Key.
c. In the Pre-shared Key field, enter your-psk as the key.
d. From the User Group dropdown list, select vpngroup.
e. Deselect Require 'Group Name' on VPN client.
f. Click Next.
3. Configure the following settings for Policy & Routing:
a. From the Local Interface dropdown menu, select lan.
b. Configure the Local Address as local_network.
c. Configure the Client Address Range as 10.10.2.1-10.10.2.200.
d. Keep the default values for the Subnet Mask, DNS Server, and Enable IPv4 Split tunnel options.
e. Click Create.
To configure IPsec VPN with an iOS device as the dialup client using the CLI:
1. In the FortiOS CLI, configure the user and group by running the following commands:
config user local
edit "vpnuser1"
set type password
next
end
config user group
edit "vpngroup"
set member "vpnuser1"
next
end
2. Configure the internal interface. The LAN interface connects to the corporate internal network. Traffic from this
interface will route out the IPsec VPN tunnel. Creating an address group for the protected network behind this

IPsec VPNs 509
FortiGate will cause traffic to this network group to go through the IPsec tunnel:
edit "lan"
set vdom "root"
set ip 10.10.111.1 255.255.255.0
next
end

set ip 10.10.111.0 255.255.255.0
next
end

set ip 10.10.112.0 255.255.255.0
next
end
config firewall addrgrp

edit "local_network"
set member "local_subnet_1" "local_subnet_2"
next
end
3. Configure the WAN interface. The WAN interface is the interface connected to the ISP. It can work in static mode
(as shown in the example), DHCP, or PPPoE mode. The IPsec tunnel is established over the WAN interface.
edit "wan1"
set vdom "root"
set ip 172.20.120.123 255.255.255.0
next
end
4. Configure the client address pool. You must create a firewall address to assign an IP address to a client from the
address pool.
edit "client_range"
set type iprange
set comment "VPN client range"
set end-ip 10.10.2.200
next
end
edit "for_ios_p1"
set type dynamic
set peertype any
set mode-cfg enable

IPsec VPNs 510
set proposal aes256-sha256 aes256-md5 aes256-sha1

set dpd on-idle
set dhgrp 14 5 2
set xauthtype auto
set dns-mode auto
set ipv4-split-include "local_network"
set psksecret your-psk
next
end

edit "for_ios_p2"
set phase1name "for_ios_p1"
set pfs disable
set keepalive enable
next
end
7. Configure the firewall policy to allow client traffic flow over the IPsec VPN tunnel:
edit 1
set name "ios_vpn"
set srcintf "for_ios_p1"
set dstintf "lan"
set srcaddr "ios_range"
set dstaddr "local_network"
set action accept
set service "ALL"
next
end
8. Configure the iOS device:

a. In the iOS device, go to Settings > General > VPN and select Add VPN Configuration.
b. Set the Type to IPsec and enter a Description. Set the Server to the FortiGate's Internet-facing interface, and
enter the username in Account. Enter the user password, the preshared IPsec VPN secret, then select Done.
c. Ensure that the IPsec VPN configuration is highlighted (indicated by a checkmark), and select the Not
Connected button. The IPsec VPN connects with the user's credentials and secret. The status changes to
Connected, and a VPN icon appears at the top of the screen.
vd: root/0
name: for_ios_p1_0
version: 1

IPsec VPNs 511
interface: port1 15
addr: 172.20.120.123:4500 -> 172.20.120.254:64916
created: 17s ago
xauth-user: u1
nat: me peer
id/spi: 2 3c844e13c75591bf/80c2db92c8d3f602 direction: responder status: established
17-17s ago = 150ms proposal: aes256-sha256 key: 0032ea5ee160d775-51f3bf1f9909101b-
b89c7b5a77a07784-2c92cf9c921801ac lifetime/rekey: 3600/3312 DPD sent/recv:
00000000/00000000
=
=
name=for_ios_p1_0 ver=1 serial=172.20.120.123:4500->172.20.120.254:64916
bound_if=15 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/984 options[03d8]=npu
create_dev no-sysctl rgwy-chg rport-chg frag-rfc accept_traffic=1
parent=for_ios_p1 index=0
proxyid=for_ios_p1 proto=0 sa=1 ref=2 serial=1 add-route
src: 0:10.10.111.0-10.10.111.255:0 dst: 0:10.10.2.1-10.10.2.1:0 SA: ref=3 options=a7
type=00 soft=0 mtu=1422 expire=3564/0B replaywin=2048
life: type=01 bytes=0/0 timeout=3587/3600 dec: spi=36274d15 esp=aes key=32
5a599d796f8114c83d6589284f036fc33bdf4456541e2154b4ac2217b6aec869
ah=sha1 key=20 f1efdeb77d6f856a8dd3a30cbc23cb0f8a3e0340
enc: spi=00b0d9ab esp=aes key=32
e9232d7a1c4f390fd09f8409c2d85f80362d940c08c73f245908ab1ac3af322f
ah=sha1 key=20 a3890d6c5320756291cad85026d3a78fd42a1b42
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0 npu_flag=00 npu_rgwy=172.20.120.254 npu_
lgwy=172.20.120.123 npu_selid=1 dec_npuid=0 enc_npuid=0
ADVPN
ADVPN with BGP as the routing protocol
This recipe provides sample configuration of ADVPN with BGP as the routing protocol. The following options must be
enabled for this configuration:
l On the hub FortiGate, IPsec phase1-interface net-device disable must be run.
l IBGP must be used between the hub and spoke FortiGates.
l bgp neighbor-group/neighbor-range must be reused.

IPsec VPNs 512
To configure ADVPN with BGP as the routing protocol using the FortiOS CLI:
1. In the FortiOS CLI, configure hub FortiGate's WAN, internal interface, and static route:
edit "port9"
set alias "WAN"
set ip 22.1.1.1 255.255.255.0
next
edit "port10"
set ip 172.16.101.1 255.255.255.0
next
end
edit 1
set device "port9"
next
end
2. Configure the hub FortiGate:

a. Configure the hub FortiGate IPsec phase1-interface and phase2-interface:
edit "advpn-hub"
set type dynamic
set peertype any
set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1
3des-sha1
set dpd on-idle
set auto-discovery-sender enable
set tunnel-search nexthop
next

IPsec VPNs 513
end
edit "advpn-hub"
set phase1name "advpn-hub"
3des-sha256
next
end
b. Configure the hub FortiGate firewall policy:

edit 1
set name "spoke2hub"
set srcintf "advpn-hub"
set srcaddr "all"
set dstaddr "172.16.101.0"
set action accept
set service "ALL"
next
edit 2
set name "spoke2spoke"
set dstintf "advpn-hub"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
next
end
c. Configure the hub FortiGate's IPsec tunnel interface IP address:

edit "advpn-hub1"
set ip 10.10.10.254 255.255.255.255
set remote-ip 10.10.10.253 255.255.255.0
next
end
d. Configure the hub FortiGate's BGP:

config router bgp
set as 65412
config neighbor-group
edit "advpn"
set link-down-failover enable
set remote-as 65412
set route-reflector-client enable
next
end
config neighbor-range
edit 1
set prefix 10.10.10.0 255.255.255.0
set neighbor-group "advpn"
next

IPsec VPNs 514
end
config network
edit 1
set prefix 172.16.101.0 255.255.255.0
next
end
end
3. Configure the spoke FortiGates:

a. Configure the spoke FortiGates' WAN, internal interfaces, and static routes:
edit "wan1"
set alias "primary_WAN"
set ip 15.1.1.2 255.255.255.0
next
edit "wan2"
set alias "secondary_WAN"
set ip 12.1.1.2 255.255.255.0
next
edit "internal"
set ip 10.1.100.1 255.255.255.0
next
end
edit 1
set device "wan2"
set distance 15
next
edit 2
set device "wan1"
next
end
ii. Configure the Spoke2:

edit "wan1"
set ip 13.1.1.2 255.255.255.0
next
edit "wan2"
set ip 17.1.1.2 255.255.255.0
next
edit "internal"
set ip 192.168.4.1 255.255.255.0
next
end
edit 1
set device "wan2"
set distance 15

IPsec VPNs 515
next
edit 2
set device "wan1"
next
end
b. Configure the spoke FortiGates' IPsec phase1-interface and phase2-interface:

edit "spoke1"
set peertype any
set dpd on-idle
set auto-discovery-receiver enable
next
edit "spoke1_backup"
set peertype any
set dpd on-idle
set monitor "spoke1"
next
end
edit "spoke1"
set phase1name "spoke1"
next
set phase1name "spoke1_backup"
next
end

edit "spoke2"
set peertype any

IPsec VPNs 516

set dpd on-idle
next
set peertype any
set dpd on-idle
next
end
edit "spoke2"
next
next
end
c. Configure the spoke FortiGates' firewall policies:

edit 1
set name "outbound_advpn"
set srcintf "internal"
set dstintf "spoke1" "spoke1_backup"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
next
edit 2
set name "inbound_advpn"
set srcintf "spoke1" "spoke1_backup"
set dstintf "internal"
set srcaddr "all"

IPsec VPNs 517
set dstaddr "all"

set action accept
set service "ALL"
next
end

edit 1
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
next
edit 2
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
next
end
d. Configure the spoke FortiGates' tunnel interface IP addresses:

edit "spoke1"
set ip 10.10.10.1 255.255.255.255
set remote-ip 10.10.10.254 255.255.255.0
next
set ip 10.10.10.2 255.255.255.255
set remote-ip 10.10.10.254 255.255.255.0
next
end

edit "spoke2"
set ip 10.10.10.3 255.255.255.255
set remote-ip 10.10.10.254 255.255.255.0
next
set ip 10.10.10.4 255.255.255.255
set remote-ip 10.10.10.254 255.255.255.0
next
end

IPsec VPNs 518
e. Configure the spoke FortiGates' BGP:

config router bgp
set as 65412
config neighbor
edit "10.10.10.254"
set advertisement-interval 1
set remote-as 65412
next
end
config network
edit 1
set prefix 10.1.100.0 255.255.255.0
next
end
end

config router bgp
set as 65412
config neighbor
edit "10.10.10.254"
set advertisement-interval 1
set remote-as 65412
next
end
config network
edit 1
set prefix 192.168.4.0 255.255.255.0
next
end
end
4. Run diagnose and get commands to check VPN and BGP states. All following commands should be run on
Spoke1:
a. Run the diagnose vpn tunnel list command on Spoke1. The system should return the following:
----
name=spoke1 ver=1 serial=2 15.1.1.2:0->22.1.1.1:0
create_dev frag-rfc accept_traffic=1
proxyid_num=1 child_num=1 refcnt=19 ilast=1 olast=1 ad=r/2

proxyid=spoke1 proto=0 sa=1 ref=6 serial=1 auto-negotiate adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
seqno=a1 esn=0 replaywin_lastseq=00000002 itn=0

IPsec VPNs 519
dec: spi=c53a8f5b esp=aes key=16 cbe88682ad896a69290027b6dd8f7162

ah=sha1 key=20 7bb704b388f83783ac76c2ab0b6c9f7dcf78e93b
enc: spi=6e3633fc esp=aes key=16 1a0da3f4deed3d16becc9dda57537355
ah=sha1 key=20 368544044bd9b82592d72476ff93d5055056da8d
----
name=spoke1_backup ver=1 serial=1 12.1.1.2:0->22.1.1.1:0

proxyid=spoke1_backup proto=0 sa=0 ref=2 serial=1 auto-negotiate adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
b. Run the get router info bgp summary command on Spoke1. The system should return the following:
BGP router identifier 7.7.7.7, local AS number 65412

BGP table version is 2
1 BGP AS-PATH entries
0 BGP community entries
Neighbor V AS [[QualityAssurance62/MsgRcvd]]
[[QualityAssurance62/MsgSent]] [[QualityAssurance62/TblVer]] InQ OutQ Up/Down
State/PfxRcd
10.10.10.254 1. 65412 143 142 1. 1. 1. 00:24:45
2
Total number of neighbors 1
c. Run the get router info routing-table bgp command on Spoke1. The system should return the
following:
B 172.16.101.0/24 [200/0] via 10.10.10.254, spoke1, 00:23:57
B 192.168.4.0/24 [200/0] via 10.10.10.254, spoke1, 00:22:03
d. Generate traffic between the spokes, then check the shortcut tunnel and routing table. Run the diagnose
vpn tunnel list command on Spoke1. The system should return the following:
----

src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0

IPsec VPNs 520
SA:ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=345/0B replaywin=1024

seqno=10d esn=0 replaywin_lastseq=00000002 itn=0
dec: spi=c53a8f5b esp=aes key=16 cbe88682ad896a69290027b6dd8f7162
ah=sha1 key=20 7bb704b388f83783ac76c2ab0b6c9f7dcf78e93b
enc: spi=6e3633fc esp=aes key=16 1a0da3f4deed3d16becc9dda57537355
ah=sha1 key=20 368544044bd9b82592d72476ff93d5055056da8d
----

src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
----
name=spoke1_0 ver=1 serial=9 15.1.1.2:4500->13.1.1.2:4500
create_dev no-sysctl rgwy-chg frag-rfc accept_traffic=1
parent=spoke1 index=0
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
dec: spi=c53a8f5c esp=aes key=16 73fd9869547475db78851e6c057ad9b7
ah=sha1 key=20 6ad3a5b1028f6b33c82ba494a370f13c7f462635
enc: spi=79cb0f2b esp=aes key=16 52ab0acdc830d58c00e5956a6484654a
ah=sha1 key=20 baa82aba4106dc60618f6fe95570728656799239
e. Run the get router info routing-tale bgp command. The system should return the following:
B 172.16.101.0/24 [200/0] via 10.10.10.254, spoke1, 00:23:57
B 192.168.4.0/24 [200/0] via 10.10.10.3, spoke1_0 , 00:22:03
ADVPN with OSPF as the routing protocol
This recipe provides sample configuration of ADVPN with OSPF as the routing protocol. The following options must be

IPsec VPNs 521
l On the hub FortiGate, IPsec phase1-interface net-device enable must be run.

l OSPF must be used between the hub and spoke FortiGates.
To configure ADVPN with OSPF as the routing protocol using the FortiOS CLI:
edit "port9"
set alias "WAN"
set ip 22.1.1.1 255.255.255.0
next
edit "port10"
set ip 172.16.101.1 255.255.255.0
next
end
edit 1
set device "port9"
next
end

edit "advpn-hub"
set type dynamic
set peertype any
3des-sha1
set dpd on-idle

IPsec VPNs 522

next
end
edit "advpn-hub"
3des-sha256
next
end

edit 1
set srcaddr "all"
set dstaddr "172.16.101.0"
set action accept
set service "ALL"
next
edit 2
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
next
end

edit "advpn-hub1"
set ip 10.10.10.254 255.255.255.255
set remote-ip 10.10.10.253 255.255.255.0
next
end
d. Configure the hub FortiGate's OSPF:

config router ospf
config area
edit 0.0.0.0
next
end
config network
edit 1
set prefix 10.10.10.0 255.255.255.0
next

IPsec VPNs 523
edit 2
set prefix 172.16.101.0 255.255.255.0
next
end
end

edit "wan1"
set ip 15.1.1.2 255.255.255.0
next
edit "wan2"
set ip 12.1.1.2 255.255.255.0
next
edit "internal"
set ip 10.1.100.1 255.255.255.0
next
end
edit 1
set device "wan2"
set distance 15
next
edit 2
set device "wan1"
next
end

edit "wan1"
set ip 13.1.1.2 255.255.255.0
next
edit "wan2"
set ip 17.1.1.2 255.255.255.0
next
edit "internal"
set ip 192.168.4.1 255.255.255.0
next
end
edit 1
set device "wan2"
set distance 15
next
edit 2

IPsec VPNs 524

set device "wan1"
next
end

edit "spoke1"
set peertype any
set dpd on-idle
next
set peertype any
set dpd on-idle
next
end
edit "spoke1"
next
next
end

edit "spoke2"
set peertype any

IPsec VPNs 525

set dpd on-idle
next
set peertype any
set dpd on-idle
next
end
edit "spoke2"
next
next
end

edit 1
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
next
edit 2
set srcaddr "all"
set dstaddr "all"
set action accept

IPsec VPNs 526

set service "ALL"
next
end

edit 1
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
next
edit 2
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
next
end

edit "spoke1"
set ip 10.10.10.1 255.255.255.255
set remote-ip 10.10.10.254 255.255.255.0
next
set ip 10.10.10.2 255.255.255.255
set remote-ip 10.10.10.254 255.255.255.0
next
end

edit "spoke2"
set ip 10.10.10.3 255.255.255.255
set remote-ip 10.10.10.254 255.255.255.0
next
set ip 10.10.10.4 255.255.255.255
set remote-ip 10.10.10.254 255.255.255.0
next
end

IPsec VPNs 527
e. Configure the spoke FortiGates' OSPF:

config router ospf
config area
edit 0.0.0.0
next
end
config network
edit 1
set prefix 10.10.10.0 255.255.255.0
next
edit 2
set prefix 10.1.100.0 255.255.255.0
next
end
end

config router ospf
config area
edit 0.0.0.0
next
end
config network
edit 1
set prefix 10.10.10.0 255.255.255.0
next
edit 2
set prefix 192.168.4.0 255.255.255.0
next
end
end
4. Run diagnose and get commands to check VPN and OSPF states. All following commands should be run on
Spoke1:
----

src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0

IPsec VPNs 528
dec: spi=c53a8f78 esp=aes key=16 7cc50c5c9df1751f6497a4ad764c5e9a

ah=sha1 key=20 269292ddbf7309a6fc05871e63ed8a5297b5c9a1
enc: spi=6e363612 esp=aes key=16 42bd49bced1e85cf74a24d97f10eb601
ah=sha1 key=20 13964f166aad48790c2e551d6df165d7489f524b
----

src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
b. Run the get router info ospf neighbor command on Spoke1. The system should return the
following:
OSPF process 0, VRF 0: Neighbor ID Pri State Dead Time Address Interface 8.8.8.8 1.
Full/ - 00:00:35 10.10.10.254 spoke1 1.1.1.1 1. Full/ - 00:00:35 10.10.10.254 spoke1
c. Run the get router info routing-table ospf command on Spoke1. The system should return the
following:
O 172.16.101.0/24 [110/110] via 10.10.10.254, spoke1, 00:23:23
O 192.168.4.0/24 [110/110] via 10.10.10.254, spoke1, 00:22:35
----
----

src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
dec: spi=c53a8f78 esp=aes key=16 7cc50c5c9df1751f6497a4ad764c5e9a
ah=sha1 key=20 269292ddbf7309a6fc05871e63ed8a5297b5c9a1
enc: spi=6e363612 esp=aes key=16 42bd49bced1e85cf74a24d97f10eb601
ah=sha1 key=20 13964f166aad48790c2e551d6df165d7489f524b

IPsec VPNs 529
----

src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
----
name=spoke1_0 ver=1 serial=e 15.1.1.2:4500->13.1.1.2:4500
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
dec: spi=c53a8f79 esp=aes key=16 324f8cf840ba6722cc7abbba46b34e0e
ah=sha1 key=20 a40e9aac596b95c4cd83a7f6372916a5ef5aa505
enc: spi=ef3327b5 esp=aes key=16 5909d6066b303de4520d2b5ae2db1b61
ah=sha1 key=20 1a42f5625b5a335d8d5282fe83b5d6c6ff26b2a4
npu_flag=03 npu_rgwy=13.1.1.2 npu_lgwy=15.1.1.2 npu_selid=a dec_npuid=1 enc_npuid=1
e. Run the get router info routing-tale ospf command. The system should return the following:
O 172.16.101.0/24 [110/110] via 10.10.10.254, spoke1, 00:27:14
O 192.168.4.0/24 [110/110] via 10.10.10.3, spoke1_0, 00:26:26
ADVPN with RIP as the routing protocol
This recipe provides sample configuration of ADVPN with RIP as routing protocol. The following options must be
l On the hub FortiGate, IPsec phase1-interface net-device disable must be run.
l RIP must be used between the hub and spoke FortiGates.
l split-horizon-status enable must be run on the hub FortiGate.

IPsec VPNs 530
To configure ADVPN with RIP as the routing protocol using the FortiOS CLI:
edit "port9"
set alias "WAN"
set ip 22.1.1.1 255.255.255.0
next
edit "port10"
set ip 172.16.101.1 255.255.255.0
next
end
edit 1
set device "port9"
next
end

edit "advpn-hub"
set type dynamic
set peertype any
3des-sha1
set dpd on-idle
next

IPsec VPNs 531
end
edit "advpn-hub"
3des-sha256
next
end

edit 1
set srcaddr "all"
set dstaddr "172.16.101.0"
set action accept
set service "ALL"
next
edit 2
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
next
end

edit "advpn-hub1"
set ip 10.10.10.254 255.255.255.255
set remote-ip 10.10.10.253 255.255.255.0
next
end
d. Configure the hub FortiGate's RIP:

config router rip
set default-information-originate enable
config network
edit 1
set prefix 10.10.10.0 255.255.255.0
next
edit 2
set prefix 172.16.101.0 255.255.255.0
next
end
config interface
edit "advpn-hub"
set split-horizon-status disable
next

IPsec VPNs 532
end
end

edit "wan1"
set ip 15.1.1.2 255.255.255.0
next
edit "wan2"
set ip 12.1.1.2 255.255.255.0
next
edit "internal"
set ip 10.1.100.1 255.255.255.0
next
end
edit 1
set device "wan2"
set distance 15
next
edit 2
set device "wan1"
next
end

edit "wan1"
set ip 13.1.1.2 255.255.255.0
next
edit "wan2"
set ip 17.1.1.2 255.255.255.0
next
edit "internal"
set ip 192.168.4.1 255.255.255.0
next
end
edit 1
set device "wan2"
set distance 15
next
edit 2
set device "wan1"

IPsec VPNs 533
next
end

edit "spoke1"
set peertype any
set dpd on-idle
next
set peertype any
set dpd on-idle
next
end
edit "spoke1"
next
next
end

edit "spoke2"
set peertype any
set dpd on-idle

IPsec VPNs 534

next
set peertype any
set dpd on-idle
next
end
edit "spoke2"
next
next
end

edit 1
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
next
edit 2
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"

IPsec VPNs 535
next
end

edit 1
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
next
edit 2
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
next
end

edit "spoke1"
set ip 10.10.10.1 255.255.255.255
set remote-ip 10.10.10.254 255.255.255.0
next
set ip 10.10.10.2 255.255.255.255
set remote-ip 10.10.10.254 255.255.255.0
next
end

edit "spoke2"
set ip 10.10.10.3 255.255.255.255
set remote-ip 10.10.10.254 255.255.255.0
next
set ip 10.10.10.4 255.255.255.255
set remote-ip 10.10.10.254 255.255.255.0
next
end

IPsec VPNs 536
e. Configure the spoke FortiGates' RIP:

config router rip
config network
edit 1
set prefix 10.10.10.0 255.255.255.0
next
edit 2
set prefix 10.1.100.0 255.255.255.0
next
end
end

config router rip
config network
edit 1
set prefix 10.10.10.0 255.255.255.0
next
edit 2
set prefix 192.168.4.0 255.255.255.0
next
end
end
4. Run diagnose and get commands. All following commands should be run on Spoke1:
----

src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
dec: spi=c53a8f60 esp=aes key=16 6b54e32d54d039196a74d96e96d1cf14
ah=sha1 key=20 e4903474614eafc96eda6400a3a5e88bbcb26a7f
enc: spi=6e36349d esp=aes key=16 914a40a7993eda75c4dea2f42905f27d
ah=sha1 key=20 8040eb08342edea2dae5eee058fd054a46688267
----

IPsec VPNs 537

src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
b. Run the get router info rip database command on Spoke1. The system should return the
following:
Codes: R - RIP, Rc - RIP connected, Rs - RIP static, K - Kernel,
C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP
Network Next Hop Metric From If Time

Rc 10.1.100.0/24 1. internal
Rc 10.10.10.2/32 1. spoke1
R 172.16.101.0/24 10.10.10.254 1. 10.10.10.254 spoke1 02:28
R 192.168.4.0/24 10.10.10.254 1. 10.10.10.254 spoke1 02:44
c. Run the get router info routing-table rip command on Spoke1. The system should return the
following:
R 172.16.101.0/24 [120/2] via 10.10.10.254, spoke1, 00:08:38
R 192.168.4.0/24 [120/3] via 10.10.10.254, spoke1, 00:08:38
----

src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
seqno=4e esn=0 replaywin_lastseq=00000002 itn=0
dec: spi=c53a8f60 esp=aes key=16 6b54e32d54d039196a74d96e96d1cf14
ah=sha1 key=20 e4903474614eafc96eda6400a3a5e88bbcb26a7f
enc: spi=6e36349d esp=aes key=16 914a40a7993eda75c4dea2f42905f27d
ah=sha1 key=20 8040eb08342edea2dae5eee058fd054a46688267
----


IPsec VPNs 538

src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
----
name=spoke1_0 ver=1 serial=a 15.1.1.2:4500->13.1.1.2:4500
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
dec: spi=c53a8f61 esp=aes key=16 c66aa7ae9657068108ed47c048ff56b6
ah=sha1 key=20 60661c68e20bbc913c2564ade85e01ea3769e703
enc: spi=79cb0f30 esp=aes key=16 bf6c898c2e1c64baaa679ed5d79c3b58
ah=sha1 key=20 146ca78be6c34eedb9cd66cc328216e08682ecb1
e. Run the get router info routing-tale rip command. The system should return the following:
R 172.16.101.0/24 [120/2] via 10.10.10.254, spoke1, 00:09:04
R 192.168.4.0/24 [120/2] via 10.10.10.3, spoke1_0, 00:00:02
Overlay Controller VPN (OCVPN)
Full mesh OCVPN
This topic provides an example configuration of full mesh Overlay Controller VPN (OCVPN).
OCVPN is a cloud based solution to simplify IPsec VPN setup. When Overlay Controller VPN is enabled, IPsec phase1-
interfaces, phase2-interfaces, static routes, and firewall policies are generated automatically on all FortiGates that
belong to the same community network. A community network is defined as all FortiGates registered to FortiCare by
using the same FortiCare account.
If the network topology changes on any FortiGates in the community (such as changing a public IP address in DHCP
mode, adding or removing protected subnets, failing over in dual WAN), the IPsec-related configuration for all devices is
updated with Cloud assistance in self-learning mode. No intervention is required.
Full mesh IPsec tunnels are established between all FortiGates.

IPsec VPNs 539
License
l Free license: Three devices full mesh, 10 overlays, 16 subnets per overlay.
l Full License: Maximum of 16 devices, 10 overlays, 16 subnets per overlay.
Prerequisites
l All FortiGates must be running FortiOS version 6.2.0 or later.

l All FortiGates must have Internet access.
l All FortiGates must be registered on FortiCare by using the same FortiCare account.
Restrictions
l Non-root VDOM does not support OCVPN.

l FortiOS 6.2.x is not compatible with FortiOS 6.0.x.
Terminology
Poll-interval Used to define how often FortiGate tries to fetch OCVPN-related data from
OCVPN Cloud.
Role Used to specify the device OCVPN role of spoke, primary-hub, or secondary-hub.
Overlay Used to define network overlays and bind to subnets.
Subnet Internal network subnet (IPsec protected subnet). Traffic source from or
destination to this subnet will enter IPsec tunnel encrypted by IPsec SA.

IPsec VPNs 540
Sample Topology
The following shows an example of three FortiGate units registered on FortiCare by using the same FortiCare account.
Each FortiGate unit has one internal subnet, and no NAT exists between these three FortiGate units.
The steps below use the following overlays and subnets for the sample configuration:
l Branch1:
l Overlay name: QA. Local subnets: 10.1.100.0/24
l Overlay name: PM. Local subnets: 10.2.100.0/24
l Branch2:
l Overlay name: QA. Local interfaces: lan1
l Overlay name: PM. Local interfaces: lan2
l Branch3:
Before you begin, ensure all FortiGates are registered on FortiCare.
To register FortiGates on FortiCare:
1. Go to System > Fortiguard > License Information > FortiCare Support.

2. Select Register or Launch Portal to register.
3. Complete the options to register FortiGate on FortiCare.

IPsec VPNs 541
To enable OCVPN using the GUI:
1. Go to VPN > Overlay Controller VPN.
2. Create the first overlay by setting the following options and clicking OK:
a. Beside Status, click Enabled.
b. Beside Role, click Spoke.
c. In the Overlays section, click Create New to create a network overlay.
d. In the Name box, type a name, and input the subnets and/or choose internal interfaces.
The local subnet must be routable, and interfaces must have assigned IP addresses. Otherwise an error
message displays.

IPsec VPNs 542
3. Repeat this procedure until you create all the needed overlays.
To enable OCVPN using the CLI:
1. Ensure all FortiGates are registered on FortiCare.

2. Configure Branch1:
config vpn ocvpn
set status enable
config overlays
edit 1
set name "QA"
config subnets
edit 1
set subnet 10.1.100.0 255.255.255.0
next
end
next
edit 2
set name "PM"
config subnets
edit 1
set subnet 10.2.100.0 255.255.255.0
next
end
next
end
end

IPsec VPNs 543
config vpn ocvpn
set status enable
config overlays
edit 1
set name "QA"
config subnets
edit 1
set type interface
set interface "lan1"
next
end
next
edit 2
set name "PM"
config subnets
edit 1
set type interface
set interface "lan2"
next
end
next
end
end
config vpn ocvpn
set status enable
config overlays
edit 1
set name "QA"
config subnets
edit 1
set subnet 172.16.101.0 255.255.255.0
next
end
next
edit 1
set name "OM"
config subnets
edit 1
set subnet 172.16.102.0 255.255.255.0
next
end
next
end
end
Hub-spoke OCVPN with ADVPN shortcut
This topic provides a sample configuration of a hub-spoke One-Click VPN (OCVPN) with an Auto Discovery VPN
(ADVPN) shortcut. OCVPN automatically detects the network topology based on members' information. To form a hub-
spoke OCVPN, at least one device must announce its role as the primary hub, another device can work as the secondary
hub (for redundancy), while others function as spokes.

IPsec VPNs 544
License
l Free license: Hub-spoke network topology not supported.

l Full license: Maximum of 2 hubs, 10 overlays, 64 subnets per overlay; 512 spokes, 10 overlays, 16 subnets per
overlay.
Prerequisites
l All FortiGates are on FortiOS version 6.2.0 or later.

l All FortiGates must have Internet access.
Restrictions
l Non-root VDOM doesn't support OCVPN.

OCVPN device roles
l Primary hub
l Secondary hub
l Spoke (OCVPN default role)
Sample topology
Sample Configuration
The steps below use the following overlays and subnets for the sample configuration:
l Primary hub:

IPsec VPNs 545
l Secondary hub:
l Overlays are synced from primary hub.
l Spoke1:
l Spoke2:
l Overlay name: QA. Local interfaces lan1
l Overlay name: PM. Local interfaces lan2
Before you begin, ensure all FortiGates are registered on FortiCare.
To register FortiGates on FortiCare:
1. Go to System > Fortiguard > License Information > FortiCare Support.

2. Select either Register or Launch Portal to register.
3. Complete the options to register FortiGate on FortiCare.
To enable hub-spoke OCVPN through the GUI:
1. Configure the OCVPN primary hub:

a. Go to VPN > Overlay Controller VPN.
b. Enable Overlay Controller VPN and select Primary Hub as the role.
c. In the Overlays section, select Create New to create a network overlay.

d. Enter a name and the subnets and/or internal interfaces, then select OK.

IPsec VPNs 546
e. Select Apply to commit the configuration.
2. Configure the OCVPN secondary hub:

Overlays are synced from the primary hub and cannot be defined in the secondary hub.
b. Enable Overlay Controller VPN and select Secondary Hub as the role.
c. Select Apply to commit the configuration.
3. Configure the OCVPN spokes:

b. Enable Overlay Controller VPN and select Spoke as the role.
c. In the Overlays section, select Create New to create a network overlay.
d. Enter a name and the subnets and/or internal interfaces, then select OK.
The local subnet must be routable and the interface must have an IP address assigned, otherwise an error
message appears.

IPsec VPNs 547
e. Select Apply to commit the configuration.
To enable hub-spoke OCVPN through the CLI:
1. Configure the OCVPN primary hub:

config vpn ocvpn
set status enable
set role primary-hub
config overlays
edit 1
set name "QA"
config subnets
edit 1
set subnet 172.16.101.0 255.255.255.0
next
end
next
edit 2
set name "PM"
config subnets
edit 1
set subnet 172.16.102.0 255.255.255.0
next
end
next
end
end
2. Configure the OCVPN secondary hub:

config vpn ocvpn
set status enable
set role secondary-hub
end
3. Configure the OCVPN spoke1:

config vpn ocvpn
set status enable

IPsec VPNs 548
config overlays
edit 1
set name "QA"
config subnets
edit 1
set subnet 10.1.100.0 255.255.255.0
next
end
next
edit 2
set name "PM"
config subnets
edit 1
set subnet 10.2.100.0 255.255.255.0
next
end
next
end
end
4. Configure the OCVPN spoke2:

config vpn ocvpn
set status enable
config overlays
edit 1
set name "QA"
config subnets
edit 1
set subnet 192.168.4.0 255.255.255.0
next
end
next
edit 2
set name "PM"
config subnets
edit 1
set subnet 192.168.5.0 255.255.255.0
next
end
next
end
end
Hub-Spoke OCVPN with inter-overlay source NAT
This topic provides a sample configuration of Hub-Spoke OCVPN with inter-overlay source NAT. OCVPN isolates traffic
between overlays by default. With NAT enabled on Spokes and assign-ip enabled on Hub, you can have inter-
overlay communication.
Inter-overlay communication means devices from any source addresses and any source interfaces can communicate
with any devices in overlays' subnets when the overlay option assign-ip is enabled.
To enable 'NAT', disable 'auto-discovery' first.

IPsec VPNs 549
License
l Free license: Hub-spoke network topology not supported.

l Full License: Maximum of 2 hubs, 10 overlays, 64 subnets per overlay; 512 spokes, 10 overlays, 16 subnets per
overlay.
Prerequisites
l All FortiGate devices must be running FortiOS version 6.2.0 or later.

l All FortiGate devices must have Internet access.
Restrictions
l Non-root VDOM does not support OCVPN.

OCVPN device roles
l Primary-hub
l Secondary-hub
l Spoke (OCVPN default role)
Sample network topology
You can only configure this feature by using the CLI.

IPsec VPNs 550
To enable inter-overlay source NAT from CLI:
1. Configure the Primary-Hub, enable overlay QA, and configure assign-ip and IP range:
config vpn ocvpn
set status enable
set role primary-hub
config overlays
edit 1
set name "QA"
set assign-ip enable
set ipv4-start-ip 172.16.101.100
set ipv4-end-ip 172.16.101.200
config subnets
edit 1
set subnet 172.16.101.0 255.255.255.0
next
end
next
edit 2
set name "PM"
set assign-ip enable
config subnets
edit 1
set subnet 172.16.102.0 255.255.255.0
next
end
next
end
end
2. Configure the Secondary-Hub:

config vpn ocvpn
set status enable
set role secondary-hub
end
3. Configure Spoke1, and enable NAT on the spoke:

config vpn ocvpn
set status enable
set auto-discovery disable
set nat enable
config overlays
edit 1
set name "QA"
config subnets
edit 1
set subnet 10.1.100.0 255.255.255.0
next
end
next
edit 2
set name "PM"
config subnets
edit 1
set subnet 10.2.100.0 255.255.255.0

IPsec VPNs 551
next
end
next
end
end
4. Configure Spoke2, and enable NAT enabled on the spoke:

config vpn ocvpn
set status enable
set auto-discovery disable
set nat enable
config overlays
edit 1
set name "QA"
config subnets
edit 1
set subnet 192.168.4.0 255.255.255.0
next
end
next
edit 2
set name "PM"
config subnets
edit 1
set subnet 192.168.5.0 255.255.255.0
next
end
next
end
end
A firewall policy with NAT is generated on the spoke:

edit 9
set name "_OCVPN2-1.1_nat"
set uuid 3f7a84b8-3d36-51e9-ee97-8f418c91e666
set srcintf "any"
set dstintf "_OCVPN2-1.1"
set srcaddr "all"
set dstaddr "_OCVPN2-1.1_remote_networks"
set action accept
set service "ALL"
set comments "Generated by OCVPN Cloud Service."
set nat enable
next

IPsec VPNs 552
OCVPN portal
After you log into the OCVPN portal, the OCVPN license type and device information display. The device information
includes the device serial number, OCVPN role, hostname, public IP address, port number, and overlays.

IPsec VPNs 553
You can unregister an OCVPN device from the OCVPN portal under Device on the right pane.
The OCVPN diagram can show the OCVPN network topology.

IPsec VPNs 554
OCVPN troubleshooting
This document includes troubleshooting steps for the following OCVPN network topologies:
l Full mesh.
l Hub-spoke with ADVPN shortcut.
l Hub-spoke with inter-overlay source NAT.
For OCVPN configurations in different network topologies, please refer to the other OCVPN topics.
Full mesh network topology troubleshooting
l Branch_1 # diagnose vpn ocvpn status

Current State : Registered
Topology : Full-Mesh
Role : Spoke
Server Status : Up
Registration time : Thu Feb 28 18:42:25 2019
Update time : Thu Feb 28 15:57:18 2019
Poll time : Fri Mar 1 15:02:28 2019
l Branch_1 # diagnose vpn ocvpn show-meta

Topology :: auto
License :: full
Members :: 3
Max-free :: 3
l Branch_1 # diagnose vpn ocvpn show-overlays

QA
PM
l Branch_1 # diagnose vpn ocvpn show-members

Member: { "SN": "FG100D3G15801621", "IPv4": "172.16.200.1", "port": "500", "slot": 1000,
"overlay": [ { "id": 0, "name": "QA", "subnets": [ "10.1.100.0\/255.255.255.0" ], "ip_
range": "0.0.0.0-0.0.0.0" }, { "id": 1, "name": "PM", "subnets": [
"10.2.100.0\/255.255.255.0" ], "ip_range": "0.0.0.0-0.0.0.0" } ], "Name": "FortiGate-100D",
"topology_role": "spoke" }
Member: { "SN": "FG900D3915800083", "IPv4": "172.16.200.4", "port": "500", "slot": 1001,
"172.16.102.0\/255.255.255.0" ], "ip_range": "0.0.0.0-0.0.0.0" } ], "Name": "Branch3",
Member: { "SN": "FGT51E3U16001314", "IPv4": "172.16.200.199", "port": "500", "slot": 1002,
"192.168.5.0\/255.255.255.0" ], "ip_range": "0.0.0.0-0.0.0.0" } ], "Name": "Branch2",
l Branch_1 # dagnose vpn tunnel list

------------------------------------------------------
name=_OCVPN2-3.1 ver=2 serial=4 172.16.200.1:0->172.16.200.199:0 dst_mtu=1500

IPsec VPNs 555

proxyid=_OCVPN2-3.1 proto=0 sa=1 ref=2 serial=8 auto-negotiate
src: 0:10.1.100.0-10.1.100.255:0
dst: 0:192.168.4.0-192.168.4.255:0
dec: spi=c34bb752 esp=aes key=16 3c5ceeff3cac1eaa2702b5ccb713ab9b
ah=sha1 key=20 5903e358b3d8938ee64f0412887a0fe741ccb105
enc: spi=b5bd4fe1 esp=aes key=16 8ae97a8abe24dae725d614d2a6efdcb0
ah=sha1 key=20 9ec200d9c0cef9e1b7cf76e05dbf344c70f53214
src: 0:10.1.100.0/255.255.255.0:0
dst: 0:0.0.0.0/0.0.0.0:0
------------------------------------------------------

src: 0:10.1.100.0-10.1.100.255:0
dst: 0:172.16.101.0-172.16.101.255:0
dec: spi=c34bb750 esp=aes key=16 8c9844a8bcd3fda6c7bd8a4f2ec81ef1
ah=sha1 key=20 680c7144346f5b52126cbad9f325821b048c7192
enc: spi=f2d1f2d4 esp=aes key=16 f9625fc8590152829eb39eecab3a3999
ah=sha1 key=20 5df8447416da541fa54dde9fa3e5c35fbfc4723f
src: 0:10.1.100.0/255.255.255.0:0
dst: 0:0.0.0.0/0.0.0.0:0
------------------------------------------------------

src: 0:10.2.100.0-10.2.100.255:0
dst: 0:192.168.5.0-192.168.5.255:0

IPsec VPNs 556

dec: spi=c34bb753 esp=aes key=16 58ddfad9a3699f1c49f3a9f369145c28
ah=sha1 key=20 e749c7e6a7aaff119707c792eb73cd975127873b
enc: spi=b5bd4fe2 esp=aes key=16 8f2366e653f5f9ad6587be1ce1905764
ah=sha1 key=20 5347bf24e51219d483c0f7b058eceab202026204
src: 0:10.2.100.0/255.255.255.0:0
dst: 0:0.0.0.0/0.0.0.0:0
------------------------------------------------------

src: 0:10.2.100.0-10.2.100.255:0
dst: 0:172.16.102.0-172.16.102.255:0
dec: spi=c34bb751 esp=aes key=16 41449ee5ea43d3e1f80df05fc632cd44
ah=sha1 key=20 3ca2aea1c8764f35ccf987cdeca7cf6eb54331fb
enc: spi=f2d1f2d5 esp=aes key=16 9010dd57e502c6296b27a4649a45a6ba
ah=sha1 key=20 caf86a176ce04464221543f15fc3c63fc573b8ee
src: 0:10.2.100.0/255.255.255.0:0
dst: 0:0.0.0.0/0.0.0.0:0
l Branch_1 # get router info routing-table all

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [10/0] via 172.16.200.254, port1

C 10.1.100.0/24 is directly connected, dmz
C 10.2.100.0/24 is directly connected, loop
C 11.101.1.0/24 is directly connected, wan1
S 192.168.5.0/24 [20/0] is directly connected, _OCVPN2-3.2
C 172.16.200.0/24 is directly connected, port1

IPsec VPNs 557
Hub-spoke with ADVPN shortcut troubleshooting
l Primary-Hub # diagnose vpn ocvpn status

Topology : Dual-Hub-Spoke
Role : Primary-Hub
Server Status : Up
Registration time : Sat Mar 2 11:31:54 2019
Poll time : Sat Mar 2 11:46:02 2019
l Spoke1 # diagnose vpn ocvpn status

Role : Spoke
Server Status : Up
l Primary-Hub # diagnose vpn ocvpn show-members

Member: { "sn": "FG900D3915800083", "ip_v4": "172.16.200.4", "port": 500, "slot": 0,
"172.16.102.0\/255.255.255.0" ], "ip_range": "0.0.0.0-0.0.0.0" } ], "name": "Primary-Hub",
"topology_role": "primary_hub", "eap": "disable", "auto_discovery": "enable" }
Member: { "sn": "FG100D3G15828488", "ip_v4": "172.16.200.2", "port": 500, "slot": 1,
"172.16.102.0\/255.255.255.0" ], "ip_range": "0.0.0.0-0.0.0.0" } ], "name": "Secondary-
Hub", "topology_role": "secondary_hub", "eap": "disable", "auto_discovery": "enable" }
"10.2.100.0\/255.255.255.0" ], "ip_range": "0.0.0.0-0.0.0.0" } ], "name": "Spoke1",
Member: { "sn": "FGT51E3U16001314", "ip_v4": "172.16.200.3", "port": 500, "slot": 1001,
l Primary-Hub # diagnose vpn ocvpn show-meta

Topology :: auto
License :: full
Members :: 4
Max-free :: 3
l Primary-Hub # diagnose vpn ocvpn show-overlays

QA
PM
l Spoke1 # diganose vpn tunnel list

------------------------------------------------------

IPsec VPNs 558


proxyid=_OCVPN2-0.0 proto=0 sa=1 ref=2 serial=1 auto-negotiate adr
src: 0:10.1.100.0/255.255.255.0:0
dst: 0:0.0.0.0/0.0.0.0:0
dec: spi=048477c7 esp=aes key=16 240e064c0f1c980ca31980b9e7605c9d
ah=sha1 key=20 6ff022cbebcaff4c5de62eefb2e6180c40a3adb2
enc: spi=dfcffa86 esp=aes key=16 862208de164a02af377756c2bcabd588
ah=sha1 key=20 af6e54781fd42d7a2ba2119ec95d0f95629c8448
------------------------------------------------------

src: 0:10.1.100.0/255.255.255.0:0
dst: 0:0.0.0.0/0.0.0.0:0
------------------------------------------------------

src: 0:10.2.100.0/255.255.255.0:0
dst: 0:0.0.0.0/0.0.0.0:0
dec: spi=048477c8 esp=aes key=16 701ec608767f4988b76c2f662464e654
ah=sha1 key=20 93c65d106dc610d7ee3f04487f08601a9e00ffdd
enc: spi=dfcffa87 esp=aes key=16 02b2d04dce3d81ebab69e128d45cb7ca
ah=sha1 key=20 4a9283847f852c83a75691fad44d07d8409a2267
------------------------------------------------------

IPsec VPNs 559

src: 0:10.2.100.0/255.255.255.0:0
dst: 0:0.0.0.0/0.0.0.0:0
l Spoke1 # get router info routing-table all

S* 0.0.0.0/0 [10/0] via 172.16.200.254, port1

l Generate traffic from Spoke1 to Spoke2 to trigger the ADVPN shortcut and check the VPN tunnel and routing-table
again on Spoke1.
branch1 # diagnose vpn tunnel list
------------------------------------------------------
name=_OCVPN2-0.0_0 ver=2 serial=a 172.16.200.1:0->172.16.200.3:0 dst_mtu=1500
bound_if=11 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/720 options[02d0]=create_
dev no-sysctl rgwy-chg frag-rfc accept_traffic=1
parent=_OCVPN2-0.0 index=0
proxyid=_OCVPN2-0.0 proto=0 sa=1 ref=2 serial=1 auto-negotiate add-route adr
src: 0:10.1.100.0-10.1.100.255:0
dst: 0:192.168.4.0-192.168.4.255:0
dec: spi=048477c9 esp=aes key=16 27c35d53793013ef24cf887561e9f313
ah=sha1 key=20 2c8cfd328c3b29104db0ca74a00c6063f46cafe4
enc: spi=fb9e13fd esp=aes key=16 9d0d3bf6c84b7ddaf9d9196fe74002ed
ah=sha1 key=20 d1f541db787dea384c6a4df16fc228abeb7ae334
------------------------------------------------------

IPsec VPNs 560

src: 0:10.1.100.0/255.255.255.0:0
dst: 0:0.0.0.0/0.0.0.0:0
dec: spi=048477c7 esp=aes key=16 240e064c0f1c980ca31980b9e7605c9d
ah=sha1 key=20 6ff022cbebcaff4c5de62eefb2e6180c40a3adb2
enc: spi=dfcffa86 esp=aes key=16 862208de164a02af377756c2bcabd588
ah=sha1 key=20 af6e54781fd42d7a2ba2119ec95d0f95629c8448
------------------------------------------------------

src: 0:10.1.100.0/255.255.255.0:0
dst: 0:0.0.0.0/0.0.0.0:0
------------------------------------------------------

src: 0:10.2.100.0/255.255.255.0:0
dst: 0:0.0.0.0/0.0.0.0:0
dec: spi=048477c8 esp=aes key=16 701ec608767f4988b76c2f662464e654
ah=sha1 key=20 93c65d106dc610d7ee3f04487f08601a9e00ffdd
enc: spi=dfcffa87 esp=aes key=16 02b2d04dce3d81ebab69e128d45cb7ca
ah=sha1 key=20 4a9283847f852c83a75691fad44d07d8409a2267
------------------------------------------------------


IPsec VPNs 561

src: 0:10.2.100.0/255.255.255.0:0
dst: 0:0.0.0.0/0.0.0.0:0

S* 0.0.0.0/0 [10/0] via 172.16.200.254, port1

S 192.168.4.0/24 [15/0] via 172.16.200.3, _OCVPN2-0.0_0
l Simulate the primary hub being unavailable where all spoke's dialup VPN tunnels will switch to the secondary hub,
to check VPN tunnel status and routing-table.
------------------------------------------------------

src: 0:10.1.100.0/255.255.255.0:0
dst: 0:0.0.0.0/0.0.0.0:0
------------------------------------------------------

src: 0:10.1.100.0/255.255.255.0:0
dst: 0:0.0.0.0/0.0.0.0:0

IPsec VPNs 562
dec: spi=048477cd esp=aes key=16 9bb363a32378b5897cd42890c92df811

ah=sha1 key=20 2ed40583b9544e37867349b4adc7c013024d7e17
enc: spi=f345fb42 esp=aes key=16 3ea31dff3310b245700a131db4565851
ah=sha1 key=20 522862dfb232514b845e436133b148da0e67b7c4
------------------------------------------------------

src: 0:10.2.100.0/255.255.255.0:0
dst: 0:0.0.0.0/0.0.0.0:0
------------------------------------------------------

src: 0:10.2.100.0/255.255.255.0:0
dst: 0:0.0.0.0/0.0.0.0:0
dec: spi=048477cf esp=aes key=16 b6f0ca7564abcd8559b5b0ebb3fd04c1
ah=sha1 key=20 4130d040554b39daca72adac7583b9cc83cce3c8
enc: spi=f345fb43 esp=aes key=16 727582f20fcedff884ba693ed2164bcd
ah=sha1 key=20 b0a625803fde701ed9d28d256079e908954b7fc8

S* 0.0.0.0/0 [10/0] via 172.16.200.254, port1


IPsec VPNs 563
Hub-spoke with inter-overlay source NAT troubleshooting
l Primary-Hub # diagnose vpn ocvpn status

Role : Primary-Hub
Server Status : Up
Update time : Sat Mar 2 13:57:05 2019
l Spoke1 # dagnose vpn ocvpn status

Role : Spoke
Server Status : Up
l Primary-Hub # diagnose vpn ocvpn show-members

Member: { "sn": "FG900D3915800083", "ip_v4": "172.16.200.4", "port": 500, "slot": 0,
"172.16.102.0\/255.255.255.0" ], "ip_range": "172.16.102.100-172.16.102.200" } ], "name":
"Primary-Hub", "topology_role": "primary_hub", "eap": "disable", "auto_discovery": "enable"
}
"172.16.102.0\/255.255.255.0" ], "ip_range": "0.0.0.0-0.0.0.0" } ], "name": "Secondary-
Hub", "topology_role": "secondary_hub", "eap": "disable", "auto_discovery": "enable" }
Member: { "sn": "FGT51E3U16001314", "ip_v4": "172.16.200.3", "port": 500, "slot": 1001,
l Primary-Hub # diagnose vpn ocvpn show-meta

Topology :: auto
License :: full
Members :: 4
Max-free :: 3
l Primary-Hub # diagnose vpn ocvpn show-overlays

QA
PM

IPsec VPNs 564
l Spoke1 # diagnose vpn tunnel list

------------------------------------------------------
name=_OCVPN2-0.0 ver=2 serial=c 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500

src: 0:10.1.100.0/255.255.255.0:0
dst: 0:0.0.0.0/0.0.0.0:0
dec: spi=0484795d esp=aes key=16 10eeb76fadd49f00c333350d83509095
ah=sha1 key=20 971bde5dcfca7e52fd1573cb3489e9c855f6154e
enc: spi=dfcffaaa esp=aes key=16 d07a4dd683ee093af2dca9485aa436eb
ah=sha1 key=20 65369be35d5ecad8cae63557318419cd6005c230
proxyid=_OCVPN2-0.0_nat proto=0 sa=1 ref=2 serial=3 auto-negotiate
src: 0:172.16.101.101-172.16.101.101:0
dst: 0:0.0.0.0-255.255.255.255:0
dec: spi=04847961 esp=aes key=16 ea181036b02e8bc8711fb520b3e98a60
ah=sha1 key=20 b3c449d96d5d3f090975087a62447f6918ce7930
enc: spi=dfcffaac esp=aes key=16 f7ea5e42e9443698e6b8b32161ace40e
ah=sha1 key=20 a7e36dd1ec0bdb6eff0aa66e442707427400c700
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
------------------------------------------------------
name=_OCVPN2-1.0 ver=2 serial=e 172.16.200.1:0->172.16.200.2:0 dst_mtu=0

src: 0:10.1.100.0/255.255.255.0:0
dst: 0:0.0.0.0/0.0.0.0:0
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
------------------------------------------------------
name=_OCVPN2-0.1 ver=2 serial=b 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500

IPsec VPNs 565

src: 0:10.2.100.0/255.255.255.0:0
dst: 0:0.0.0.0/0.0.0.0:0
dec: spi=0484795e esp=aes key=16 106eaa95a2be64b566e7d1ca0aa88f6a
ah=sha1 key=20 5dddfba7070b03d5a31931d41db06ff96e7bc542
enc: spi=dfcffaab esp=aes key=16 29c774dbd7e54464ee298c381e71a94e
ah=sha1 key=20 c3da7372789c0a53b3752e69baaba1a42d798820
src: 0:172.16.102.101-172.16.102.101:0
dst: 0:0.0.0.0-255.255.255.255:0
dec: spi=04847962 esp=aes key=16 b7daa5807cfa86906592a012a9d2478f
ah=sha1 key=20 39c8bb4c9e3f1e9e451f22c58a172ff01155055d
enc: spi=dfcffaad esp=aes key=16 2ecc644def4cebe6b0c4b7729da43d8e
ah=sha1 key=20 469c6f319e83bd73468f55d430566afcd6215138
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
------------------------------------------------------
name=_OCVPN2-1.1 ver=2 serial=d 172.16.200.1:0->172.16.200.2:0 dst_mtu=0

src: 0:10.2.100.0/255.255.255.0:0
dst: 0:0.0.0.0/0.0.0.0:0
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
l Spoke1 # get router info routing-table all

S* 0.0.0.0/0 [10/0] via 172.16.200.254, port1


IPsec VPNs 566

C 172.16.101.101/32 is directly connected, _OCVPN2-0.1
C 172.16.102.101/32 is directly connected, _OCVPN2-0.0
l Spoke1 # show firewall policy

..............................
edit 9
set uuid 3f7a84b8-3d36-51e9-ee97-8f418c91e666
set srcintf "any"
set srcaddr "all"
set action accept
set service "ALL"
set nat enable
next
edit 12
set uuid 3fafec98-3d36-51e9-80c0-5d99325bad83
set srcintf "any"
set srcaddr "all"
set action accept
set service "ALL"
set nat enable
next
.................................
Authentication in VPN
IPsec VPN authenticating a remote FortiGate peer with a pre-shared key
This recipe provides sample configuration of IPsec VPN authenticating a remote FortiGate peer with a pre-shared key.

IPsec VPNs 567
You can configure IPsec VPN authenticating a remote FortiGate peer with a pre-shared key using the FortiOSGUI or
CLI.
To configure IPsec VPN authenticating a remote FortiGate peer with a pre-shared key on the FortiOS GUI:
1. Configure the HQ1 FortiGate:

a. In FortiOS, go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
iv. For NAT Configuration, select No NAT Between Sites.
v. Click Next.
ii. For the IP address, enter 172.16.202.1.
iii. For Outgoing interface, enter port1.
v. In the Pre-shared Key field, enter sample as the key.
vi. Click Next.
iv. Click Create.
v. Click Next.
ii. For the IP address, enter 172.16.2001.

IPsec VPNs 568
v. In the Pre-shared Key field, enter sample as the key.

vi. Click Next.
ii. Configure Local Subnets as 172.16.101.0.
iv. Click Create.
To configure IPsec VPN authenticating a remote FortiGate peer with a pre-shared key using the FortiOS
CLI:
1. Configure the WAN interface and default route. The WAN interface is the interface connected to the ISP. The IPsec
tunnel is established over the WAN interface:
a. Configure HQ1:
edit "port1"
set vdom "root"
set ip 172.16.200.1 255.255.255.0
next
end
edit 1
set device "port1"
next
end
b. Configure HQ2:
edit "port25"
set vdom "root"
set ip 172.16.202.1 255.255.255.0
next
end
edit 1
set device "port25"
next
end
2. Configure the internal (protected subnet) interface. The internal interface connects to the corporate internal
network. Traffic from this interface routes out the IPsec VPN tunnel:
a. Configure HQ1:
edit "dmz"
set vdom "root"
set ip 10.1.100.1 255.255.255.0
next
end

IPsec VPNs 569
b. Configure HQ2:
edit "port9"
set vdom "root"
set ip 172.16.101.1 255.255.255.0
next
end

a. Configure HQ1:
edit "to_HQ2"
set peertype any
next
end
b. Configure HQ2:
edit "to_HQ1"
set peertype any
next
end

a. Configure HQ1:
edit "to_HQ2"
next
end
b. Configure HQ2:
edit "to_HQ2"
next
end

IPsec VPNs 570
5. Configure the static routes. Two static routes are added to reach the remote protected subnet. The blackhole route
is important to ensure that IPsec traffic does not match the default route when the IPsec tunnel is down:
a. Configure HQ1:
edit 2
set dst 172.16.101.0 255.255.255.0
set device "to_HQ2"
next
edit 3
set dst 172.16.101.0 255.255.255.0
set distance 254
next
end
b. Configure HQ2:
edit 2
set dst 10.1.100.0 255.255.255.0
set device "to_HQ1"
next
edit 3
set dst 10.1.100.0 255.255.255.0
set distance 254
next
end
6. Configure two firewall policies to allow bidirectional IPsec traffic flow over the IPsec VPN tunnel:
a. Configure HQ1:
edit 1
set name "inbound"
set dstintf "dmz"
set srcaddr "172.16.101.0"
set action accept
set service "ALL"
next
edit 2
set name "outbound"
set srcintf "dmz"
set dstaddr "172.16.101.0"
set action accept
set service "ALL"
next
end

IPsec VPNs 571
b. Configure HQ2:
edit 1
set name "inbound"
set dstintf "port9"
set dstaddr "172.16.101.0"
set action accept
set service "ALL"
next
edit 2
set name "outbound"
set srcintf "port9"
set srcaddr "172.16.101.0"
set action accept
set service "ALL"
next
end
7. Run diagnose commands. The diagnose debug application ike -1 command is the key to figure out
why the IPsec tunnel failed to establish. If the PSK failed to match, the following error shows up in the debug
output:
ike 0:to_HQ2:15037: parse error
ike 0:to_HQ2:15037: probable pre-shared secret mismatch'
The following commands are useful to check IPsec phase1/phase2 interface status.
a. Run the diagnose vpn ike gateway list command on HQ1. The system should return the following:
vd: root/0
name: to_HQ2
version: 1
interface: port1 11
addr: 172.16.200.1:500 -> 172.16.202.1:500
created: 5s ago
id/spi: 12 6e8d0532e7fe8d84/3694ac323138a024
key: b3efb46d0d385aff-7bb9ee241362ee8d
DPD sent/recv: 00000000/00000000
b. Run the diagnose vpn tunnel list command on HQ1. The system should return the following:
dev frag-rfcaccept_traffic=1

IPsec VPNs 572

src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
dec: spi=ef9ca700 esp=aes key=16 a2c6584bf654d4f956497b3436f1cfc7
IPsec VPN authenticating a remote FortiGate peer with a certificate
This recipe provides sample configuration of IPsec VPN authenticating a remote FortiGate peer with a certificate. The
certificate on one peer is validated by the presence of the CA certificate installed on the other peer.
You can configure IPsec VPN authenticating a remote FortiGate peer with a pre-shared key using the FortiOSGUI or
CLI.
To configure IPsec VPN authenticating a remote FortiGate peer with a pre-shared key on the FortiOS GUI:
1. Import the certificate.

2. Configure user peers.
v. Click Next.
ii. For the IP address, enter 172.16.202.1.
iv. For Authentication Method, select Signature.
v. In the Certificate name field, select the imported certificate.

IPsec VPNs 573
vi. From the Peer Certificate CA dropdown list, select the desired peer CA certificate.
vii. Click Next.
iv. Click Create.
v. Click Next.
ii. For the IP address, enter 172.16.2001.
iv. For Authentication Method, select Signature.
v. In the Certificate name field, select the imported certificate.
vi. From the Peer Certificate CA dropdown list, select the desired peer CA certificate.
vii. Click Next.
ii. Configure Local Subnets as 172.16.101.0.
iv. Click Create.
To configure IPsec VPN authenticating a remote FortiGate peer with a pre-shared key using the FortiOS
CLI:
1. Configure the WAN interface and default route. The WAN interface is the interface connected to the ISP. The IPsec
tunnel is established over the WAN interface:
a. Configure HQ1:
edit "port1"
set vdom "root"
set ip 172.16.200.1 255.255.255.0
next
end
edit 1
set device "port1"
next
end

IPsec VPNs 574
b. Configure HQ2:
edit "port25"
set vdom "root"
set ip 172.16.202.1 255.255.255.0
next
end
edit 1
set device "port25"
next
end
2. Configure the internal (protected subnet) interface. The internal interface connects to the corporate internal
network. Traffic from this interface routes out the IPsec VPN tunnel:
a. Configure HQ1:
edit "dmz"
set vdom "root"
set ip 10.1.100.1 255.255.255.0
next
end
b. Configure HQ2:
edit "port9"
set vdom "root"
set ip 172.16.101.1 255.255.255.0
next
end
3. Configure the import certificate and its CA certificate information. The certificate and its CA certificate must be
imported on the remote peer FortiGate and on the primary FortiGate before configuring IPsec VPN tunnels. If the
built-in Fortinet_Factory certificate and the Fortinet_CA CA certificate are used for authentication, you can skip this
step:
a. Configure HQ1:
config vpn certificate local
edit "test1"
...
set range global
next
end
config vpn certificate ca
edit "CA_Cert_1"
...
set range global
next
end
b. Configure HQ2:
config vpn certificate local
edit "test2"
...

IPsec VPNs 575
set range global

next
end
edit "CA_Cert_1"
...
set range global
next
end
4. Configure the peer user. The peer user is used in the IPsec VPN tunnel peer setting to authenticate the remote
peer FortiGate.
a. If not using the built-in Fortinet_Factory certificate and Fortinet_CA CA certificate, do the following:
i. Configure HQ1:
config user peer
edit "peer1"
set ca "CA_Cert_1"
next
end
ii. Configure HQ2:

config user peer
edit "peer2"
set ca "CA_Cert_1"
next
end
b. If the built-in Fortinet_Factory certificate and Fortinet_CA CA certificate are used for authentication, the peer
user must be configured based on Fortinet_CA:
i. Configure HQ1:
config user peer
edit "peer1"
set ca "Fortinet_CA"
next
end
ii. Configure HQ2:

config user peer
edit "peer2"
set ca "Fortinet_CA"
next
end

a. Configure HQ1:
edit "to_HQ2"
set authmethod signature
set certificate "test1"

IPsec VPNs 576
set peer "peer1"

next
end
b. Configure HQ2:
edit "to_HQ1"
set authmethod signature
set certificate "test2"
set peer "peer2"
next
end

a. Configure HQ1:
edit "to_HQ2"
next
end
b. Configure HQ2:
edit "to_HQ2"
next
end
7. Configure the static routes. Two static routes are added to reach the remote protected subnet. The blackhole route
is important to ensure that IPsec traffic does not match the default route when the IPsec tunnel is down:
a. Configure HQ1:
edit 2
set dst 172.16.101.0 255.255.255.0
set device "to_HQ2"
next
edit 3
set dst 172.16.101.0 255.255.255.0
set distance 254
next
end

IPsec VPNs 577
b. Configure HQ2:
edit 2
set dst 10.1.100.0 255.255.255.0
set device "to_HQ1"
next
edit 3
set dst 10.1.100.0 255.255.255.0
set distance 254
next
end
8. Configure two firewall policies to allow bidirectional IPsec traffic flow over the IPsec VPN tunnel:
a. Configure HQ1:
edit 1
set name "inbound"
set dstintf "dmz"
set srcaddr "172.16.101.0"
set action accept
set service "ALL"
next
edit 2
set name "outbound"
set srcintf "dmz"
set dstaddr "172.16.101.0"
set action accept
set service "ALL"
next
end
b. Configure HQ2:
edit 1
set name "inbound"
set dstintf "port9"
set dstaddr "172.16.101.0"
set action accept
set service "ALL"
next
edit 2
set name "outbound"
set srcintf "port9"
set srcaddr "172.16.101.0"

IPsec VPNs 578

set action accept
set service "ALL"
next
end
9. Run diagnose commands. The diagnose debug application ike -1 command is the key to figure out
why the IPsec tunnel failed to establish. If the remote FortiGate certificate cannot be validated, the following error
shows up in the debug output:
ike 0: to_HQ2:15314: certificate validation failed
The following commands are useful to check IPsec phase1/phase2 interface status.
a. Run the diagnose vpn ike gateway list command on HQ1. The system should return the following:
vd: root/0
name: to_HQ2
version: 1
interface: port1 11
addr: 172.16.200.1:500 -> 172.16.202.1:500
created: 7s ago
peer-id: C = CA, ST = BC, L = Burnaby, O = Fortinet, OU = QA, CN = test2
peer-id-auth: yes
id/spi: 15326 295be407fbddfc13/7a5a52afa56adf14 direction: initiator status:
established 7-7s ago = 70ms proposal: aes128-sha256 key: 4aa06dbee359a4c7-
43570710864bcf7b lifetime/rekey: 86400/86092 DPD sent/recv: 00000000/00000000 peer-id:
C = CA, ST = BC, L = Burnaby, O = Fortinet, OU = QA, CN = test2
b. Run the diagnose vpn tunnel list command on HQ1. The system should return the following:
dev frag-rfcaccept_traffic=1
proxyid=vpn-f proto=0 sa=1 ref=2 serial=1 auto-negotiate
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
dec: spi=72e87de7 esp=aes key=16 8b2b93e0c149d6f22b1c0b96ea450e6c
ah=sha1 key=20 facc655e5f33beb7c2b12e718a6d55413ce3efa2
enc: spi=5c52c865 esp=aes key=16 8d0c4e4adbf2338beed569b2b3205ece
ah=sha1 key=20 553331628612480ab6d7d563a00e2a967ebabcdd

IPsec VPNs 579
VXLAN over IPsec
VXLAN over IPsec tunnel
This recipe provides an example configuration of VXLAN over IPsec tunnel. VXLAN encapsulation is used in the
phase1-interface setting and virtual-switch is used to bridge the internal with VXLAN over IPsec tunnel.
The following shows the network topology for this example:
To configure GRE over an IPsec tunnel:
1. Configure the WAN interface and default route:

a. HQ1:
edit "port1"
set ip 172.16.200.1 255.255.255.0
next
end
edit 1
set device "port1"
next
end
b. HQ2:
edit "port25"
set ip 172.16.202.1 255.255.255.0
next
end
edit 1
set device "port25"
next
end

IPsec VPNs 580
2. Configure IPsec phase1-interface:

a. HQ1:
edit "to_HQ2"
set peertype any
set encapsulation VXLAN
set encapsulation-address ipv4
set encap-local-gw4 172.16.200.1
set encap-remote-gw4 172.16.202.1
next
end
edit "to_HQ2"
next
end
b. HQ2:
edit "to_HQ1"
set peertype any
set encapsulation VXLAN
set encapsulation-address ipv4
set encap-local-gw4 172.16.202.1
set encap-remote-gw4 172.16.200.1
next
end
edit "to_HQ1"
next
end

a. HQ1:
edit 1
set srcintf "dmz"
set action accept

IPsec VPNs 581
set service "ALL"

next
edit 2
set dstintf "dmz"
set action accept
set service "ALL"
next
end
b. HQ2:
edit 1
set srcintf "port9"
set action accept
set service "ALL"
next
edit 2
set dstintf "port9"
set action accept
set service "ALL"
next
end
4. Configure the virtual switch:

a. HQ1:
edit "VXLAN-HQ2"
set member "dmz" "to_HQ2"
set intra-switch-policy explicit
next
end
b. HQ2:
edit "VXLAN-HQ1"
set member "port9" "to_HQ1"
set intra-switch-policy explicit
next
end

IPsec VPNs 582
5. Optionally, view the VPN tunnel list on HQ1 with the diagnose vpn tunnel list command:
----
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=VXLAN/2 options[0002]=
encap-addr: 172.16.200.1->172.16.202.1
proxyid=to_HQ2 proto=0 sa=1 ref=2 serial=1
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
seqno=e6e esn=0 replaywin_lastseq=0000000e itn=0
dec: spi=635e9bb1 esp=aes key=16 c8a374905ef9156e66504195f46a650c
ah=sha1 key=20 a09265de7d3b0620b45441fb5af44dab125f2afe
enc: spi=a4d0cd1e esp=aes key=16 e9d0f3f0bb7e15a833f80c42615a3b91
ah=sha1 key=20 609a315c385471b8909b771c76e4fa7214996e50
6. Optionally, view the bridge control interface on HQ1 with the diagnose netlink brctl name host
VXLAN-HQ1 command:
show bridge control interface VXLAN-HQ1 host.
fdb: size=2048, used=17, num=17, depth=1
Bridge VXLAN-a host table
port no device devname mac addr ttl attributes
1 1. dmz 00:0c:29:4e:33:c9 1. Hit(1)
1 1. dmz 00:0c:29:a8:c3:ea 105 Hit(105)
1 1. dmz 90:6c:ac:53:76:29 18 Hit(18)
1 1. dmz 08:5b:0e:dd:69:cb 1. Local Static
1 1. dmz 90:6c:ac:84:3e:5d 1. Hit(5)
1 1. dmz 00:0b:fd:eb:21:d6 1. Hit(0)
2 38 to_HQ2 56:45:c3:3f:57:b4 1. Local Static
1 1. dmz 00:0c:29:d2:66:40 78 Hit(78)
2 38 to_HQ2 90:6c:ac:5b:a6:eb 124 Hit(124)
1 1. dmz 00:0c:29:a6:bc:e6 19 Hit(19)
1 1. dmz 00:0c:29:f0:a2:e7 1. Hit(0)
1 1. dmz 00:0c:29:d6:c4:66 164 Hit(164)
1 1. dmz 00:0c:29:e7:68:19 1. Hit(0)
1 1. dmz 00:0c:29:bf:79:30 19 Hit(19)
1 1. dmz 00:0c:29:e0:64:7d 1. Hit(0)
1 1. dmz 36:ea:c7:30:c0:f1 25 Hit(25)
1 1. dmz 36:ea:c7:30:cc:71 1. Hit(0)
VXLAN over IPsec using a VTEP
This example is intended for network engineers who are familiar with the FortiGate platform. It does not include all of
the required configuration steps. The intention is to provide the information that you need to implement VXLAN over
IPsec VPN using a VXLAN Tunnel Endpoint (VTEP).

IPsec VPNs 583
This example covers a VXLAN over IPsec VPN configuration using the FortiGate as the VTEP. There is also an
alternative configuration method that directly encapsulates traffic in IPsec VPN without creating a VXLAN interface.
This example shows a specific configuration that uses a hub-and-spoke topology. However, the same logic can be
applied to a static VPN. In this example's hub-and-spoke topology, dialup VPN is convenient as it uses a single phase 1
dialup definition on the hub FortiGate, with additional spoke tunnels being added without any changes to the hub other
than adding a user account for each additional spoke.
This example consists of the following steps:
1. Configure IPsec VPN
2. Configure a VXLAN interface
3. Bind the VXLAN interface to the Ethernet port
4. Test the configuration
To configure IPsec VPN:
1. Configure the phase 1 and phase 2 interfaces on the hub and spoke FortiGates:
a. Run the following CLI commands on the hub FortiGate:
edit "SPOKES"
set type dynamic
set mode aggressive
set peertype one
set xauthtype auto
set authusrgrp "SPOKES"
set peerid "SPOKES"
set psksecret <SECRET>
next
end

IPsec VPNs 584
edit "SPOKES"
set phase1name "SPOKES"
next
end
b. Run the following CLI commands on the spoke FortiGates:

edit "HUB"
set mode aggressive
set peertype any
set localid "SPOKES"
set xauthtype client
set authusr "SPOKE1"
set authpasswd <SECRET>
set remote-gw <HUB_PUBLIC_IP>
set psksecret <SECRET>
next
end
edit "HUB"
set phase1name "HUB"
set src-subnet 192.168.255.2 255.255.255.255
next
end
The hub FortiGate inserts a reverse route pointing to newly established tunnel interfaces
for any of the subnets that the spoke FortiGate's source quick mode selectors provides.
This is why you should set the tunnel IP address here.
2. Configure the IPsec VPN policies on the hub and spoke FortiGates:
a. Run the following CLI commands on the hub FortiGate. This policy allows VXLAN traffic between spokes,
since spoke-to-spoke traffic is done through the hub:
edit 1
set name "VXLAN_SPOKE_to_SPOKE"
set srcintf "SPOKES"
set dstintf "SPOKES"
set srcaddr "NET_192.168.255.0"
set dstaddr "NET_192.168.255.0"
set action accept
set service "UDP_4789"
set logtraffic all
set fsso disable
next
end

IPsec VPNs 585
b. Run the following commands on the spoke FortiGates. Usually, a tunnel interface is required for the IPsec
VPN to establish a policy. In this example, the FortiGate issues the VXLAN tunnel, which ends at the remote
FortiGate's tunnel interface. This explicitly removes the requirement for allowing VXLAN traffic. This explains
how such a policy can be created:
edit 1
set name "FICTIVE_IPSEC_POLICY"
set srcintf "HUB"
set dstintf "HUB"
set srcaddr "none"
set dstaddr "none"
set action accept
set service "PING"
set logtraffic disable
set fsso disable
next
end
3. Configure the IPsec tunnel interfaces. IPsec tunnel interfaces are used to support VXLAN tunnel termination.
Therefore, you must set an IP address for each tunnel interface. You should also allow ping access for
troubleshooting purposes:
a. Run the following CLI commands on the hub FortiGate. The remote IP address is not used, but is necessary
for this configuration.
edit "SPOKES"
set vdom "root"
set ip 192.168.255.1 255.255.255.255
set type tunnel
set remote-ip 192.168.255.254 255.255.255.0
set snmp-index 12
next
end
b. Run the following CLI commands on the spoke FortiGates:

edit "HUB"
set vdom "root"
set ip 192.168.255.2 255.255.255.255
set type tunnel
set remote-ip 192.168.255.1 255.255.255.0
set snmp-index 12
next
end
To configure a VXLAN interface:
You must create a VXLAN interface and bind it to IPsec tunnel 1. All VXLAN interfaces share the same VXLAN Network
ID (VNI).

IPsec VPNs 586
1. Run the following CLI commands on the hub FortiGate. The remote IP address is the spokes' tunnel interfaces' IP
addresses.
config system VXLAN
edit "SPOKES_VXLAN"
set interface "SPOKES"
set vni 1
set remote-ip "192.168.255.2" "192.168.255.3"
next
end
2. Run the following CLI commands on the spoke FortiGates. The remote IP address is the hub's tunnel interface's IP
address.
config system VXLAN
edit "HUB_VXLAN"
set interface "HUB"
set vni 1
set remote-ip "192.168.255.1"
next
end
You can add another spoke's tunnel IP address to establish a VXLAN tunnel between spokes. For example, to add
another spoke's tunnel IP address to the above example, the set remote-ip command would be set
remote-ip "192.168.255.1" "192.168.255.3".
To add more remote IP addresses to a VXLAN interface, the interface cannot be in use.
You may want to provision future spokes' remote IP addresses at this point to avoid traffic
disruption in the future. Otherwise, you must delete the reference (the policy in this case)
before adding remote IP addresses.
To bind the VXLAN interface to the Ethernet port:
VXLAN encapsulates OSI layer 2 Ethernet frames within layer 3 IP packets. This is why you must bind the internal port
and VXLAN interface so that devices behind port1 have direct layer 2 access to remote peers over the VXLAN tunnel.
You can accomplish this using one of the following methods:
l Using a switch interface
l Using a virtual wire pair
Both methods are explained below.
To use a switch interface, run the following commands on the hub FortiGate:
edit "SW"
set vdom "root"
set member "port1" "SPOKES_VXLAN"
next
end
According to switch interface configuration, allowing intraswitch traffic is implicitly allowed

(default) or needs an explicit policy using the set intra-switch-policy explicit
command.
To use a virtual wire pair, run the following command on the spoke FortiGates:

IPsec VPNs 587
config system virtual-wire-pair

edit "VWP"
set member "HUB_VXLAN" "port1"
next
end
The virtual wire pair needs an explicit policy to allow traffic between interfaces:
To test the configuration:
1. Ping the hub FortiGate from the spoke FortiGate. The output should look as follows:
user@pc-spoke1:~$ ping 192.168.1.1 -c 3PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=1.24 ms
--- 192.168.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.672/0.923/1.243/0.239 ms
2. Sniff traffic on the hub FortiGate:

FGT-HUB # diagnose sniffer packet any 'icmp or (udp and port 4789)' 4 0 ainterfaces=[any]
filters=[icmp or (udp and port 4789)]
15:00:01.438230 SPOKES in 192.168.255.2.4790 -> 192.168.255.1.4789: udp 106
<<<<1
15:00:01.438256 SPOKES_VXLAN in 192.168.1.2 -> 192.168.1.1: icmp: echo request
<<<<2
15:00:01.438260 port1 out 192.168.1.2 -> 192.168.1.1: icmp: echo request
<<<<3
15:00:01.438532 port1 in 192.168.1.1 -> 192.168.1.2: icmp: echo reply
15:00:01.438536 SPOKES_VXLAN out 192.168.1.1 -> 192.168.1.2: icmp: echo reply
15:00:01.438546 SPOKES out 192.168.255.1.4851 -> 192.168.255.2.4789: udp 106
Troubleshooting
Understanding VPN related logs
This document provides some IPsec log samples:
IPsec phase1 negotiating
logid="0101037127" type="event" subtype="vpn" level="notice" vd="root" eventtime=1544132571

logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action="negotiate" remi-
p=11.101.1.1
locip=173.1.1.1 remport=500 locport=500 outintf="port13" cook-
ies="e41eeecb2c92b337/0000000000000000" user="N/A" group="N/A" xauthuser="N/A"

IPsec VPNs 588
xauthgroup="N/A" assignip=N/A vpntunnel="to_HQ" status="success" init="local" mod-

e="aggressive" dir="outbound" stage=1 role="initiator" result="OK"
IPsec phase1 negotiated

p=11.101.1.1
ies="e41eeecb2c92b337/1230131a28eb4e73" user="N/A" group="N/A" xauthuser="N/A" xau-
thgroup="N/A" assignip=N/A vpntunnel="to_HQ" status="success" init="local"
mode="aggressive" dir="outbound" stage=2 role="initiator" result="DONE"
IPsec phase1 tunnel up

logdesc="IPsec connection status changed" msg="IPsec connection status change" action="tunnel-
up" remip=11.101.1.1 locip=173.1.1.1 remport=500 locport=500 outintf="port13" cook-
ies="5b1c59fab2029e43/bf517e686d3943d2" user="N/A" group="N/A" xauthuser="N/A" xau-
thgroup="N/A" assignip=11.11.11.1 vpntunnel="to_HQ" tunnelip=N/A tunnelid=1530910918
tunneltype="ipsec" duration=0 sentbyte=0 rcvdbyte=0 nextstat=0
IPsec phase2 negotiate

p=11.101.1.1
thgroup="N/A" assignip=11.11.11.1 vpntunnel="to_HQ" status="success" init="local"
mode="quick" dir="outbound" stage=1 role="initiator" result="OK"
IPsec phase2 tunnel up

logdesc="IPsec phase 2 status changed" msg="IPsec phase 2 status change" action="phase2-up"
remip=11.101.1.1 locip=173.1.1.1 remport=500 locport=500 outintf="port13" cook-
thgroup="N/A" assignip=11.11.11.1 vpntunnel="to_HQ"
phase2_name="to_HQ"
IPsec phase2 sa install

logdesc="IPsec SA installed" msg="install IPsec SA" action="install_sa" remip=11.101.1.1 locip-
p=173.1.1.1
remport=500 locport=500 outintf="port13" cookies="5b1c59fab2029e43/bf517e686d3943d2" user-
r="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=11.11.11.1 vpntunnel="to_HQ"
role="initiator" in_spi="ca646448" out_spi="747c10c6"

IPsec VPNs 589
IPsec tunnel statistics

logdesc="IPsec tunnel statistics" msg="IPsec tunnel statistics" action="tunnel-stats" remi-
p=10.1.100.15 locip=172.16.200.4 remport=500 locport=500 outintf="mgmt1" cook-
ies="3539884dbd8f3567/c32e4c1beca91b36"
user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="L2tpoIPsec_
0" tunnelip=10.1.100.15 tunnelid=1530910802 tunneltype="ipsec" duration=6231 sentbyte=57343
rcvdbyte=142640 nextstat=60
IPsec phase2 tunnel down

logdesc="IPsec connection status changed" msg="IPsec connection status change" action="tunnel-
down" remip=11.101.1.1 locip=173.1.1.1 remport=500 locport=500 outintf="port13" cook-
ies="30820aa390687e39/886e72bf5461fb8d" user="N/A" group="N/A" xauthuser="N/A" xau-
thgroup="N/A" assignip=11.11.11.1 vpntunnel="to_HQ" tunnelip=N/A tunnelid=1530910786
tunneltype="ipsec" duration=6425 sentbyte=504 rcvdbyte=152 nextstat=0
IPsec phase1 sa deleted

logdesc="IPsec phase 1 SA deleted" msg="delete IPsec phase 1 SA" action="delete_phase1_sa"
remip=11.101.1.1 locip=173.1.1.1 remport=500 locport=500 outintf="port13" cook-
ies="30820aa390687e39/886e72bf5461fb8d" user="N/A" group="N/A" xauthuser="N/A" xau-
thgroup="N/A" assignip=11.11.11.1 vpntunnel="to_HQ"
IPsec related diagnose command
This document provides IPsec related diagnose commands.

1. Daemon IKE summary information list: diagnose vpn ike status
connection: 2/50
IKE SA: created 2/51 established 2/9 times 0/13/40 ms
IPsec SA: created 1/13 established 1/7 times 0/8/30 ms
2. IPsec phase1 interface status: diagnose vpn ike gateway list

vd: root/0
name: tofgtc
version: 1
addr: 173.1.1.1:500 -> 172.16.200.3:500
created: 4313s ago
IPsec SA: created 0/0
id/spi: 92 5639f7f8a5dc54c0/809a6c9bbd266a4b
key: 74aa3d63d88e10ea-8a1c73b296b06578
DPD sent/recv: 00000000/00000000

IPsec VPNs 590
vd: root/0
name: to_HQ
version: 1
addr: 173.1.1.1:500 -> 11.101.1.1:500
created: 1013s ago
id/spi: 95 255791bd30c749f4/c2505db65210258b
key: bb101b9127ed5844-1582fd614d5a8a33
DPD sent/recv: 00000000/00000010
3. IPsec phase2 tunnel status: diagnose vpn tunnel list

----
nname=L2tpoIPsec ver=1 serial=6 172.16.200.4:0->0.0.0.0:0
bound_if=4 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/24 options[0018]=npu create_
dev
run_tally=0
----
name=to_HQ ver=1 serial=7 173.1.1.1:0->11.101.1.1:0
proxyid=to_HQ proto=0 sa=1 ref=2 serial=1
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
dec: spi=ca64644a esp=aes key=16 6cc873fdef91337a6cf9b6948972c90f
ah=sha1 key=20 e576dbe3ff92605931e5670ad57763c50c7dc73a
enc: spi=747c10c8 esp=aes key=16 5060ad8d0da6824204e3596c0bd762f4
ah=sha1 key=20 52965cbd5b6ad95212fc825929d26c0401948abe
4. Packets encrypted/decrypted counter: diagnose vpn ipsec status

All ipsec crypto devices in use:
NP6_0:
Encryption (encrypted/decrypted)
null : 0 1.

IPsec VPNs 591
des : 0 1.
3des : 0 1.
aes : 0 1.
aes-gcm : 0 1.
aria : 0 1.
seed : 0 1.
chacha20poly1305 : 0 1.
Integrity (generated/validated)
null : 0 1.
md5 : 0 1.
sha1 : 0 1.
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
NP6_1:
null : 0 1.
des : 0 1.
3des : 0 1.
aes : 337152 46069
aes-gcm : 0 1.
aria : 0 1.
seed : 0 1.
null : 0 1.
md5 : 0 1.
sha1 : 337152 46069
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
NPU Host Offloading:

null : 0 1.
des : 0 1.
3des : 0 1.
aes : 38 1.
aes-gcm : 0 1.
aria : 0 1.
seed : 0 1.
null : 0 1.
md5 : 0 1.
sha1 : 38 1.
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
CP8:
null : 0 1.
des : 0 1.
3des : 1337 1582

IPsec VPNs 592
aes : 71 11426
aes-gcm : 0 1.
aria : 0 1.
seed : 0 1.
null : 0 1.
md5 : 48 28
sha1 : 1360 12980
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
SOFTWARE:
null : 0 1.
des : 0 1.
3des : 0 1.
aes : 0 1.
aes-gcm : 0 1.
aria : 0 1.
seed : 0 1.
null : 0 1.
md5 : 0 1.
sha1 : 0 1.
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
5. diagnose debug application ike -1

l diagnose vpn ike log-filter dst-addr4 11.101.1.1
l diagnose vpn ike log-filter src-addr4 173.1.1.1
# ike 0:to_HQ:101: initiator: aggressive mode is sending 1st message...
ike 0:to_HQ:101: cookie dff03f1d4820222a/0000000000000000
ike 0:to_HQ:101: sent IKE msg (agg_i1send): 173.1.1.1:500->11.101.1.1:500, len=912,
id=dff03f1d4820222a/0000000000000000
ike 0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=42....
ike 0: IKEv1 exchange=Aggressive id=dff03f1d4820222a/6c2caf4dcf5bab75 len=624
ike 0:to_HQ:101: initiator: aggressive mode get 1st response...
ike 0:to_HQ:101: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:to_HQ:101: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:to_HQ:101: DPD negotiated
ike 0:to_HQ:101: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
ike 0:to_HQ:101: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0204
ike 0:to_HQ:101: peer supports UNITY
ike 0:to_HQ:101: VID FORTIGATE 8299031757A36082C6A621DE00000000
ike 0:to_HQ:101: peer is [[QualityAssurance62/FortiGate]]/FortiOS (v0 b0)
ike 0:to_HQ:101: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike 0:to_HQ:101: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:to_HQ:101: peer identifier IPV4_ADDR 11.101.1.1
ike 0:to_HQ:101: negotiation result
ike 0:to_HQ:101: proposal id = 1:
ike 0:to_HQ:101: protocol id = ISAKMP:

IPsec VPNs 593
ike 0:to_HQ:101: trans_id = KEY_IKE.

ike 0:to_HQ:101: encapsulation = IKE/none
ike 0:to_HQ:101: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:to_HQ:101: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:to_HQ:101: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:to_HQ:101: type=OAKLEY_GROUP, val=MODP2048.
ike 0:to_HQ:101: ISAKMP SA lifetime=86400
ike 0:to_HQ:101: received NAT-D payload type 20
ike 0:to_HQ:101: received NAT-D payload type 20
ike 0:to_HQ:101: selected NAT-T version: RFC 3947
ike 0:to_HQ:101: NAT not detected
ike 0:to_HQ:101: ISAKMP SA dff03f1d4820222a/6c2caf4dcf5bab75 key
16:D81CAE6B2500435BFF195491E80148F3
ike 0:to_HQ:101: PSK authentication succeeded
ike 0:to_HQ:101: authentication OK
ike 0:to_HQ:101: add INITIAL-CONTACT
ike 0:to_HQ:101: sent IKE msg (agg_i2send): 173.1.1.1:500->11.101.1.1:500, len=172,
id=dff03f1d4820222a/6c2caf4dcf5bab75
ike 0:to_HQ:101: established IKE SA dff03f1d4820222a/6c2caf4dcf5bab75
ike 0: IKEv1 exchange=Mode config id=dff03f1d4820222a/6c2caf4dcf5bab75:97d88fb4 len=92
ike 0:to_HQ:101: mode-cfg type 16521 request 0:
ike 0:to_HQ:101: mode-cfg type 16522 request 0:
ike 0:to_HQ:101: sent IKE msg (cfg_send): 173.1.1.1:500->11.101.1.1:500, len=108,
id=dff03f1d4820222a/6c2caf4dcf5bab75:97d88fb4
ike 0: IKEv1 exchange=Mode config id=dff03f1d4820222a/6c2caf4dcf5bab75:3724f295 len=92
id=dff03f1d4820222a/6c2caf4dcf5bab75:3724f295
ike 0:to_HQ:101: initiating mode-cfg pull from peer
ike 0:to_HQ:101: mode-cfg request APPLICATION_VERSION
ike 0:to_HQ:101: mode-cfg request INTERNAL_IP4_ADDRESS
ike 0:to_HQ:101: mode-cfg request INTERNAL_IP4_NETMASK
ike 0:to_HQ:101: mode-cfg request UNITY_SPLIT_INCLUDE
ike 0:to_HQ:101: mode-cfg request UNITY_PFS
id=dff03f1d4820222a/6c2caf4dcf5bab75:3bca961f
ike 0: IKEv1 exchange=Mode config id=dff03f1d4820222a/6c2caf4dcf5bab75:3bca961f len=172
ike 0:to_HQ:101: mode-cfg type 1 response 4:0B0B0B01
ike 0:to_HQ:101: mode-cfg received INTERNAL_IP4_ADDRESS 11.11.11.1
ike 0:to_HQ:101: mode-cfg type 2 response 4:FFFFFFFC
ike 0:to_HQ:101: mode-cfg received INTERNAL_IP4_NETMASK 255.255.255.252
ike 0:to_HQ:101: mode-cfg received UNITY_PFS 1
ike 0:to_HQ:101: mode-cfg type 28676 response
28:0A016400FFFFFF000000000000000A016500FFFFFF00000000000000
ike 0:to_HQ:101: mode-cfg received UNITY_SPLIT_INCLUDE 0 10.1.100.0/255.255.255.0:0 local
port 0
ike 0:to_HQ:101: mode-cfg received UNITY_SPLIT_INCLUDE 0 10.1.101.0/255.255.255.0:0 local
port 0
ike 0:to_HQ:101: mode-cfg received APPLICATION_VERSION 'FortiGate-100D
v6.0.3,build0200,181009 (GA)'
ike 0:to_HQ: mode-cfg add 11.11.11.1/255.255.255.252 to 'to_HQ'/58
ike 0:to_HQ: set oper up
ike 0:to_HQ: schedule auto-negotiate

IPsec VPNs 594
ike 0:to_HQ:101: no pending Quick-Mode negotiations

ike shrank heap by 159744 bytes
ike 0:to_HQ:to_HQ: IPsec SA connect 42 173.1.1.1->11.101.1.1:0
ike 0:to_HQ:to_HQ: using existing connection
# ike 0:to_HQ:to_HQ: config found
ike 0:to_HQ:to_HQ: IPsec SA connect 42 173.1.1.1->11.101.1.1:500 negotiating
ike 0:to_HQ:101: cookie dff03f1d4820222a/6c2caf4dcf5bab75:32f4cc01
ike 0:to_HQ:101:to_HQ:259: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0-
>0:0.0.0.0/0.0.0.0:0:0
ike 0:to_HQ:101: sent IKE msg (quick_i1send): 173.1.1.1:500->11.101.1.1:500, len=620,
id=dff03f1d4820222a/6c2caf4dcf5bab75:32f4cc01
ike 0: IKEv1 exchange=Quick id=dff03f1d4820222a/6c2caf4dcf5bab75:32f4cc01 len=444
ike 0:to_HQ:101:to_HQ:259: responder selectors 0:0.0.0.0/0.0.0.0:0->0:0.0.0.0/0.0.0.0:0
ike 0:to_HQ:101:to_HQ:259: my proposal:
ike 0:to_HQ:101:to_HQ:259: proposal id = 1:
ike 0:to_HQ:101:to_HQ:259: protocol id = IPSEC_ESP:
ike 0:to_HQ:101:to_HQ:259: PFS DH group = 14
ike 0:to_HQ:101:to_HQ:259: trans_id = ESP_AES_CBC (key_len = 128)
ike 0:to_HQ:101:to_HQ:259: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259: type = AUTH_ALG, val=SHA1
ike 0:to_HQ:101:to_HQ:259: type = AUTH_ALG, val=SHA2_256
ike 0:to_HQ:101:to_HQ:259: type = AUTH_ALG, val=SHA2_256
ike 0:to_HQ:101:to_HQ:259: trans_id = ESP_AES_GCM_16 (key_len = 128)
ike 0:to_HQ:101:to_HQ:259: type = AUTH_ALG, val=NULL
ike 0:to_HQ:101:to_HQ:259: trans_id = ESP_AES_GCM_16 (key_len = 256)
ike 0:to_HQ:101:to_HQ:259: trans_id = ESP_CHACHA20_POLY1305 (key_len = 256)
ike 0:to_HQ:101:to_HQ:259: incoming proposal:
ike 0:to_HQ:101:to_HQ:259: proposal id = 1:
ike 0:to_HQ:101:to_HQ:259: protocol id = IPSEC_ESP:
ike 0:to_HQ:101:to_HQ:259: PFS DH group = 14
ike 0:to_HQ: schedule auto-negotiate
ike 0:to_HQ:101:to_HQ:259: replay protection enabled
ike 0:to_HQ:101:to_HQ:259: SA life soft seconds=42902.
ike 0:to_HQ:101:to_HQ:259: SA life hard seconds=43200.
ike 0:to_HQ:101:to_HQ:259: IPsec SA selectors #src=1 #dst=1
ike 0:to_HQ:101:to_HQ:259: src 0 4 0:0.0.0.0/0.0.0.0:0
ike 0:to_HQ:101:to_HQ:259: dst 0 4 0:0.0.0.0/0.0.0.0:0
ike 0:to_HQ:101:to_HQ:259: add IPsec SA: SPIs=ca64644b/747c10c9
ike 0:to_HQ:101:to_HQ:259: IPsec SA dec spi ca64644b key
16:D5C60F1A3951B288CE4DEC7E04D2119D auth 20:F872A7A26964208A9AA368A31AEFA3DB3F3780BC

IPsec VPNs 595
ike 0:to_HQ:101:to_HQ:259: IPsec SA enc spi 747c10c9 key

16:97952E1594F718128D9D7B09400856EA auth 20:4D5E5BC45A9D5A9A4631E911932F5650A4639A37
ike 0:to_HQ:101:to_HQ:259: added IPsec SA: SPIs=ca64644b/747c10c9
ike 0:to_HQ:101:to_HQ:259: sending SNMP tunnel UP trap
ike 0:to_HQ:101: sent IKE msg (quick_i2send): 173.1.1.1:500->11.101.1.1:500, len=76,
id=dff03f1d4820222a/6c2caf4dcf5bab75:32f4cc01
Other VPN topics
Tunneled Internet Browsing
This recipe provides an example configuration of tunneled internet browsing using a dialup VPN. To centralize network
management and control, all branch office traffic is tunneling to HQ, including Internet browsing.
The following shows the sample network topology for this example:
To configure a dialup VPN to tunnel Internet browsing using the GUI:
1. Configure the dialup VPN server FortiGate at HQ:

a. Go to VPN > IPsec Wizard, enter a VPN name (HQ in this example), make the following selections, and then
click Next:
l Site to Site to Template Type
l FortiGate to Remote Device Type
l The remote side is behind NAT to NAT Configuration
b. Make the following selections, and then click Next:
l Incoming Interface to port9
l Authentication Method to Pre-Shared Key
l Pre-shared Key to sample

IPsec VPNs 596
c. Make the following selections, and then click Create:

l Local Interface to port10
l Local Subnets to 172.16.101.0
l Remote Subnets to 0.0.0.0/0
l Internet Access to Share Local
Shared WAN to port9
l
2. Configure the dialup VPN client FortiGate at a branch:

a. Go to VPN > IPsec Wizard, enter a VPN name (Branch1 or Branch2 in this example), make the following
selections, then click Next:
l Site to Site to Template Type
l FortiGate to Remote Device Type
l This side is behind NAT to NAT Configuration
b. Make the following selections, and then click Next:
l IP Address to Remote Device, then enter the IP address: 22.1.1.1
l Outgoing Interface to wan1
l Authentication Method to Pre-shared Key
l Pre-shared Key to sample
c. Make the following selections, and then click Create:
l Local Interface to internal
l Local Subnets to 10.1.100.0/192.1684.0
l Remote Subnets to 0.0.0.0/0
l Internet Access to Use Remote
l Local Gateway to 15.1.1.1/13.1.1.1
To configure a dialup VPN to tunnel Internet browsing using the CLI:
1. Configure the WAN interface and static route on the FortiGate at HQ:
edit "port9"
set alias "WAN"
set ip 22.1.1.1 255.255.255.0
next
edit "port10"
set ip 172.16.101.1 255.255.255.0
next
end
edit 1
set device "port9"
next
end
2. Configure IPsec phase1-interface and phase2-interface configuration at HQ:

edit "HQ"
set type dynamic

IPsec VPNs 597

set peertype any
set dpd on-idle
next
end
edit "HQ"
set phase1name "HQ"
next
end
3. Configure the firewall policy at HQ:

edit 1
set srcintf "HQ"
set dstintf "port9" "port10"
set srcaddr "10.1.100.0" "192.168.4.0"
set dstaddr "all"
set action accept
set service "ALL"
set nat enable
next
end
4. Configure the WAN interface and static route on the FortiGate at the branches:
a. Branch1:
edit "wan1"
set ip 15.1.1.2 255.255.255.0
next
edit "internal"
set ip 10.1.100.1 255.255.255.0
next
end
edit 1
set device "wan1"
next
end
b. Branch2:
edit "wan1"
set ip 13.1.1.2 255.255.255.0
next
edit "internal"
set ip 192.168.4.1 255.255.255.0

IPsec VPNs 598
next
end
edit 1
set device "wan1"
next
end
5. Configure IPsec phase1-interface and phase2-interface configuration at the branches:

a. Branch1:
edit "branch1"
set peertype any
set dpd on-idle
next
end
edit "branch1"
set phase1name "branch1"
set src-subnet 10.1.100.0 255.255.255.0
next
end
b. Branch2:
edit "branch2"
set peertype any
set dpd on-idle
next
end
edit "branch2"
set phase1name "branch2"
set src-subnet 192.168.4.0 255.255.255.0
next
end

IPsec VPNs 599
6. Configure the firewall policy at the branches:

a. Branch1:
edit 1
set name "outbound"
set dstintf "branch1"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
next
edit 2
set name "inbound"
set srcintf "branch1"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
next
end
b. Branch2:
edit 1
set name "outbound"
set dstintf "branch2"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
next
edit 2
set name "inbound"
set srcintf "branch2"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
next
end
7. Configure the static routes at the branches:

a. Branch1:
edit 2
set dst 22.1.1.1/32

IPsec VPNs 600
set device "wan1"

set distance 1
next
edit 3
set device "branch1"
set distance 5
next
end
b. Branch2:
edit 2
set dst 22.1.1.1/32
set device "wan1"
set distance 1
next
edit 3
set device "branch2"
set distance 5
next
end
8. Optionally, view the VPN tunnel list on a branch with the diagnose vpn tunnel list command:
----
name=branch1 ver=1 serial=2 15.1.1.2:0->22.1.1.1:0
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev

proxyid=branch1 proto=0 sa=1 ref=5 serial=1 auto-negotiate adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
dec: spi=c53a8f7e esp=aes key=16 ecee0cd48664d903d3d6822b1f902fd2
ah=sha1 key=20 2440a189126c222093ca9acd8b37127285f1f8a7
enc: spi=6e3636fe esp=aes key=16 fdaa20bcc96f74ae9885e824d3efa29d
ah=sha1 key=20 70c0891c769ad8007ea1f31a39978ffbc73242d0
9. Optionally, view static routing table on a branch with the get router info routing-table static
command:
S* 0.0.0.0/0 [5/0] is directly connected, branch1
S* 22.1.1.1/32 [1/0] via 15.1.1.1, wan1

IPsec VPNs 601
VPN and ASIC offload
This recipe provides a brief introduction to VPN traffic offloading.
IPsec traffic processed by NPU
1. Check the device ASIC information. For example, a FortiGate 900D has an NP6 and a CP8.
# get hardware status
Model name: [[QualityAssurance62/FortiGate]]-900D
ASIC version: CP8
ASIC SRAM: 64M
CPU: Intel(R) Xeon(R) CPU E3-1225 v3 @ 3.20GHz
Number of CPUs: 4
RAM: 16065 MB
Compact Flash: 1925 MB /dev/sda
Hard disk: 244198 MB /dev/sdb
USB Flash: not available
Network Card chipset: [[QualityAssurance62/FortiASIC]] NP6 Adapter (rev.)
2. Check port to NPU mapping.

# diagnose npu np6 port-list
Chip XAUI Ports Max Cross-chip
Speed offloading
----
np6_0 0
1. port17 1G Yes
1. port18 1G Yes
1. port19 1G Yes
1. port20 1G Yes
1. port21 1G Yes
1. port22 1G Yes
1. port23 1G Yes
1. port24 1G Yes
1. port27 1G Yes
1. port28 1G Yes
1. port25 1G Yes
1. port26 1G Yes
1. port31 1G Yes
1. port32 1G Yes
1. port29 1G Yes
1. port30 1G Yes
1. portB 10G Yes
1.
----
np6_1 0
1. port1 1G Yes
1. port2 1G Yes
1. port3 1G Yes
1. port4 1G Yes
1. port5 1G Yes
1. port6 1G Yes
1. port7 1G Yes
1. port8 1G Yes

IPsec VPNs 602
1. port11 1G Yes
1. port12 1G Yes
1. port9 1G Yes
1. port10 1G Yes
1. port15 1G Yes
1. port16 1G Yes
1. port13 1G Yes
1. port14 1G Yes
1. portA 10G Yes
1.
----
3. Configure the option in IPsec phase1 settings to control NPU encrypt/decrypt IPsec packets (enabled by default).
config vpn ipsec phase1/phase1-interface
edit "vpn_name"
set npu-offload enable/disable
next
end
4. Check NPU offloading. The NPU encrypted/decrypted counter should tick. The npu_flag 03 flag means that the
traffic processed by the NPU is bi-directional.
----
name=test ver=2 serial=1 173.1.1.1:0->11.101.1.1:0
proxyid=test proto=0 sa=1 ref=4 serial=7
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
dec: spi=e313ac46 esp=aes key=16 0dcb52642eed18b852b5c65a7dc62958
ah=md5 key=16 c61d9fe60242b9a30e60b1d01da77660
enc: spi=706ffe03 esp=aes key=16 6ad98c204fa70545dbf3d2e33fb7b529
ah=md5 key=16 dcc3b866da155ef73c0aba15ec530e2e
FGT_900D # diagnose vpn ipsec st

NP6_0:
null : 0 1.
des : 0 1.
3des : 0 1.
aes : 0 1.
aes-gcm : 0 1.
aria : 0 1.
seed : 0 1.

IPsec VPNs 603
null : 0 1.
md5 : 0 1.
sha1 : 0 1.
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
NP6_1:
null : 14976 15357
des : 0 1.
3des : 0 1.
aes : 1664 2047
aes-gcm : 0 1.
aria : 0 1.
seed : 0 1.
null : 0 1.
md5 : 1664 2047
sha1 : 14976 15357
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.

null : 3 1.
des : 0 1.
3des : 0 1.
aes : 3 1.
aes-gcm : 0 1.
aria : 0 1.
seed : 0 1.
null : 0 1.
md5 : 3 1.
sha1 : 3 1.
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
CP8:
null : 1 1.
des : 0 1.
3des : 0 1.
aes : 1 1.
aes-gcm : 0 1.
aria : 0 1.
seed : 0 1.
null : 0 1.

IPsec VPNs 604
md5 : 1 1.
sha1 : 1 1.
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
SOFTWARE:
null : 0 1.
des : 0 1.
3des : 0 1.
aes : 0 1.
aes-gcm : 29882 29882
aria : 21688 21688
seed : 153774 153774
chacha20poly1305 : 29521 29521
null : 59403 59403
md5 : 0 1.
sha1 : 175462 175462
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
5. If traffic cannot be offloaded by the NPU, the CP will try to encrypt/decrypt the IPsec packets.
IPsec traffic processed by CP
1. Check the NPU flag and CP counter.

----
bound_if=42 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
seqno=20e3 esn=0 replaywin_lastseq=000020e3 itn=0
dec: spi=e313ac48 esp=aes key=16 393770842f926266530db6e43e21c4f8
ah=md5 key=16 b2e4e025e8910e95c1745e7855479cca
enc: spi=706ffe05 esp=aes key=16 7ef749610335f9f50e252023926de29e
ah=md5 key=16 0b81e4d835919ab2b8ba8edbd01aec9d
FGT-D # diagnose vpn ipsec status

NP6_0:

IPsec VPNs 605
null : 0 1.
des : 0 1.
3des : 0 1.
aes : 0 1.
aes-gcm : 0 1.
aria : 0 1.
seed : 0 1.
null : 0 1.
md5 : 0 1.
sha1 : 0 1.
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
NP6_1:
null : 14976 15357
des : 0 1.
3des : 0 1.
aes : 1664 2047
aes-gcm : 0 1.
aria : 0 1.
seed : 0 1.
null : 0 1.
md5 : 1664 2047
sha1 : 14976 15357
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.

null : 3 1.
des : 0 1.
3des : 0 1.
aes : 3 1.
aes-gcm : 0 1.
aria : 0 1.
seed : 0 1.
null : 0 1.
md5 : 3 1.
sha1 : 3 1.
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
CP8:
null : 1 1.
des : 0 1.

IPsec VPNs 606
3des : 0 1.
aes : 8499 8499
aes-gcm : 0 1.
aria : 0 1.
seed : 0 1.
null : 0 1.
md5 : 8499 8499
sha1 : 1 1.
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
SOFTWARE:
null : 0 1.
des : 0 1.
3des : 0 1.
aes : 0 1.
aes-gcm : 29882 29882
aria : 21688 21688
seed : 153774 153774
chacha20poly1305 : 29521 29521
null : 59403 59403
md5 : 0 1.
sha1 : 175462 175462
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
2. Two options are used to control if the CP processes packets. If disabled, packets are processed by the CPU.
set ipsec-asic-offload disable
set ipsec-hmac-offload disable
end
IPsec traffic processed by CPU
IPsec traffic might be processed by the CPU for a number of reasons:

l Some low end models do not have NPUs
l NPU offloading and CP IPsec traffic processing manually disabled
l Some types of proposals - SEED, ARIA, chacha20poly1305 - are not supported by the NPU or CP
l NPU flag set to 00 and software encrypt/decrypt counter ticked
----
bound_if=42 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0

IPsec VPNs 607

src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
seqno=2d70 esn=0 replaywin_lastseq=00002d70 itn=0
dec: spi=e313ac4d esp=chacha20poly1305 key=36 812d1178784c1130d1586606e44e1b9ab157e31a09ed-
bed583be1e9cc82e8c9f2655a2cf
ah=null key=0
enc: spi=706ffe0a esp=chacha20poly1305 key=36 f2727e001e2243549b140f1614ae3d-
f82243adb070e60c33911f461b389b05a7a642e11a
ah=null key=0
FGT_900D # diagnose vpn ipsec status

NP6_0:
null : 0 1.
des : 0 1.
3des : 0 1.
aes : 0 1.
aes-gcm : 0 1.
aria : 0 1.
seed : 0 1.
null : 0 1.
md5 : 0 1.
sha1 : 0 1.
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
NP6_1:
null : 14976 15357
des : 0 1.
3des : 0 1.
aes : 1664 2047
aes-gcm : 0 1.
aria : 0 1.
seed : 0 1.
null : 0 1.
md5 : 1664 2047
sha1 : 14976 15357
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.


IPsec VPNs 608
null : 3 1.
des : 0 1.
3des : 0 1.
aes : 3 1.
aes-gcm : 0 1.
aria : 0 1.
seed : 0 1.
null : 0 1.
md5 : 3 1.
sha1 : 3 1.
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
CP8:
null : 1 1.
des : 0 1.
3des : 0 1.
aes : 8865 8865
aes-gcm : 0 1.
aria : 0 1.
seed : 0 1.
null : 0 1.
md5 : 8865 8865
sha1 : 1 1.
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
SOFTWARE:
null : 0 1.
des : 0 1.
3des : 0 1.
aes : 531 531
aes-gcm : 29882 29882
aria : 21688 21688
seed : 153774 153774
chacha20poly1305 : 41156 41156
null : 71038 71038
md5 : 531 531
sha1 : 175462 175462
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.

IPsec VPNs 609
Disable automatic ASIC offloading
When auto-asic-offload is set to disable in the firewall policy, traffic is nt offloaded and the NPU hosting
counter is ticked.
# diagnose vpn ipsec status
NP6_0:
null : 0 1.
des : 0 1.
3des : 0 1.
aes : 0 1.
aes-gcm : 0 1.
aria : 0 1.
seed : 0 1.
null : 0 1.
md5 : 0 1.
sha1 : 0 1.
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
NP6_1:
null : 14976 15357
des : 0 1.
3des : 0 1.
aes : 110080 2175
aes-gcm : 0 1.
aria : 0 1.
seed : 0 1.
null : 0 1.
md5 : 110080 2175
sha1 : 14976 15357
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.

null : 3 1.
des : 0 1.
3des : 0 1.
aes : 111090 1.
aes-gcm : 0 1.
aria : 0 1.
seed : 0 1.
null : 0 1.
md5 : 111090 1.

IPsec VPNs 610
sha1 : 3 1.
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
CP8:
null : 1 1.
des : 0 1.
3des : 0 1.
aes : 8865 8865
aes-gcm : 0 1.
aria : 0 1.
seed : 0 1.
null : 0 1.
md5 : 8865 8865
sha1 : 1 1.
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
SOFTWARE:
null : 0 1.
des : 0 1.
3des : 0 1.
aes : 539 539
aes-gcm : 29882 29882
aria : 21688 21688
seed : 153774 153774
chacha20poly1305 : 41259 41259
null : 71141 71141
md5 : 539 539
sha1 : 175462 175462
sha256 : 0 1.
sha384 : 0 1.
sha512 : 0 1.
GRE over IPsec
This recipe provides an example configuration of GRE over an IPsec tunnel. A static route over GRE tunnel is used, and
tunnel-mode is used in the phase2-interface settings.

IPsec VPNs 611
To configure GRE over an IPsec tunnel:
1. Enable subnet overlapping at both HQ1 and HQ2:

set allow-subnet-overlap enable
end
2. Configure the WAN interface and static route:

a. HQ1:
edit "port1"
set ip 172.16.200.1 255.255.255.0
next
edit "dmz"
set ip 10.1.100.1 255.255.255.0
next
end
edit 1
set device "port1"
next
end
b. HQ2:
edit "port25"
set ip 172.16.202.1 255.255.255.0
next
edit "port9"
set ip 172.16.101.1 255.255.255.0
next
end
edit 1

IPsec VPNs 612
set device "port25"

next
end
3. Configure IPsec phase1-interface and phase2-interface:

a. HQ1:
edit "greipsec"
set peertype any
next
end
edit "greipsec"
set phase1name "greipsec"
set protocol 47
next
end
b. HQ2:
edit "greipsec"
set peertype any
next
end
edit "greipsec"
set phase1name "greipsec"
set protocol 47
next
end
4. Configure IPsec tunnel interface IP address:

a. HQ1:
edit "greipsec"
set ip 10.10.10.1 255.255.255.255
set remote-ip 10.10.10.2 255.255.255.255
next
end

IPsec VPNs 613
b. HQ2:
edit "greipsec"
set ip 10.10.10.2 255.255.255.255
set remote-ip 10.10.10.1 255.255.255.255
next
end
5. Configure the GRE tunnel:

a. HQ1:
config system gre-tunnel
edit "gre_to_HQ2"
set interface "greipsec"
set local-gw 10.10.10.1
next
end
b. HQ2:
config system gre-tunnel
edit "gre_to_HQ1"
set interface "greipsec"
set local-gw 10.10.10.2
next
end

a. HQ1:
edit 1
set srcintf "dmz"
set dstintf "gre_to_HQ2"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
next
edit 2
set srcintf "gre_to_HQ2"
set dstintf "dmz"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
next
edit 3
set srcintf "greipsec"
set dstintf "greipsec"
set srcaddr "all"
set dstaddr "all"
set action accept

IPsec VPNs 614

set service "ALL"
next
end
b. HQ2:
edit 1
set srcintf "port9"
set dstintf "gre_to_HQ1"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
next
edit 2
set srcintf "gre_to_HQ1"
set dstintf "port9"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
next
edit 3
set srcintf "greipsec"
set dstintf "greipsec"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
next
end
7. Configure the static route:

a. HQ1:
edit 2
set dst 172.16.101.0 255.255.255.0
set device "gre_to_HQ2"
next
end
b. HQ2:
edit 2
set dst 10.1.100.0 255.255.255.0
set device "gre_to_HQ1"
next
end

IPsec VPNs 615
8. Optionally, view the VPN tunnel list on HQ1 with the diagnose vpn tunnel list command:
----
name=greipsec ver=1 serial=1 172.16.200.1:0->172.16.202.1:0
proxyid=greipsec proto=47 sa=1 ref=2 serial=2
src: 47:0.0.0.0/0.0.0.0:0
dst: 47:0.0.0.0/0.0.0.0:0
seqno=15c esn=0 replaywin_lastseq=0000015c itn=0
dec: spi=9897bd09 esp=aes key=16 5a60e67bf68379309715bd83931680bf
ah=sha1 key=20 ff35a329056d0d506c0bfc17ef269978a4a57dd3
enc: spi=e362f336 esp=aes key=16 5574acd8587c5751a88950e1bf8fbf57
ah=sha1 key=20 d57ec76ac3c543ac89b2e4d0545518aa2d06669b
9. Optionally, view static routing table on HQ1 with the get router info routing-table static
command:
S* 0.0.0.0/0 [10/0] via 172.16.200.3, port1
S 172.16.101.0/24 [10/0] is directly connected, gre_to_HQ2
LT2P over IPsec
This recipe provides an example configuration of LT2P over IPsec. A locally defined user is used for authentication, a
Windows PC or Android tablet is acting as the client, and net-device is set to enable in the phase1-interface
settings. If net-device is set to disable, only one device can establish an L2TP over IPsec tunnel behind the same
NAT device.

IPsec VPNs 616
To configure LT2P over an IPsec tunnel using the CLI:
1. Configure the WAN interface and static route on HQ:

edit "port9"
set alias "WAN"
set ip 22.1.1.1 255.255.255.0
next
edit "port10"
set ip 172.16.101.1 255.255.255.0
next
end
edit 1
set device "port9"
next
end
2. Configure IPsec phase1-interface and phase2-interface on HQ:

edit "L2tpoIPsec"
set type dynamic
set peertype any
set proposal aes256-md5 3des-sha1 aes192-sha1
set dpd on-idle
set dhgrp 2
next
end
edit "L2tpoIPsec"
set phase1name "L2tpoIPsec"
set proposal aes256-md5 3des-sha1 aes192-sha1
set pfs disable
set encapsulation transport-mode
set l2tp enable
next
end
3. Configure a user and user group on HQ:

config user local
edit "usera"
set type password
set passwd usera
next
end
config user group
edit "L2tpusergroup"
set member "usera"

IPsec VPNs 617
next
end
4. Configure L2TP on HQ:

config vpn l2tp
set status enable
set eip 10.10.10.100
set sip 10.10.10.1
set usrgrp "L2tpusergroup"
end
5. Configure a firewall address, that is applied in L2TP settings to assign IP addresses to clients once the L2TP tunnel
is established:
edit "L2TPclients"
set type iprange
set end-ip 10.10.10.100
next
end

edit 1
set name "Bridge_IPsec_port9_for_l2tp negotiation"
set srcintf "L2tpoIPsec"
set dstintf "port9"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "L2TP"
next
edit 2
set srcintf "L2tpoIPsec"
set srcaddr "L2TPclients"
set dstaddr "172.16.101.0"
set action accept
set service "ALL"
set nat enable
next
end
7. Optionally, view the VPN tunnel list on HQ with the diagnose vpn tunnel list command:
----
name=L2tpoIPsec_0 ver=1 serial=8 22.1.1.1:0->10.1.100.15:0
create_dev no-sysctl rgwy-chg
parent=L2tpoIPsec index=0

IPsec VPNs 618

proxyid=L2tpoIPsec proto=17 sa=1 ref=3 serial=1 transport-mode add-route
src: 17:22.1.1.1-22.1.1.1:1701
dst: 17:10.1.100.15-10.1.100.15:0
seqno=10c esn=0 replaywin_lastseq=000001d6 itn=0
dec: spi=ca646443 esp=3des key=24 af62a0fffe85d3d534b5bfba29307aafc8bfda5c3f4650dc
ah=sha1 key=20 89b4b67688bed9be49fb86449bb83f8c8d8d7432
enc: spi=700d28a0 esp=3des key=24 5f68906eca8d37d853814188b9e29ac4913420a9c87362c9
ah=sha1 key=20 d37f901ffd0e6ee1e4fdccebc7fdcc7ad44f0a0a
----
name=L2tpoIPsec_1 ver=1 serial=a 22.1.1.1:4500->22.1.1.2:64916
create_dev no-sysctl rgwy-chg rport-chg
parent=L2tpoIPsec index=1
proxyid=L2tpoIPsec proto=17 sa=1 ref=3 serial=1 transport-mode add-route
src: 17:22.1.1.1-22.1.1.1:1701
dst: 17:22.1.1.2-22.1.1.2:0
dec: spi=ca646446 esp=aes key=32
ea60dfbad709b3c63917c3b7299520ff7606756ca15d2eb7cbff349b6562172e
ah=md5 key=16 2f2acfff0b556935d0aab8fc5725c8ec
enc: spi=0b514df2 esp=aes key=32
a8a92c2ed0e1fd7b6e405d8a6b9eb3be5eff573d80be3f830ce694917d634196
ah=md5 key=16 e426c33a7fe9041bdc5ce802760e8a3d
8. Optionally, view the L2TP VPN status, by enabling debug (diagnose debug enable), then using the
diagnose vpn l2tp status command:
----
----
HQ # Num of tunnels: 2
----
Tunnel ID = 1 (local id), 42 (remote id) to 10.1.100.15:1701
control_seq_num = 2, control_rec_seq_num = 4,
last recv pkt = 2
Call ID = 1 (local id), 1 (remote id), serno = 0, dev=ppp1,
assigned ip = 10.10.10.2
data_seq_num = 0,
tx = 152 bytes (2), rx= 21179 bytes (205)
Tunnel ID = 3 (local id), 34183 (remote id) to 22.1.1.2:58825
control_seq_num = 2, control_rec_seq_num = 4,
last recv pkt = 2
Call ID = 3 (local id), 18820 (remote id), serno = 2032472593, dev=ppp2,

IPsec VPNs 619
assigned ip = 10.10.10.3
data_seq_num = 0,
tx = 152 bytes (2), rx= 0 bytes (0)
----
--VD 0: Startip = 10.10.10.1, Endip = 10.10.10.100
enforece-ipsec = false
----
To configure LT2P over an IPsec tunnel using the GUI:
1. Go to VPN > IPsec Wizard.
2. Enter a name for the VPN in the Name field. In this example L2tpoIPsec is used.
3. Set the following, then click Next:
l Template Type to Remote Access
l Remote Device Type to Native and Windows Native
4. Set the following, then click Next:
l Incoming Interface to port9
l Authentication Method to Pre-shared Key
l Pre-shared Key to your-psk
l User Group to L2tpusergroup
5. Set the following, then click Create:
l Local Interface as port10
l Local Address as 172.16.101.0
l Client Address Range as 10.10.10.1-10.10.10.100
l Subnet Mask is left as its default value.
Encryption algorithms
This recipe provides a brief introduction to IPsec phase1 and phase2 encryption algorithms and includes the following
sections:
l IKEv1 phase1 encryption algorithm on page 620

IPsec VPNs 620

IKEv1 phase1 encryption algorithm
The default encryption algorithm is:

aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
DES is a symmetric-key algorithm which means the same key is used for encrypting and decrypting data. FortiGate
supports:
l des-md5
l des-sha1
l des-sha256
l des-sha384
l des-sha512
3DES apply DES algorithm three times to each data. FortiGate supports:
l 3des-md5
l 3des-sha1
l 3des-sha256
l 3des-sha384
l 3des-sha512
AES is a symmetric-key algorithm with different key length: 128, 192, and 256 bits. FortiGate supports:
l aes128-md5
l aes128-sha1
l aes128-sha256
l aes128-sha384
l aes128-sha512
l aes192-md5
l aes192-sha1
l aes192-sha256
l aes192-sha384
l aes192-sha512
l aes256-md5
l aes256-sha1
l aes256-sha256
l aes256-sha384
l aes256-sha512
The ARIA algorithm is based on AES with different key length: 128, 192, and 256 bits. FortiGate supports:
l aria128-md5
l aria128-sha1
l aria128-sha256
l aria128-sha384
l aria128-sha512
l aria192-md5

IPsec VPNs 621
l aria192-sha1
l aria192-sha256
l aria192-sha384
l aria192-sha512
l aria256-md5
l aria256-sha1
l aria256-sha256
l aria256-sha384
l aria256-sha512
SEED is a symmetric-key algorithm. FortiGate supports:
l seed128-md5
l seed128-sha1
l seed128-sha256
l seed128-sha384
l seed128-sha512
Suite-B is a set of encryption algorithm, AES encryption with ICV in GCM mode. FortiGate supports Suite-B on new
kernel platforms only. IPsec traffic cannot offload to NPU. CP9 supports Suite-B offloading, otherwise packets are
encrypted and decrypted by software. FortiGate supports:
l suite-b-gcm-128
l suite-b-gcm-256

aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
In null encryption, IPsec traffic can offload NPU/CP. FortiGate supports:

l null-md5
l null-sha1
l null-sha256
l null-sha384
l null-sha512
In DES encryption algorithm, IPsec traffic can offload NPU/CP. FortiGate supports:
l des-null
l des-md5
l des-sha1
l des-sha256
l des-sha384
l des-sha512
In 3DES encryption algorithm, IPsec traffic can offload NPU/CP. FortiGate supports:
l 3des-null
l 3des-md5
l 3des-sha1
l 3des-sha256

IPsec VPNs 622
l 3des-sha384
l 3des-sha512
In AES encryption algorithm, IPsec traffic can offload NPU/CP. FortiGate supports:
l aes128-null
l aes128-md5
l aes128-sha1
l aes128-sha256
l aes128-sha384
l aes128-sha512
l aes192-null
l aes192-md5
l aes192-sha1
l aes192-sha256
l aes192-sha384
l aes192-sha512
l aes256-null
l aes256-md5
l aes256-sha1
l aes256-sha256
l aes256-sha384
l aes256-sha512
In AESGCM encryption algorithm, IPsec traffic cannot offload NPU/CP. FortiGate supports:
l aes128gcm
l aes256gcm
In chacha20poly1305 encryption algorithm, IPsec traffic cannot offload NPU/CP. FortiGate supports:
l chacha20poly1305
In ARIA encryption algorithm, IPsec traffic cannot offload NPU/CP. FortiGate supports:
l aria128-null
l aria128-md5
l aria128-sha1
l aria128-sha256
l aria128-sha384
l aria128-sha512
l aria192-null
l aria192-md5
l aria192-sha1
l aria192-sha256
l aria192-sha384
l aria192-sha512
l aria256-null
l aria256-md5
l aria256-sha1
l aria256-sha256

IPsec VPNs 623
l aria256-sha384
l aria256-sha512
In SEED encryption algorithm, IPsec traffic cannot offload NPU/CP. FortiGate supports:
l seed-null
l seed-md5
l seed-sha1
l seed-sha256
l seed-sha384
l seed-sha512

aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
DES is a symmetric-key algorithm which means the same key is used for encrypting and decrypting data. FortiGate
supports:
l des-md5
l des-sha1
l des-sha256
l des-sha384
l des-sha512
3DES apply DES algorithm three times to each data. FortiGate supports:
l 3des-md5
l 3des-sha1
l 3des-sha256
l 3des-sha384
l 3des-sha512
AES is a symmetric-key algorithm with different key length: 128, 192, and 256 bits. FortiGate supports:
l aes128-md5
l aes128-sha1
l aes128-sha256
l aes128-sha384
l aes128-sha512
l aes128gcm-prfsha1
l aes128gcm-prfsha256
l aes192-md5
l aes192-sha1
l aes192-sha256
l aes192-sha384
l aes192-sha512
l aes256-md5

IPsec VPNs 624
l aes256-sha1
l aes256-sha256
l aes256-sha384
l aes256-sha512
l aes256gcm-prfsha1
The ARIA algorithm is based on AES with different key length: 128, 192, and 256 bits. FortiGate supports:
l aria128-md5
l aria128-sha1
l aria128-sha256
l aria128-sha384
l aria128-sha512
l aria192-md5
l aria192-sha1
l aria192-sha256
l aria192-sha384
l aria192-sha512
l aria256-md5
l aria256-sha1
l aria256-sha256
l aria256-sha384
l aria256-sha512
In chacha20poly1305 encryption algorithm, FortiGate supports:
l chacha20poly1305-prfsha1
SEED is a symmetric-key algorithm. FortiGate supports:
l seed128-md5
l seed128-sha1
l seed128-sha256
l seed128-sha384
l seed128-sha512
Suite-B is a set of encryption algorithm, AES encryption with ICV in GCM mode. FortiGate supports Suite-B on new
kernel platforms only. IPsec traffic cannot offload to NPU. CP9 supports Suite-B offloading, otherwise packets are
encrypted and decrypted by software. FortiGate supports:
l suite-b-gcm-128
l suite-b-gcm-256

IPsec VPNs 625

aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
In null encryption, IPsec traffic can offload NPU/CP. FortiGate supports:

l null-md5
l null-sha1
l null-sha256
l null-sha384
l null-sha512
In DES encryption algorithm, IPsec traffic can offload NPU/CP. FortiGate supports:
l des-null
l des-md5
l des-sha1
l des-sha256
l des-sha384
l des-sha512
In 3DES encryption algorithm, IPsec traffic can offload NPU/CP. FortiGate supports:
l 3des-null
l 3des-md5
l 3des-sha1
l 3des-sha256
l 3des-sha384
l 3des-sha512
In AES encryption algorithm, IPsec traffic can offload NPU/CP. FortiGate supports:
l aes128-null
l aes128-md5
l aes128-sha1
l aes128-sha256
l aes128-sha384
l aes128-sha512
l aes192-null
l aes192-md5
l aes192-sha1
l aes192-sha256
l aes192-sha384
l aes192-sha512
l aes256-null
l aes256-md5
l aes256-sha1
l aes256-sha256
l aes256-sha384
l aes256-sha512

IPsec VPNs 626
In AESGCM encryption algorithm, IPsec traffic cannot offload NPU. CP9 supports AESGCM offloading. FortiGate
supports:
l aes128gcm
l aes256gcm
In chacha20poly1305 encryption algorithm, IPsec traffic cannot offload NPU/CP. FortiGate supports:
l chacha20poly1305
In ARIA encryption algorithm, IPsec traffic cannot offload NPU/CP. FortiGate supports:
l aria128-null
l aria128-md5
l aria128-sha1
l aria128-sha256
l aria128-sha384
l aria128-sha512
l aria192-null
l aria192-md5
l aria192-sha1
l aria192-sha256
l aria192-sha384
l aria192-sha512
l aria256-null
l aria256-md5
l aria256-sha1
l aria256-sha256
l aria256-sha384
l aria256-sha512
In SEED encryption algorithm, IPsec traffic cannot offload NPU/CP. FortiGate supports:
l seed-null
l seed-md5
l seed-sha1
l seed-sha256
l seed-sha384
l seed-sha512
Policy-based IPsec tunnel
This recipe provides an example configuration of policy-based IPsec tunnel. Site-to-site VPN between branch and HQ is
used and HQ is the IPsec concentrator.

IPsec VPNs 627
To configure a policy-based IPsec tunnel using the GUI:
1. Configure the IPsec VPN at HQ:

a. Go to VPN > IPsec Wizard, enter a VPN name (to_branch1 in this example), choose Custom, and then click
Next:
l Uncheck Enable IPsec Interface Mode.
l Choose Static IP Address as Remote Gateway.
l Enter IP address, in this example, 15.1.1.2.
l Choose port9 as interface.
l In this example, set Authentication Method to Pre-shared Key. In other cases, use the default.
l Click OK.
b. Go to VPN > IPsec Wizard, enter a VPN name (to_branch2 in this example), choose Custom, and then click
Next:
l Choose port9 as interface.
Click OK.
l
2. Configure the IPsec concentrator at HQ:

a. Go to VPN > IPsec Concentrator, enter a name, in this example, branch.
b. Add to_branch1 and to_branch2 as Members.
c. Click OK.
a. Choose the Incoming Interface, in this example, port10.
b. Choose the Outgoing Interface, in this example, port9.

IPsec VPNs 628
c. Select the Source, Destination, Schedule, Service, and set Action to IPsec.
d. Select the VPN Tunnel, in this example, Branch1/Branch2.
e. In this example, turn on Allow traffic to be initiated from the remote site.
f. Click OK.
4. Configure IPsec VPN at branch 1:
a. Go to VPN > IPsec Wizard, enter a VPN name, (to_HQ in this example) choose Custom and then click Next.
l Choose wan1 as interface.
l Click OK.
a. Choose the Incoming Interface, in this example, internal.
b. Choose the Outgoing Interface, in this example, wan1.
d. Select the VPN Tunnel, in this example, to_HQ.
f. Click OK.
6. Configure IPsec VPN at branch 2:
a. Go to VPN > IPsec Wizard, enter a VPN name, (to_HQ in this example) choose Custom and then click Next.
l Choose wan1 as interface.
l In this example, set Authentication Method to Pre-shared Key and the Pre-shared Key is sample. In
other cases, use the default.
l Click OK.
a. Choose the Incoming Interface, in this example, internal.
b. Choose the Outgoing Interface, in this example, wan1.
d. Select the VPN Tunnel, in this example, to_HQ.
f. Click OK.
To configure a policy-based IPsec tunnel using the CLI:
1. Configure the HQ WAN interface and static route:

edit "port9"
set alias "WAN"
set ip 22.1.1.1 255.255.255.0
next

IPsec VPNs 629
edit "port10"
set ip 172.16.101.1 255.255.255.0
next
end
edit 1
set device "port9"
next
end
2. Configure the HQ IPsec phase1 and phase2:

config vpn ipsec phase1
edit "to_branch1"
set peertype any
next
edit "to_branch2"
set peertype any
next
end
edit "to_branch1"
set phase1name "to_branch1"
next
edit "to_branch2"
set phase1name "to_branch2"
next
end
3. Configure the HQ firewall policy:

edit 1
set dstintf "port9"
set srcaddr "all"
set action ipsec
set service "ALL"
set inbound enable
set vpntunnel "to_branch1"
next

IPsec VPNs 630
edit 2
set dstintf "port9"
set srcaddr "all"
set action ipsec
set service "ALL"
set inbound enable
set vpntunnel "to_branch2"
next
end
4. Configure the HQ concentrator:

config vpn ipsec concentrator
edit "branch"
set member "to_branch1" "to_branch2"
next
end
5. Configure the branch WAN interface and static route:

a. Branch1:
edit "wan1"
set ip 15.1.1.2 255.255.255.0
next
edit "internal"
set ip 10.1.100.1 255.255.255.0
next
end
edit 1
set device "wan1"
next
end
b. Branch2:
edit "wan1"
set ip 13.1.1.2 255.255.255.0
next
edit "internal"
set ip 192.168.4.1 255.255.255.0
next
end
edit 1
set device "wan1"
next
end

IPsec VPNs 631
6. Configure the branch IPsec phase1 and phase2:

a. Branch1:
edit "to_HQ"
set peertype any
next
end
edit "to_HQ"
next
end
b. Branch2:
edit "to_HQ"
set peertype any
next
end
edit "to_HQ"
next
end
7. Configure the branch firewall policy:

a. Branch1:
edit 1
set dstintf "wan1"
set dstaddr "all"
set action ipsec
set service "ALL"
set inbound enable
set vpntunnel "to_HQ"
next
end

IPsec VPNs 632
b. Branch2:
edit 1
set dstintf "wan1"
set dstaddr "all"
set action ipsec
set service "ALL"
set inbound enable
set vpntunnel "to_HQ"
next
end
8. Optionally, view the IPsec VPN tunnel list at HQ with the diagnose vpn tunnel list command:
----
name=to_branch1 ver=1 serial=4 22.1.1.1:0->15.1.1.2:0
bound_if=42 lgwy=static/1 tun=tunnel/1 mode=auto/1 encap=none/8 options[0008]=npu
proxyid=to_branch1 proto=0 sa=1 ref=3 serial=1
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
dec: spi=ca646442 esp=aes key=16 58c91d4463968dddccc4fd97de90a4b8
ah=sha1 key=20 c9176fe2fbc82ef7e726be9ad4af83eb1b55580a
enc: spi=747c10c4 esp=aes key=16 7cf0f75b784f697bc7f6d8b4bb8a83c1
ah=sha1 key=20 cdddc376a86f5ca0149346604a59af07a33b11c5
----
name=to_branch2 ver=1 serial=5 22.1.1.1:0->13.1.1.2:0
bound_if=42 lgwy=static/1 tun=tunnel/1 mode=auto/1 encap=none/8 options[0008]=npu
proxyid=to_branch2 proto=0 sa=1 ref=2 serial=1
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
dec: spi=ca646441 esp=aes key=16 57ab680d29d4aad4e373579fb50e9909
ah=sha1 key=20 12a2bc703d2615d917ff544eaff75a6d2c17f1fe
enc: spi=f9cffb61 esp=aes key=16 3d64da9feb893874e007babce0229259
ah=sha1 key=20 f92a3ad5e56cb8e89c47af4dac10bf4b4bebff16

IPsec VPNs 633
9. Optionally, view the IPsec VPN concentrator at HQ with the diagnose vpn concentrator list command:
list all ipsec concentrator in vd 0
name=branch ref=3 tuns=2 flags=0

SSL VPN
SSL VPN web mode for remote user
This topic provides a sample configuration of remote users accessing the corporate network through an SSL VPN by
web mode using a web browser.
WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE
mode. The SSL VPN connection is established over the WAN interface.
To configure SSL VPN using the GUI:
1. Configure the interface and firewall address.

Port1 interface connects to the internal network.
a. Go to Network > Interface and edit the wan1 interface.
b. Set IP/Network Mask to 172.20.120.123/255.255.255.0.
c. Edit port1 interface and set IP/Network Mask to 192.168.1.99/255.255.255.0.
d. Click OK.
e. Go to Firewall & Objects > Address and create address for internet subnet 192.168.1.0.
2. Configure user and user group.
a. Go to User & Device > User Definition to create a local user sslvpnuser1.
b. Go to User & Device > User Groups to create a group sslvpngroup with the member sslvpnuser1.

SSL VPN 635
3. Configure SSL VPN web portal.

a. Go to VPN > SSL-VPN Portals to create a web mode only portal my-web-portal.
b. Set Predefined Bookmarks for Windows server to type RDP.
4. Configure SSL VPN settings.
a. Go to VPN > SSL-VPN Settings.
b. Choose proper Listen on Interface, in this example, wan1.
c. Listen on Port 10443.
d. Choose a certificate for Server Certificate. The default is Fortinet_Factory.
e. Under Authentication/Portal Mapping, set default Portal Web-access for All Other Users/Groups.
f. Create new Authentication/Portal Mapping for group sslvpngroup mapping portal my-Web-portal.
5. Configure SSL VPN firewall policy.
b. Fill in the firewall policy name. In this example: sslvpn web mode access.
c. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
d. Choose an Outgoing Interface. In this example: port1.
e. Set the Source to all and group to sslvpngroup.
f. In this example, the destination is the internal protected subnet 192.168.1.0.
g. Set Schedule to always, service to ALL, and Action to Accept.
h. Click OK.
To configure SSL VPN using the CLI:

edit "wan1"
set vdom "root"
set ip 172.20.120.123 255.255.255.0
next
end
Configure internal interface and protected subnet.

Connect Port1 interface to internal network.
edit "port1"
set vdom "root"
set ip 192.168.1.99 255.255.255.0
next
end
edit "192.168.1.0"
set subnet192.168.1.0 255.255.255.0
next
end

SSL VPN 636

config user local
edit "sslvpnuser1"
set type password
next
end
config user group
edit "sslvpngroup"
next
end
3. Configure SSL VPN web portal and predefine RDP bookmark for windows server.
config vpn ssl web portal
edit "my-web-portal"
set web-mode enable
config bookmark-group
edit "gui-bookmarks"
config bookmarks
edit "Windows Server"
set apptype rdp
set host "192.168.1.114"
set port 3389
set logon-user "your-windows-server-user-name"
set logon-password your-windows-server-password
next
end
next
end
next
end

config vpn ssl settings
set servercert "Fortinet_Factory"
set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
set source-interface "wan1"
set source-address "all"
set source-address6 "all"
set default-portal "full-access"
config authentication-rule
edit 1
set groups "sslvpngroup"
set portal "my-web-portal"
next
end

Configure one firewall policy to allow remote user to access the internal network. Traffic is dropped from internal to
remote client.
edit 1

SSL VPN 637
set name "sslvpn web mode access"

set srcintf "ssl.root"
set dstintf "port1"
set srcaddr "all"
set groups “sslvpngroup”
set action accept
set service "ALL"
next
end
To see the results:
1. Open browser and log into the portal https://172.20.120.123:10443 using the credentials you've set up.
2. In the portal with the predefined bookmark, select the bookmark to begin an RDP session.
3. Go to VPN > Monitor > SSL-VPN Monitor to verify the list of SSL users.
4. Go to Log & Report > Traffic Log > Forward Traffic to view the details for the SSL entry.
SSL VPN tunnel mode
SSL VPN full tunnel for remote user
This topic provides a sample configuration of remote users accessing the corporate network and internet through an
SSL VPN by tunnel mode using FortiClient.

SSL VPN 638

d. Click OK.
a. Go to VPN > SSL-VPN Portals to create a tunnel mode only portal my-full-tunnel-portal.
b. Disable Split Tunneling.
4. SSL VPN settings configuration.
e. Under Authentication/Portal Mapping, set default Portal tunnel-access for All Other Users/Groups.
f. Create new Authentication/Portal Mapping for group sslvpngroup mapping portal my-full-tunnel-portal.
5. SSL VPN firewall policy configuration.
b. Fill in the firewall policy name. In this example: sslvpn full tunnel access.
e. Set the source to all and group to sslvpngroup.
f. In this example, the destination is all.
g. Set schedule to always, service to ALL, and Action to Accept.
h. Click OK.

edit "wan1"
set vdom "root"
set ip 172.20.120.123 255.255.255.0
next
end
2. Configure internal interface and protected subnet, and connect port1 interface to internal network.
edit "port1"
set vdom "root"
set ip 192.168.1.99 255.255.255.0

SSL VPN 639
next
end

config user local
edit "sslvpnuser1"
set type password
next
end
config user group
edit "sslvpngroup"
next
end
4. Configure SSL VPN web portal and predefine RDP bookmark for windows server.
edit "my-full-tunnel-portal"
set tunnel-mode enable
set split-tunneling disable
set ip-pools "SSLVPN_TUNNEL_ADDR1"
next
end

edit 1
set portal "my-full-tunnel-portal"
next
end
6. Configure one SSL VPN firewall policy to allow remote user to access the internal network. Traffic is dropped from
internal to remote client.
edit 1
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"

SSL VPN 640
next
end
To see the results:
1. Download FortiClient from www.forticlient.com.

2. Open the FortiClient Console and go to Remote Access.
3. Add a new connection.
4. Set VPN Type to SSL VPN, set Remote Gateway to the IP of the listening FortiGate interface, in this example:
172.20.120.123.
5. Select Customize Port and set it to 10443.
6. Save your settings.
7. Use the credentials you've set up to connect to the SSL VPN tunnel.
8. After connection, all traffic except the local subnet will go through the tunnel FGT.
10. In FGT, go to Log & Report > Traffic Log > Forward Traffic and view the details for the SSL entry.
SSL VPN split tunnel for remote user
This topic provides a sample configuration of remote users accessing the corporate network and internet through an
SSL VPN by tunnel mode using FortiClient but accessing the Internet without going through the SSL VPN tunnel.


SSL VPN 641

d. Click OK.
e. Go to Firewall & Objects > Address and create an address for internet subnet 192.168.1.0.
a. Go to VPN > SSL-VPN Portals to create a tunnel mode only portal my-split-tunnel-portal.
b. Enable Split Tunneling.
c. Select Routing Address.
f. Create new Authentication/Portal Mapping for group sslvpngroup mapping portal my-split-tunnel-portal.
b. Fill in the firewall policy name. In this example: sslvpn split tunnel access.
h. Click OK.

edit "wan1"
set vdom "root"
set ip 172.20.120.123 255.255.255.0
next
end
2. Configure internal interface and protected subnet. Then connect port1 interface to internal network.
edit "port1"
set vdom "root"
set ip 192.168.1.99 255.255.255.0
next
end
edit "192.168.1.0"

SSL VPN 642
set subnet 192.168.1.0 255.255.255.0

next
end

config user local
edit "sslvpnuser1"
set type password
next
end
config user group
edit "sslvpngroup"
next
end

edit "my-split-tunnel-portal"
set split-tunneling enable
set split-tunneling-routing-address "192.168.1.0"
next
end

edit 1
set portal "my-split-tunnel-portal"
next
end
edit 1
set dstintf "port1"
set srcaddr "all"
set action accept

SSL VPN 643
set service "ALL"

next
end
To see the results:

l Set VPN Type to SSL VPN .
l Set Remote Gateway to the IP of the listening FortiGate interface, in this example: 172.20.120.123.
7. After connection, traffic to 192.168.1.0 goes through the tunnel. Other traffic goes through local gateway.
8. In FGT, go to VPN > Monitor > SSL-VPN Monitor to verify the list of SSL users.
SSL VPN tunnel mode host check
This topic provides a sample configuration of remote users accessing the corporate network through an SSL VPN by
tunnel mode using FortiClient with AV host check.


SSL VPN 644

d. Click OK.
3. SSL VPN web portal configuration.
a. Go to VPN > SSL-VPN Portals to create a tunnel mode only portal my-split-tunnel-portal.
b. Enable Split Tunneling.
c. Select Routing Address.
f. Create new Authentication/Portal Mapping for group sslvpngroup mapping portal my-split-tunnel-portal.
b. Fill in the firewall policy name. In this example: sslvpn tunnel access with av check.
h. Click OK.
6. Configure SSL VPN web portal to enable AV host-check.
a. Open the CLI Console at the top right of the screen.
b. Enter the following commands to enable the host to check for compliant AntiVirus software on the user’s
computer:
edit my-split-tunnel-access
set host-check av
end

edit "wan1"
set vdom "root"
set ip 172.20.120.123 255.255.255.0

SSL VPN 645
next
end
2. Configure internal interface and protected subnet. Then connect port1 interface to internal network.
edit "port1"
set vdom "root"
set ip 192.168.1.99 255.255.255.0
next
end
edit "192.168.1.0"
set subnet 192.168.1.0 255.255.255.0
next
end

config user local
edit "sslvpnuser1"
set type password
next
end
config user group
edit "sslvpngroup"
next
end

edit "my-split-tunnel-portal"
set split-tunneling-routing-address "192.168.1.0"
next
end

edit 1
set portal "my-split-tunnel-portal"
next
end

SSL VPN 646
edit 1
set dstintf "port1"
set srcaddr "all"
set action accept
set service "ALL"
next
end
7. Configure SSL VPN web portal to enable the host to check for compliant AntiVirus software on the user’s computer:
edit my-split-tunnel-access
set host-check av
end
To see the results:

If the user's computer has AntiVirus software installed, a connection is established; otherwise FortiClient shows a
compliance warning.
7. After connection, traffic to 192.168.1.0 goes through the tunnel. Other traffic goes through local gateway.
SSL VPN multi-realm
This sample recipe shows how to create a multi-realm SSL VPN that provides different portals for different user groups.

SSL VPN 647

d. Click OK.
e. Go to Firewall & Objects > Address and create an address for internet QA_subnet with subnet
192.168.1.0/24 and HR_subnet with subnet 10.1.100.0/24.
a. Go to User & Device > User Definition to create local users qa-user1 and hr-user1.
b. Go to User & Device > User Groups to create separate user groups for web-only and full-access portals:
l QA_group with member qa-user1.
l HR_group with the member hr-user1.
3. SSL VPN web portal configuration.
a. Go to VPN > SSL-VPN Portals to create portal qa-tunnel.
b. Enable tunnel-mode.
c. Create a portal hr-web with web-mode enabled.
4. SSL VPN realms configuration.
a. Go to System > Feature Visibility to enable SSL-VPN Realms.
b. Go to VPN > SSL-VPN Realms to create realms for qa and hr.
e. Under Authentication/Portal Mapping, set default Portal Web-access for All Other Users/Groups.

SSL VPN 648
f. Create new Authentication/Portal Mapping for group QA_group mapping portal qa-tunnel.
g. Specify realm with qa.
h. Add another entry for group HR_group mapping portal hr-web.
i. Specify realm with hr.
b. Create a firewall policy for QA access.
c. Fill in the firewall policy name. In this example: QA sslvpn tunnel mode access.
d. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
e. Choose an Outgoing Interface. In this example: port1.
f. Set the source to all and group to QA_group.
g. In this example, the destination is the internal protected subnet QA_subnet.
h. Set schedule to always, service to ALL, and Action to Accept.
i. Click OK.
j. Create a firewall policy for HR access.
k. Fill in the firewall policy name. In this example: HR sslvpn web mode access.
l. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
m. Choose an Outgoing Interface. In this example: port1.
n. Set the source to all and group to HR_group.
o. In this example, the destination is the internal protected subnet HR_subnet.
p. Set schedule to always, service to ALL, and Action to Accept.
q. Click OK.

edit "wan1"
set vdom "root"
set ip 172.20.120.123 255.255.255.0
next
end
2. Configure internal interface and protected subnet, then connect port1 interface to internal network.
edit "port1"
set vdom "root"
set ip 192.168.1.99 255.255.255.0
next
end
edit "QA_subnet"
set subnet 192.168.1.0 255.255.255.0
next
edit "HR_subnet"
set subnet 10.1.100.0 255.255.255.0
next
end

SSL VPN 649

config user local
edit "qa_user1"
set type password
next
end
config user group
edit "QA_group"
set member "qa_user1"
next
end
config user local
edit "hr_user1"
set type password
next
end
config user group
edit "HR_group"
set member "hr_user1"
next
end

edit "qa-tunnel"
set split-tunneling-routing-address "QA_subnet"
next
end
edit "hr-web"
set web-mode enable
next
end
5. Configure SSL VPN realms.

Using the GUI is the easiest way to configure SSL VPN realms.
a. Go to System > Feature Visibility to enable SSL-VPN Realms.
b. Go to VPN > SSL-VPN Realms to create realms for qa and hr.
edit 1

SSL VPN 650
set groups "QA_group"

set portal "qa-tunnel"
set realm qa
next
edit 2
set groups "HR_group"
set portal "hr-web"
set realm hr
next
end
7. Configure two SSL VPN firewall policies to allow remote QA user to access internal QA network and HR user to
access HR network.
edit 1
set name "QA sslvnpn tunnel access"
set dstintf "port1"
set srcaddr "all"
set dstaddr "QA_subnet"
set groups “QA_group”
set action accept
set service "ALL"
next
edit 2
set name "HR sslvpn web access"
set dstintf "port1"
set srcaddr "all"
set dstaddr "HR_subnet"
set groups “HR_group”
set action accept
set service "ALL"
next
end
To see the results for QA user:

l Set Remote Gateway to https://172.20.120.123:10443/qa..
If the user's computer has AntiVirus software installed, a connection is established; otherwise FortiClient shows a
compliance warning.
7. After connection, traffic to subnet 192.168.1.0 goes through the tunnel.
9. In FGT, go to Log & Report > Traffic Log > Forward Traffic and view the details of the traffic.

SSL VPN 651
To see the results for HR user:
1. In a web browser, log into the portal https://172.20.120.123:10443/hr using the credentials you've set up to
connect to the SSL VPN tunnel.
3. Go to Log & Report > Traffic Log > Forward Traffic and view the details of the traffic.
SSL VPN authentication
SSL VPN with certificate authentication
This topic provides a sample configuration of SSL VPN that requires users to authenticate using a certificate.

d. Click OK.
2. Install the server certificate.
The server certificate is used for encrypting SSL VPN traffic and will be used for authentication.
a. Go to System > Feature Visibility and ensure Certificates is enabled.
b. Go to System > Certificates and select Import > Local Certificate.
l Set Type to Certificate.
l Choose the Certificate file and the Key file for your certificate, and enter the Password.
l If desired, you can change the Certificate Name.
The server certificate now appears in the list of Certificates.

SSL VPN 652
3. Install the CA certificate.

The CA certificate is the certificate that signed both the server certificate and the user certificate. In this example, it
is used to authenticate SSL VPN users.
a. Go to System > Certificates and select Import > CA Certificate.
b. Select Local PC and then select the certificate file.
The CA certificate now appears in the list of External CA Certificates. In the example, it is called CA_Cert_1.
4. Configure PKI users and a user group.
To use certificate authentication, PKI users must be created in the CLI. Use the CLI console to enter the following
commands:
config user peer
edit pki01
set ca CA_Cert_1
set subject User01
end
l Ensure the subject matches the name of the user certificate. In this example, User01.
Now that you have created a PKI user, a new menu is added to the GUI.
a. Go to User & Device > PKI to see the new user.
b. Edit the user account and expand Two-factor authentication.
c. Enable Require two-factor authentication and set a Password for the account.
d. Go to User & Device > User > User Groups and create a group sslvpngroup.
e. Add the PKI user pki01 to the group.
a. Go to VPN > SSL-VPN Portals to edit the full-access portal.
This portal supports both web and tunnel mode.
b. Disable Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.
d. Set Server Certificate to the authentication certificate.
e. Enable Require Client Certificate.
f. Under Authentication/Portal Mapping, set default Portal web-access for All Other Users/Groups.
g. Create new Authentication/Portal Mapping for group sslvpngroup mapping portal full-access.
b. Fill in the firewall policy name. In this example: sslvpn certificate auth.
d. Set the Source Address to all and Source User to sslvpngroup.
e. Set the Outgoing Interface to the local network interface so that the remote user can access the internal
network. In this example: port1.
f. Set Destination Address to the internal protected subnet 192.168.1.0.
h. Enable NAT.

SSL VPN 653
i. Configure any remaining firewall and security options as desired.

j. Click OK.

edit "wan1"
set vdom "root"
set ip 172.20.120.123 255.255.255.0
next
end
2. Configure internal interface and protected subnet., then connect port1 interface to internal network.
edit "port1"
set vdom "root"
set ip 192.168.1.99 255.255.255.0
next
end
edit "192.168.1.0"
set subnet192.168.1.0 255.255.255.0
next
end

The server certificate is used for encrypting SSL VPN traffic and will be used for authentication. It is easier to install
the server certificate from GUI. However, CLI can import a p12 certificate from a tftp server.
If you want to import a p12 certificate, put the certificate server_certificate.p12 on your tftp server, then run
following command on the FortiGate.
execute vpn certificate local import tftp server_certificate.p12 <your tftp_server> p12
<your password for PKCS12 file>
To check server certificate is installed:

show vpn certificate local server_certificate

The CA certificate is the certificate that signed both the server certificate and the user certificate. In this example, it
is used to authenticate SSL VPN users.
It is easier to install the server certificate from GUI. However, CLI can import a CA certificates from a tftp server.
If you want to import a CA certificate, put the CA certificate on your tftp server, then run following command on the
FortiGate.
execute vpn certificate ca import tftp <your CA certificate name> <your tftp server>
To check that a new CA certificate is installed:

show vpn certificate ca

config user peer
edit pki01

SSL VPN 654
set ca CA_Cert_1
set subject User01
set two-factor enable
set passwd <your-password>
end
config user group
edit "sslvpngroup"
set member "pki01"
next
end

edit "full-access"
set web-mode enable
next
end

set servercert "server_certificate"
set default-portal "web-access"
set reqclientcert enable
edit 1
set portal "full-access"
next
end
8. Configure one SSL VPN firewall policy to allow remote user to access the internal network.
edit 1
set dstintf "port1"
set srcaddr "all"
set action accept
set service "ALL"
set nat enable
next
end

SSL VPN 655
Sample installation
To use the user certificate, you must first install it on the user’s PC. When the user tries to authenticate, the user
certificate is checked against the CA certificate to verify that they match.
Every user should have a unique user certificate. This allows you to distinguish each user and revoke a specific user’s
certificate, such as if a user no longer has VPN access.
To install the user certificate on Windows 7, 8, and 10:
1. Double-click the certificate file to open the Import Wizard.

2. Use the Import Wizard to import the certificate into the Personal store.
To install the user certificate on Mac OS X:
1. Open the certificate file, to open Keychain Access.

2. Double-click the certificate.
3. Expand Trust and select Always Trust.
To see the results of tunnel connection:

2. Open the FortiClient Console and go to Remote Access > Configure VPN.
5. Enable Client Certificate and select the authentication certificate.
If the certificate is correct, you can connect.
To see the results of web portal:
1. In a web browser, log into the portal http://172.20.120.123:10443.

A message requests a certificate for authentication.
2. Select the user certificate.
3. Enter your user credentials.
If the certificate is correct, you can connect to the SSL VPN web portal.
To check the SSL VPN connection using the GUI:
2. Go to Log & Report > VPN Events and view the details for the SSL connection log.

SSL VPN 656
To check the SSL VPN connection using the CLI:
get vpn ssl monitor

SSL VPN Login Users:
Index User Auth Type Timeout From HTTP in/out HTTPS in/out
0 pki01,cn=User01 1(1) 229 10.1.100.254 0/0 0/0
1 pki01,cn=User01 1(1) 291 10.1.100.254 0/0 0/0
SSL VPN sessions:

Index User Source IP Duration I/O Bytes Tunnel/Dest IP
0 pki01,cn=User01 10.1.100.254 9 22099/43228 10.212.134.200
SSL VPN with LDAP-integrated certificate authentication
This topic provides a sample configuration of SSL VPN that requires users to authenticate using a certificate with LDAP
UserPrincipalName checking.
This sample uses Windows 2012R2 Active Directory acting as both the user certificate issuer, the certificate authority,
and the LDAP server.
In this sample, the User Principal Name is included in the subject name of the issued certificate. This is the user field
we use to search LDAP in the connection attempt.
To use the user certificate, you must first install it on the user’s PC. When the user tries to authenticate, the user
certificate is checked against the CA certificate to verify that they match.
Every user should have a unique user certificate. This allows you to distinguish each user and revoke a specific user’s
certificate, such as if a user no longer has VPN access.
To install the server certificate:
The server certificate is used for encrypting SSL VPN traffic and will be used for authentication.

SSL VPN 657
1. Go to System > Feature Visibility and ensure Certificates is enabled.

2. Go to System > Certificates and select Import > Local Certificate.
l Set Type to Certificate.
l Choose the Certificate file and the Key file for your certificate, and enter the Password.
l If desired, you can change the Certificate Name.
The server certificate now appears in the list of Certificates.
To install the CA certificate:
The CA certificate is the certificate that signed both the server certificate and the user certificate. In this example, it is
used to authenticate SSL VPN users.
1. Go to System > Certificates and select Import > CA Certificate.
2. Select Local PC and then select the certificate file.

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or
PPPoE mode. The SSL VPN connection is established over the WAN interface.
d. Click OK.
2. Configure the LDAP server.
a. Go to User & Device > LDAP Servers > Create New.
l Specify Name and Server IP/Name.
l Set Distinguished Name to dc=fortinet-fsso,dc=com.
l Set Bind Type to Regular.
l Set Username to cn=admin,ou=testing,dc=fortinet-fsso,dc=com.
l Set password.
To use certificate authentication, PKI users must be created in the CLI. Use the CLI console to enter the following
commands:
config user peer
edit user1
set ca CA_Cert_1
set ldap-server "ldap-AD"
set ldap-mode principal-name
end
Now that you have created a PKI user, a new menu is added to the GUI.
a. Go to User & Device > PKI to see the new user.
b. Go to User & Device > User > User Groups and create a group sslvpn-group.

SSL VPN 658
c. Add the PKI peer object you created as a local member of the group.
d. Add a remote group on the LDAP server and select the group of interest.
You need these users to be members using the LDAP browser window.
e. Enable Require Client Certificate.
f. Under Authentication/Portal Mapping, set default Portal web-access for All Other Users/Groups.
g. Create new Authentication/Portal Mapping for group sslvpn-group mapping portal full-access.
d. Set the Source Address to all and Source User to sslvpn-group.
h. Enable NAT.
j. Click OK.

edit "wan1"
set vdom "root"
set ip 172.20.120.123 255.255.255.0
next
end
edit "port1"
set vdom "root"
set ip 192.168.1.99 255.255.255.0
next
end
edit "192.168.1.0"

SSL VPN 659
set subnet192.168.1.0 255.255.255.0

next
end

config user ldap
edit "ldap-AD"
set server "172.18.60.206"
set cnid "cn"
set dn "dc=fortinet-fsso,dc=com"
set type regular
set username "cn=admin,ou=testing,dc=fortinet-fsso,dc=com"
set password ldap-server-password
next
end

config user peer
edit user1
set ca CA_Cert_1
set ldap-server "ldap-AD"
set ldap-mode principal-name
end
config user group

edit "sslvpn-group"
set member "ldap-AD" "test3"
config match
edit 1
set server-name "ldap-AD"
set group-name "CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM"
next
end
next
end

edit "full-access"
set web-mode enable
next
end

set reqclientcert enable

SSL VPN 660
edit 1
set groups "sslvpn-group"
next
end
edit 1
set dstintf "port1"
set srcaddr "all"
set groups “sslvpn-group”
set action accept
set service "ALL"
set nat enable
next
end

l Set the connection name.
5. Enable Client Certificate and select the authentication certificate.
Connecting to the VPN only requires the user's certificate. It does not require username or password.
1. In a web browser, log into the portal http://172.20.120.123:10443.

A message requests a certificate for authentication.
2. Select the user certificate.
You can connect to the SSL VPN web portal.
2. Go to Log & Report > VPN Events to view the details of the SSL VPN connection event log.
3. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.
To check the SSL VPN connection using the CLI:
Below is a sample output of diag debug app fnbamd -1 while the user connects. This is a shortened output
sample of a few locations to show the important parts. This sample shows lookups to find the group memberships (three

SSL VPN 661
groups total) of the user and that the correct group being found results in a match.
[1148] fnbamd_ldap_recv-Response len: 16, svr: 172.18.60.206
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:4, type:search-result
[864] fnbamd_ldap_parse_response-ret=0
[1386] __fnbamd_ldap_primary_grp_next-Auth accepted
[910] __ldap_rxtx-Change state to 'Done'
[843] __ldap_rxtx-state 23(Done)
[925] fnbamd_ldap_send-sending 7 bytes to 172.18.60.206
[937] fnbamd_ldap_send-Request is sent. ID 5
[753] __ldap_stop-svr 'ldap-AD'
[53] ldap_dn_list_del_all-Del CN=test3,OU=Testing,DC=Fortinet-FSSO,DC=COM
[399] ldap_copy_grp_list-copied CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM
[399] ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=Fortinet-FSSO,DC=COM
[2088] fnbamd_auth_cert_check-Matching group 'sslvpn-group'
[2007] __match_ldap_group-Matching server 'ldap-AD' - 'ldap-AD'
[2015] __match_ldap_group-Matching group 'CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM' -
'CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM'
[2091] fnbamd_auth_cert_check-Group 'sslvpn-group' matched
[2120] fnbamd_auth_cert_result-Result for ldap svr[0] 'ldap-AD' is SUCCESS
[2126] fnbamd_auth_cert_result-matched user 'test3', matched group 'sslvpn-group'
You can also use diag firewall auth list to validate that a firewall user entry exists for the SSL VPN user and
is part of the right groups.
SSL VPN with FortiToken Mobile Push authentication
This topic provides a sample configuration of SSL VPN that uses FortiToken Mobile Push two-factor authentication. If
you enable push notifications, the user can easily accept or deny the authentication request.


SSL VPN 662

d. Click OK.
2. Register FortiGate for FortiCare Support.
To add or download a Mobile token on FortiGate, FortiGate must be registered for FortiCare Support. If your
FortiGate is registered, skip this step.
a. Go to Dashboard > Licenses.
b. Hover the pointer on FortiCare Support to check if FortiCare registered. If not, click it and select Register.
3. Add FortiToken Mobile to FortiGate.
If your FortiGate has FortiToken installed, skip this step.
a. Go to User & Device > FortiTokens and click Create New.
b. Select Mobile Token and type in Activation Code.
c. Every FortiGate has two free Mobile Tokens. Go to User & Device > FortiTokens and click Import Free Trial
Tokens.
4. Enable FortiToken Mobile Push.
To use FTM-push authentication, use CLI to enable FTM-Push in the FortiGate.
a. Ensure server-ip is reachable from the Internet and enter the following CLI commands:
config system ftm-push
set server-ip 172.20.120.123
set status enable
end
b. Go to Network > Interfaces.

c. Edit the wan1 interface.
d. Under Administrative Access > IPv4, select FTM.
e. Click OK.
b. Enter the user's Email Address.
c. Enable Two-factor Authentication and select one Mobile token from the list,
d. Enable Send Activation Code from Email.
e. Click Next and click Submit.
f. Go to User & Device > User Groups to create a group sslvpngroup with the member sslvpnuser1.
6. Activate the Mobile token.
a. When the user sslvpnuser1 is created, an email is sent to the user's email address. Follow the instructions to
install your FortiToken Mobile application on your device and activate your token.

SSL VPN 663

e. Under Authentication/Portal Mapping, set default Portal web-access for All Other Users/Groups.
f. Create new Authentication/Portal Mapping for group sslvpngroup mapping portal full-access.
h. Enable NAT.
j. Click OK.

edit "wan1"
set vdom "root"
set ip 172.20.120.123 255.255.255.0
next
end
edit "port1"
set vdom "root"
set ip 192.168.1.99 255.255.255.0
next
end
edit "192.168.1.0"
set subnet192.168.1.0 255.255.255.0
next
end
3. Register FortiGate for FortiCare Support.

To add or download a Mobile token on FortiGate, FortiGate must be registered for FortiCare Support. If your
FortiGate is registered, skip this step.
diagnose forticare direct-registration product-registration -a "your [email protected]" -p
"your password" -T "Your Country/Region" -R "Your Reseller" -e 1
4. Add FortiToken Mobile to FortiGate.

a. If your FortiGate has FortiToken installed, skip this step.
execute fortitoken-mobile import <your FTM code>

SSL VPN 664
b. Every FortiGate has two free Mobile Tokens. You can download the free token.
execute fortitoken-mobile import 0000-0000-0000-0000-0000
5. Enable FortiToken Mobile Push.

a. To use FTM-push authentication, ensure server-ip is reachable from the Internet and enable FTM-Push in
the FortiGate.
config system ftm-push
set server-ip 172.20.120.123
set status enable
end
b. Enable FTM service on WAN interface.

edit "wan1"
append allowaccess ftm
next
end

config user local
edit "sslvpnuser1"
set type password
set two-factor fortitoken
set fortitoken <select mobile token for the option list>
set email-to <user's email address>
set passwd <user's password>
next
end
config user group
edit "sslvpngroup"
set member "sslvpnuser1"
next
end
7. Activate the Mobile token.

a. When the user sslvpnuser1 is created, an email is sent to the user's email address. Follow the instructions to
install your FortiToken Mobile application on your device and activate your token.
edit "full-access"
set web-mode enable
next
end


SSL VPN 665

edit 1
next
end
edit 1
set dstintf "port1"
set srcaddr "all"
set action accept
set service "ALL"
set nat enable
next
end
1. From a remote device, open a web browser and log into the SSL VPN web portal http://172.20.120.123:10443.
2. Log in using the sslvpnuser1 credentials.
The FortiGate pushes a login request notification through the FortiToken Mobile application.
3. Check your mobile device and select Approve.
When the authentication is approved, sslvpnuser1 is logged into the SSL VPN portal.
4. On the FortiGate, go to Monitor > SSL-VPN Monitor to confirm the user connection.

6. Log in using the sslvpnuser1 credentials and click FTM Push.
The FortiGate pushes a login request notification through the FortiToken Mobile application.
When the authentication is approved, sslvpnuser1 is logged into the SSL VPN tunnel.
1. Go to VPN > Monitor > SSL-VPN Monitor to verify the user’s connection.

SSL VPN 666
To check the web portal login using the CLI:
get vpn ssl monitor

0 sslvpnuser1 1(1) 229 10.1.100.254 0/0 0/0
SSL VPN sessions:

To check the tunnel login using the CLI:
get vpn ssl monitor

0 sslvpnuser1 1(1) 291 10.1.100.254 0/0 0/0
SSL VPN sessions:

0 sslvpnuser1 10.1.100.254 9 22099/43228 10.212.134.200
SSL VPN with RADIUS on FortiAuthenticator
This topic provides a sample configuration of SSL VPN that uses FortiAuthenticator as a RADIUS authentication server.
To configure FortiAuthenticator using the GUI:
1. Create a user on the FortiAuthenticator.

a. On the FortiAuthenticator, go to Authentication > User Management > Local Users to create a user
sslvpnuser1.
b. Enable Allow RADIUS authentication and click OK to access additional settings.
c. Go to Authentication > User Management > User Groups to create a group sslvpngroup.
d. Add sslvpnuser1 to the group by moving the user from Available users to Selected users.

SSL VPN 667
2. Create the RADIUS client (FortiGate) on the FortiAuthenticator.

a. On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients to add the FortiGate as a
RADIUS client OfficeServer).
b. Enter the FortiGate IP address and set a Secret.
The secret is a pre-shared secure password that the FortiGate uses to authenticate to the FortiAuthenticator.
c. Set Realms to local | Local users.

d. Click OK.
2. Create a RADIUS user and user group .
a. On the FortiGate, go to User & Device > RADIUS Servers to create a user to connect to the RADIUS server
(FortiAuthenticator).
b. For Name, use FAC-RADIUS.
c. Enter the IP address of the FortiAuthenticator, and enter the Secret created above.
d. Click Test Connectivity to ensure you can connect to the RADIUS server.
e. Select Test User Credentials and enter the credentials for sslvpnuser1.
The FortiGate can now connect to the FortiAuthenticator as the RADIUS client.
f. Go to User & Device > User Groups and click Create New to map authenticated remote users to a user group
on the FortiGate.
g. For Name, use SSLVPNGroup.
h. In Remote Groups, click Add.
i. In the Remote Server dropdown list, select FAC-RADIUS.
j. Leave the Groups field blank.

SSL VPN 668

h. Enable NAT.
j. Click OK.

edit "wan1"
set vdom "root"
set ip 172.20.120.123 255.255.255.0
next
end
edit "port1"
set vdom "root"
set ip 192.168.1.99 255.255.255.0
next
end
edit "192.168.1.0"
set subnet192.168.1.0 255.255.255.0
next
end
3. Create a RADIUS user and user group.

config user radius
edit "FAC-RADIUS"
set server "172.20.120.161"
set secret <FAC client secret>
next
end
config user group

edit "sslvpngroup"
set member "FAC-RADIUS"
next
end

SSL VPN 669

edit "full-access"
set web-mode enable
next
end

edit 1
next
end
edit 1
set dstintf "port1"
set srcaddr "all"
set action accept
set service "ALL"
set nat enable
next
end

l Set Remote Gateway to 172.20.120.123.

SSL VPN 670

6. Log in using the sslvpnuser1 credentials and check that you are logged into the SSL VPN tunnel.
get vpn ssl monitor

0 sslvpnuser1 1(1) 229 10.1.100.254 0/0 0/0
SSL VPN sessions:

get vpn ssl monitor

0 sslvpnuser1 1(1) 291 10.1.100.254 0/0 0/0
SSL VPN sessions:

0 sslvpnuser1 10.1.100.254 9 22099/43228 10.212.134.200
SSL VPN with RADIUS and FortiToken mobile push on FortiAuthenticator
This topic provides a sample configuration of SSL VPN that uses FortiAuthenticator as a RADIUS authentication server
and FortiToken Mobile Push two-factor authentication. If you enable push notifications, the user can easily accept or
deny the authentication request.

SSL VPN 671
To configure FortiAuthenticator using the GUI:
1. Add a FortiToken mobile license on the FortiAuthenticator.

a. On the FortiAuthenticator, go to Authentication > User Management > FortiTokens.
c. Set Token type to FortiToken Mobile and enter the FortiToken Activation codes.
2. Create the RADIUS client (FortiGate) on the FortiAuthenticator.
a. On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients to add the FortiGate as a
RADIUS client OfficeServer).
b. Enter the FortiGate IP address and set a Secret.
The secret is a pre-shared secure password that the FortiGate uses to authenticate to the FortiAuthenticator.
c. Set Authentication method to Enforce two-factor authentication.
d. Select Enable FortiToken Mobile push notifications authentication.
e. Set Realms to local | Local users.
3. Create a user and assign FortiToken Mobile to the user on the FortiAuthenticator.
a. On the FortiAuthenticator, go to Authentication > User Management > Local Users to create a user
sslvpnuser1.
b. Enable Allow RADIUS authentication and click OK to access additional settings.
c. Enable Token-based authentication and select to deliver the token code by FortiToken.
d. Select the FortiToken added from the FortiToken Mobile dropdown menu.
e. Set Delivery method to Email and fill in the User Information section.
f. Go to Authentication > User Management > User Groups to create a group sslvpngroup.
g. Add sslvpnuser1 to the group by moving the user from Available users to Selected users.
4. Install the FortiToken Mobile application on your smartphone, for Android or iOS.
The FortiAuthenticator sends the FortiToken Mobile activation to the user’s email address.
5. Activate the FortiToken Mobile through the FortiToken Mobile application by either entering the activation code or
by scanning the QR code.

d. Click OK.
a. On the FortiGate, go to User & Device > RADIUS Servers to create a user to connect to the RADIUS server
(FortiAuthenticator).
b. For Name, use FAC-RADIUS.

SSL VPN 672
c. Enter the IP address of the FortiAuthenticator, and enter the Secret created above.
d. Click Test Connectivity to ensure you can connect to the RADIUS server.
e. Select Test User Credentials and enter the credentials for sslvpnuser1.
The FortiGate can now connect to the FortiAuthenticator as the RADIUS client.
f. Go to User & Device > User Groups and click Create New to map authenticated remote users to a user group
on the FortiGate.
g. For Name, use SSLVPNGroup.
h. In Remote Groups, click Add.
i. In the Remote Server dropdown list, select FAC-RADIUS.
j. Leave the Groups field blank.
h. Enable NAT.
j. Click OK.

edit "wan1"
set vdom "root"
set ip 172.20.120.123 255.255.255.0
next
end

SSL VPN 673
edit "port1"
set vdom "root"
set ip 192.168.1.99 255.255.255.0
next
end
edit "192.168.1.0"
set subnet192.168.1.0 255.255.255.0
next
end

config user radius
edit "FAC-RADIUS"
set server "172.20.120.161"
set secret <FAC client secret>
next
end
config user group

edit "sslvpngroup"
set member "FAC-RADIUS"
next
end

edit "full-access"
set web-mode enable
next
end

edit 1
next
end
edit 1

SSL VPN 674

set dstintf "port1"
set srcaddr "all"
set action accept
set service "ALL"
set nat enable
next
end
The FortiAuthenticator pushes a login request notification through the FortiToken Mobile application.
When the authentication is approved, sslvpnuser1 is logged into the SSL VPN portal.

6. Log in using the sslvpnuser1 credentials and click FTM Push.
The FortiAuthenticator pushes a login request notification through the FortiToken Mobile application.
When the authentication is approved, sslvpnuser1 is logged into the SSL VPN tunnel.
get vpn ssl monitor

0 sslvpnuser1 1(1) 229 10.1.100.254 0/0 0/0
SSL VPN sessions:


SSL VPN 675
To check the tunnel login on CLI:
get vpn ssl monitor

0 sslvpnuser1 1(1) 291 10.1.100.254 0/0 0/0
SSL VPN sessions:

0 sslvpnuser1 10.1.100.254 9 22099/43228 10.212.134.200
SSL VPN with local user password policy
This topic provides a sample configuration of SSL VPN for users with passwords that expire after two days. Users are
warned after one day about the password expiring. The password policy can be applied to any local user password. The
password policy cannot be applied to a user group or a local remote user such as LDAP/RADIUS/TACACS+.
In FortiOS 6.2, users are warned after one day about the password expiring and have one day to renew it. When the
expiration time is reached, the user cannot renew the password and must contact the administrator for assistance.
In FortiOS 6.0/5.6, users are warned after one day about the password expiring and have to renew it. When the
expiration time is reached, the user can still renew the password.


SSL VPN 676
d. Click OK.
a. Go to User & Device > User Definition to create a local user.
b. Enter the user's Email Address.
c. If you want, enable Two-factor Authentication,
d. Click Next and click Submit.
e. Go to User & Device > User Groups to create a user group and add that local user to it.
3. Configure and assign the password policy using the CLI.
a. Configure a password policy that includes an expiration date and warning time. The default start time for the
password is the time the user was created.
config user password-policy
edit "pwpolicy1"
set expire-days 2
set warn-days 1
next
end
b. Assign the password policy to the user you just created.

config user local
edit "sslvpnuser1"
set type password
set passwd-policy "pwpolicy1"
next
end

h. Enable NAT.

SSL VPN 677

j. Click OK.

edit "wan1"
set vdom "root"
set ip 172.20.120.123 255.255.255.0
next
end
edit "port1"
set vdom "root"
set ip 192.168.1.99 255.255.255.0
next
end
edit "192.168.1.0"
set subnet192.168.1.0 255.255.255.0
next
end

config user local
edit "sslvpnuser1"
set type password
next
end
config user group
edit "sslvpngroup"
next
end
4. Configure and assign the password policy.

edit "pwpolicy1"
set expire-days 2
set warn-days 1
next
end

config user local
edit "sslvpnuser1"
set type password

SSL VPN 678
next
end

edit "full-access"
set web-mode enable
next
end

edit 1
next
end
edit 1
set dstintf "port1"
set srcaddr "all"
set action accept
set service "ALL"
set nat enable
next
end
To see the results of the SSL VPN web connection:
When the warning time is reached , the user is prompted to enter a new password.
In FortiOS 6.2, when the expiration time is reached, the user cannot renew the password and must contact the
administrator.
In FortiOS 6.0/5.6, when the expiration time is reached, the user can still renew the password.

SSL VPN 679
To see the results of the SSL VPN tunnel connection:

When the warning time is reached , the user is prompted to enter a new password.
To check that login failed due to password expired on GUI:
1. Go to Log & Report > VPN Events to see the SSL VPN alert labeled ssl-login-fail.
2. Click Details to see the log details about the Reason sslvpn_login_password_expired.
get vpn ssl monitor

0 sslvpnuser1 1(1) 229 10.1.100.254 0/0 0/0
SSL VPN sessions:

get vpn ssl monitor

0 sslvpnuser1 1(1) 291 10.1.100.254 0/0 0/0
SSL VPN sessions:

0 sslvpnuser1 10.1.100.254 9 22099/43228 10.212.134.200
To check the FortiOS 6.2 login password expired event log:
FG201E4Q17901354 # execute log filter category event
FG201E4Q17901354 # execute log filter field subtype vpn
FG201E4Q17901354 # execute log filter field action ssl-login-fail

SSL VPN 680
FG201E4Q17901354 # execute log display

1: date=2019-02-15 time=10:57:56 logid="0101039426" type="event" subtype="vpn" level="alert"
vd="root" eventtime=1550257076 logdesc="SSL VPN login fail" action="ssl-login-fail" tun-
neltype="ssl-web" tunnelid=0 remip=10.1.100.254 user="u1" group="g1" dst_host="N/A" reas-
on="sslvpn_login_password_expired" msg="SSL user failed to logged in"
SSL VPN with RADIUS password renew on FortiAuthenticator
This topic provides a sample configuration of SSL VPN for RADIUS users with Force Password Change on next logon.
In this example, the RADIUS server is a FortiAuthenticator. A user test1 is configured on FortiAuthenticator with Force
password change on next logon.

d. Click OK.
2. Create a RADIUS user.
a. Go to User & Device > RADIUS Servers to create a user.
b. Set Authentication method to MS-CHAP-v2.
c. Enter the IP/Name and Secret.
d. Click Create.
Password renewal only works with the MS-CHAP-v2 authentication method.

SSL VPN 681
e. To enable the password-renew option, use these CLI commands.

config user radius
edit "fac"
set server "172.20.120.161"
set secret <fac radius password>
set auth-type ms_chap_v2
set password-renewal enable
next
end
3. Configure user group.

a. Go to User & Device > User Groups to create a user group.
b. For the Name, enter fac-group.
c. In Remote Groups, click Add to add Remote Server you just created.
f. Create new Authentication/Portal Mapping for group fac-group mapping portal full-access.
b. Fill in the firewall policy name, in this example, sslvpn certificate auth.
d. Set the Source Address to all and Source User to fac-group.
network, in this example, port1.
h. Enable NAT.
j. Click OK.

edit "wan1"
set vdom "root"
set ip 172.20.120.123 255.255.255.0
next
end

SSL VPN 682
edit "port1"
set vdom "root"
set ip 192.168.1.99 255.255.255.0
next
end
edit "192.168.1.0"
set subnet192.168.1.0 255.255.255.0
next
end
3. Configure the RADIUS server.

config user radius
edit "fac"
set server "172.18.58.107"
set secret <fac radius password>
set auth-type ms_chap_v2
next
end

config user group
edit "fac-group"
set member "fac"
next
end

edit "full-access"
set web-mode enable
next
end

edit 1
set groups "fac-group"
next
end

SSL VPN 683
edit 1
set dstintf "port1"
set srcaddr "all"
set groups “fac-group”
set action accept
set service "ALL"
set nat enable
next
end

edit "wan1"
set vdom "root"
set ip 172.20.120.123 255.255.255.0
next
end
edit "port1"
set vdom "root"
set ip 192.168.1.99 255.255.255.0
next
end
edit "192.168.1.0"
set subnet192.168.1.0 255.255.255.0
next
end

config user local
edit "sslvpnuser1"
set type password
next
end
config user group
edit "sslvpngroup"
next
end
4. Configure and assign the password policy.


SSL VPN 684

edit "pwpolicy1"
set expire-days 2
set warn-days 1
next
end

config user local
edit "sslvpnuser1"
set type password
next
end

edit "full-access"
set web-mode enable
next
end

edit 1
next
end
edit 1
set dstintf "port1"
set srcaddr "all"
set action accept
set service "ALL"
set nat enable
next
end

SSL VPN 685
2. Log in using the test1 credentials.
Use a user which is configured on FortiAuthenticator with Force password change on next logon.
3. Click Login. You are prompted to enter a new password.

l Set Remote Gateway to the IP of the listening FortiGate interface, in this example, 172.20.120.123.
6. Log in using the test1 credentials.
You are prompted to enter a new password.
get vpn ssl monitor

0 test1 1(1) 229 10.1.100.254 0/0 0/0
SSL VPN sessions:

get vpn ssl monitor

0 test1 1(1) 291 10.1.100.254 0/0 0/0
SSL VPN sessions:

0 test1 10.1.100.254 9 22099/43228 10.212.134.200

SSL VPN 686
SSL VPN with LDAP user password renew
This topic provides a sample configuration of SSL VPN for LDAP users with Force Password Change on next logon. In
this example, the LDAP server is a Windows 2012 AD server. A user ldu1 is configured on Windows 2012 AD server with
Force password change on next logon.
You must have generated and exported a CA certificate from the AD server and then have imported it as an external CA
certificate into the FortiGate.

d. Click OK.
2. Import CA certificate into FortiGate.
a. Go to System > Features Visibility and enable Certificates.
b. Go to System > Certificates and select Import > CA Certificate.
c. Select Local PC and then select the certificate file.
d. If you want, you can use CLI commands to rename the system-generated CA_Cert_1 to be more descriptive:
rename CA_Cert_1 to LDAPS-CA
end

SSL VPN 687
3. Configure the LDAP user.

a. Go to User & Device > LDAP Servers > Create New.
l Specify Name and Server IP/Name.
l Specify Common Name Identifier, Distinguished Name.
l Set Bind Type to Regular.
l Specify Username and Password.
l Enable Secure Connection and set Protocol to LDAPS.
l For Certificate, select LDAP server CA LDAPS-CA from the list.
b. To enable the password-renew option, use these CLI commands.
config user ldap
edit "ldaps-server"
set password-expiry-warning enable
next
end

a. Go to User & Device > User Groups to create a user group.
b. Enter a Name.
c. In Remote Groups, click Add to add ldaps-server.
f. Create new Authentication/Portal Mapping for group ldaps-group mapping portal full-access.
b. Fill in the firewall policy name, in this example, sslvpn certificate auth.
d. Set the Source Address to all and Source User to ldaps-group.
network, in this example, port1.
h. Enable NAT.
j. Click OK.

SSL VPN 688

edit "wan1"
set vdom "root"
set ip 172.20.120.123 255.255.255.0
next
end
edit "port1"
set vdom "root"
set ip 192.168.1.99 255.255.255.0
next
end
edit "192.168.1.0"
set subnet192.168.1.0 255.255.255.0
next
end
3. Import CA certificate into FortiGate.

a. Go to System > Features Visibility and enable Certificates.
b. Go to System > Certificates and select Import > CA Certificate.
c. Select Local PC and then select the certificate file.
d. If you want, you can use CLI commands to rename the system-generated CA_Cert_1 to be more descriptive:
rename CA_Cert_1 to LDAPS-CA
end

config user ldap
edit "ldaps-server"
set server "172.20.120.161"
set cnid "cn"
set dn "cn=Users,dc=qa,dc=fortinet,dc=com"
set type regular
set username "CN=Administrator,cn=users,DC=qa,DC=fortinet,DC=com"
set password ENC
Uf/OvqAbjSpeZz4wv9Tapl3xyMn1DGSTSxb2ZAB5dA5kVd0wVsGaeAhuX1Hl7mRtJQdRL8L2mzSfV6NTyQsdJ8E+rZy
mImS2rfQg0OZ0IRRYKp0v3qFXgsmW9x9xRP2u79OcpUR5JmnnW8DFnK9jSUGix+DvYpbBn8EwweoDQq55Ej9FLwKSBY
iYZs18V9ktSxT49w==
set group-member-check group-object
set secure ldaps
set ca-cert "LDAPS-CA"
set port 636
set password-expiry-warning enable
next
end

SSL VPN 689

config user group
edit "ldaps-group"
set member "ldaps-server"
next
end

edit "full-access"
set web-mode enable
next
end

edit 1
set groups "ldaps-group"
next
end
edit 1
set dstintf "port1"
set srcaddr "all"
set groups “ldaps-group”
set action accept
set service "ALL"
set nat enable
next
end
2. Log in using the ldu1 credentials.
Use a user which is configured on FortiAuthenticator with Force password change on next logon.
3. Click Login. You are prompted to enter a new password.

SSL VPN 690

l Set Remote Gateway to the IP of the listening FortiGate interface, in this example, 172.20.120.123.
6. Log in using the ldu1 credentials.
You are prompted to enter a new password.
get vpn ssl monitor

0 ldu1 1(1) 229 10.1.100.254 0/0 0/0
SSL VPN sessions:

get vpn ssl monitor

0 ldu1 1(1) 291 10.1.100.254 0/0 0/0
SSL VPN sessions:

0 ldu1 10.1.100.254 9 22099/43228 10.212.134.200
SSL VPN troubleshooting
This topic provides a tips for SSL VPN troubleshooting.

SSL VPN 691
Diagnose commands
SSL VPN debug command
Use the following diagnose commands to identify SSL VPN issues. These commands enable debugging of SSL VPN
with a debug level of -1. The -1 debug level produces detailed results.
diagnose debug application sslvpn -1
diagnose debug enable
The CLI displays debug output similar to the following:

FGT60C3G10002814 # [282:root]SSL state:before/accept initialization (172.20.120.12)
[282:root]SSL state:SSLv3 read client hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write server hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write change cipher spec A (172.20.120.12)
[282:root]SSL state:SSLv3 write finished B (172.20.120.12)
[282:root]SSL state:SSLv3 flush data (172.20.120.12)
[282:root]SSL state:SSLv3 read finished A:system lib(172.20.120.12)
[282:root]SSL state:SSLv3 read finished A (172.20.120.12)
[282:root]SSL state:SSL negotiation finished successfully (172.20.120.12)
[282:root]SSL established: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
To disable the debug:
diagnose debug disable

diagnose debug reset
Remote user authentication debug command
Use the following diagnose commands to identify remote user authentication issues.
diagnose debug application fnbamd -1
diagnose debug reset
Common issues
To troubleshoot getting no response from the SSL VPN URL:
1. Go to VPN > SSL-VPN Settings.

a. Check the SSL VPN port assignment.
b. Check the Restrict Access settings to ensure the host you are connecting from is allowed.
2. Go to Policy > IPv4 Policy or Policy > IPv6 policy.
a. Check that the policy for SSL VPN traffic is configured correctly.
b. Check the URL you are attempting to connect to. It should follow this pattern:
https://<FortiGate IP>:<Port>
c. Check that you are using the correct port number in the URL. Ensure FortiGate is reachable from the
computer.
ping <FortiGate IP>

SSL VPN 692
d. Check the browser has TLS 1.1, TLS 1.2, and TLS 1.3 enabled.
To troubleshoot FortiGate connection issues:
1. Check the Release Notes to ensure that the FortiClient version is compatible with your version of FortiOS.
2. FortiClient uses IE security setting, In IE Internet Option > Advanced > Security, check that Use TLS 1.1 and Use
TLS 1.2 are enabled.
3. Check that SSL VPN ip-pools has free IPs to sign out. The default ip-pools SSLVPN_TUNNEL_ADDR1 has 10 IP
addresses.
4. Export and check FortiClient debug logs.
a. Go to File > Settings.
b. In the Logging section, enable Export logs.
c. Set the Log Level to Debug and select Clear logs.
d. Try to connect to the VPN.
e. When you get a connection error, select Export logs.
To troubleshoot SSL VPN hanging or disconnecting at 98%:
1. A new SSL VPN driver was added to FortiClient 5.6.0 and later to resolve SSL VPN connection issues. If your
FortiOS version is compatible, upgrade to use one of these versions.
2. Latency or poor network connectivity can cause the default login timeout limit to be reached on the FortiGate. In
FortiOS 5.6.0 and later, use the following commands to allow a user to increase timers related to SSL VPN login.
set login-timeout 180 (default is 30)
set dtls-hello-timeout 60 (default is 10)
end
To troubleshoot tunnel mode connections shutting down after a few seconds:
This might occur if there are multiple interfaces connected to the Internet, for example, SD-WAN. This can cause the
session to become “dirty”. To allow multiple interfaces to connect, use the following CLI commands.
If you are using a FortiOS 6.0.1 or later:
edit <name>
set preserve-session-route enable
next
end
If you are using a FortiOS 6.0.0 or earlier:

set route-source-interface enable
end
To troubleshoot users being assigned to the wrong IP range:
1. Go to VPN > SSL-VPN Portals and VPN > SSL-VPN Settings and ensure the same IP Pool is used in both
places.
Using the same IP Pool prevents conflicts. If there is a conflict, the portal settings are used.

SSL VPN 693
To troubleshoot slow SSL VPN throughput:
Many factors can contribute to slow throughput.

This recommendation is try improving throughput by using the FortiOS Datagram Transport Layer Security (DTLS)
tunnel option, available in FortiOS 5.4 and above.
DTLS allows the SSL VPN to encrypt the traffic using TLS and uses UDP as the transport layer instead of TCP. This
avoids retransmission problems that can occur with TCP-in-TCP.
FortiClient 5.4.0 to 5.4.3 uses DTLS by default. FortiClient 5.4.4 and later uses normal TLS, regardless of the DTLS
setting on the FortiGate.
To use DTLS with FortiClient:
1. Go to File > Settings and enable Preferred DTLS Tunnel.
To enable DTLS tunnel on FortiGate, use the following CLI commands:
set dtls-tunnel enable
end

VM
Amazon Web Services
See the FortiOS 6.2.0 AWS Cookbook.
Microsoft Azure
See the FortiOS 6.2.0 Azure Cookbook.
Google Cloud Platform
See the FortiOS 6.2.0 GCP Cookbook.
Oracle OCI
See the FortiOS 6.2.0 OCI Cookbook.
AliCloud
See the FortiOS 6.2.0 AliCloud Cookbook.
Private cloud
See the FortiOS 6.2.0 VMware ESXi Cookbook.
FortiGate multiple connector support
This guide shows how to configure Fabric connectors and resolve dynamic firewall addresses through the configured
Fabric connector in FortiOS.

VM 695
FortiOS supports multiple Fabric connectors including public connectors (AWS, Azure, GCP, OCI, AliCloud) and private
connectors (Kubernetes, VMware ESXi, VMware NSX, OpenStack, Cisco ACI, Nuage). FortiOS also supports multiple
instances for each type of Fabric connector.
This guide uses an Azure Fabric connector as an example. The configuration procedure for all supported Fabric
connectors is the same. In the following topology, the FortiGate accesses the Azure public cloud through the Internet:
This process consists of the following:

1. Configure the interface.
2. Configure a static route to connect to the Internet.
3. Configure two Azure Fabric connectors with different client IDs.
4. Check the configured Fabric connectors.
5. Create two firewall addresses.
6. Check the resolved firewall addresses after the update interval.
7. Run diagnose commands.
To configure the interface:
1. In FortiOS, go to Network > Interfaces.

2. Edit port1:
a. From the Role dropdown list, select WAN.
b. In the IP/Network Mask field, enter 10.6.30.4/255.255.255.0 for the interface connected to the Internet.
To configure a static route to connect to the Internet:
1. Go to Network > Static Routes. Click Create New.

2. In the Destination field, enter 0.0.0.0/0.0.0.0.
3. From the Interface dropdown list, select port1.
4. In the Gateway Address field, enter 10.60.30.254.
To configure two Azure Fabric connectors with different client IDs:

2. Click Create New. Configure the first Fabric connector:
a. Select Microsoft Azure.
b. In the Name field, enter azure1.
c. In the Status field, select Enabled.
d. From the Server region dropdown list, select Global.
e. In the Tenant ID field, enter the tenant ID. In this example, it is 942b80cd-1b14-42a1-8dcf-4b21dece61ba.
f. In the Client ID field, enter the client ID. In this example, it is 14dbd5c5-307e-4ea4-8133-68738141feb1.
g. In the Client secret field, enter the client secret.

VM 696
h. Leave the Resource path disabled.

i. Click OK.
3. Click Create New. Configure the second Fabric connector:
a. Select Microsoft Azure.
b. In the Name field, enter azure2.
c. In the Status field, select Enabled.
d. From the Server region dropdown list, select Global.
e. In the Tenant ID field, enter the tenant ID. In this example, it is 942b80cd-1b14-42a1-8dcf-4b21dece61ba.
f. In the Client ID field, enter the client ID. In this example, it is 3baf0a6c-44ff-4f94-b292-07f7a2c36be6.
g. In the Client secret field, enter the client secret.
h. Leave the Resource path disabled.
i. Click OK.
To check the configured Fabric connectors:

2. Click the Refresh icon in the upper right corner of each configured Fabric connector. A green up arrow appears in
the lower right corner, meaning that both Fabric connectors are connected to the Azure cloud using different client
IDs.
To create two firewall addresses:
This process creates two Fabric connector firewall addresses to associate with the configured Fabric connectors.
2. Click Create New > Address. Configure the first Fabric connector firewall address:
a. In the Name field, enter azure-address-1.
b. From the Type dropdown list, select Fabric Connector address.
c. From the SDN Connector dropdown list, select azure1.
d. For SDN address type, select Private.
e. From the Filter dropdown list, select the desired filter.
f. For Interface, select any.
g. Click OK.
3. Click Create New > Address. Configure the second Fabric connector firewall address:
a. In the Name field, enter azure-address-1.
b. From the Type dropdown list, select Fabric Connector address.
c. From the SDN Connector dropdown list, select azure2.
d. For SDN address type, select Private.
e. From the Filter dropdown list, select the desired filter.
f. For Interface, select any.
g. Click OK.
To check the resolved firewall addresses after the update interval:
By default, the update interval is 60 seconds.

VM 697

2. Hover over the created addresses. The firewall address that the configured Fabric connectors resolved display.
Run the show sdn connector status command. Both Fabric connectors should appear with a status of
connected.
Run the diagnose debug application azd -1 command. The output should look like the following:
Level2-downstream-D # diagnose debug application azd -1
...
azd sdn connector azure1 start updating IP addresses
azd checking firewall address object azure-address-1, vd 0
IP address change, new list:
10.18.0.4
...
To restart the Azure Fabric connector daemon, run the diagnose test application azd 99 command.

WiFi 698
WiFi
FortiAP management
Configuring the FortiGate interface to manage FortiAP units
This guide describes how to configure a FortiGate interface to manage FortiAPs.
Based on the above topology, this example uses port16 as the interface used to manage connection to FortiAPs.
1. You must enable a DHCP server on port16:
a. In FortiOS, go to Network > Interfaces.
b. Double-click port16.
c. In the IP/Network Mask field, enter an IP address for port16.
d. Enable DHCP Server, keeping the default settings.
2. If desired, you can enable the VCI-match feature using the CLI. When VCI-match is enabled, only devices with a
VCI name that matches the preconfigured string can acquire an IP address from the DHCP server. To configure
VCI-match, run the following commands:
edit 1
set interface port16
set vci-match enable
set vci-string "FortiAP"
next
end
3. As it is a minimum management requirement that FortiAP establish a CAPWAP tunnel with the FortiGate, you
must enable CAPWAP access on port16 to allow it to manage FortiAPs:
b. Double-click port16.
c. Under Administrative Access, select CAPWAP.
d. Click OK.
4. To create a new FortiAP entry automatically when a new FortiAP unit is discovered, run the following command. By
default, this option is enabled.
edit port16
set allow-access capwap
set ap-discover enable|disable
next
end
5. To allow FortiGate to authorize a newly discovered FortiAP to be controlled by the FortiGate, run the following
command. By default, this option is disabled.

WiFi 699

edit port16
set allow-access capwap
set auto-auth-extension-device enable|disable
next
end
Discovering, authorizing, and deauthorizing FortiAP units
Discovering a FortiAP unit
For a FortiGate acting as an AP controller (AC) to discover a FortiAP unit, the FortiAP must be able to reach the AC. A
FortiAP with the factory default configuration has various ways of acquiring an AC's IP address to reach it.
AC discovery type Description
Auto The FortiAP attempts to be discovered in the below ways sequentially within an
endless loop.
Static The FortiAP sends discover requests to a preconfigured IP address that an

AC owns.
DHCP The FortiAP acquires the IP address of an AC in DHCP option 138 (the factory
default) of a DHCP offer, which the FortiAP acquires its own IP address from.
DNS The FortiAP acquires the AC's IP address by resolving a preconfigured FQDN.
FortiCloud FortiCloud discovers the FortiAP.
Broadcast FortiAP is discovered by sending broadcasts in its local subnet.
Multicast FortiAP is discovered by sending discovery requests to a multicast address of

224.0.1.140, which is the factory default.

WiFi 700
AC actions when a FortiAP attempts to get discovered
Enable the ap-discover setting on the AC for the interface designed to manage FortiAPs:
edit "lan"
set ap-discover enable
next
end
The set ap-discover enable setting allows the AC to create an entry in the Managed FortiAPs table when it
receives the FortiAP's discovery request. The ap-discover setting is enabled by the factory default settings. When
the FAP entry is created automatically, it is marked as discovered status, and is pending for administrator's
authorization, unless the following setting is present.
edit "lan"
set auto-auth-extension-device enable
next
end
The above set auto-auth-extension-device enable setting will allow AC authorize an new discovered FAP
automatically without administrator's manual authorization operation. The auto-auth-extension-device setting
is disabled by factory default.
Authorize a discovered FAP
Once the FAP discovery request is received by AC, an FAP entry will be added to Managed FAP table, and shown on
GUI > Managed FortiAP list page.

WiFi 701
To authorize the specific AP, click to select the FAP entry, then click Authorize button on the top of the table or
Authorize entry in the pop-out menu.
Through GUI, authorization can also be done in FAP detail panel, under Action menu.
The authorization can also be done through CLI with follow commands.

WiFi 702
config wireless-controller wtp

edit "FP423E3X16000320"
set admin enable
next
end
De-authorize a managed FAP
To de-authorize a managed FAP, click to select the FAP entry, then click Deauthorize button on the top of the table or
Deauthorize entry in the pop-out menu.
Through GUI, de-authorization can also be done in FAP detail panel, under Action menu.

WiFi 703
The de-authorization can also be done through CLI with follow commands.
edit "FP423E3X16000320"
set admin discovered
next
end
Set up a mesh connection between FortiAP units
To set up a WiFi mesh connection, a minimum of three devices are required:

1. A FortiGate as the AP Controller (AC)
2. A FortiAP as the Mesh Root AP (MRAP)
3. A FortiAP as a Mesh Leaf AP (MLAP).

WiFi 704
Configuring the AC
These instructions assume that the MRAP is already being managed by the AC (see Configuring the FortiGate interface
to manage FortiAP units on page 698 and Discovering, authorizing, and deauthorizing FortiAP units on page 699).
To configure the AC:
1. Go to WiFi & Switch Controller > SSID and create a mesh SSID.
2. Go to WiFi & Switch Controller > Managed FortiAPs, edit the MRAP, and assign the mesh SSID to the MRAP,
and wait for a connection.
Configuring the MLAP
The MLAP can be configured to use the mesh link as its Main uplink or a Backup link for Ethernet connections.

WiFi 705
To configure the MLAP:
1. On the FortiAP, go to Connectivity.
2. Set Uplink to Mesh or Ethernet with mesh backup support.

3. Enter a mesh SSID and password.
4. Optionally, select Ethernet Bridge (see Main uplink on page 705). This option is not available if Uplink is set to
Ethernet with mesh backup support.
Once the MLAP has joined the AC, it can be managed in the same way as a wired AP.
A mesh SSID can also be assigned to an MLAP for other downstream MLAPs, creating a multi-hop WiFi mesh network.
The maximum hop count has a default value of 4, and can be configured in the FAP console with the following
commands:
cfg -a MESH_MAX_HOPS=n
cfg -c
Main uplink
When a mesh link is set as the main uplink of the MLAP, the Ethernet port on the MLAP can be set up as a bridge to the
mesh link. This allows downstream wired devices to use the mesh link to connect to the network.
To enable a mesh Ethernet bridge, select Ethernet Bridge in the FortiAP Connectivity section in the GUI, or use the
following console commands:
cfg -a MESH_ETH_BRIDGE=1
cfg -c
Backup link for Ethernet connections
When a mesh link is set to be the backup link for an Ethernet connection, the mesh link will not be established unless
the Ethernet connection goes offline. When a mesh link is in this mode, the Ethernet port cannot be used as a bridge to
the mesh link.

WiFi 706
SSID authentication
Replacing the Fortinet_Wifi certificate
These instruction apply to FortiWiFi devices using internal WiFi radios and
FortiGate/FortiWiFi devices configured as WiFi Controllers that are managing FortiAP
devices, and have WiFi clients that are connected to WPA2-Enterprise SSID and
authenticated with local user groups.
On FortiOS, the built-in Fortinet_Wifi certificate is a publicly signed certificate that is only used in WPA2-Enterprise
SSIDs with local user-group authentication. The default WiFi certificate configuration is:
set wifi-ca-certificate "Fortinet_Wifi_CA"
set wifi-certificate "Fortinet_Wifi"
end
WiFi administrators must consider the following factors:

l The Fortinet_Wifi certificate is issued to Fortinet Inc. with common name (CN) auth-cert.fortinet.com. If a
company or organization requires their own CN in their WiFi deployment, they must replace it with their own
certificate.
l The Fortinet_Wifi certificate has an expire date. When it is expiring, it must be renewed or replaced with a new
certificate.
To replace the Fortinet_Wifi certificate:
1. Get new certificate files, including a root CA certificate, a certificate signed by the CA, and the corresponding
private key file:
Purchase a publicly signed certificate from a commercial certificate service provider, or generate a self-signed
certificate.
2. Import the new certificate files into FortiOS:
a. On the FortiGate, go to System > Certificates.
If VDOMs are enable, got to Global > System > Certificates.
b. Click Import > CA Certificate.

WiFi 707
c. Set the Type to File and upload the CA certificate file from the management computer.
d. Click OK.
The imported CA certificate is named CA_Cert_N, or G_CA_Cert_N when VDOMs are enabled, where N
starts from 1 and increments for each imported certificate, and G stands for global range.
e. Click Import > Local Certificate.
f. Set the Type to Certificate, upload the certificate file and key file, enter the password, and enter the certificate
name.
g. Click OK.
The imported certificates are listed on the Certificates page.
3. Change the WiFi certificate settings:
a. Go to System > Settings and scroll down to the WiFi Settings section.
b. In the WiFi certificate drop-down, select the imported local certificate.

WiFi 708
c. In the WiFi CA certificate drop-down, select the imported CA certificate.
d. Click Apply.
The following CLI command can also be used to change the WiFi certificate settings:
set wifi-ca-certificate <name of the imported CA certificate>
set wifi-certificate <name of the imported certificate signed
by the CA>
end
Notes
If necessary, the factory default certificates can also be used to replace the certificates:
set wifi-ca-certificate "Fortinet_CA"
set wifi-certificate "Fortinet_Factory"
end
As the factory default certificates are self-signed, WiFi clients will need to accept it at the
connection prompt, or import the Fortinet_CA certificate to validate it.
If the built-in Fortinet_Wifi certificate has expired and not been renewed or replaced, WiFi
clients can still connect to the WPA2-Enterprise SSID with local user-group authentication by
ignoring any prompted warning messages or bypassing Validate server certificate (or similar)
options.
The Fortinet_Wifi certificate can be updated automatically through the FortiGuard service
certificate bundle update.

WiFi 709
Deploying WPA2-Personal SSID to FortiAP units
The guide provides simple configuration instructions for developing WPA2-Personal SSID with FortiAP. The steps
include creating an SSID, selecting the SSID for the FortiAP, and creating a policy from the SSID to the Internet.
The following shows a simple network topology for this recipe:
To deploy WPA2-Personal SSID to FortiAP units on the FortiOS GUI:
1. Create a WPA2-Personal SSID:

a. Go to WiFi & Switch Controller > SSID, select SSID, then click Create New.
b. Enter the desired interface name. For Traffic mode, select Tunnel.
c. In the Address > IP/Network Mask field, enter the IP address. DHCP Server is enabled by default. You can
modify the DHCP IP address range manually.
d. In the SSID field, enter the desired SSID name. For Security, select WPA2 Personal.
e. In the Pre-Shared Key field, enter the password. The password must be 8 to 63 characters long, or exactly 64
academical digits.
f. Click OK.
2. Select the SSID on a managed FortiAP. The following configuration is based on a example using a managed
FortiAP-320C and a "FAP320C-default" profile that is applied to the FortiAP-320C. Do one of the following:
a. Select the SSID by editing the FortiAP:
i. Go to WiFi & Switch Controller > Managed FortiAPs. Select the FortiAP-320C and click Edit.
ii. Ensure that Managed AP Status is Connected.
iii. Under WiFi Setting, ensure that the configured FortiAP profile is the desired profile, in this case
FAP320C-default. Click Edit entry.
iv. To broadcast the SSID from 2.4 G radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to select
the Fortinet-PSK SSID.
v. To broadcast the SSID from 5 G radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to select the
Fortinet-PSK SSID.
vi. Click OK.
b. Select the SSID by editing the FortiAP profile:
i. Go to WiFi & Switch Controller > FortiAP Profile. Select the FAP320C-default profile, then click Edit.
ii. To broadcast the SSID from 2.4 G radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to create
iii. To broadcast the SSID from 5 G radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to create
iv. Click OK.
3. Create the SSID-to-Internet firewall policy:
a. Go to Policy & Objects > IPv4 Policy, then click Create New.
b. Enter the desired policy name.

WiFi 710
c. From the Incoming Interface dropdown list, select the source interface, such as wifi-vap.
d. From the Outgoing Interface dropdown list, select the destination interface, such as wan1.
e. In the Source and Destination fields, select all. In the Service field, select ALL. If desired, you can configure
different values for these fields.
f. Click OK.
To deploy WPA2-Personal SSID to FortiAP units using the FortiOS CLI:
1. Create a WPA2-Personal SSID:

a. Create a VAP interface named "wifi-vap":
config wireless-controller vap
edit "wifi-vap"
set ssid "Fortinet-psk"
set security wpa2-only-personal
set passphrase fortinet
next
end
b. Configure an IP address and enable DHCP:
edit "wifi-vap"
set ip 10.10.80.1 255.255.255.0
next
end
edit 1
set interface "wifi-vap"
config ip-range
edit 1
set end-ip 10.10.80.254
next
end
next
end
FortiAP-320C and a "FAP320C-default" profile that is applied to the FortiAP-320C:
edit "FP320C3X14000640"
set admin enable
set wtp-profile "FAP320C-default"
next
end
config wireless-controller wtp-profile
edit "FAP320C-default"
config radio-1
set vap-all disable
set vaps "wifi-vap"
end
config radio-2
set vap-all disable

WiFi 711
set vaps "wifi-vap"

end
next
end
edit 1
set name "WiFi to Internet"
set srcintf "wifi-vap"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
set fsso disable
set nat enable
next
end
Deploying WPA2-Enterprise SSID to FortiAP units
The guide provides simple configuration instructions for developing WPA2-Enterprise SSID with FortiAP. The steps
include creating an SSID, selecting the SSID for the FortiAP, and creating a policy from the SSID to the Internet.
To deploy WPA2-Enterprise SSID to FortiAP units on the FortiOS GUI:
1. Create an SSID as WPA2-Enterprise. Do one of the following:

a. Create an SSID as WPA2-Enterprise with authentication from a RADIUS server:
i. Create a RADIUS server:
i. Go to User & Device > RADIUS Servers, then click Create New.
ii. Enter a server name.
iii. In the Primary Server > IP/Name field, enter the IP address or server name.
iv. In the Primary Server > Secret field, enter the secret key.
v. Click Test Connectivity to verify the connection with the RADIUS server.
vi. Click Test User Credentials to verify that the user account can be authenticated with the
RADIUS server.
vii. Click OK.

WiFi 712
ii. Create a WPA2-Enterprise SSID:

i. Go to WiFi & Switch Controller > SSID, select SSID, then click Create New.
ii. Enter the desired interface name. For Traffic mode, select Tunnel.
iii. In the Address > IP/Network Mask field, enter the IP address. DHCP Server is enabled by default.
You can modify the DHCP IP address range manually.
iv. In the SSID field, enter the desired SSID name. For Security, select WPA2 Enterprise.
v. In the Authentication field, select RADIUS Server. From the dropdown list, select the
RADIUS server created in step i.
vi. Click OK.
b. Create an SSID as WPA2-Enterprise with authentication from a user group:
i. Create a user group:
i. Go to User & Device > User Groups, then click Create New.
ii. Enter the desired group name.
iii. For Type, select Firewall.
iv. For Remote Groups, click the + button. In the dropdown list, select the desired RADIUS server. Click
OK.
v. Click OK.
ii. Create a WPA2-Enterprise SSID:
1. Go to WiFi & Switch Controller > SSID, select SSID, then click Create New.
2. Enter the desired interface name. For Traffic mode, select Tunnel.
3. In the Address > IP/Network Mask field, enter the IP address. DHCP Server is enabled by default.
You can modify the DHCP IP address range manually.
4. In the SSID field, enter the desired SSID name. For Security, select WPA2 Enterprise.
5. In the Authentication field, select RADIUS Server. From the dropdown list, select the
RADIUS server created in step i.
6. Click OK.
iv. To broadcast the SSID from 2.4 G radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to select
v. To broadcast the SSID from 5 G radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to select the
Fortinet-PSK SSID.
vi. Click OK.
iv. Click OK.

WiFi 713

f. Click OK.
To deploy WPA2-Enterprise SSID to FortiAP units using the FortiOS CLI:
1. Create a RADIUS server:

config user radius
edit "wifi-radius"
set server "172.16.200.55"
set secret fortinet
next
end
2. Create a user group:
config user group
edit "group-radius"
set member "wifi-radius"
next
end
3. Create a WPA2-Enterprise SSID:
a. Create an SSID with authentication from the RADIUS server:
edit "wifi-vap"
set ssid "Fortinet-Ent-Radius"
set security wpa2-only-enterprise
set auth radius
set radius-server "wifi-radius"
next
end
b. Create an SSID with authentication from the user group:
edit "wifi-vap"
set ssid "Fortinet-Ent-Radius"
set security wpa2-only-enterprise
set auth usergroup
set usergroup "group-radius"
next
end
c. Configure an IP address and enable DHCP:
edit "wifi-vap"
set ip 10.10.80.1 255.255.255.0
next
end
edit 1

WiFi 714

config ip-range
edit 1
set end-ip 10.10.80.254
next
end
next
end
edit "FP320C3X14000640"
set admin enable
next
end
config radio-1
set vap-all disable
set vaps "wifi-vap"
end
config radio-2
set vap-all disable
set vaps "wifi-vap"
end
next
end
edit 1
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
set fsso disable
set nat enable
next
end
Deploying captive portal SSID to FortiAP units
The guide provides simple configuration instructions for developing captive portal SSID with FortiAP. The steps include
creating an SSID, selecting the SSID for the FortiAP, and creating a policy from the SSID to the Internet.

WiFi 715
To deploy captive portal SSID to FortiAP units on the FortiOS GUI:
1. Create a local user:

a. Go to User & Device > User Definition, then click Create New.
b. In the Users/Groups Creation Wizard, select Local User, then click Next.
c. Enter the desired values in the Username and Password fields, then click Next.
d. On the Contact Info tab, fill in any information as desired, then click Next. You do not need to configure any
contact information for the user.
e. On the Extra Info tab, set the User Account Status to Enabled.
f. If the desired user group already exists, enable User Group, then select the desired user group.
g. Click Submit.
a. Go to User & Device > User Groups, then click Create New.
b. Enter the desired group name.
c. For Type, select Firewall.
d. For Members, click the + button. In the dropdown list, select the local user created in step 1. Click OK.
e. Click OK.
3. Create a captive portal SSID:
a. Go to WiFi & Switch Controller > SSID, select SSID, then click Create New.
b. Enter the desired interface name. For Traffic mode, select Tunnel.
c. In the Address > IP/Network Mask field, enter the IP address. DHCP Server is enabled by default. You can
modify the DHCP IP address range manually.
d. In the SSID field, enter the desired SSID name. For Captive Portal, select Security.
e. Configure the portal type as one of the following:
i. For Portal Type, select Authentication. In the User Group dropdown list, select the user group created in
step 2.
ii. For Portal Type, select Disclaimer + Authentication. In the User Group dropdown list, select the user
group created in step 2.
iii. For Portal Type, select Disclaimer Only.
iv. To configure the portal type as email collection, go to System > Feature Visibility, and enable Email
Collection, then select Email Collection for Portal Type.
f. Click OK.

WiFi 716
iv. To broadcast the SSID from 2.4 G radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to create
v. To broadcast the SSID from 5 G radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to create
vi. Click OK.
iv. Click OK.
f. Click OK.
To deploy captive portal SSID to FortiAP units using the FortiOS CLI:
1. Create a local user:

config user local
edit "local"
set type password
set passwd 123456
next
end
config user group
edit "group-local"
set member "local"
next
end
3. Create a captive portal SSID. Do one of the following:
a. Create a captive portal SSID with portal type Authentication:
edit "wifi-vap"
set ssid "Fortinet-Captive"
set security captive-portal
set portal-type auth
set selected-usergroups "group-local"
next
end
b. Create a captive portal SSID with portal type Disclaimer + Authentication:

WiFi 717
edit "wifi-vap"
set portal-type auth+disclaimer
set selected-usergroups "group-local"
next
end
c. Create a captive portal SSID with portal type Disclaimer Only:
edit "wifi-vap"
set portal-type disclaimer
next
end
d. Create a captive portal SSID with portal type Email Collection:
edit "wifi-vap"
set portal-type email-collect
next
end
e. Configure an IP address and enable DHCP:
edit "wifi-vap"
set ip 10.10.80.1 255.255.255.0
next
end
edit 1
config ip-range
edit 1
set end-ip 10.10.80.254
next
end
next
end
edit "FP320C3X14000640"
set admin enable
next
end
config radio-1
set vap-all disable

WiFi 718
set vaps "wifi-vap"

end
config radio-2
set vap-all disable
set vaps "wifi-vap"
end
next
end
edit 1
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
set fsso disable
set nat enable
next
end
Configuring quarantining on SSID
This guide provides instructions on simple configuration for on SSID. Consider the following for this feature:
l The quarantine function only works with SSID tunnel mode.
l The quarantine function is independent of SSID security mode.
To quarantine a wireless client on the FortiOS GUI:
1. In FortiOS, go to the policy applied to the SSID and enable All Sessions for Log Allowed Traffic.
2. Edit the SSID:
a. Go to WiFi & Switch Controller > SSID, and select the desired SSID.
b. Enable Device Detection.
c. Enable Quarantine Host.
d. Click OK.

WiFi 719
3. Quarantine a wireless client:

a. Do one of the following:
i. Go to Security Fabric > Physical Topology. View the topology by access device.
ii. Go to FortiView > Traffic from LAN/DMZ > Source.
iii. Go to FortiView > Traffic from LAN/DMZ > WiFi Clients.
b. Right-click the wireless client, then click Quarantine Host.
To quarantine a wireless client using the FortiOS CLI:
1. Under global quarantine settings, enable quarantine:

set quarantine enable
end
2. Under virtual access point (VAP) settings, enable quarantine:
edit wifi-vap
set quarantine enable
next
end
3. Quarantine a wireless client. The example client has the MAC address b4:ae:2b:cb:d1:72:
config targets
edit "DESKTOP-Surface"
config macs
edit b4:ae:2b:cb:d1:72
set description "Surface"
next
end
next
end
end
Configuring MAC filter on SSID
This guide provides instructions on simple configuration for enabling MAC filter on SSID. Consider the following for this
feature:
l The MAC filter function is independent of the SSID security mode.
l To enable MAC filter on SSID, you must first configure the wireless controller address and wireless controller
address group. This is covered in the CLI instructions below.

WiFi 720
To block a specific client from connecting to the SSID using MAC filter:
1. Create a wireless controller address with the same MAC address as the client and set the policy to deny. In this
example, the client's MAC address is b4:ae:2b:cb:d1:72:
config wireless-controller address
edit "client_1"
set mac b4:ae:2b:cb:d1:72
set policy deny
next
end
2. Create a wireless controller address group. Select the above address. Set the default policy to allow:
config wireless-controller addrgrp
edit mac_grp
set addresses "client_1"
set default-policy allow
next
end
3. On the virtual access point, select the created address group:
edit wifi-vap
set address-group "mac_grp"
next
end
After this configuration, the client (MAC address b4:ae:2b:cb:d1:72) is denied from connecting to SSID Fortinet-
psk. Other clients, such as a client with MAC address e0:33:8e:e9:65:01, can connect.
To allow a specific client to connect to the SSID using MAC filter:
1. Create a wireless controller address with the same MAC address as the client and set the policy to deny. In this
example, the client's MAC address is b4:ae:2b:cb:d1:72:
config wireless-controller address
edit "client_1"
set mac b4:ae:2b:cb:d1:72
set policy deny
next
end
2. Create a wireless controller address group. Select the above address. Set the default policy to deny:
config wireless-controller addrgrp
edit mac_grp

WiFi 721
set addresses "client_1"

set default-policy deny
next
end
3. On the virtual access point, select the created address group:
edit wifi-vap
set address-group "mac_grp"
next
end
After this configuration, the client (MAC address b4:ae:2b:cb:d1:72) can connect to SSID Fortinet-psk. Other
clients, such as a client with MAC address e0:33:8e:e9:65:01, are denied from connecting.
Support for WPA3 on FAP
This feature is implemented on FortiOS 6.2.0 B0816 and FAP-S/W2 6.2.0 b0218. In October 2017, Mathy Vanhoef
published a document that exposed a flaw in WPA2 networks known as Key Reinstallation Attack (KRACK). To avoid the
attack, the Wi-Fi Alliance announced in January that WPA2 enhancements and a new WPA3 standard were coming in
2018.
The Wi-Fi Alliance defines three areas for improvement:

l Enhanced Open: The Wi-Fi Alliance proposes using Opportunistic Wireless Encryption (OWE) (RFC 8110)to
improve security in such networks.
l WPA3 Personal: WPA3-Personal utilizes Simultaneous Authentication of Equals (SAE).
l WPA3 Enterprise: WPA3-Enterprise contains a new 192-bit security level.
All three areas incorporate Protected Management Frames (PMF) as a prerequisite to protect management frame
integrity.
Configuration
1. WPA3 OWE
a. WPA3 OWE only: only Client which support WPA3 can connect with this SSID.
edit "80e_owe"
set ssid "80e_owe"
set security owe
set pmf enable
next
end
b. WPA3 OWE TRANSITION: Client connected with normal OPEN or OWE depends on its capability. If client
can support WPA3, it will connect with owe standard. If client not support WPA3, it will connect with Open
SSID.

WiFi 722

edit "80e_open"
set ssid "80e_open"
set security open
set owe-transition enable
set owe-transition-ssid "wpa3_open"
next
edit "wpa3_owe_tr"
set ssid "wpa3_open"
set broadcast-ssid disable
set security owe
set pmf enable
set owe-transition enable
set owe-transition-ssid "80e_open"
next
2. WPA3 SAE
a. WPA3 SAE: Client with WPA3 support can connect with the SSID.
edit "80e_sae"
set ssid "80e_sae"
set security wpa3-sae
set pmf enable
set sae-password 12345678
next
end
b. WPA3 SAE TRANSITION: There are two passwords in the SSID. Client will connect with WPA2 PSK if
passphrase is used. Client will connect with WPA3 SAE if sae-password is used.
edit "80e_sae-tr"
set ssid "80e_sae-transition"
set security wpa3-sae-transition
set pmf optional
set passphrase 11111111
set sae-password 22222222
next
end
3. WPA3 Enterprise: When select security as wpa3-enterprise, the auth type can choose either radius authentication
or local user authentication.
edit "80e_wpa3"
set ssid "80e_wpa3"
set security wpa3-enterprise
set pmf enable
set auth radius
set radius-server "wifi-radius"
next

WiFi 723
edit "80e_wpa3_user"
set ssid "80e_wpa3_user"
set security wpa3-enterprise
set pmf enable
set auth usergroup
set usergroup "usergroup"
next
end
Statistics
WiFi client monitor
The following shows a simple network topology when using FortiAPs with FortiGate:
To view connected WiFi clients on the FortiGate unit, go to Monitor > WiFi Client Monitor. The following columns
display:
Column Description
SSID SSID that the client connected to, such as the tunnel, bridge, or mesh.
FortiAP Serial number of the FortiAP unit that the client connected to.
User Username if using WPA enterprise authentication.
IP IP address assigned to the wireless client.
Device Wireless client device type.
Channel FortiAP operation channel.
Auth Authentication type used.
Channel WiFi radio channel in use.
Bandwidth Tx/Rx Client received and transmitted bandwidth in Kbps.
Signal Strength/Noise Signal-to-noise ratio in decibels calculated from signal strength and noise level.
Association Time How long the client has been connected to this AP.
Device OS Wireless device OS.
Manufacturer Wireless device manufacturer.
MIMO Wireless device MIMO information.

WiFi 724
WiFi health monitor
The following shows a simple network topology when using FortiAPs with FortiGate:
The Monitor > WiFi Health Monitor page displays the following charts:
l Active Clients: Currently active clients on each FortiAP
l AP Status: APs by status, sorted by those that have been up for over 24 hours, rebooted in the past 24 hours, and
down/missing
l Channel Utilization: Allow users to view 10-20 most and least utilized channels for each AP radio and a third
histogram view showing utilization counts

WiFi 725
l Client Count: Shows client count over time. Can view for the past hour, day, or 30 days.
l Login Failures: Time, SSID, hostname, and username for failed login attempts. The widget also displays the AP
name and group of FortiAP units with failed login attempts.
l Top Wireless Interference: Separate widgets for 2.4 GHz and 5 GHz bands. This requires spectrum analysis to
be enabled on the radios.
WiFi maps
WiFi maps allow you to place FortiAP units on a map, such as an office floor plan. This allows you to know where the
FortiAPs are and get their operating statuses at a glance.
To configure WiFi maps on the FortiOS GUI:
1. Create a WiFi map:

a. In FortiOS, go to WiFi & Switch Controller > WiFi Maps.
b. Click the Add Map button.
c. Specify the desired map name.
d. Upload the image file.
e. If desired, enable the Image grayscale option.
f. Set the Image opacity.
2. Place the FortiAP units on the map:
a. Unlock the map by clicking the lock icon in the top left corner.
b. Click Unplaced AP(s) beside the lock icon. This displays a list of candidate APs.

WiFi 726
c. Drag and drop the candidate FortiAPs from the list to the map as desired.
d. Once all desired FortiAPs have been placed on the map, lock the map.
3. Hover the cursor over a FortiAP icon to view the operating data per FortiAP unit.
4. To configure AP settings, click the FortiAP icon for that unit.
5. You can show numerical operating data on the FortiAP icons such as the client count, channel, operating TX power,
and channel utilization using the options in the dropdown list above the map.
To configure WiFi maps using the FortiOS CLI:
You can only upload the WiFi map image file using the FortiOS CLI.
config wireless-controller region
edit <MAP_NAME>
set grayscale enable|disable
set opacity 100 <0-100>
next
end
edit <FAP_SN>
set region <MAP_NAME
set region-x "0.419911" <0-1>
set region-y "0.349466" <0-1>
next
end
Fortinet Security Fabric
The following shows a simple network topology when using FortiAP as part of the Security Fabric:
The Security Fabric > Settings page on the root FortiGate lists all FortiAP devices on the CSF root and leaf.

WiFi 727
The Security Fabric > Physical Topology view on the root FortiGate shows the devices in the Security Fabric and the
devices they are connected to.
Wireless security
Enabling rogue AP scan
The guide provides simple configuration instructions for enabling ap-scan on FortiAP. The steps include creating a
WIDS profile and selecting the WIDS profile on the managed FortiAP.
To enable rogue AP scan on the FortiOS GUI:
1. Create a WIDS profile:
a. In FortiOS, go to WiFi & Switch Controller > WIDS Profiles. Click Create New.
b. Enable Enable Rogue AP Detection.
c. Complete the configuration, then click OK.
2. Select the WIDS profile for the managed FortiAP:
a. Go to WiFi & Switch Controller > FortiAP Profiles.
b. Select the FortiAP profile applied to the managed FortiAP, then click Edit.
c. Enable WIDS Profile. Select the profile created in step 1. Click OK.
To enable rogue AP scan using the FortiOS CLI:
config wireless-controller wids-profile
edit "example-wids-profile"
set ap-scan enable
next
end
edit "example-FAP-profile"
config platform
set type <FAP-model-number>

WiFi 728
end
set handoff-sta-thresh 55
set ap-country US
config radio-1
set band 802.11n
set wids-profile "example-wids-profile"
set vap-all disable
end
config radio-2
set band 802.11ac
set vap-all disable
end
next
end
Enabling rogue AP suppression
The guide provides simple configuration instructions for suppressing rogue APs on FortiAP. The steps include creating a
WIDS profile and suppressing rogue APs.
To enable rogue AP suppression on the FortiOS GUI:
b. For Sensor Mode, select Foreign and Home Channels.
c. Enable Enable Rogue AP Detection.
d. Complete the configuration, then click OK.
2. Select the WIDS profile for the managed FortiAP. The monitoring radio must be in Dedicated Monitor mode:
c. Select Dedicated Monitor on Radio 1 or Radio 2.
d. Enable WIDS Profile. Select the profile created in step 1. Click OK.
3. Suppress FortiAP:
a. Go to Monitor > Rogue AP Monitor.
b. Right-click the desired SSID, then select Mark as Rogue.
c. Right-click the SSID again, then select Suppress AP.
To enable rogue AP scan using the FortiOS CLI:
config wireless-controller wids-profile
edit "example-wids-profile"
set sensor-mode both
set ap-scan enable
next
end
config platform

WiFi 729

end
config radio-1
set mode monitor
end
next
end
3. Suppress FortiAP:
config wireless-controller ap-status
edit 1
set bssid 90:6c:ac:da:a7:f1
set ssid "example-SSID"
set status suppressed
next
end
Wireless Intrusion Detection System
The guide provides simple configuration instructions for enabling a Wireless Intrusion Detection System (WIDS) profile
on FortiAP.
To enable a WIDS profile on the FortiOS GUI:
b. In the Name field, enter the desired name.
c. Under Intrusion Detection Settings, enable all intrusion types as desired.
d. Complete the configuration, then click OK.
c. Enable WIDS Profile. Select the profile created in step 1. Click OK.
To enable a WIDS profile using the FortiOS CLI:

config platform
end
set handoff-sta-thresh 55
set ap-country US
config radio-1
set band 802.11n
set vap-all disable
end
config radio-2
set band 802.11ac
set vap-all disable

WiFi 730
end
next
end
Other
UTM security profile groups on FortiAP-S
This guide provides instructions for simple configuration of security profile groups for FortiAP, including creating security
profile groups and selecting profile groups for the SSID.
This feature only works for local bridge SSIDs.
To configure UTM security profile groups on the FortiOS GUI:
1. Create a security profile group:

a. Go to WiFi & Switch Controller > Security Profile Groups, then click Create New.
b. Enter the desired interface name. Configure logging as desired.
c. Enable Antivirus, Web Filter, Application, IPS, or Botnet, then select the desired profile.
2. Create a local bridge mode SSID and enable security profile groups:
a. Go to WiFi & Switch Controller > SSID. Select SSID, then click Create New.
b. Enter the desired interface name. For Traffic mode, select Bridge.
c. In the SSID field, enter the desired SSID name. Configure security as desired.
d. Enable Security Profile Group, then select the group created in step 1.
e. Click OK.
3. Select the SSID on a managed FortiAP by editing the FortiAP profile. The following configuration is based on a
example using a managed FortiAP-320C and a "FAP320C-default" profile that is applied to the FortiAP-320C:
a. Go to WiFi & Switch Controller > FortiAP Profile. Select the FAP320C-default profile, then click Edit.
b. To broadcast the SSID from 2.4 G radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to create the
Fortinet-PSK SSID.
c. To broadcast the SSID from 5 G radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to create the
Fortinet-PSK SSID.
d. Click OK.
To configure UTM security profile groups using the FortiOS CLI:
1. Create a security profile group:

config wireless-controller utm-profile
edit "wifi-UTM"
set ips-sensor "default"
set application-list "default"
set antivirus-profile "default"
set webfilter-profile "default"

WiFi 731
set scan-botnet-connections block

next
end
2. Create a local bridge mode SSID and enable security profile groups:
edit "wifi-vap"
set ssid "SSID-UTM"
set passphrase 12345678
set local-bridging enable
set utm-profile "wifi-UTM"
next
end
3. Select the SSID on a managed FortiAP by editing the FortiAP profile. The following configuration is based on a
example using a managed FortiAP-320C and a "FAP320C-default" profile that is applied to the FortiAP-320C:
edit "FP320C3X14000640"
set admin enable
next
end
config radio-1
set vap-all disable
set vaps "wifi-vap"
end
config radio-2
set vap-all disable
set vaps "wifi-vap"
end
next
end
1+1 fast failover between FortiGate WiFi controllers
The following shows a simple network topology for this recipe. The primary and secondary FortiGates should reach the
FortiAP at the physical level:
The following takes place in the event of a failover:

1. The primary FortiGate syncs the wireless configuration to the secondary FortiGate.
2. If the primary FortiGate fails, the secondary FortiGate takes over management of the FortiAP. The client can still

WiFi 732
connect with the SSID from the FortiAP and pass traffic.

3. When the primary FortiGate is back online, it returns to managing the FortiAP.
In the CLI samples below, the primary FortiGate has an IP address of 10.43.1.80, while the secondary FortiGate has an
IP address of 10.43.1.62.
To configure the primary FortiGate:
config wireless-controller inter-controller

set inter-controller mode 1+1
set inter-controller key 123456
config inter-controller-peer
edit 1
set peer-ip 10.43.1.62
set peer-priority secondary
next
end
To configure the secondary FortiGate:
config wireless-controller inter-controller

set inter-controller mode 1+1
set inter-controller key 123456
set inter-controller-pri secondary
config inter-controller-peer
edit 1
set peer-ip 10.43.1.80
next
end
1. On the primary FortiGate, run the diag wireless-controller wlac -c ha command. The output should
resemble the following:
WC fast failover info
cfg iter: 1 (age=17995, size=220729, fp=0x5477e28)
dhcpd_db iter: 123 (age=132, size=1163, fp=0x5435930)
dhcpd_ipmac iter: 123 (age=132, size=2860, fp=0x587d848)
mode: 1+1-ffo
pri: primary
key csum: 0x9c99
max: 10
wait: 10
peer cnt: 1
FWF60E4Q16027198: 10.43.1.62:5245 secondary UP (age=0)
2. On the secondary FortiGate, run the diag wireless-controller wlac -c ha command. The output
should resemble the following:
WC fast failover info
mode: 1+1-ffo
status: monitoring
pri: secondary
key csum: 0x9c99
max: 10
wait: 10
peer cnt: 1

WiFi 733
FWF60E4Q16027198: 10.43.1.62:5245 secondary UP (age=0)
CAPWAP Offloading (NP6 only)
Simple Network Topology
NP6 offloading over CAPWAP traffic is supported by all the FortiGate high-level models and most middle-level models.
NP6 offloading over CAPWAP configuration
1. NP6 session fast path requirements:

config system npu
set capwap-offload enable
end
2. Enable the capwap-offload option in system npu configuration.

edit 1
set auto-asic-offload enable
next
end
3. NP6 offloading over CAPWAP traffic is supported:

l only with traffic from Tunnel mode VAP.
l dtls-policy is clear-text or ipsec-vpn in wireless-controller wtp-profile configuration.
l Traffic is not offloaded when dtls-policy=dtls-enable
l Traffic is not offloaded with fragment.
Verify the system session of NP6 offloading
l check the system session, when dtls-policy=clear-text to verify npu info: flag=0x81/0x89, offload=8/8
FG1K2D3I16800192 (vdom1) # diag sys session list
session info: proto=6 proto_state=01 duration=21 expire=3591 tim

flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=5
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty npu f00
statistic(bytes/packets/allow_err): org=16761744/11708/1 reply=5
orgin->sink: org pre->post, reply pre->post dev=57->37/37->57
gwy=172.16.200.44/10.65.1.2
hook=post dir=org act=snat 10.65.1.2:50452->172.16.200.44:5001(1
hook=pre dir=reply act=dnat 172.16.200.44:5001->172.16.200.65:50
serial=00009a97 tos=ff/ff app_list=0 app=0 url_cat=0

WiFi 734
dd_type=0 dd_mode=0
npu_state=0x000c00
npu info: flag=0x81/0x89, offload=8/8, ips_offload=0/0, epid=158
vlan=0x0000/0x0000
vlifid=216/158, vtag_in=0x0000/0x0000 in_npu=2/2, out_npu=2/2, f
total session 1
l check the system session, when dtls-policy=ipsec-vpn to verify npu info: flag=0x81/0x82, offload=8/8
FG1K2D3I16800192 (vdom1) # diag sys session list
session info: proto=6 proto_state=01 duration=7 expire=3592 time

flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=5
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/wlc-004100_0 vlan_cos=0/
state=log may_dirty npu f00
statistic(bytes/packets/allow_err): org=92/2/1 reply=92/2/1 tupl
orgin->sink: org pre->post, reply pre->post dev=57->37/37->57
gwy=172.16.200.44/10.65.1.2
hook=post dir=org act=snat 10.65.1.2:50575->172.16.200.44:5001(1
hook=pre dir=reply act=dnat 172.16.200.44:5001->172.16.200.65:50
serial=0000a393 tos=ff/ff app_list=0 app=0 url_cat=0
dd_type=0 dd_mode=0
npu_state=0x000c00
npu info: flag=0x81/0x82, offload=8/8, ips_offload=0/0, epid=158
vlan=0x0000/0x0000
vlifid=216/158, vtag_in=0x0000/0x0000 in_npu=2/2, out_npu=2/2, f
total session 1

Switch Controller
The Switch Controller function, also known as FortiLink, is used to remotely manage FortiSwitch unit. In the most
common layer 2 scenario, the FortiGate that is acting as a switch controller is connected to distribution FortiSwitch
units. The distribution FortiSwitch units are in the top tier of stacks of FortiSwitch units and connected downwards with
Convergent or Access layer FortiSwitch units. To leverage CAPWAP and the Fortinet proprietary FortiLink protocol, data
and control planes are established between the FortiGate and FortiSwitch units.
FortiLink allows administrators to create and manage different VLANs, and apply the full-fledged security functions of
FortiOS to them, such as 802.1X authentication and firewall policies. Most of the security control capabilities on the
FortiGate are extended to the edge of the entire network, combining FortiGate, FortiSwitch, and FortiAP devices, and
providing secure, seamless, and unified access control to users.
Standalone FortiGate as switch controller
The following recipes provide instructions on configuring a standalone FortiGate as a switch controller:
l Standalone FortiGate as switch controller
l Multiple FortiSwitches managed via hardware/software switch on page 738
l Multiple FortiSwitches in tiers via aggregate interface with redundant link enabled on page 742
l Multiple FortiSwitches in tiers via aggregate interface with MCLAG enabled only on distribution on page 746
Standalone FortiGate as switch controller
In this example, one FortiSwitch is managed by a standalone FortiGate. The FortiGate uses an aggregate interface to
operate as a switch controller. This configuration might be used in branch office. It might also be used before increasing
the number of connected FortiSwitch units and evolving to a multi-tier structure.
Prerequisites:
l The FortiGate model supports an aggregate interface.

l FortiSwitch units have been upgraded to latest released software version.
l Layer-3 path/route in the management VDOM is available to Internet so that the FortiSwitch units can synchronize
NTP.

Change the FortiSwitch management mode to FortiLink:
Enter the following CLI commands on the FortiSwitch:

set switch-mgmt-mode fortilink
end
This operation will cleanup all of the configuration and reboot the system!
Do you want to continue? (y/n)y
Backing up local mode config before entering FortiLink mode....
If the FortiSwitch ports used for the FortiLink connection have auto-discovery-fortilink enabled, executing
authorization on FortiGate will trigger the transformation to FortiLink mode automatically.
config switch interface
edit "port1"
set auto-discovery-fortilink enable
……
next
end
Create an aggregate interface and designate it as Fortilink interface on the FortiGate:
Using the CLI:

edit "aggr1"
set vdom "vdom1"
set fortilink enable
set type aggregate
next
end
Using the GUI:

1. Go to WiFi & Switch Controller > FortiLink Interface.
2. In Interface members, select an existing aggregate interface (if there is one) or select one or more physical ports to
create an aggregate interface.
3. Configure other fields as necessary.
4. Click OK.
Discover and authorize the FortiSwitch:
Using the CLI:

config switch-controller managed-switch
edit "FSWSerialNum"
set fsw-wan1-admin enable
……
next
end
Check the CLI output for Connection: Connected to show that FortiLink is up:
execute switch-controller get-conn-status FSWSerialNum

Get managed-switch S248EPTF18001384 connection status:

Admin Status: Authorized
Connection: Connected
Image Version: S248EP-v6.2.0-build143,190107 (Interim)
Remote Address: 2.2.2.2
Join Time: Fri Jan 11 15:22:32 2019
interface status duplex speed fortilink stacking poe status

port1 up full 1000Mbps no no Delivering Power
port2 down N/A 0 no no Searching
……
Using the GUI:

1. Go to WiFi & Switch Controller > Managed FortiSwitch.
2. Click Authorize and wait for a few minutes for the connection to be established.
When FortiLink between the FortiGate and FortiSwitch is established, the Link-up ports change to green and the
POE port that is supplying power changes to blue. The dotted line between the FortiGate and FortiSwitch changes
to a solid line. The Connection status shows that FortiLink is up.
Extend the security perimeter to the edge of FortiSwitch:
1. Configure the VLAN arrangement.

a. On the FortiGate, go to WiFi & Switch Controller > FortiSwitch VLANs.
b. Configure the VLAN interfaces that are applied on FortiSwitch.
On FortiGate, these switch VLAN interfaces are treated as layer-3 interfaces and are available to be applied by
firewall policy and other security controls in FortiOS. This means that security boundary is extended to
FortiSwitch.
2. Configure FortiSwitch ports.
a. On the FortiGate, go to WiFi & Switch Controller > FortiSwitch Ports.
b. Select one or more FortiSwitch ports and assign them to the switch VLAN.
c. You can also select POE/DHCP Snooping, STP, and other parameters for the FortiSwitch ports to show their
real-time status such as link status, data statistics, etc.
3. Configure access authentication.
a. On the FortiGate, go to WiFi & Switch Controller > FortiSwitch Security Policies.
b. Configure the 802.1X security policies.
c. Select Port-based or MAC-based mode and select User groups from the existing VDOM.
d. Configure other fields as necessary.
e. Go to WiFi & Switch Controller > FortiSwitch Ports.
f. Select one or more FortiSwitch ports, click + in the Security Policy column, then make a selection from the
pane.
Troubleshooting
Authorized FortiSwitch always offline
If an authorized FortiSwitch is always offline, go to the FortiGate CLI and use the command below to see all the
checkpoints. Inspect each checkpoint to find the cause of the problem.
execute switch-controller diagnose-connection S248EPTF18001384

Fortilink interface ... OK

aggr1 enabled
DHCP server ... OK

aggr1 enabled
NTP server ... OK

aggr1 enabled
NTP server sync ... OK
synchronized: yes, ntpsync: enabled, server-mode: enabled
ipv4 server(ntp1.fortiguard.com) 208.91.113.70 -- reachable(0x80) S:2 T:128

no data
no data
ipv4 server(ntp2.fortiguard.com) 208.91.112.51 -- reachable(0xff) S:2 T:66 selected
server-version=4, stratum=2
reference time is dfe3aec5.744404e6 -- UTC Sat Jan 12 00:09:41 2019
clock offset is -0.320411 sec, root delay is 0.054535 sec
root dispersion is 0.533081 sec, peer dispersion is 11495 msec
ipv4 server(ntp1.fortiguard.com) 208.91.112.50 -- reachable(0xff) S:2 T:66

HA mode ... disabled
Fortilink
Status ... SWITCH_AUTHORIZED_READY
Last keepalive ... 1 seconds ago
CAPWAP
Status ... CONNECTED
PING 2.2.2.2 (2.2.2.2): 56 data bytes


5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.1/6.3/13.9 ms
Multiple FortiSwitches managed via hardware/software switch
This example provides a recommended configuration of FortiLink where multiple FortiSwitches are managed by a
standalone FortiGate as switch controller via hardware or software switch interface; such as when you need multiple
distribution FortiSwitches but lack supporting aggregate on FortiGate.

Prerequisites:
l The FortiGate model supports hardware or software switch interface.

NTP.

end
edit "port1"
……
next
end
Create hardware or software switch interface and designate it as FortiLink interface on the FortiGate:
Create a hardware switch using the CLI:

config system virtual-switch
edit "hardswitch1"
set physical-switch "sw0"
config port
edit "port11"
next
edit "port12"
next
end
next
end
Create a software switch using the CLI:


edit "softswitch1"
set vdom "vdom1"
next
end
Using the GUI:

2. In Interface members, select an existing hardware/software switch interface (if there is one) or select one or more
physical ports to create a hardware/software switch interface.
4. Click OK.
Using the CLI:

edit "FSWSerialNum"
……
next
end


……
Using the GUI:



FortiSwitch.
pane.
Troubleshooting
Bind FortiLink on hardware switch interface
Fortinet recommends binding FortiLink on the hardware switch interface. Since the hardware switch interface can
leverage hardware chips to forward traffic, it does not consume CPU capacity, unlike a software switch.

hardswitch1 enabled
DHCP server ... OK

hardswitch1 enabled
NTP server ... OK

hardswitch1 enabled

no data

no data

Fortilink
CAPWAP
PING 2.2.2.2 (2.2.2.2): 56 data bytes


Multiple FortiSwitches in tiers via aggregate interface with redundant link

enabled
This example provides a recommended configuration of FortiLink where multi-tier FortiSwitches are managed by a
standalone FortiGate as switch controller via aggregate interface, where the FortiGate can provide redundant links to
multiple distribution FortiSwitches.
Prerequisites:

NTP.


end
edit "port1"
……
next
end
Using the CLI:

edit "aggr1"
set vdom "vdom1"
set type aggregate
set fortilink-split-interface enable
next
end
Using the GUI:

2. In Interface members, select one or more physical ports that are connected to different distribution FortiSwitches
to create an aggregate interface.
3. Enable FortiLink split interface.
5. Click OK.

Using the CLI:

edit "FSWSerialNum"
……
next
end


……
Using the GUI:


FortiSwitch.


pane.
Troubleshooting

aggr1 enabled
DHCP server ... OK

aggr1 enabled
NTP server ... OK

aggr1 enabled

no data
no data

Fortilink
CAPWAP
PING 2.2.2.2 (2.2.2.2): 56 data bytes




Multiple FortiSwitches in tiers via aggregate interface with MCLAG enabled only
on distribution
This example provides a recommended configuration of FortiLink where multi-tier FortiSwitches are managed by a
standalone FortiGate as switch controller via aggregate interface, where the FortiGate can provide active-active links to
two distribution FortiSwitches connected to each other by MCLAG.
Prerequisites:

NTP.
l For the FortiSwitch D series, the models above 4 just support MCLAG. For the FortiSwitch E series, the models
above 2 just support MCLAG.

end
edit "port1"
……

next
end
Using the CLI:

edit "aggr1"
set vdom "vdom1"
set type aggregate
set fortilink-split-interface disable
next
end
fortilink-split-interface must be disabled for MCLAG to work.

Using the GUI:
3. Disable FortiLink split interface.
5. Click OK.
Using the CLI:

edit "FSWSerialNum"
……
next
end


……
Using the GUI:


Enable MCLAG on the ICL link between the distribution FortiSwitch devices:
conf switch trunk

edit "4DN4K15000008-0"
set mclag-icl enable
next
end
When you enable mclag-icl, MCLAG on the FortiLink interface is enabled automatically and active-active backup
links between the distribution FortiSwitches are established.

FortiSwitch.
pane.
Troubleshooting

aggr1 enabled

DHCP server ... OK

aggr1 enabled
NTP server ... OK

aggr1 enabled

no data
no data

Fortilink
CAPWAP
PING 2.2.2.2 (2.2.2.2): 56 data bytes


HA (A-P) mode FortiGate pairs as switch controller
The following recipes provide instructions on configuring a FortiGate HA in Active-Passive (A-P) mode as a switch
controller:
l Multiple FortiSwitches managed via hardware/software switch on page 750
l Multiple FortiSwitches in tiers via aggregate interface with redundant link enabled on page 754

l Multiple FortiSwitches in tiers via aggregate interface with MCLAG enabled only on distribution on page 759
Multiple FortiSwitches managed via hardware/software switch
This example provides a recommended configuration of FortiLink where multiple FortiSwitches are managed by an A-P
mode HA cluster of FortiGates as switch controller via hardware or software switch interface. An example of common
usage is when you need multiple distribution FortiSwitches but lack supporting aggregate on the FortiGate pairs.
Prerequisites:
l The FortiGate model supports hardware or software switch interface.

NTP.

end
edit "port1"
……
next
end
Set up an A-P mode HA cluster:
See HA active-passive cluster setup on page 254.

Create hardware or software switch interface and designate it as FortiLink interface on the FortiGate:
Create a hardware switch using the CLI:

config system virtual-switch
edit "hardswitch1"
set physical-switch "sw0"
config port
edit "port11"
next
edit "port12"
next
end
next
end
Create a software switch using the CLI:

edit "softswitch1"
set vdom "vdom1"
next
end
Using the GUI:

2. In Interface members, select an existing hardware/software switch interface (if there is one) or select one or more
physical ports to create a hardware/software switch interface.
4. Click OK.
Using the CLI:

edit "FSWSerialNum"
……
next
end




……
Using the GUI:


FortiSwitch.
pane.
Troubleshooting
Bind FortiLink on hardware switch interface
Fortinet recommends binding FortiLink on the hardware switch interface. Since the hardware switch interface can
leverage hardware chips to forward traffic, it does not consume CPU capacity, unlike a software switch.

hardswitch1 enabled

DHCP server ... OK

hardswitch1 enabled
NTP server ... OK

hardswitch1 enabled

no data
no data

Fortilink
CAPWAP
PING 2.2.2.2 (2.2.2.2): 56 data bytes


HA sync fails
If HA sync fails, use the command below to diagnose and locate the cause.
# diagnose system ha checksum cluster
================== FG5H0E39179XXX9 ==================

is_manage_master()=1, is_root_master()=1
debugzone
global: 2b e9 81 38 c2 9d 4f db b7 0e 1f 49 42 c6 1e fb
vdom5: 3d dc e7 70 69 22 c3 12 a7 ac 68 06 21 21 ef 8f
vdom3: 89 59 1f 45 7a 75 ae fc 71 bc 42 f4 5e c2 47 c8
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
vdom1: 1f b5 11 61 31 c4 0c 72 2e 97 8d d8 45 7e d6 0c
root: af a6 48 c5 c2 9a 8b 81 a5 53 fb 27 e9 ae 01 6a
all: 89 1f 63 77 48 8a 30 ee 57 06 ca eb 71 e6 8e ad
checksum
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
vdom1: 1f b5 11 61 31 c4 0c 72 2e 97 8d d8 45 7e d6 0c
================== FG5H0E391790XXX4 ==================
debugzone
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
vdom1: 1f b5 11 61 31 c4 0c 72 2e 97 8d d8 45 7e d6 0c
checksum
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
vdom1: 1f b5 11 61 31 c4 0c 72 2e 97 8d d8 45 7e d6 0c
Multiple FortiSwitches in tiers via aggregate interface with redundant link

enabled
This example provides a recommended configuration of FortiLink where multi-tier FortiSwitches are managed by an A-P
mode HA cluster of FortiGates as switch controller via aggregate interface, where each FortiGate cluster member can
provide redundant links to multiple (>=2) distribution FortiSwitches.
Prerequisites:

NTP.


end
edit "port1"
……
next
end
Using the CLI:

edit "aggr1"
set vdom "vdom1"
set type aggregate
set fortilink-split-interface enable
next
end
Using the GUI:

3. Enable FortiLink split interface.


5. Click OK.
Using the CLI:

edit "FSWSerialNum"
……
next
end


……
Using the GUI:


FortiSwitch.


pane.
Troubleshooting

aggr1 enabled
DHCP server ... OK

aggr1 enabled
NTP server ... OK

aggr1 enabled

no data
no data

Fortilink
CAPWAP


PING 2.2.2.2 (2.2.2.2): 56 data bytes


HA sync fails
================== FG5H0E39179XXX9 ==================
debugzone
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
vdom1: 1f b5 11 61 31 c4 0c 72 2e 97 8d d8 45 7e d6 0c
checksum
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
vdom1: 1f b5 11 61 31 c4 0c 72 2e 97 8d d8 45 7e d6 0c
================== FG5H0E391790XXX4 ==================
debugzone
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
vdom1: 1f b5 11 61 31 c4 0c 72 2e 97 8d d8 45 7e d6 0c
checksum

vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
vdom1: 1f b5 11 61 31 c4 0c 72 2e 97 8d d8 45 7e d6 0c
Multiple FortiSwitches in tiers via aggregate interface with MCLAG enabled only
on distribution
This example provides a recommended configuration of FortiLink where multi-tier FortiSwitches are managed by an A-P
mode HA cluster of FortiGates as switch controller via aggregate interface, where FortiGates provide active-active links
to two distribution FortiSwitches connected to each other by MCLAG.
Prerequisites:

NTP.

end
edit "port1"
……

next
end
Using the CLI:

edit "aggr1"
set vdom "vdom1"
set type aggregate
next
end

Using the GUI:
5. Click OK.
Using the CLI:

edit "FSWSerialNum"
……
next
end




……
Using the GUI:

conf switch trunk

edit "4DN4K15000008-0"
next
end

FortiSwitch.
pane.
Troubleshooting


aggr1 enabled
DHCP server ... OK

aggr1 enabled
NTP server ... OK

aggr1 enabled

no data
no data

Fortilink
CAPWAP
PING 2.2.2.2 (2.2.2.2): 56 data bytes


HA sync fails

================== FG5H0E39179XXX9 ==================
debugzone
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
vdom1: 1f b5 11 61 31 c4 0c 72 2e 97 8d d8 45 7e d6 0c
checksum
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
vdom1: 1f b5 11 61 31 c4 0c 72 2e 97 8d d8 45 7e d6 0c
================== FG5H0E391790XXX4 ==================
debugzone
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
vdom1: 1f b5 11 61 31 c4 0c 72 2e 97 8d d8 45 7e d6 0c
checksum
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
vdom1: 1f b5 11 61 31 c4 0c 72 2e 97 8d d8 45 7e d6 0c
Multiple FortiSwitches in tiers via aggregate interface with MCLAG enabled on all
tiers
This example provides a recommended configuration of FortiLink where multi-tier FortiSwitch devices are managed by
an A-P mode HA cluster of FortiGates acting as a switch controller via an aggregate interface. The FortiGates provide A-
A links to two distribution FortiSwitches that are connected to each other by MCLAG. All access FortiSwitch devices
have A-A links with two upper tier FortiSwitches, as long as the MCLAG-ICL has been enabled between the upper tiers.

Prerequisites:

NTP.

end
edit "port1"
……
next
end
Using the CLI:

edit "aggr1"
set vdom "vdom1"
set type aggregate


next
end

Using the GUI:
5. Click OK.
Using the CLI:

edit "FSWSerialNum"
……
next
end


……
Using the GUI:

conf switch trunk

edit "4DN4K15000008-0"

next
end

FortiSwitch.
pane.
Troubleshooting

aggr1 enabled
DHCP server ... OK

aggr1 enabled
NTP server ... OK

aggr1 enabled

no data


no data

Fortilink
CAPWAP
PING 2.2.2.2 (2.2.2.2): 56 data bytes


HA sync fails
# diagnose sys ha checksum cluster
================== FG5H0E39179XXX9 ==================
debugzone
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
vdom1: 1f b5 11 61 31 c4 0c 72 2e 97 8d d8 45 7e d6 0c
checksum

vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
vdom1: 1f b5 11 61 31 c4 0c 72 2e 97 8d d8 45 7e d6 0c
================== FG5H0E391790XXX4 ==================
debugzone
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
vdom1: 1f b5 11 61 31 c4 0c 72 2e 97 8d d8 45 7e d6 0c
checksum
vdom2: b2 a5 f3 e7 85 02 62 e5 2a 23 23 64 04 66 76 cc
vdom1: 1f b5 11 61 31 c4 0c 72 2e 97 8d d8 45 7e d6 0c
Authentication and security
The following recipes provide instructions on configuring switch related authentication and security:
l MAC-based 802.1X authentication on page 768
l Port-based 802.1X authentication on page 772
l MAC layer control - Sticky MAC and MAC Learning-limit on page 775
l Quarantine on page 776
MAC-based 802.1X authentication
This example show how to configure MAC-based 802.1X authentication to managed FortiSwitch ports when using
FortiLink. Managed FortiSwitch devices will authenticate and record the MAC addresses of user devices. If there is a
hub after the FortiSwitch that connects multiple user devices, each device can access the network after passing
authentication.
Prerequisites:
l The certificates and authentication protocol supported by the supplicant software and RADIUS server are
compatible.
l The managed FortiSwitches using FortiLink act as authenticators.

Create a firewall policy to allow the RADIUS authentication related traffic from the Fortilink interface to the
outbound interface on the FortiGate:

edit 0
set srcintf "fortilink-interface"
set dstintf "outbound-interface-to-RadiusSVR"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "RADIUS"
set nat enable
next
end
Designate a RADIUS server and create a user group:
Using the CLI:

config user radius
edit "Radius1"
set server "172.18.60.203"
set secret ENC 1dddddd
next
end
config user group
edit "Radius-Grp1"
set member "Radius1"
next
end
Using the GUI:

1. On the FortiGate, go to User & Device > RADIUS Servers.
2. Edit an existing server, or create a new one.
3. If necessary, add a Name for the server.
4. Set the IP/Name to 172.18.60.203 and Secret to 1dddddd .
6. Click OK.

8. Create a new group, and add the RADIUS server to the Remote Groups list.
9. Click OK.
Use the new user group in a security policy:
Using the CLI:

config switch-controller security-policy 802-1X
edit "802-1X-policy-default"
set security-mode 802.1X-mac-based
set user-group "Radius-Grp1"
set mac-auth-bypass disable
set open-auth disable
set eap-passthru enable
set guest-vlan disable
set auth-fail-vlan disable
set framevid-apply enable
set radius-timeout-overwrite disable
next
end
Configure the guest VLAN, authentication fail VLAN, and other parameters as needed.
Using the GUI:
1. Go to WiFi & Switch Controller > FortiSwitch Security Policies
2. Use the default 802-1X-policy-default, or create a new security policy.
3. Use the RADIUS server group in the policy.
4. Set the Security mode to MAC-based.
6. Click OK.
Apply the security policy to the ports of the managed FortiSwitches:
Using the CLI:

edit S248EPTF1800XXXX
config ports
edit "port6"
set port-security-policy "802-1X-policy-default"
next

end
next
end
On the FortiSwitch, check the configuration:

edit "port6"
set allowed-vlans 4093
set untagged-vlans 4093
set security-groups "Radius-Grp1"
set snmp-index 6
config port-security
set guest-auth-delay 30
set port-security-mode 802.1X-mac-based
set auth-fail-vlanid 200
set guest-vlanid 100
end
next
end
Using the GUI:

1. On the FortiGate, go to WiFi & Switch Controller > FortiSwitch VLANs.
2. Configure the VLAN interfaces that are applied on FortiSwitch.
firewall policy and other security controls in FortiOS. This means that security boundary is extended to FortiSwitch.
Execute 802.1X authentication on a user device:
On Linux, run wpa_supplicant:

wpa_supplicant -c /etc/wpa_supplicant/local_supplicant.conf -D wired -i eth2 -dd
On the FortiGate, view the status of the 802.1X authentication:

diagnose switch-controller switch-info 802.1X
Managed Switch : S248EPTF1800XXXX
port6 : Mode: mac-based (mac-by-pass disable) -----> MAC-based

Link: Link up
Port State: authorized: ( ) -----> Showing authorized means auth
passed. Otherwise, shown failed
EAP pass-through mode : Enable
Native Vlan : 1
Allowed Vlan list: 1,4093
Untagged Vlan list: 1,4093
Guest VLAN :
Auth-Fail Vlan :
Switch sessions 1/240, Local port sessions:1/20

Client MAC Type Vlan Dynamic-Vlan

00:0c:29:d4:4f:3c 802.1x 1 0 -----> User device of auth
passed can access the network. Its MAC address is recored, while other User Devices under
same FSW ports still not allowed to access.
Sessions info:
00:0c:29:d4:4f:3c Type=802.1x,MD5,state=AUTHENTICATED,etime=6,eap_cnt=3
params:reAuth=3600
Port-based 802.1X authentication
This example show how to configure Port-based 802.1X authentication to managed FortiSwitch ports when using
FortiLink. Managed FortiSwitch devices will authenticate user devices per each FortiSwitch port. If there is a hub after
the FortiSwitch that connects multiple user devices to the same port, they can all access the network after
authentication, which is not recommended from a security perspective.
Prerequisites:
l The certificates and authentication protocol supported by the supplicant software and RADIUS server are
compatible.
l The managed FortiSwitches using FortiLink act as authenticators.
Create a firewall policy to allow the RADIUS authentication related traffic from the Fortilink interface to the
outbound interface on the FortiGate:

edit 0
set srcintf "fortilink-interface"
set dstintf "outbound-interface-to-RadiusSVR"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "RADIUS"
set nat enable
next
end
Designate a RADIUS server and create a user group:
Using the CLI:

config user radius
edit "Radius1"

set server "172.18.60.203"

set secret ENC 1dddddd
next
end
config user group
edit "Radius-Grp1"
set member "Radius1"
next
end
Using the GUI:

1. On the FortiGate, go to User & Device > RADIUS Servers.
2. Edit an existing server, or create a new one.
3. If necessary, add a Name for the server.
4. Set the IP/Name to 172.18.60.203 and Secret to 1dddddd .
6. Click OK.
8. Create a new group, and add the RADIUS server to the Remote Groups list.
9. Click OK.
Use the new user group in a security policy:
Using the CLI:

config switch-controller security-policy 802-1X
edit "802-1X-policy-default"
set security-mode 802.1X
set user-group "Radius-Grp1"
next
end
Configure the guest VLAN, authentication fail VLAN, and other parameters as needed.
Using the GUI:

1. Go to WiFi & Switch Controller > FortiSwitch Security Policies

2. Use the default 802-1X-policy-default, or create a new security policy.
3. Use the RADIUS server group in the policy.
4. Set the Security mode to Port-based.
6. Click OK.
Apply the security policy to the ports of the managed FortiSwitches:
Using the CLI:

config ports
edit "port6"
set port-security-policy "802-1X-policy-default"
next
end
next
end
Using the GUI:

1. On the FortiGate, go to WiFi & Switch Controller > FortiSwitch VLANs.
2. Configure the VLAN interfaces that are applied on FortiSwitch.
firewall policy and other security controls in FortiOS. This means that security boundary is extended to FortiSwitch.
Execute 802.1X authentication on a user device:
On Linux, run wpa_supplicant:

wpa_supplicant -c /etc/wpa_supplicant/local_supplicant.conf -D wired -i eth2 -dd
On the FortiGate, view the status of the 802.1X authentication:

diagnose switch-controller switch-info 802.1X Managed Switch : S248EPTF18001384
port6 : Mode: port-based (mac-by-pass disable)

Link: Link up
Port State: authorized: ( )
Dynamic Authorized Vlan : 0
EAP pass-through mode : Enable
Native Vlan : 1
Allowed Vlan list: 1,4093
Untagged Vlan list: 4093
Guest VLAN :
Auth-Fail Vlan :
Sessions info:
00:0c:29:d4:4f:3c Type=802.1x,MD5,state=AUTHENTICATED,etime=0,eap_cnt=6
params:reAuth=3600

MAC layer control - Sticky MAC and MAC Learning-limit
Persistent MAC learning, or Sticky MAC, is a port security feature that lets an interface retain dynamically learned MAC
addresses when a switch is restarted, or an interface goes down and then is brought back online.
Enabling Sticky MAC along with MAC Learning-limit restricts the number of MAC addresses that are learned. This
prevents layer 2 Denial of Service (DoS) attacks, overflow attacks on the Ethernet switching table, and DHCP starvation
attacks by limiting the number of MAC addresses that are allowed while still allowing the interface to learn a specified
number of MAC addresses. The interface is secured because, after the specified limit has been reached, additional
devices cannot connect to the port. Interfaces can be allowed to learn the MAC address of trusted workstations and
servers from the time that the interfaces are connected to the network, until the MAC address limit is reached.
Prerequisites
l Sticky MAC save is hardware and CPU intensive if there are too many entries.
l Dual chip device models (X48 and XX48 FortiSwitch models) do not support MAC Learning-limit on VLANs, but still
support it on FortiSwitch ports.
Enable Sticky MAC on the FortiSwitch ports view:

edit S248EPTF18001384
config ports
edit port6
set sticky-mac enable
next
end
next
end
Check the MAC-table on the FortiSwitch to see that the status of related MAC items on the Sticky MAC enabled
ports has changed from dynamic to static:
Before Sticky-MAC is enabled:
diagnose switch mac-address list
MAC: 08:5b:0e:06:6a:d4 VLAN: 1 Port: port1(port-id 1) Flags: 0x00030440 [ hit dynamic
src-hit native move ]
After Sticky-MAC is enabled:

diagnose switch mac-address list
MAC: 00:0c:29:d4:4f:3c VLAN: 1 Port: port6(port-id 6) Flags: 0x00000020 [ static ]
Save Sticky-MAC items into the database and delete others:
Saving Sticky-MAC items from the running memory into the database, and deleting unsaved items, will ensure that,
even after the FortiSwitch is rebooted, the trusted MAC addresses will be kept and will not need to be relearned.
execute switch-controller switch-action sticky-mac save all S248EPTF1800XXXX
S248EPTF1800XXXX: Save started...

Warning: Please wait save will take longer time upto 30 seconds...
Collecting config data....Done
Collecting hardware data....Done
Saving....Done
Sticky MAC entries saved = 1 ----------------> Number of saved Sticky MAC items is shown
execute switch-controller switch-action sticky-mac delete-unsaved all S248EPTF1800XXXX
Configure the MAC Learning-limit under the VLAN or managed FortiSwitch ports view:
VLAN view:
edit vsw.aggr1
set switch-controller-learning-limit 10
next
end
Ports view:
config ports
edit port6
set learning-limit 11
next
end
next
end
Quarantine
When the FortiGate detects devices that have lower trust scores, lack mandatory installed software, or are sending out
malicious traffic, an administrator can quarantine the device from the normal switch VLAN to the quarantine VLAN. This
can limit the device's access, or provide them specific information on the quarantine portal page.
To quarantine an active device:
Using the CLI, based on the device's MAC address:

config targets
edit "manual-qtn-1"
set description "Manually quarantined"
config macs
edit 00:0c:29:d4:4f:3c

set description "manual-qtn "

next
end
next
end
end
Using the GUI:

1. On the FortiGate, go to Security Fabric > Physical Topology, or Security Fabric > Logical Topology.
2. Mouse over the bubble of an active device, and select Quarantine Host from the right-click menu.
3. Click OK in the Quarantine Host page to quarantine the device.
The quarantined device is moved to the quarantine VLAN, and the configuration of the FortiSwitch port does not
change.
The quarantined device gets its IP address from the DHCP server on the quarantine VLAN interface. The network
locations that the device can access depends on the firewall policies that are configured for the quarantine VLAN
interface. By default, the device must acknowledge and accept the information on the Quarantine Portal before it can
access any part of the network.
Release or clear the quarantine targets:
Using the CLI:

config targets
delete "manual-qtn-1"
...
end
end
config targets
purge
end
end
Using the GUI:

1. Go to Monitor > Quarantine Monitor.
2. Delete the quarantine targets as needed, or click Remove All to delete all the targets.
Flow and Device Detection
The following recipes provide information on flow and device detection:

l Data statistic on page 778
l Security Fabric showing on page 779

Data statistic
This example shows a FortiLink scenario where the FortiGate acts as the switch controller that collects the data
statistics of managed FortiSwitch ports. This is counted by each FortiSwitch and concentrated in the controller.
Sample topology
To show data statistics using the GUI:
1. Go to WiFi & Switch Controller > FortiSwitch Ports.

2. Select Configure Table.
3. Select Bytes, Errors and Packets to make them visible.
The related data statistic of each managed FortiSwitch port is shown.
To show data statistics using the CLI:
diag switch-controller switch-info port-stats S248EPTF180XXXX
......
Port(port50) is Admin up, line protocol is down

Interface Type is Gigabit Media Independent Interface(GMII)
Address is 70:4C:A5:E0:F3:8D, loopback is not set
MTU 9216 bytes, Encapsulation IEEE 802.3/Ethernet-II
full-duplex, 1000 Mb/s, link type is manual
input : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes
0 unicasts, 0 multicasts, 0 broadcasts, 0 unknowns
output : 0 bytes, 0 packets, 0 errors, 0 drops, 0 oversizes
0 unicasts, 0 multicasts, 0 broadcasts
0 fragments, 0 undersizes, 0 collisions, 0 jabbers
......

Security Fabric showing
This example shows one of the key components in the concept of Security Fabric: FortiSwitches in FortiLink. In the
FortiGate GUI, you can see the whole picture of the Security Fabric working for your network security.
Sample topology
To show Security Fabric information:
1. Go to Security Fabric > Physical Topology.

2. To see the connection between FortiGates and managed FortiSwitches, hover the pointer over the icons to see
information about each network element.

Log and report
Logging and reporting are useful components to help you understand what is happening on your network, and to inform
you about certain network activities, such as the detection of a virus, a visit to an invalid website, an intrusion, a failed
log in attempt, and myriad others.
Logging records the traffic that is passing through, starting from, or ending on the FortiGate device, and the actions that
the FortiGate device took during the traffic scanning process. After this information is recorded in a log message, it is
stored in a log file that is stored on a log device (a central storage location for log messages). FortiGate devices support
several different log devices, such as FortiAnalyzer, FortiGateCloud, and Syslog servers. A FortiGate's system memory
and local disk can also be configured to store logs, and is also considered a log device.
Reports are used to show recorded activity in a more readable format. A report gathers all the log information that it
needs, then presents it in a graphical format, with a customizable design and automatically generated charts showing
what is happening on the network. Reports can be generated on FortiGate devices with disk logging, and on
FortiAnalyzer devices.
A more comprehensive reporting and monitoring tool for the network is FortiView. It integrates real-time and historical
data into a single view on the FortiGate. For more information, see FortiView on page 130.
Configure multiple FortiAnalyzers on a multi-VDOM FortiGate
This topic shows a sample configuration of multiple FortiAnalyzers on a multi-VDOM FortiGate.

In this example:
l The FortiGate has three VDOMs:
l Root (management VDOM)
l VDOM1
l VDOM2
l There are four FortiAnalyzers.
These IP addresses are used as examples in the instructions below.
l FAZ1: 172.16.200.55
l FAZ2: 172.18.60.25
l FAZ3: 192.168.1.253
l FAZ4: 192.168.1.254
l Set up FAZ1 and FAZ2 under global.
l These two collect logs from the root VDOM and VDOM2.
l FAZ1 and FAZ2 must be accessible from management VDOM root.
l Set up FAZ3 and FAZ4 under VDOM1.
l These two collect logs from VDOM1.
l FAZ3 and FAZ4 must be accessible from VDOM1.

Log and report 781
To set up FAZ1 as global FortiAnalyzer 1 from the GUI:
Prerequisite: FAZ1 must be reachable from the management root VDOM.

1. Go to Global > Log & Report > Log Settings.
2. Enable Send logs to FortiAnalyzer/FortiManager.
3. Enter the FortiAnalyzer IP.
In this example: 172.16.200.55.
4. For Upload option, select Real Time.
5. Select Apply.
To set up FAZ2 as global FortiAnalyzer 2 from the CLI:
Prerequisite: FAZ2 must be reachable from the management root VDOM.

config log fortianalyzer2 setting
set status enable
set server "172.18.60.25"
set upload-option realtime
end
To set up FAZ3 and FAZ4 as VDOM1 FortiAnalyzer 1 and FortiAnalyzer 2:
Prerequisite: FAZ3 and FAZ4 must be reachable from VDOM1.

config log setting
set faz-override enable
end
config log fortianalyzer override-setting

set status enable
set server "192.168.1.253"
end
config log fortianalyzer2 override-setting

set status enable
set server "192.168.1.254"
end
Diagnose command to check FortiAnalyzer connectivity
To use the diagnose command to check FortiAnalyzer connectivity:
1. Check global FortiAnalyzer status:

FGTA(global) # diagnose test application miglogd 1
faz: global , enabled
server=172.16.200.55, realtime=3, ssl=1, state=connected, src=, mgmt_name=FGh_Log_
root_172.16.200.55, reliable=1
status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=N
SNs: last sn update:1369 seconds ago.

Log and report 782
Sn list:
queue: qlen=0.
filter: severity=6, sz_exclude_list=0
voip dns ssh ssl
subcategory:
traffic: forward local multicast sniffer
anomaly: anomaly
server: global, id=0, fd=90, ready=1, ipv6=0, 172.16.200.55/514

oftp-state=5
faz2: global , enabled
Sn list:
queue: qlen=0.
voip dns ssh ssl
subcategory:
anomaly: anomaly

oftp-state=5
2. Check VDOM1 override FortiAnalyzer status:

FGTA(global) # diagnose test application miglogd 3101
faz: vdom, enabled, override
Sn list:
(FAZ-VM0000000001,age=17s)
queue: qlen=0.
voip dns ssh ssl
subcategory:
anomaly: anomaly
server: vdom, id=0, fd=72, ready=1, ipv6=0, 192.168.1.253/514

oftp-state=5
faz2: vdom, enabled, override
Sn list:
(FL-1KET318000008,age=17s)
queue: qlen=0.
voip dns ssh ssl

Log and report 783
subcategory:
anomaly: anomaly
server: vdom, id=1, fd=97, ready=1, ipv6=0, 192.168.1.254/514

oftp-state=5
faz3: vdom, disabled, override
Supported log types to FortiAnalyzer, Syslog, and FortiAnalyzer

Cloud
This topic describes which log messages are supported by each logging destination.
Log Type FortiAnalyzer Syslog FortiAnalyzer Cloud
Traffic Yes Yes No
Event Yes Yes Yes
Virus Yes Yes No
Webfilter Yes Yes No
IPS Yes Yes No
Emailfilter Yes Yes No
Anomaly Yes Yes No
VOIP Yes Yes No
DLP Yes Yes No
App-Ctrl Yes Yes No
WAF Yes Yes No
GTP Yes Yes No
DNS Yes Yes No
SSH Yes Yes No
SSL Yes Yes No
CIFS No Yes No

Log and report 784
Sample logs by log type
This topic provides a sample raw log for each subtype and the configuration requirements.
Type and Subtype
Traffic Logs > Forward Traffic
Log configuration requirements

edit 1
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
set logtraffic all
set application-list "g-default"
set nat enable
next
end
Sample log
date=2019-05-10 time=11:37:47 logid="0000000013" type="traffic" subtype="forward" level-

l="notice" vd="vdom1" eventtime=1557513467369913239 srcip=10.1.100.11 srcport=58012 srcint-
f="port12" srcintfrole="undefined" dstip=23.59.154.35 dstport=80 dstintf="port11"
dstintfrole="undefined" srcuuid="ae28f494-5735-51e9-f247-d1d2ce663f4b" dstuuid="ae28f494-5735-
51e9-f247-d1d2ce663f4b" poluuid="ccb269e0-5735-51e9-a218-a397dd08b7eb" sessionid=105048 pro-
to=6 action="close" policyid=1 policytype="policy" service="HTTP" dstcountry="Canada" srccoun-
try="Reserved" trandisp="snat" transip=172.16.200.2 transport=58012 appid=34050
app="HTTP.BROWSER_Firefox" appcat="Web.Client" apprisk="elevated" applist="g-default" dur-
ation=116 sentbyte=1188 rcvdbyte=1224 sentpkt=17 rcvdpkt=16 utmaction="allow" countapp=1
osname="Ubuntu" mastersrcmac="a2:e9:00:ec:40:01" srcmac="a2:e9:00:ec:40:01" srcserver=0 utm-
ref=65500-742
Type and Subtype
Traffic Logs > Local Traffic
config log setting

set local-in-allow enable
set local-in-deny-unicast enable
set local-in-deny-broadcast enable
set local-out enable
end

Log and report 785
Sample log
date=2019-05-10 time=11:50:48 logid="0001000014" type="traffic" subtype="local" level="notice"

vd="vdom1" eventtime=1557514248379911176 srcip=172.16.200.254 srcport=62024 srcintf="port11"
srcintfrole="undefined" dstip=172.16.200.2 dstport=443 dstintf="vdom1" dstintfrole="undefined"
sessionid=107478 proto=6 action="server-rst" policyid=0 policytype="local-in-policy" ser-
vice="HTTPS" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" app="Web Management
(HTTPS)" duration=5 sentbyte=1247 rcvdbyte=1719 sentpkt=5 rcvdpkt=6 appcat="unscanned"
Type and Subtype
Traffic Logs > Multicast Traffic
config firewall multicast-policy

edit 1
set dstaddr 230-1-0-0
set dstintf port3
set srcaddr 172-16-200-0
set srcintf port25
set action accept
set log enable
next
end
config sys setting
set multicast-forward enable
end
Sample log
date=2019-03-31 time=06:42:54 logid="0002000012" type="traffic" subtype="multicast" level-

l="notice" vd="vdom1" eventtime=1554039772 srcip=172.16.200.55 srcport=60660 srcintf="port25"
srcintfrole="undefined" dstip=230.1.1.2 dstport=7878 dstintf="port3" dstintfrole="undefined"
sessionid=1162 proto=17 action="accept" policyid=1 policytype="multicast-policy" ser-
vice="udp/7878" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=22 sent-
byte=5940 rcvdbyte=0 sentpkt=11 rcvdpkt=0 appcat="unscanned"
Type and Subtype
Traffic Logs > Sniffer Traffic
config firewall sniffer

edit 3
set logtraffic all
set ips-sensor-status enable
set ips-sensor "sniffer-profile"
next
end

Log and report 786
Sample log
date=2019-05-10 time=14:18:54 logid="0004000017" type="traffic" subtype="sniffer" level-

l="notice" vd="root" eventtime=1557523134021045897 srcip=208.91.114.4 srcport=50463 srcint-
dstintfrole="undefined" sessionid=2193276 proto=6 action="accept" policyid=3 poli-
cytype="sniffer" service="HTTPS" dstcountry="United States" srccountry="Canada" trandis-
p="snat" transip=0.0.0.0 transport=0 duration=10 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0
appcat="unscanned" utmaction="allow" countips=1 crscore=5 craction=32768 sentdelta=0 rcvd-
delta=0 utmref=65162-7772
Type and Subtype
Event Logs > System Events

set event enable
set system enable
end
Sample log
date=2019-05-13 time=11:20:54 logid="0100032001" type="event" subtype="system" level-

l="information" vd="vdom1" eventtime=1557771654587081441 logdesc="Admin login successful"
sn="1557771654" user="admin" ui="ssh(172.16.200.254)" method="ssh" srcip=172.16.200.254 dstip-
p=172.16.200.2 action="login" status="success" reason="none" profile="super_admin" msg-
g="Administrator admin logged in successfully from ssh(172.16.200.254)"
Type and Subtype
Event Logs > Router Events

set event enable
set router enable
end
config router bgp
set log-neighbour-changes enable
end
config router ospf

set log-neighbour-changes enable
end
Sample log
date=2019-05-13 time=14:12:26 logid="0103020301" type="event" subtype="router" level="warning"

vd="root" eventtime=1557781946677737955 logdesc="Routing log" msg="OSPF: RECV[Hello]: From
31.1.1.1 via port9:172.16.200.1: Invalid Area ID 0.0.0.0"

Log and report 787
Type and Subtype
Event Logs > VPN Events

set event enable
set vpn enable
end
Sample log
date=2019-05-13 time=14:21:42 logid="0101037127" type="event" subtype="vpn" level="notice" vd=-

="root" eventtime=1557782502722231889 logdesc="Progress IPsec phase 1" msg="progress IPsec
phase 1" action="negotiate" remip=50.1.1.101 locip=50.1.1.100 remport=500 locport=500 outint-
f="port14" cookies="9091f4d4837ea71c/0000000000000000" user="N/A" group="N/A" xauthuser="N/A"
xauthgroup="N/A" assignip=N/A vpntunnel="test" status="success" init="local" mode="main" dir-
r="outbound" stage=1 role="initiator" result="OK"
Type and Subtype
Event Logs > User Events

set event enable
set user enable
end
Sample log
date=2019-05-13 time=15:55:56 logid="0102043008" type="event" subtype="user" level="notice"

vd="root" eventtime=1557788156913809277 logdesc="Authentication success" srcip=10.1.100.11
dstip=172.16.200.55 policyid=1 interface="port10" user="bob" group="local-group1" auth-
proto="TELNET(10.1.100.11)" action="authentication" status="success" reason="N/A" msg="User
bob succeeded in authentication"
Type and Subtype
Event Logs > Endpoint Events

set event enable
set endpoint enable
end

Log and report 788
Sample log
date=2019-05-14 time=08:32:13 logid="0107045057" type="event" subtype="endpoint" level-

l="information" vd="root" eventtime=1557847933900764210 logdesc="FortiClient connection added"
action="add" status="success" license_limit="unlimited" used_for_type=4 connection_type-
e="sslvpn" count=1 user="skubas" ip=172.18.64.250 name="VAN-200957-PC" fctu-
id="52C66FE08F724FE0B116DAD5062C96CD" msg="Add a FortiClient Connection."
date=2019-05-14 time=08:19:38 logid="0107045058" type="event" subtype="endpoint" level-
l="information" vd="root" eventtime=1557847179037488154 logdesc="FortiClient connection
closed" action="close" status="success" license_limit="unlimited" used_for_type=5 connection_
type="sslvpn" count=1 user="skubas" ip=172.18.64.250 name="VAN-200957-PC" fctu-
id="52C66FE08F724FE0B116DAD5062C96CD" msg="Close a FortiClient Connection."
Type and Subtype
Event Logs > HA Events

set event enable
set ha enable
end
Sample log
date=2019-05-10 time=09:53:21 logid="0108037892" type="event" subtype="ha" level="notice" vd=-

="root" eventtime=1557507201608871077 logdesc="Virtual cluster member state moved" msg-
g="Virtual cluster's member state moved" ha_role="master" vcluster=1 vcluster_state="work"
vcluster_member=0 hostname="FW_QA4" sn="FG2K5E3916900348"
date=2019-05-10 time=09:53:18 logid="0108037894" type="event" subtype="ha" level="critical"
vd="root" eventtime=1557507199208575235 logdesc="Virtual cluster member joined" msg="Virtual
cluster detected member join" vcluster=1 ha_group=0 sn="FG2K5E3916900286"
Type and Subtype
Event Logs > Security Rating Events

set event enable
set security-rating enable
end
Sample log
date=2019-05-13 time=14:40:59 logid="0110052000" type="event" subtype="security-rating" level-

l="notice" vd="root" eventtime=1557783659536252389 logdesc="Security Rating summary" auditid-
d=1557783648 audittime=1557783659 auditscore="5.0" criticalcount=1 highcount=6 mediumcount=8
lowcount=0 passedcount=38

Log and report 789
Type and Subtype
Event Logs > WAN Opt & Cache Events

set event enable
set wan-opt enable
end
Sample log
date=2019-05-14 time=09:37:46 logid="0105048039" type="event" subtype="wad" level="error" vd=-

="root" eventtime=1557851867382676560 logdesc="SSL fatal alert sent" session_id=0 policyid=0
srcip=0.0.0.0 srcport=0 dstip=208.91.113.83 dstport=636 action="send" alert="2" desc-
c="certificate unknown" msg="SSL Alert sent"
date=2019-05-10 time=15:48:31 logid="0105048038" type="event" subtype="wad" level="error" vd=-
="root" eventtime=1557528511221374615 logdesc="SSL Fatal Alert received" session_id=5f88ddd1
policyid=0 srcip=172.18.70.15 srcport=59880 dstip=91.189.89.223 dstport=443 action="receive"
alert="2" desc="unknown ca" msg="SSL Alert received"
Type and Subtype
Event Logs > Wireless

set event enable
set wireless-activity enable
end
config wireless-controller log

set status enable
end
Sample log
date=2019-05-13 time=11:30:08 logid="0104043568" type="event" subtype="wireless" level-

l="warning" vd="vdom1" eventtime=1557772208134721423 logdesc="Fake AP on air" ssid="fortinet"
bssid="90:6c:ac:89:e1:fa" aptype=0 rate=130 radioband="802.11n" channel=6 action="fake-ap-on-
air" manuf="Fortinet, Inc." security="WPA2 Personal" encryption="AES" signal=-93 noise=-95
live=353938 age=505 onwire="no" detectionmethod="N/A" stamac="N/A" apscan="N/A" sndetec-
ted="N/A" radioiddetected=0 stacount=0 snclosest="FP320C3X17001909" radioidclosest=0
apstatus=0 msg="Fake AP On-air fortinet 90:6c:ac:89:e1:fa chan 6 live 353938 age 505"
Type and Subtype
Event Logs > SDN Connector

Log and report 790

set event enable
set connector enable
end
Sample log
date=2019-05-13 time=16:09:43 logid="0112053200" type="event" subtype="connector" level-

l="information" vd="root" eventtime=1557788982 logdesc="IP address added" cfgobj="aws1" action-
n="object-add" addr="54.210.36.196" cldobjid="i-0fe5a1ef16bb94796" netid="vpc-97e81cee"
msg="connector object discovered in addr-obj aws1, 54.210.36.196"
date=2019-05-13 time=16:09:43 logid="0112053201" type="event" subtype="connector" level-
l="information" vd="root" eventtime=1557788982 logdesc="IP address removed" cfgobj="aws1"
action="object-remove" addr="172.31.31.101" cldobjid="i-0fe5a1ef16bb94796" netid="vpc-
97e81cee" msg="connector object removed in addr-obj aws1, 172.31.31.101"
Type and Subtype
Event Logs > FortiExtender Events

set event enable
set fortiextender enable
end
Sample log
date=2019-05-13 time=17:03:27 logid="0111046409" type="event" subtype="fortiextender" level-

l="information" vd="root" eventtime=1557792205 logdesc="Remote FortiExtender info activity"
sn="FX04DA4N17000026" ip=192.168.1.111 action="Cellular Data Statistics" imei-
i="359073060033366" imsi="302720502331361" iccid="89302720403038146410" phonenum-
ber="+16045067526" carrier="Rogers" plan="KPLan-1" service="LTE" rcvdbyte=0 sentbyte=0
msg="FX04DA4N17000026 INFO: SIM2 LTE, rx=0, tx=0, rx_diff=0, tx_diff=0"
date=2019-05-13 time=17:03:23 logid="0111046409" type="event" subtype="fortiextender" level-
l="information" vd="root" eventtime=1557792203 logdesc="Remote FortiExtender info activity"
sn="FX04DA4N17000026" ip=192.168.1.111 action="Cellular Connected" imei="359073060033366" imsi-
i="302720502331361" iccid="89302720403038146410" phonenumber="+16045067526" carrier="Rogers"
plan="KPLan-1" apn="N/A" service="LTE" msg="FX04DA4N17000026 STATE: sim with
imsi:302720502331361 in slot:2 on carrier:Rogers connected"
Type and Subtype
Security Logs > Antivirus
config antivirus profile

edit "test-av"
config http

Log and report 791
set options scan

end
set av-virus-log enable
set av-block-log enable
next
end

edit 1
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
set av-profile "test-av"
set logtraffic utm
set nat enable
next
end
Sample log
date=2019-05-13 time=11:45:03 logid="0211008192" type="utm" subtype="virus" event-

type="infected" level="warning" vd="vdom1" eventtime=1557773103767393505 msg="File is infec-
ted." action="blocked" service="HTTP" sessionid=359260 srcip=10.1.100.11 dstip=172.16.200.55
srcport=60446 dstport=80 srcintf="port12" srcintfrole="undefined" dstintf="port11" dstint-
frole="undefined" policyid=4 proto=6 direction="incoming" filename="eicar.com" quarskip="File-
was-not-quarantined." virus="EICAR_TEST_FILE" dtype="Virus" ref-
f="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 url-
l="http://172.16.200.55/virus/eicar.com" profile="g-default" agent="curl/7.47.0"
analyticscksum="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" ana-
lyticssubmit="false" crscore=50 craction=2 crlevel="critical"
# Corresponding Traffic Log #
dstintfrole="undefined" srcuuid="48420c8a-5c88-51e9-0424-a37f9e74621e" dstuuid="187d6f46-5c86-
51e9-70a0-fadcfc349c3e" poluuid="3888b41a-5c88-51e9-cb32-1c32c66b4edf" sessionid=359260 pro-
to=6 action="close" policyid=4 policytype="policy" service="HTTP" dstcountry="Reserved"
srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=60446 appid=15893 app-
p="HTTP.BROWSER" appcat="Web.Client" apprisk="medium" applist="g-default" duration=1 sent-
byte=412 rcvdbyte=2286 sentpkt=6 rcvdpkt=6 wanin=313 wanout=92 lanin=92 lanout=92
utmaction="block" countav=1 countapp=1 crscore=50 craction=2 osname="Ubuntu" mas-
tersrcmac="a2:e9:00:ec:40:01" srcmac="a2:e9:00:ec:40:01" srcserver=0 utmref=65497-770
Type and Subtype
Security Logs > Web Filter

Log and report 792

edit "test-webfilter"
set web-content-log enable
set web-filter-activex-log enable
set web-filter-command-block-log enable
set web-filter-cookie-log enable
set web-filter-applet-log enable
set web-filter-jscript-log enable
set web-filter-js-log enable
set web-filter-vbs-log enable
set web-filter-unknown-log enable
set web-filter-referer-log enable
set web-filter-cookie-removal-log enable
set web-url-log enable
set web-invalid-domain-log enable
set web-ftgd-err-log enable
set web-ftgd-quota-usage enable
next
end

edit 1
set name "v4-out"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
set logtraffic utm
set webfilter-profile "test-webfilter"
set nat enable
next
end
Sample log
date=2019-05-13 time=16:29:45 logid="0316013056" type="utm" subtype="webfilter" event-

type="ftgd_blk" level="warning" vd="vdom1" eventtime=1557790184975119738 policyid=1 ses-
sionid=381780 srcip=10.1.100.11 srcport=44258 srcintf="port12" srcintfrole="undefined"
dstip=185.244.31.158 dstport=80 dstintf="port11" dstintfrole="undefined" proto=6 ser-
vice="HTTP" hostname="morrishittu.ddns.net" profile="test-webfilter" action="blocked" req-
type="direct" url="/" sentbyte=84 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied
category in policy" method="domain" cat=26 catdesc="Malicious Websites" crscore=30 crac-
tion=4194304 crlevel="high"
# Corresponding traffic log #
dstintfrole="undefined" srcuuid="ae28f494-5735-51e9-f247-d1d2ce663f4b" dstuuid="ae28f494-5735-
51e9-f247-d1d2ce663f4b" poluuid="ccb269e0-5735-51e9-a218-a397dd08b7eb" sessionid=381780 pro-
to=6 action="close" policyid=1 policytype="policy" service="HTTP" dstcountry="Germany"

Log and report 793
srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=44258 duration=5 sent-

byte=736 rcvdbyte=3138 sentpkt=14 rcvdpkt=5 appcat="unscanned" utmaction="block" countweb=1
crscore=30 craction=4194304 osname="Ubuntu" mastersrcmac="a2:e9:00:ec:40:01" srcmac-
c="a2:e9:00:ec:40:01" srcserver=0 utmref=65497-796
Type and Subtype
Security Logs > DNS Query

edit "dnsfilter_fgd"
config ftgd-dns
end
next
end

edit 1
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
set dnsfilter-profile "dnsfilter_fgd"
set logtraffic utm
set nat enable
next
end
Sample log
date=2019-05-15 time=15:05:49 logid="1501054802" type="utm" subtype="dns" eventtype="dns-

response" level="notice" vd="vdom1" eventtime=1557957949740931155 policyid=1 sessionid=6887
dstport=53 dstintf="port11" dstintfrole="undefined" proto=17 profile="dnsfilter_fgd" srcmac-
c="a2:e9:00:ec:40:41" xid=57945 qname="changelogs.ubuntu.com" qtype="AAAA" qtypeval=28 qclass-
s="IN" ipaddr="2001:67c:1560:8008::11" msg="Domain is monitored" action="pass" cat=52
catdesc="Information Technology"
date=2019-05-15 time=15:05:49 logid="1500054000" type="utm" subtype="dns" eventtype="dns-
query" level="information" vd="vdom1" eventtime=1557957949653103543 policyid=1 sessionid=6887
dstport=53 dstintf="port11" dstintfrole="undefined" proto=17 profile="dnsfilter_fgd" srcmac-
c="a2:e9:00:ec:40:41" xid=57945 qname="changelogs.ubuntu.com" qtype="AAAA" qtypeval=28 qclass-
s="IN"
# Corresponding traffic log #
date=2019-05-15 time=15:08:49 logid="0000000013" type="traffic" subtype="forward"

Log and report 794
level="notice" vd="vdom1" eventtime=1557958129950003945 srcip=10.1.100.22 srcport=50002 srcint-

f="port12" srcintfrole="undefined" dstip=172.16.100.100 dstport=53 dstintf="port11" dstint-
frole="undefined" srcuuid="ae28f494-5735-51e9-f247-d1d2ce663f4b" dstuuid="ae28f494-5735-51e9-
f247-d1d2ce663f4b" poluuid="ccb269e0-5735-51e9-a218-a397dd08b7eb" sessionid=6887 proto=17
action="accept" policyid=1 policytype="policy" service="DNS" dstcountry="Reserved" srccoun-
try="Reserved" trandisp="snat" transip=172.16.200.2 transport=50002 duration=180 sentbyte=67
rcvdbyte=207 sentpkt=1 rcvdpkt=1 appcat="unscanned" utmaction="allow" countdns=1 osname-
e="Linux" mastersrcmac="a2:e9:00:ec:40:41" srcmac="a2:e9:00:ec:40:41" srcserver=0 utm-
ref=65495-306
Type and Subtype
Security Logs > Application Control
# log enabled by default in application profile entry

edit "block-social.media"
set other-application-log enable
config entries
edit 1
set category 2 5 6 23
set log enable
next
end
next
end

edit 1
set name "to_Internet"
set dstintf "port9"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
set logtraffic utm
set application-list "block-social.media"
set nat enable
next
end
Sample log
date=2019-05-15 time=18:03:36 logid="1059028704" type="utm" subtype="app-ctrl" eventtype="app-

ctrl-all" level="information" vd="root" eventtime=1557968615 appid=40568 srcip=10.1.100.22
dstip=195.8.215.136 srcport=50798 dstport=443 srcintf="port10" srcintfrole="lan" dstint-
f="port9" dstintfrole="wan" proto=6 service="HTTPS" direction="outgoing" policyid=1 ses-
sionid=4414 applist="block-social.media" appcat="Web.Client" app="HTTPS.BROWSER" action="pass"

Log and report 795
hostname="www.dailymotion.com" incidentserialno=1962906680 url="/" msg="Web.Client:

HTTPS.BROWSER," apprisk="medium" scertcname="*.dailymotion.com" scertissuer="DigiCert SHA2
High Assurance Server CA"
ctrl-all" level="warning" vd="root" eventtime=1557968615 appid=16072 srcip=10.1.100.22 dstip-
p=195.8.215.136 srcport=50798 dstport=443 srcintf="port10" srcintfrole="lan" dstintf="port9"
dstintfrole="wan" proto=6 service="HTTPS" direction="incoming" policyid=1 sessionid=4414
applist="block-social.media" appcat="Video/Audio" app="Dailymotion" action="block" host-
name="www.dailymotion.com" incidentserialno=1962906682 url="/" msg="Video/Audio: Dailymotion,"
apprisk="elevated"
ctrl-all" level="warning" vd="root" eventtime=1557968615 appid=16072 srcip=10.1.100.22 dstip-
p=195.8.215.136 srcport=50798 dstport=443 srcintf="port10" srcintfrole="lan" dstintf="port9"
dstintfrole="wan" proto=6 service="HTTPS" direction="incoming" policyid=1 sessionid=4414
applist="block-social.media" appcat="Video/Audio" app="Dailymotion" action="block" host-
name="www.dailymotion.com" incidentserialno=1962906681 url="/" msg="Video/Audio: Dailymotion,"
apprisk="elevated"
l="notice" vd="root" eventtime=1557968619 srcip=10.1.100.22 srcport=50798 srcintf="port10"
srcintfrole="lan" dstip=195.8.215.136 dstport=443 dstintf="port9" dstintfrole="wan" poluuid-
d="d8ce7a90-7763-51e9-e2be-741294c96f31" sessionid=4414 proto=6 action="client-rst" policyid=1
policytype="policy" service="HTTPS" dstcountry="France" srccountry="Reserved" trandisp="snat"
transip=172.16.200.10 transport=50798 appid=16072 app="Dailymotion" appcat="Video/Audio"
apprisk="elevated" applist="block-social.media" appact="drop-session" duration=5 sentbyte=1150
rcvdbyte=7039 sentpkt=13 utmaction="block" countapp=3 devtype="Unknown" devcategory="None" mas-
tersrcmac="00:0c:29:51:38:5e" srcmac="00:0c:29:51:38:5e" srcserver=0 utmref=0-330
Type and Subtype
Security Logs > Intrusion Prevention
# log enabled by default in ips sensor
config ips sensor

edit "block-critical-ips"
config entries
edit 1
set severity critical
set status enable
set action block
set log enable
next
end
next
end

edit 1
set dstintf "port9"

Log and report 796
set srcaddr "all"

set dstaddr "all"
set action accept
set service "ALL"
set logtraffic utm
set ips-sensor "block-critical-ips"
set nat enable
next
end
Sample log
date=2019-05-15 time=17:56:41 logid="0419016384" type="utm" subtype="ips" event-

type="signature" level="alert" vd="root" eventtime=1557968201 severity="critical" srcip-
p=10.1.100.22 srccountry="Reserved" dstip=172.16.200.55 srcintf="port10" srcintfrole="lan"
dstintf="port9" dstintfrole="wan" sessionid=4017 action="dropped" proto=6 service="HTTP" poli-
cyid=1 attack="Adobe.Flash.newfunction.Handling.Code.Execution" srcport=46810 dstport=80 host-
name="172.16.200.55" url="/ips/sig1.pdf" direction="incoming" attackid=23305 profile="block-
critical-ips" ref="http://www.fortinet.com/ids/VID23305" incidentserialno=582633933 msg-
g="applications3: Adobe.Flash.newfunction.Handling.Code.Execution," crscore=50 craction=4096
crlevel="critical"
d="d8ce7a90-7763-51e9-e2be-741294c96f31" sessionid=4017 proto=6 action="close" policyid=1 poli-
cytype="policy" service="HTTP" dstcountry="Reserved" srccountry="Reserved" trandisp="snat"
transip=172.16.200.10 transport=46810 duration=89 sentbyte=565 rcvdbyte=9112 sentpkt=9 rcvdp-
kt=8 appcat="unscanned" utmaction="block" countips=1 crscore=50 craction=4096 dev-
type="Unknown" devcategory="None" mastersrcmac="00:0c:29:51:38:5e" srcmac="00:0c:29:51:38:5e"
srcserver=0 utmref=0-302
Type and Subtype
Security Logs > Anomaly
config firewall DoS-policy

edit 1
set srcaddr "all"
set dstaddr "all"
set service "ALL"
config anomaly
edit "icmp_flood"
set status enable
set log enable
set action block
set threshold 50
next
end

Log and report 797
next
end
Sample log
date=2019-05-13 time=17:05:59 logid="0720018433" type="utm" subtype="anomaly" event-

type="anomaly" level="alert" vd="vdom1" eventtime=1557792359461869329 severity="critical"
srcip=10.1.100.11 srccountry="Reserved" dstip=172.16.200.55 srcintf="port12" srcint-
frole="undefined" sessionid=0 action="clear_session" proto=1 service="PING" count=1 attack-
k="icmp_flood" icmpid="0x1474" icmptype="0x08" icmpcode="0x00" attackid=16777316 policyid=1
policytype="DoS-policy" ref="http://www.fortinet.com/ids/VID16777316" msg="anomaly: icmp_
flood, 51 > threshold 50" crscore=50 craction=4096 crlevel="critical"
Type and Subtype
Security Logs > Data Leak Prevention
config dlp sensor

edit "dlp-file-type-test"
set comment ''
set replacemsg-group ''
config filter
edit 1
set name ''
set severity medium
set type file
set proto http-get http-post ftp
set filter-by file-type
set file-type 1
set archive enable
set action block
next
end
set dlp-log enable
next
end

edit 1
set dstintf "port9"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
set logtraffic utm
set dlp-sensor "dlp-file-type-test"
set nat enable

Log and report 798
next
end
Sample log
date=2019-05-15 time=17:45:30 logid="0954024576" type="utm" subtype="dlp" eventtype="dlp"

level="warning" vd="root" eventtime=1557967528 filteridx=1 dlpextra="dlp-file-size11" fil-
tertype="file-type" filtercat="file" severity="medium" policyid=1 sessionid=3423 epoch-
h=1740880646 eventid=0 srcip=10.1.100.22 srcport=50354 srcintf="port10" srcintfrole="lan"
dstip=52.216.177.83 dstport=443 dstintf="port9" dstintfrole="wan" proto=6 service="HTTPS" file-
type="pdf" direction="incoming" action="block" hostname="fortinetweb.s3.amazonaws.com" url-
l="/docs.fortinet.com/v2/attachments/be3d0e3d-4b62-11e9-94bf-00505692583a/FortiOS_6.2.0_Log_
Reference.pdf" agent="Wget/1.17.1" filename="FortiOS_6.2.0_Log_Reference.pdf" filesize=16360
profile="dlp-file-type-test"
d="d8ce7a90-7763-51e9-e2be-741294c96f31" sessionid=3423 proto=6 action="server-rst" policyid=1
policytype="policy" service="HTTPS" dstcountry="United States" srccountry="Reserved" trandis-
p="snat" transip=172.16.200.10 transport=50354 duration=5 sentbyte=2314 rcvdbyte=5266 sen-
tpkt=33 rcvdpkt=12 appcat="unscanned" wanin=43936 wanout=710 lanin=753 lanout=753
utmaction="block" countdlp=1 crscore=5 craction=262144 crlevel="low" devtype="Unknown" devc-
ategory="None" mastersrcmac="00:0c:29:51:38:5e" srcmac="00:0c:29:51:38:5e" srcserver=0 utm-
ref=0-152
Type and Subtype
Security Logs > SSH

Security Logs > SSL
config ssh-filter profile

edit "ssh-deepscan"
set block shell
set log shell
set default-command-log disable
next
end

edit 1
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
set ssh-filter-profile "ssh-deepscan"

Log and report 799
set ssl-ssh-profile "ssl"

set nat enable
next
end
For SSL-Traffic-log, enable logtraffic all

edit 1
set srcintf "dmz"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
set logtraffic all
set nat enable
next
end
For SSL-UTM-log
#EVENTTYPE="SSL-ANOMALIES"
By default, ssl-anomalies-log is enabled.

config firewall ssl-ssh-profile
edit "deep-inspection"
set comment "Read-only deep inspection profile."
set server-cert-mode re-sign
set caname "Fortinet_CA_SSL"
set untrusted-caname "Fortinet_CA_Untrusted"
set ssl-anomalies-log enable
set ssl-exemptions-log disable
set rpc-over-https disable
set mapi-over-https disable
set use-ssl-server disable
next
end
# EVENTTYPE="SSL-EXEMPT"
Need to enable ssl-exemptions-log to generate ssl-utm-exempt log.

config firewall ssl-ssh-profile
edit "deep-inspection"
set comment "Read-only deep inspection profile."
set server-cert-mode re-sign
set caname "Fortinet_CA_SSL"
set untrusted-caname "Fortinet_CA_Untrusted"
set ssl-anomalies-log enable
set ssl-exemptions-log enable
set rpc-over-https disable
set mapi-over-https disable

Log and report 800
set use-ssl-server disable

next
end
Sample log for SSH
date=2019-05-15 time=16:18:17 logid="1601061010" type="utm" subtype="ssh" eventtype="ssh-chan-

nel" level="warning" vd="vdom1" eventtime=1557962296 policyid=1 sessionid=344 profile="ssh-
deepscan" srcip=10.1.100.11 srcport=43580 dstip=172.16.200.44 dstport=22 srcintf="port21"
srcintfrole="undefined" dstintf="port23" dstintfrole="undefined" proto=6 action="blocked" dir-
ection="outgoing" login="root" channeltype="shell"
l="notice" vd="vdom1" eventtime=1557962298 srcip=10.1.100.11 srcport=43580 srcintf="port21"
srcintfrole="undefined" dstip=172.16.200.44 dstport=22 dstintf="port23" dstint-
frole="undefined" poluuid="49871fae-7371-51e9-17b4-43c7ff119195" sessionid=344 proto=6 action-
n="close" policyid=1 policytype="policy" service="SSH" dstcountry="Reserved"
srccountry="Reserved" trandisp="snat" transip=172.16.200.171 transport=43580 duration=8 sent-
byte=3093 rcvdbyte=2973 sentpkt=18 rcvdpkt=16 appcat="unscanned" utmaction="block" countssh=1
utmref=65535-0
Sample log for SSL
For SSL-Traffic-log

l="notice" vd="root" eventtime=1558026506763925658 srcip=10.1.100.66 srcport=38572 srcint-
f="dmz" srcintfrole="dmz" dstip=104.154.89.105 dstport=443 dstintf="wan1" dstintfrole="wan"
poluuid="a17c0a38-75c6-51e9-4c0d-d547347b63e5" sessionid=100 proto=6 action="server-rst" poli-
cyid=1 policytype="policy" service="HTTPS" dstcountry="United States" srccountry="Reserved"
trandisp="snat" transip=172.16.200.11 transport=38572 duration=5 sentbyte=930 rcvdbyte=6832
sentpkt=11 rcvdpkt=19 appcat="unscanned" wanin=1779 wanout=350 lanin=754 lanout=754 utmac-
tion="block" countssl=1 crscore=5 craction=262144 crlevel="low" utmref=65467-0
For SSL-UTM-log
#EVENTTYPE="SSL-ANOMALIES"
date=2019-03-28 time=10:44:53 logid="1700062002" type="utm" subtype="ssl" eventtype="ssl-anom-

alies" level="warning" vd="vdom1" eventtime=1553795092 policyid=1 sessionid=10796 ser-
vice="HTTPS" srcip=10.1.100.66 srcport=43602 dstip=104.154.89.105 dstport=443 srcintf="port2"
srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 action="blocked" msg-
g="Server certificate blocked" reason="block-cert-invalid"
g="Server certificate blocked" reason="block-cert-untrusted"
g="Server certificate blocked" reason="block-cert-req"

Log and report 801

vice="SMTPS" profile="block-unsupported-ssl" srcip=10.1.100.66 srcport=41296
dstip=172.16.200.99 dstport=8080 srcintf="port2" srcintfrole="undefined" dstintf=unknown-0
dstintfrole="undefined" proto=6 action="blocked" msg="Connection is blocked due to unsupported
SSL traffic" reason="malformed input"
g="Server certificate blocked" reason="block-cert-sni-mismatch"
g="Certificate blacklisted" certhash="1115ec1857ed7f937301ff5e02f6b0681cf2ec4e" reason="Other"
# EVENTTYPE="SSL-EXEMPT"
date=2019-03-28 time=11:06:05 logid="1701062003" type="utm" subtype="ssl" eventtype="ssl-

exempt" level="notice" vd="vdom1" eventtime=1553796363 policyid=1 sessionid=11871 ser-
srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 action="exempt" msg-
g="SSL connection exempted" reason="exempt-whitelist"
g="SSL connection exempted" reason="exempt-addr"
g="SSL connection exempted" reason="exempt-ftgd-cat"
Type and Subtype
Security Logs > CIFS
config cifs profile

edit "cifs"
set server-credential-type none
config file-filter
set status enable
set log enable
config entries
edit "1"
set comment ''
set action block
set direction any
set file-type "msoffice"
next

Log and report 802
end
end
next
end

edit 1
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
set cifs-profile "cifs"
set ssl-ssh-profile "ssl"
set nat enable
next
end
Sample log
date=2019-05-15 time=16:28:17 logid="1800063000" type="utm" subtype="cifs" eventtype="cifs-

filefilter" level="warning" vd="vdom1" eventtime=1557962895 msg="File was blocked by file fil-
ter." direction="incoming" action="blocked" service="CIFS" srcip=10.1.100.11 dstip-
p=172.16.200.44 srcport=56348 dstport=445 srcintf="port21" srcintfrole="undefined"
dstintf="port23" dstintfrole="undefined" policyid=1 proto=16 profile="cifs" filesize="13824"
filename="sample\\test.xls" filtername="1" filetype="msoffice"
Troubleshooting
The following topics provide information about troubleshooting logging and reporting:
l Log-related diagnose commands on page 802
l Back up log files or dump log messages on page 808
Log-related diagnose commands
This topic shows commonly used examples of log-related diagnose commands.

Use the following diagnose commands to identify log issues:
l The following commands enable debugging log daemon (miglogd) at the proper debug level:
diagnose debug application miglogd x

Log and report 803
l The following commands display different status/stats of miglogd at the proper level:
diagnose test application miglogd x
To get the list of available levels, press Enter after diagnose test/debug application miglogd. The
following are some examples of commonly use levels.
If the debug log display does not return correct entries when log filter is set:
diagnose debug application miglogd 0x1000
For example, use the following command to display all login system event log:
exe log filter device disk
exe log filter category event
exe log filter field action login
exe log display
Files to be searched:
file_no=65523, start line=0, end_line=237
session ID=1, total logs=3697
back ground search. process ID=26240, session_id=1
start line=1 view line=10
( action "login" )
ID=1, total=3697, checked=238, found=5
You can check and/or debug FortiGate to FortiAnalyzer connection status.
To show connect status with detailed information:
diagnose test application miglogd 1
faz: global , enabled

vdom1_172.18.64.234, reliable=0, sni_prefix_type=none, required_entitlement=none
status: ver=6, used_disk=0, total_disk=0, global=0, vfid=0 conn_verified=Y
Sn list:
(FL-8HFT718900132,age=107s)
queue: qlen=0.

Log and report 804

voip dns ssh ssl cifs
subcategory:
anomaly: anomaly

oftp-state=5
To collect debug information when FortiAnalyzer is enabled:
diagnose debug application miglogd 0x100
FGT-B-LOG (global) # <16208> miglog_start_rmt_conn()-1552: setting epoll_hd:0x7fc364e125e0 to

_rmt_connect
<16209> miglog_start_rmt_conn()-1552: setting epoll_hd:0x7f72647715e0 to _rmt_connect
<16206> miglog_start_rmt_conn()-1552: setting epoll_hd:0x141f69e0 to _rmt_connect
<16209> _rmt_connect()-1433: oftp is ready.
<16209> _rmt_connect()-1435: xfer_status changed from 2 to 2 for global-faz
<16209> _rmt_connect()-1439: setting epoll_hd:0x7f72647715e0 to _rmt_recv
<16209> _check_oftp_certificate()-248: checking sn:FL-8HFT718900132 vs cert sn:FL-
8HFT718900132
<16209> _check_oftp_certificate()-252: Verified the certificate of peer (172.18.64.234) to
match sn=FL-8HFT718900132
<16209> _faz_post_connection()-292: Certificate verification:enabled, Faz verified:1
<16209> _send_queue_item()-518: xfer_status changed from 2 to 1 for global-faz
<16209> _send_queue_item()-523: type=0, cat=0, logcount=0, len=0
<16209> _oftp_send()-487: dev=global-faz type=17 pkt_len=34
<16209> _oftp_send()-487: opt=253, opt_len=10

<16208> _rmt_connect()-1439: setting epoll_hd:0x7fc364e125e0 to _rmt_recv
8HFT718900132

<16209> _oftp_recv()-1348: opt=252, opt_len=996
<16209> _process_response()-960: checking opt code=252
<16209> _faz_process_oftp_resp()-488: ha nmember:1 nvcluster:0 mode:1
<16209> __is_sn_known()-356: MATCHED: idx:0 sn:FL-8HFT718900132
<16209> _faz_process_oftp_resp()-494: Received SN:FL-8HFT718900132 should update:0
<16208> _oftp_recv()-1348: dev=global-faz type=252 pkt_len=1008


Log and report 805


<16206> _rmt_connect()-1439: setting epoll_hd:0x141f69e0 to _rmt_recv
8HFT718900132



......
<16209> _build_ack()-784: xfer_status changed from 1 to 2 for global-faz
......




......

Log and report 806

......
......


<16206> _add_change_notice_queue_item()-269: Change notice packect added to queue. len=145
......
......


To check FortiGate to FortiGateCloud log server connection status:
FGT-B-LOG# diagnose test application miglogd 20

Home log server:
Address: 172.16.95.92:514
Alternative log server:
Address: 172.16.95.26:514
oftp status: established
Debug zone info:
Server IP: 172.16.95.92
Server port: 514
Server status: up
Log quota: 102400MB
Log used: 673MB
Daily volume: 20480MB
FDS arch pause: 0
fams archive pause: 0
To check real-time log statistics by log type since miglogd daemon start:
FGT-B-LOG (global) # diagnose test application miglogd 4

info for vdom: root
disk
event: logs=1238 len=262534, Sun=246 Mon=247 Tue=197 Wed=0 Thu=55 Fri=246 Sat=247

Log and report 807
compressed=163038
dns: logs=4 len=1734, Sun=0 Mon=0 Tue=0 Wed=0 Thu=4 Fri=0 Sat=0 compressed=453
report
faz
event: logs=6 len=1548, Sun=0 Mon=0 Tue=6 Wed=0 Thu=0 Fri=0 Sat=0 compressed=5446
info for vdom: vdom1

memory
traffic: logs=462 len=389648, Sun=93 Mon=88 Tue=77 Wed=0 Thu=13 Fri=116 Sat=75
app-ctrl: logs=16 len=9613, Sun=3 Mon=3 Tue=3 Wed=0 Thu=0 Fri=5 Sat=2
dns: logs=71 len=29833, Sun=0 Mon=0 Tue=0 Wed=0 Thu=71 Fri=0 Sat=0
disk
traffic: logs=462 len=389648, Sun=93 Mon=88 Tue=77 Wed=0 Thu=13 Fri=116 Sat=75 com-
pressed=134638
compressed=244606
app-ctrl: logs=16 len=9613, Sun=3 Mon=3 Tue=3 Wed=0 Thu=0 Fri=5 Sat=2 compressed=3966
report
traffic: logs=462 len=375326, Sun=93 Mon=88 Tue=77 Wed=0 Thu=13 Fri=116 Sat=75
app-ctrl: logs=16 len=9117, Sun=3 Mon=3 Tue=3 Wed=0 Thu=0 Fri=5 Sat=2
faz
traffic: logs=462 len=411362, Sun=93 Mon=88 Tue=77 Wed=0 Thu=13 Fri=116 Sat=75 com-
pressed=307610
compressed=816636
app-ctrl: logs=16 len=10365, Sun=3 Mon=3 Tue=3 Wed=0 Thu=0 Fri=5 Sat=2 compressed=8193
To check log statistics to local/remote log device since the miglogd daemon start:
diagnose test app miglogd 6 1 <<< 1 means the first child daemon

diagnose test app miglogd 6 2 <<< 2 means the second child daemon
FGT-B-LOG (global) # diagnose test application miglogd 6 1
mem=4288, disk=4070, alert=0, alarm=0, sys=5513, faz=4307, webt=0, fds=0
interface-missed=208
Queues in all miglogds: cur:0 total-so-far:36974
global log dev statistics:
syslog 0: sent=6585, failed=152, relayed=0
faz 0: sent=13, failed=0, cached=0, dropped=0 , relayed=0
To check miglogd daemon number and increase/decrease miglogd daemon:
diagnose test app miglogd 15 <<< Show miglog ID

diagnose test app miglogd 13 <<< Increase one miglogd child
diagnose test app miglogd 14 <<< Decrease one miglogd child

Log and report 808

Main miglogd: ID=0, children=2, active-children=2
ID=1, duration=70465.

ID=3, duration=1.
Back up log files or dump log messages
When a log issue is caused by a particular log message, it is very help to get logs from that FortiGate. This topic
provides steps for using exe log backup or dump log messages to USB.
Back up full logs using exe log backup
This command backs up all disk log files and is only available on FortiGates with SSD disk.
Before running exec log backup, we recommend temporarily stopping miglogd and reportd.
To stop and kill miglogd and reportd:
diagnose sys process daemon-auto-restart disable miglogd

diagnose sys process daemon-auto-restart disable reportd
fnsysctl killall miglogd

fnsysctl killall reportd
To store the log file on USB drive:
1. Plug in a USB drive into the FortiGate.

2. Run this command:
exec log backup /usb/log.tar
To restart miglogd and reportd:
diagnose sys process daemon-auto-restart enable miglogd

diagnose sys process daemon-auto-restart enable reportd

Log and report 809
Dump log messages
To dump log messages:
1. Enable log dumping for miglogd daemon.

miglogd(1) log dumping is enabled
2. Display all miglogd dumping status.

FGT-B-LOG (global) # diagnose test application miglogd 26 0 255
miglogd(0) log dumping is disabled


3. Let FortiGate run and collect log messages.

4. List log dump files.
2019-04-17 15:50:02 20828 log-1-0.dat
2019-04-17 15:48:31 4892 log-2-0.dat
5. Back up log dump files to USB disk.

Dumping file miglog1_index0.dat copied to USB disk OK.
Dumping file miglog2_index0.dat copied to USB disk OK.
6. Disable log dumping for miglogd daemon





VoIP solutions
General use cases
There are three scenarios in which the FortiOS SIP solution are usually deployed:
1. The SIP server is in a private network, protected from the internet by a FortiOS device.
2. The SIP clients are in a private network, protected from the internet by a FortiOS device.
3. The SIP server is in a private network, such as a corporation's internal network or an ISP’s network, protected from
the Internet by a FortiOS device. The SIP clients are in a remote private network, such as a SOHO network, and
behind a NAT device that is not aware of SIP applications.
The following VIP, NAT, and HNT examples show configurations for each of the three common scenarios.
VIP
A FortiGate with SIP Application Layer Gateway (ALG) or SIP Session Helper protects the SIP server from the internet,
while SIP phones from the internet need to register to the SIP server and establish calls through it.
A VIP needs to be configured for the SIP server, and the VIP must be applied in a firewall policy for the phones to send
REGISTER messages through the FortiGate from port1 to port2.
Only one firewall policy needs to be configured for all SIP phones on both the internet and private network to register to
the SIP server through Port1 and set up SIP calls.
Assuming either SIP ALG or SIP Session Helper is enabled, configure the FortiGate with the following CLI commands:
config firewall vip
edit "VIP_for_SIP_Server"
set extip 172.20.120.50
set extintf "port1"
set mappedip "10.11.101.50"
next
end
edit 1
set srcintf "port1"

VoIP solutions 811
set dstintf "port2"

set srcaddr "all"
set dstaddr "VIP_for_SIP_Server"
set action accept
set service "SIP"
next
end
Setting service to SIP and not All in the firewall policy can improve protection by
restricting the data traffic passing through the FortiGate to the SIP call traffic only.
NAT
A FortiGate with SIP ALG or SIP Session Helper protects the SIP phones and the internal network from the internet,
while SIP phones in the internal network need to register to the SIP server installed on the internet and establish calls
through it.
One firewall policy needs to be configured with NAT enabled for SIP phones to send REGISTER messages through the
FortiGate from port2 to port1.
Assuming either SIP ALG or SIP Session Helper is enabled, configure the FortiGate with the following CLI commands:
edit 1
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "SIP"
set nat enable
next
end

VoIP solutions 812
HNT
A FortiGate with SIP ALG or SIP Session Helper protects the SIP server from the internet, while SIP phones are in
remote private networks behind NAT devices that are not aware of the SIP application.
For example, the SIP server is located in an ISP's service cloud that is protected by the FortiGate SIP ALG, and the
SIP phones are installed in the home networks of the ISP's customers.
The SIP messages traversing the remote NAT devices might have their IP addresses translated by the NAT device at
the network layer, but untranslated at the SIP application layer because those NAT devices are not aware of the
SIP applications. This causes problems in a SIP session initiated process. Special configurations for the Hosted NAT
Traversal (HNT) are required to resolve this issue.
To configure the FortiGate with HNT support for SIP phones A and B to set up calls with each other:
1. Identify port1 as the external interface:

edit "port1"
set external enable
next
end
2. Configure VIP for the SIP server:

config firewall vip
edit "VIP_for_SIP_Server"
set extip 10.21.101.10
set extintf "port1"
set mappedip "10.30.120.20"

VoIP solutions 813
next
end
3. Configure a VoIP profile with HNT enabled:

config voip profile
edit "hnt"
config sip
set hosted-nat-traversal enable
set hnt-restrict-source-ip enable
end
next
end
hosted-nat-traversal must be enabled.

hnt-restrict-source-ip does not have to be enabled, but can be enabled to
restrict the RTP packets’ source IP to be the same as the SIP packets’ source IP.
4. Apply the VoIP profile and VIP in a firewall policy for phone A and B to register and set up SIP calls through the
FortiGate and SIP server:
edit 1
set srcintf "port1"
set dstintf "port2"
set srcaddr "all"
set dstaddr "VIP_for_SIP_Server"
set action accept
set service "SIP"
set voip-profile “hnt”
set nat enable
next
end
nat must be enabled in the firewall policy.
SIP message inspection and filtering
SIP ALG provides users with security features to inspect and control SIP messages that are transported through FortiOS
devices, including:
l Verifying the SIP message syntax.
l Blocking particular types of SIP requests.
l Restricting the rate of particular SIP requests.
These features are configured in the VoIP profile:

VoIP solutions 814
config voip profile

edit <voip_profile_name>
config sip set ...
The VoIP profile can then be applied to a firewall policy to process the SIP call traffic.
SIP message syntax inspection
For syntax verification, the following attributes are available for configuration in the VoIP profile to determine what
action is taken when a specific syntax error or attack based on invalid syntax is detected. For example, the action can be
set to pass or discard it.
malformed-request-line
malformed-header-via
malformed-header-from
malformed-header-to
malformed-header-call-id
malformed-header-cseq
malformed-header-rack
malformed-header-rseq
malformed-header-contact
malformed-header-record-route
malformed-header-route
malformed-header-expires
malformed-header-content-type
malformed-header-content-length
malformed-header-max-forwards
malformed-header-allow
malformed-header-p-asserted-identity
malformed-header-sdp-v
malformed-header-sdp-o
malformed-header-sdp-s
malformed-header-sdp-i
malformed-header-sdp-c
malformed-header-sdp-b
malformed-header-sdp-z
malformed-header-sdp-k
malformed-header-sdp-a
malformed-header-sdp-t
malformed-header-sdp-r
malformed-header-sdp-m
SIP message blocking
The following options are available in the VoIP profile to block SIP messages:
block-long-lines
block-unknown
block-ack
block-bye
block-cancel
block-info
block-invite
block-message

VoIP solutions 815
block-notify
block-options
block-prack
block-publish
block-refer
block-register
block-subscribe
block-update
block-geo-red-options
SIP message rate limiting
The rate of certain types of SIP requests that are passing through the SIP ALG can be restricted :
register-rate
invite-rate
subscribe-rate
message-rate
notify-rate
refer-rate
update-rate
options-rate
ack-rate
prack-rate
info-rate
publish-rate
bye-rate
cancel-rate
SIP pinholes
When SIP ALG processes a SIP call, it usually opens pinholes for SIP signaling and RTP/RTCP packets. NAT usually
takes place during the process at both the network and SIP application layers. SIP ALG ensures that, with NAT
happening, corresponding SIP and RTP/RTCP pinholes are created during the process when it is necessary for call
sessions to be established through FortiOS devices.
By default, SIP ALG manages pinholes automatically, but some special configurations can be used to restrict the
pinholes if required.
SIP pinhole restriction
By default, the strict-register attribute is enabled. When enabled, after a SIP endpoint registers to the SIP server
through a firewall policy on the FortiOS device, only the SIP messages sent from the same IP address as the SIP server
are allowed to pass through the SIP pinhole that is created in the FortiOS device to reach the SIP endpoints. If the
attribute is disabled, SIP messages from any IP addresses can pass through the pinhole created after the registration.
config voip profile
edit "voip-profile-name"
config sip
set strict-register [enable|disable]

VoIP solutions 816
...
end
next
end
RTP/RTCP pinhole restriction
In a SIP call through SIP ALG, the NATed RTP/RTCP port range is 5117 to 65533 by default. If required, the port range
can be restricted.
config voip profile
config sip
set nat-port-range <start_port_number>-<end_port_number>
...
end
next
end
In a SIP call session, the RTP port number is usually an even number and the RTCP port number is an odd number that
is one more than the RTP port number. It is best practice to configure start_port_number to an even number, and
end_port_number to an odd number, for example:
config voip profile
conf sip
set nat-port-range 30000-39999
end
next
end
SIP over TLS
Some SIP phones and servers can communicate using TLS to encrypt the SIP signaling traffic. To allow SIP over TLS
calls to pass through the FortiGate, the encrypted signaling traffic must be unencrypted and inspected. The FortiGate
SIP ALG intercepts, unencrypts , and inspects the SIP packets, which are then re-encrypted and forwarded to their
destination.
The SIP ALG only supports full mode TLS. This means that the SIP traffic between SIP phones and the FortiGate, and
between the FortiGate and the SIP server, is always encrypted. The highest TLS version supported by SIP ALG is TLS
1.2.
To enable SIP over TLS support, the SSL mode in the VoIP profile must be set to full. The SSL server and client
certificates can be provisioned so that the FortiGate can use them to establish connections to SIP phones and servers,
respectively.

VoIP solutions 817
To configure SIP over TLS:
1. Configure a VoIP profile with SSL enabled:

config voip profile
edit "tls"
config sip
set ssl-mode full
set ssl-client-certificate "ssl_client_cert"
set ssl-server-certificate "ssl_server_cert"
end
next
end
The ssl_server_cert, ssl_client_cert, and key files can be generated using a certification tool, such as
OpenSLL, and imported to the local certificate store of the FortiGate from System > Certificates in the GUI.
Existing local certificates in the certificate store can also be used. As always for TLS connections, the certificates
used must be verified and trusted at the other end of the connection when required.
For example, the CA certificate of the SIP server's certificate should be imported to the FortiGate as an external CA
certification, such that the FortiGate can use it to verify the SIP server's certificate when setting up the TLS
connection. The CA certificate configured as the ssl_server_cert should be installed as the trusted certificate
on the SIP phones. The deployment of the certificates across the network depends on the SIP client and server
devices that are used in the system.
2. Apply the profile to the firewall policy:
edit 1
set srcintf "port1"
set dstintf "port2"
set srcaddr "all"
set dstaddr "vip_sip_server"
set action accept
set service "SIP"
set voip-profile "tls"
next
end

Explicit and transparent proxies
This section contains instructions for configuring explicit and transparent proxies.
l Explicit web proxy on page 818
l Transparent proxy on page 821
l FTP proxy on page 824
l Proxy policy addresses on page 826
l Proxy policy security profiles on page 834
l Explicit proxy authentication on page 840
Explicit web proxy
Explicit web proxy can be configured on FortiGate for proxying HTTP and HTTPS traffic.
To deploy explicit proxy, individual client browsers can be manually configured to send requests directly to the proxy, or
they can be configured to download proxy configuration instructions from a Proxy Auto-Configuration (PAC) file.
Once explicit proxy is configured on an interface, the interface IP address can be used by client browsers to forward
requests directly to the FortiGate. FortiGate also supports PAC file configuration
To configure explicit web proxy in the GUI:
1. Enable and configure explicit web proxy:

a. Go to Network > Explicit Proxy.
b. Enable Explicit Web Proxy.
c. Select port2 as the Listen on Interfaces and set the HTTP Port to 8080.

d. Configure the remaining settings as needed.
e. Click Apply.
2. Create an explicit web proxy policy:
a. Go to Policy & Objects > Proxy Policy.
c. Set Proxy Type to Explicit Web and Outgoing Interface to port1.

d. Also set Source and Destination to all, Schedule to always, Service to webproxy, and Action to ACCEPT.
e. Click OK to create the policy.
This example creates a basic policy. If required, security profiles can be enabled, and
deep SSL inspection can be selected to inspect HTTPS traffic.
3. Configure a client to use the FortiGate explicit proxy:

Set the FortiGate IP address as the proxy IP address in the browser, or use an automatic configuration script for the
PAC file.
To configure explicit web proxy in the CLI:
1. Enable and configure explicit web proxy:

config web-proxy explicit
set status enable
set ftp-over-http enable
set socks enable
set http-incoming-port 8080
set ipv6-status enable
set unknown-http-version best-effort
end

edit "port2"
set vdom "vdom1"
set ip 10.1.100.1 255.255.255.0
set type physical
set explicit-web-proxy enable
set snmp-index 12
end
next
end
2. Create an explicit web proxy policy:

config firewall proxy-policy
edit 1
set uuid 722b6130-13aa-51e9-195b-c4196568d667
set proxy explicit-web
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set service "webproxy"
set action accept
set logtraffic all
next
end
3. Configure a client to use the FortiGate explicit web proxy:

Set the FortiGate IP address as the proxy IP address in the browser, or use an automatic configuration script for the
PAC file.
Transparent proxy
In a transparent proxy deployment, the user's client software, such as a browser, is unaware that it is communicating
with a proxy.
Users request Internet content as usual, without any special client configuration, and the proxy serves their requests.
FortiGate also allows user to configure in transparent proxy mode.
To configure transparent proxy in the GUI:
1. Configure a regular firewall policy with HTTP redirect:

c. Name the policy appropriately, set the Incoming Interface to port2, and set the Outgoing Interface to port1.
d. Also set Source and Destination to all, Schedule to always, Service to ALL, and Action to ACCEPT.

e. Set Inspection Mode to Proxy-based and SSL Inspection to deep-inspection.
f. Configure the remaining settings as needed.

g. Click OK.
HTTP redirect can only be configured in the CLI. To redirect HTTPS traffic, deep
inspection is required.
2. Configure a transparent proxy policy:

c. Set Proxy Type to Transparent Web, set the Incoming Interface to port2, and set the Outgoing Interface to
port1.
d. Also set Source and Destination to all, Scheduleto always, Service to webproxy, and Action to ACCEPT.

e. Configure the remaining settings as needed.

f. Click OK to create the policy.
3. No special configure is required on the client to use FortiGate transparent proxy. As the client is using the FortiGate
as its default gateway, requests will first hit the regular firewall policy, and then be redirected to the transparent
proxy policy.
To configure transparent proxy in the CLI:
1. Configure a regular firewall policy with HTTP redirect:

edit 1
set name "1"
set uuid c5c30442-54be-51e9-c17c-4513b1c973c0
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
set http-policy-redirect enable
set fsso disable
set nat enable
next
end
2. Configure a transparent proxy policy:

edit 5
set uuid 8fb05036-56fc-51e9-76a1-86f757d3d8dc
set proxy transparent-web
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
next
end

3. No special configure is required on the client to use FortiGate transparent proxy. As the client is using the FortiGate
as its default gateway, requests will first hit the regular firewall policy, and then be redirected to the transparent
proxy policy.
FTP proxy
FTP proxies can be configured on the FortiGate so that FTP traffic can be proxied. When the FortiGate is configured as
an FTP proxy, FTP client applications should be configured to send FTP requests to the FortiGate.
To configure explicit FTP proxy in the GUI:
1. Enable and configure explicit FTP proxy:

a. Go to Network > Explicit Proxy.
b. Enable Explicit FTP Proxy.
c. Select port2 as the Listen on Interfaces and set the HTTP Port to 21.
d. Configure the Default Firewall Policy Action as needed.
e. Click Apply.
2. Create an explicit FTP proxy policy:
c. Set Proxy Type to FTP and Outgoing Interface to port1.

d. Also set Source and Destination to all, Schedule to always, and Action to ACCEPT.
e. Click OK to create the policy.
This example creates a basic policy. If required, security profiles can be enabled.
3. Configure the FTP client application to use the FortiGate IP address.
To configure explicit FTP proxy in the CLI:
1. Enable and configure explicit FTP proxy:

config ftp-proxy explicit
set status enable
set incoming-port 21
end
edit "port2"
set vdom "vdom1"
set ip 10.1.100.1 255.255.255.0
set type physical
set explicit-ftp-proxy enable
set snmp-index 12
end
next
end

2. Create an explicit FTP proxy policy:

edit 4
set uuid 2e945a3a-565d-51e9-4fac-5215d287adc0
set proxy ftp
set dstintf "port2"
set srcaddr "all"
set dstaddr "all"
set action accept
next
end
This example creates a basic policy. If required, security profiles can be enabled.
3. Configure the FTP client application to use the FortiGate IP address.
Proxy policy addresses
Proxy addresses are designed to be used only by proxy policies. The following address types are available:
l Host regex match on page 827
l URL pattern on page 827
l URL category on page 828
l HTTP method on page 829
l HTTP header on page 830
l User agent on page 831
l Advanced (source) on page 832
l Advanced (destination) on page 833
Fast policy match
The fast policy match function improves the performance of IPv4 explicit and transparent web proxies on FortiGate
devices.
When enabled, after the proxy policies are configured, the FortiGate builds a fast searching table based on the different
proxy policy matching criteria. When fast policy matching is disabled, web proxy traffic is compared to the policies one at
a time from the beginning of the policy list.
Fast policy matching is enabled by default, and can be configured with the following CLI command:
config web-proxy global
set fast-policy-match {enable | disable}
end

Host regex match
In this address type, a user can create a hostname as a regular expression. Once created, the hostname address can be
selected on the destination tab of an explicit proxy policy. This means that a policy will only allow or block requests that
match the regular expression.
This example creates a host regex match address with the pattern qa.[a-z]*.com.
To create a host regex match address in the GUI:

3. Set the following:
l Category to Proxy Address,
l Name to Host Regex,
l Type to Host Regex Match, and
l Host Regex Pattern to qa.[a-z]*.com.
4. Click OK.
To create a host regex match address in the CLI:
config firewall proxy-address

edit "Host Regex"
set uuid 8e374390-57c9-51e9-9353-ee4469629df8
set type host-regex
set host-regex "qa.[a-z]*.com"
next
end
URL pattern
In this address type, a user can create a URL path as a regular expression. Once created, the path address can be
selected in the destination tab of an explicit proxy policy. This means that a policy will only allow or block requests that
match the regular expression.
This example creates a URL pattern address with the pattern /filetypes/.

To create a URL pattern address in the GUI:

l Name to URL Regex,
l Type to URL Pattern,
l Host to all, and
l URL Path Regex to /filetypes/.
4. Click OK.
To create a URL pattern address in the CLI:

edit "URL Regex"
set uuid 267dc8e4-57cb-51e9-0cfe-27877bff51d3
set type url
set host "all"
set path "/filetypes/"
next
end
URL category
In this address type, a user can create a URL category based on a FortiGuard URL ID. Once created, the address can
be selected in the destination tab of an explicit proxy policy. This means that a policy will only allow or block requests
that match the URL category.
The example creates a URL category address for URLs in the Education category. For more information about
categories, see https://fortiguard.com/webfilter/categories .
To create a URL category address in the GUI:



l Name to url-category,
l Type to URL Category,
l Host to all, and
l URL Category to Education.
4. Click OK.
To create a URL category address in the CLI:

edit "url-category"
set uuid 7a5465d2-57cf-51e9-49fd-0c6b5ad2ff4f
set type category
set host "all"
set category 30
next
end
To see a list of all the categories and their numbers, when editing the address, enter set category ?.
HTTP method
In this address type, a user can create an address based on the HTTP request methods that are used. Multiple method
options are supported, including: CONNECT, DELETE, GET, HEAD , OPTIONS, POST, PUT, and TRACE. Once
created, the address can be selected in the source tab of an explicit proxy policy. This means that a policy will only allow
or block requests that match the selected HTTP method.
The example creates a HTTP method address that uses the GET method.
To create a HTTP method address in the GUI:

l Name to method_get,

l Type to HTTP Method,

l Host to all, and
l Request Method to GET.
4. Click OK.
To create a HTTP method address in the CLI:

edit "method_get"
set uuid 1e4d1a02-57d6-51e9-a5c4-73387925b7de
set type method
set host "all"
set method get
next
end
HTTP header
In this address type, a user can create a HTTP header as a regular expression. Once created, the header address can
be selected in the source tab of an explicit proxy policy. This means that a policy will only allow or block requests where
the HTTP header matches the regular expression.
This example creates a HTTP header address with the pattern Q[A-B].
To create a HTTP header address in the GUI:

l Name to HTTP-header,
l Type to HTTP Header,
l Host to all,
l Header Name to Header_Test, and
l Header Regex to Q[A-B].

4. Click OK.
To create a HTTP header address in the CLI:

edit "method_get"
set uuid a0f1b806-57e9-51e9-b214-7a1cfafa9bb3
set type header
set host "all"
set header-name "Header_Test"
set header "Q[A-B]"
next
end
User agent
In this address type, a user can create an address based on the names of the browsers that are used as user agents.
Multiple browsers are supported, such as Chrome, Firefox, Internet Explorer, and others. Once created, the address can
be selected in the destination tab of an explicit proxy policy. This means that a policy will only allow or block requests
from the specified user agent.
This example creates a user agent address for Google Chrome.
To create a user agent address in the GUI:

l Name to UA-Chrome,
l Type to User Agent,
l Host to all, and
l User Agent to Google Chrome.

4. Click OK.
To create a user agent address in the CLI:

edit "UA-Chrome"
set uuid e3550196-57d8-51e9-eed0-115095a7920b
set type ua
set host "all"
set ua chrome
next
end
Advanced (source)
In this address type, a user can create an address based on multiple parameters, including HTTP method, User Agent,
and HTTP header. Once created, the address can be selected in the source tab of an explicit proxy policy. This means
that a policy will only allow or block requests that match the selected address.
This example creates an address that uses the get method, a user agent for Google Chrome, and an HTTP header with
the pattern Q[A-B].
To create an advanced (source) address in the GUI:

l Name to advanced_src,
l Type to Advanced (Source),
l Host to all,
l Request Method to GET,
l User Agent to Google Chrome, and
l HTTP header to Header_Test : Q[A-B].

4. Click OK.
To create an advanced (source) address in the CLI:

edit "advance_src"
set uuid fb9991d0-57e3-51e9-9fed-855e0bca16c3
set type src-advanced
set host "all"
set method get
set ua chrome
config header-group
edit 1
set header-name "Header_Test"
set header "Q[A-B]"
next
end
next
end
Advanced (destination)
In this address type, a user can create an address based on URL pattern and URL category parameters. Once created,
the address can be selected in the destination tab of an explicit proxy policy. This means that a policy will only allow or
block requests that match the selected address.
This example creates an address with the URL pattern /about that are in the Education category. For more information
about categories, see https://fortiguard.com/webfilter/categories .
To create an advanced (destination) address in the GUI:



l Name to Advanced-dst,
l Type to Advanced (Destination),
l Host to all,
l URL Path Regex to /about, and
l URL Category to Education.
4. Click OK.
To create an advanced (destination) address in the CLI:

edit "Advanced-dst"
set uuid d9c2a0d6-57e5-51e9-8c92-6aa8b3372198
set type dst-advanced
set host "ubc"
set path "/about"
set category 30
next
end
Proxy policy security profiles
Web proxy policies support most security profile types.
Security profiles must be created before they can be used in a policy, see Security Profiles on
page 322 for information.
Explicit web proxy policy
The security profiles supported by explicit web proxy policies are:

l AntiVirus,
l Web Filter,
l Application Control,
l IPS,
l DLP Sensor,
l ICAP,
l Web Application Firewall, and
l SSL Inspection.
To configure security profiles on an explicit web proxy policy in the GUI:
1. Go to Policy & Objects > Proxy Policy.

Proxy Type Explicit Web
Source all
Destination all
Schedule always
Service webproxy
Action ACCEPT
4. In the Firewall / Network Options section, set Protocol Options to default.

5. In the Security Profiles section, make the following selections (for this example, these profiles have all already
been created):
AntiVirus av
Web Filter urlfiler
Application Control app
IPS Sensor-1
DLP Sensor dlp
ICAP default
Web Application Firewall default
SSL Inspection deep-inspection

6. Click OK to create the policy.
To configure security profiles on an explicit web proxy policy in the CLI:

edit 1
set uuid c8a71a2c-54be-51e9-fa7a-858f83139c70
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set service "web"
set action accept
set av-profile "av"
set webfilter-profile "urlfilter"
set dlp-sensor "dlp"
set ips-sensor "sensor-1"
set application-list "app"
set icap-profile "default"
set waf-profile "default"
next
end

Transparent proxy

l AntiVirus,
l Web Filter,
l IPS,
l DLP Sensor,
l ICAP,
l Web Application Firewall, and
l SSL Inspection.
To configure security profiles on a transparent proxy policy in the GUI:

Proxy Type Explicit Web
Incoming Interfae port2
Source all
Destination all
Schedule always
Service webproxy
Action ACCEPT

been created):
AntiVirus av
Web Filter urlfiler
IPS Sensor-1
DLP Sensor dlp
ICAP default
Web Application Firewall default
SSL Inspection deep-inspection

To configure security profiles on a transparent proxy policy in the CLI:

edit 2
set uuid 8fb05036-56fc-51e9-76a1-86f757d3d8dc
set proxy transparent-web
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set av-profile "av"
set webfilter-profile "urlfilter"
set icap-profile "default"
set waf-profile "default"

next
end
FTP proxy

l AntiVirus,
l IPS, and
l DLP Sensor.
To configure security profiles on an FTP proxy policy in the GUI:

Proxy Type FTP
Source all
Destination all
Schedule always
Action ACCEPT

been created):
AntiVirus av
IPS Sensor-1
DLP Sensor dlp

To configure security profiles on an FTP proxy policy in the CLI:

edit 3
set uuid cb89af34-54be-51e9-4496-c69ccfc4d5d4
set proxy ftp
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set av-profile "av"
next
end
Explicit proxy authentication
FortiGate supports multiple authentication methods. This topic explains using an external authentication server with
Kerberos as the primary and NTLM as the fallback.

To configure Explicit Proxy with authentication:
1. Enable and configure the explicit proxy on page 841.

2. Configure the authentication server and create user groups on page 841.
3. Create an authentication scheme and rules on page 844.
4. Create an explicit proxy policy and assign a user group to the policy on page 844.
5. Verify the configuration on page 845.
Enable and configure the explicit proxy
To enable and configure explicit web proxy in the GUI:
1. Go to Network > Explicit Proxy.

2. Enable Explicit Web Proxy.
3. Select port2 as the Listen on Interfaces and set the HTTP Port to 8080.
4. Configure the remaining settings as needed.
5. Click Apply.
To enable and configure explicit web proxy in the CLI:
config web-proxy explicit

set status enable
set ftp-over-http enable
set socks enable
set http-incoming-port 8080
set ipv6-status enable
set unknown-http-version best-effort
end
edit "port2"
set vdom "vdom1"
set ip 10.1.100.1 255.255.255.0
set type physical
set explicit-web-proxy enable
set snmp-index 12
end
next
end
Configure the authentication server and create user groups
Since we are using an external authentication server with Kerberos authentication as the primary and NTLM as the
fallback, Kerberos authentication is configured first and then FSSO NTLM authentication is configured.
For successful authorization, the FortiGate checks if user belongs to one of the groups that is permitted in the security
policy.

To configure an authentication server and create user groups in the GUI:
1. Configure Kerberos authentication:

a. Go to User & Device > LDAP Servers.
c. Set the following:
Name ldap-kerberos
Server IP 172.18.62.220
Server Port 389
Common Name Identifier cn
Distinguished Name dc=fortinetqa,dc=local
d. Click OK
2. Define Kerberos as an authentication service. This option is only available in the CLI.
3. Configure FSSO NTLM authentication:
FSSO NTLM authentication is supported in a Windows AD network. FSSO can also provide NTLM authentication
service to the FortiGate unit. When a user makes a request that requires authentication, the FortiGate initiates
NTLM negotiation with the client browser, but does not process the NTLM packets itself. Instead, it forwards all the
NTLM packets to the FSSO service for processing.
a. Go to Security Fabric > Fabric Connectors.
b. Click Create New and select Fortinet Single Sign-On Agent from the SSO/Identity category.
c. Set the Name to FSSO, Primary FSSO Agent to 172.16.200.220, and enter a password.
d. Click OK.
4. Create a user group for Kerberos authentication:
a. Go to User & Device > User Groups.
c. Set the Name to Ldap-Group, and Type to Firewall.
d. In the Remote Groups table, click Add, and set the Remote Server to the previously created ldap-kerberos
server.
e. Click OK.
5. Create a user group for NTLM authentication:
a. Go to User & Device > User Groups.
c. Set the Name to NTLM-FSSO-Group, Type to Fortinet Single Sign-On (FSSO), and add
FORTINETQA/FSSO as a member.
d. Click OK.
To configure an authentication server and create user groups in the CLI:
1. Configure Kerberos authentication:

config user ldap
edit "ldap-kerberos"
set server "172.18.62.220"
set cnid "cn"

set dn "dc=fortinetqa,dc=local"
set type regular
set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
set password ENC
6q9ZE0QNH4tp3mnL83IS/BlMob/M5jW3cAbgOqzTBsNTrGD5Adef8BZTquu46NNZ8KWoIoclAMlrGTR0z1IqT8n
7FIDV/nqWKdU0ehgwlqMvPmOW0+S2+kYMhbEj7ZgxiIRrculJIKoZ2gjqCorO3P0BkumbyIW1jAdPTOQb749n4O
cEwRYuZ2odHTwWE8NJ3ejGOg==
next
end
2. Define Kerberos as an authentication service:

config user krb-keytab
edit "http_service"
set pac-data disable
set principal "HTTP/[email protected]"
set ldap-server "ldap-kerberos"
set keytab
"BQIAAABFAAIAEEZPUlRJTkVUUUEuTE9DQUwABEhUVFAAFEZHVC5GT1JUSU5FVFFBLkxPQ0FMAAAAAQAAAAAEAA
EACKLCMonpitnVAAAARQACABBGT1JUSU5FVFFBLkxPQ0FMAARIVFRQABRGR1QuRk9SVElORVRRQS5MT0NBTAAAA
AEAAAAABAADAAiiwjKJ6YrZ1QAAAE0AAgAQRk9SVElORVRRQS5MT0NBTAAESFRUUAAURkdULkZPUlRJTkVUUUEu
TE9DQUwAAAABAAAAAAQAFwAQUHo9uqR9cSkzyxdzKCEXdwAAAF0AAgAQRk9SVElORVRRQS5MT0NBTAAESFRUUAA
URkdULkZPUlRJTkVUUUEuTE9DQUwAAAABAAAAAAQAEgAgzee854Aq1HhQiKJZvV4tL2Poy7hMIARQpK8MCB//BI
AAAABNAAIAEEZPUlRJTkVUUUEuTE9DQUwABEhUVFAAFEZHVC5GT1JUSU5FVFFBLkxPQ0FMAAAAAQAAAAAEABEAE
G49vHEiiBghr63Z/lnwYrU="
next
end
3. Configure FSSO NTLM authentication:

config user fsso
edit "1"
set server "172.18.62.220"
set password ENC
4e2IiorhPCYvSWw4DbthmLdpJuvIFXpayG0gk1DHZ6TYQPMLjuiG9k7/+qRneCtztBfbzRr1pcyC6Zj3det2pvW
dKchMShyz67v4c7s6sIRf8GooPBRZJtg03cmPg0vd/fT1xD393hiiMecVGCHXOBHAJMkoKmPNjc3Ga/e78rWYeH
uWK1lu2Bk64EXxKFt799UgBA==
next
end
4. Create a user group for Kerberos authentication:

config user group
edit "Ldap-Group"
set member "ldap" "ldap-kerberos"
next
end
5. Create a user group for NTLM authentication:

config user group
edit "NTLM-FSSO-Group"
set group-type fsso-service
set member "FORTINETQA/FSSO"
next
end

Create an authentication scheme and rules
Explicit proxy authentication is managed by authentication schemes and rules. An authentication scheme must be
created first, and then the authentication rule.
To create an authentication scheme and rules in the GUI:
1. Create an authentication scheme:

a. Go to Policy & Objects > Authentication Rules.
b. Click Create New > Authentication Schemes.
c. Set the Name to Auth-scheme-Negotiate and select Negotiate as the Method.
d. Click OK.
2. Create an authentication rule:
a. Go to Policy & Objects > Authentication Rules.
b. Click Create New > Authentication Rules.
c. Set the Name to Auth-Rule, Source Address to all, and Protocol to HTTP.
d. Enable Authentication Scheme, and select the just created Auth-scheme-Negotiate scheme.
e. Click OK.
To create an authentication scheme and rules in the CLI:
1. Create an authentication scheme:

config authentication scheme
edit "Auth-scheme-Negotiate"
set method negotiate <<< Accepts both Kerberos and NTLM as fallback
next
end
2. Create an authentication rule:

config authentication rule
edit "Auth-Rule"
set status enable
set protocol http
set srcaddr "all"
set ip-based enable
set active-auth-method "Auth-scheme-Negotiate"
set comments "Testing"
next
end
Create an explicit proxy policy and assign a user group to the policy
To create an explicit proxy policy and assign a user group to it in the GUI:
1. Go to Policy & Object > Proxy Policy.

3. Set Proxy Type to Explicit Web and Outgoing Interface to port1.
4. Set Source to all, and the just created user groups NTLM-FSSO-Group and Ldap-Group.

5. Also set Destination to all, Schedule to always, Service to webproxy, and Action to ACCEPT.
6. Click OK.
To create an explicit proxy policy and assign a user group to it in the CLI:

edit 1
set uuid 722b6130-13aa-51e9-195b-c4196568d667
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set service "web"
set action accept
set logtraffic all
set groups "NTLM-FSSO-Group" "Ldap-Group"
set av-profile "av"
set ssl-ssh-profile "deep-custom"
next
end
Verify the configuration
Log in using a domain and system that would be authenticated using the Kerberos server, then enter the diagnose
wad user list CLI command to verify:
# diagnose wad user list
ID: 8, IP: 10.1.100.71, VDOM: vdom1
user name : [email protected]
duration : 389
auth_type : IP
auth_method : Negotiate
pol_id : 1
g_id : 1
user_based : 0
expire : no
LAN:
bytes_in=4862 bytes_out=11893
WAN:
Log in using a system that is not part of the domain. The NTLM fallback server should be used:
# diagnose wad user list
ID: 2, IP: 10.1.100.202, VDOM: vdom1
user name : TEST31@FORTINETQA
duration : 7
auth_type : IP
auth_method : NTLM
pol_id : 1
g_id : 5
user_based : 0
expire : no
LAN:

WAN:

Sandbox Inspection
What is Sandbox inspection?
Sandbox inspection is a network process that allows files to be sent to a separate device, such as FortiSandbox, to be
inspected without risking network security. This allows the detection of threats capable of bypassing other security
measures, including zero-day threats.
You can configure your FortiGate device to send suspicious files to FortiSandbox for inspection and analysis. The
FortiGate queries scan results and retrieves scan details. The FortiGate can also download malware packages as a
complementary AV signature database to block future intrusions by the same malware and download URL packages as
complementary web-filtering black lists.
The FortiSandbox uses virtual machines (VMs) running different operating systems to test a file and to determine if it is
malicious. If the file exhibits risky behavior, or is found to contain a virus, a new signature can be added to the
FortiGuard AntiVirus signature database.
When a FortiGate learns from FortiSandbox that an endpoint is infected, the administrator can quarantine the host, if it
is registered to a FortiClient.
FortiSandbox has a VM pool and processes multiple files simultaneously. The amount of time to process a file depends
on hardware and the number of sandbox VMs used to scan the file. For example, it can take 60 seconds to five minutes
to process a file. FortiSandbox has a robust prefiltering process that, if enabled, reduces the need to inspect every file
and reduces processing time. For more information on enabling prefiltering, refer to the FortiSandbox documentation.
FAQ for Sandbox inspection
The following are some frequently asked questions about using sandbox inspection with FortiSandbox and FortiGate.
Why is the FortiSandbox Cloud option not available when sandbox inspection is enabled?
This option is only available if you have created a FortiCloud account. For more information, see the FortiCloud
documentation.

Why don't results from FortiSandbox Cloud appear in the FortiGate GUI?
Go to Log & Report > Log Settings and make sure Send Logs to FortiCloud is enabled and GUI Preferences is
set to Display Logs from FortiCloud.
Why are the FortiSandbox Appliance VMs inactive?
Make sure that port 3 on the FortiSandbox has an active Internet connection. This is required in order to activate the
FortiSandbox VMs.
Why aren't files are being scanned by FortiSandbox?
Make sure an AntiVirus profile that sends files to FortiSandbox is enabled for all policies that require sandbox
inspection.
Is FortiSandbox supported by FortiGate when in NAT or Transparent mode?
Yes, a FortiGate can be in either NAT or Transparent mode and support FortiSandbox.
Are FortiGates behind a NAT device supported? If so how many?
Yes, multiple FortiGates can be supported in-line with FortiSandbox. Note that the FortiSandbox will see all FortiGates
only as one device so there is no way to differentiate reports.
If the FortiGate has a dynamic IP, will the FortiSandbox automatically update the FortiGate?
Yes. Dynamic IPs are supported and the FortiGate will not have to be reconfigured on the FortiSandbox each time.
FortiSandbox Appliance or FortiSandbox Cloud
FortiSandbox is available as a physical or virtual appliance (FortiSandbox Appliance), or as a cloud advanced threat
protection service integrated with FortiGate (FortiSandbox Cloud).
To select the settings for Sandbox Inspection, such as the FortiSandbox type, server, and notifier email, go to
Security Fabric > Settings.
The table below highlights the supported features of both types of FortiSandbox:
Feature FortiSandbox Appliance FortiSandbox Cloud

(including VM)
Sandbox inspection for FortiGate Yes (FortiOS 5.0.4+) Yes (FortiOS 5.2.3+)
Sandbox inspection for FortiMail Yes (FortiMail OS 5.1+) Yes (FortiMail OS 5.3+)
Sandbox inspection for FortiWeb Yes (FortiWeb OS 5.4+) Yes (FortiWeb OS 5.5.3+)
Sandbox inspection for FortiClient Yes (FortiClient 5.4+ for Windows No

only)

Feature FortiSandbox Appliance FortiSandbox Cloud

(including VM)
Sandbox inspection for network Yes No

share
Sandbox inspection for ICAP client Yes No
Manual File upload for analysis Yes Yes
Sniffer mode Yes Yes
File Status Feedback and Report Yes Yes
Dynamic Threat Database updates Yes (FortiOS 5.4+) Yes (FortiOS 5.4+)
for FortiGate
Dynamic Threat Database updates Yes (FortiClient 5.4 for Windows Yes (FortiClient 5.6+ for Windows
for FortiClient only) only)
Note that a separate Dynamic Threat Database is maintained for FortiMail. For more information, see the
FortiSandbox documentation.
Recipes for Sandbox inspection
Recipes about Sandbox inspection are organized into the following categories:
l AntiVirus on page 849
AntiVirus
The following recipes provide information about Sandbox inspection with AntiVirus:
l Use FortiSandbox Appliance with AntiVirus on page 849
l Use FortiSandbox Cloud with AntiVirus on page 861
Use FortiSandbox Appliance with AntiVirus
Feature overview
AntiVirus can use FortiSandbox to supplement its detection capabilities. In real-world situations, networks are always
under the threat of zero-day attacks.
AntiVirus can submit potential zero-day viruses to FortiSandbox for inspection. Based on FortiSandbox's analysis, the
FortiGate can supplement its own antivirus database with FortiSandbox's database to detect files determined as
malicious/risky by FortiSandbox. This helps FortiGate's AntiVirus to detect zero-day virus and malware whose
signatures are not found in the FortiGate's antivirus Database.

l FortiSandbox can be used with AntiVirus in both proxy-based and flow-based inspection modes.
l With FortiSandbox enabled, Full Scan mode AntiVirus can do the following:
l Submit only suspicious files to FortiSandbox for inspection.
l Submit every file to FortiSandbox for inspection.
l Do not submit anything.
l Quick Scan mode AntiVirus cannot submit suspicious files to FortiSandbox. It can only do the following:
To configure AntiVirus to work with an external block list, the following steps are required:
1. Enable FortiSandbox on the FortiGate.
2. Authorize FortiGate on the FortiSandbox.
3. Enable FortiSandbox inspection.
4. Enable use of the FortiSandbox database.

To enable FortiSandbox on the FortiGate:
1. Go to Global > Security Fabric > Settings.

2. Set the Sandbox Inspection toggle to the On position.
3. Enter the IP address of the FortiSandbox.

4. Add an optional Notifier Email if desired.
5. At this point, selecting Test connectivity will return an unreachable status.

This is expected behavior because the FortiGate is not yet authorized by the FortiSandbox.

6. Select Apply to save the settings.
To authorize FortiGate on the FortiSandbox:
1. In the FortiSandbox Appliance GUI, go to Scan Input > Device.
2. Use the FortiGate serial number to quickly locate the desired FortiGate and select the link icon to authorize the
FortiGate.

3. Enable the desired VDOM in the same manner.
4. The link icon changes from an open to closed link. This indicates that the FortiSandbox has authorized this
FortiGate.
5. In the FortiGate GUI, go to Global > Security Fabric > Settings.

6. Select Test connectivity. FortiGate is now authorized and the status now displays as Connected.
7. FortiSandbox options are now displayed in the AV Profile page.

To enable FortiSandbox inspection:

2. Enable FortiSandbox inspection by selecting either Suspicious Files Only or All Supported Files.
3. Files can be excluded from being sent to FortiSandbox based on their file types by choosing from a list of supported
file types.

4. Files can also be excluded from being sent to FortiSandbox by using wild card patterns.
5. Select Apply.
To enable use of the FortiSandbox database:
1. Go to Security Profiles > AntiVirus

2. Enable use of the FortiSandbox database by setting the Use FortiSandbox Database toggle to the On position.
3. Select Apply.

Diagnostics and Debugging
Debug on the FortiGate side
l Update daemon:
FGT_PROXY (global) # diagnose debug application quarantined -1
FGT_PROXY (global) # diagnose debug enable
quar_req_fsa_file()-890: fsa ext list new_version (1547781904)

quar_fsb_handle_quar()-1439: added a req-6 to fortisandbox-fsb5, vfid=1, oftp-name=[].
__quar_start_connection()-908: start server fortisandbox-fsb5-172.18.52.154 in vdom-1
[103] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca
Fortinet_CA, idx 0 (default)
[551] ssl_ctx_create_new_ex: SSL CTX is created
[578] ssl_new: SSL object is created
upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530
upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043
upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230
upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043
upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-
1901281000
1901281000
1901281000
1901281000
1901281000
quar_remote_recv_send()-731: dev=fortisandbox-fsb2 xfer-status=0
__quar_build_pkt()-408: build req(id=337, type=4) for vdom-vdom1, len=99, oftp_name=
__quar_send()-470: dev buffer -- pos=0, len=99
quar_remote_send()-520: req(id=337, type=4) read response, dev=fortisandbox-fsb2, xfer_
status=1, buflen=12
quar_remote_recv_send()-770: dev-fortisandbox-fsb2, oevent=4, nevent=1, xfer-status=1

status=1, buflen=12
status=1, buflen=12
quar_remote_recv()-662: dev(fortisandbox-fsb2) received a packet: len=69, type=1
quar_remote_recv()-718: file-[337] is accepted by server(fortisandbox-fsb2).
quar_put_job_req()-332: Job 337 deleted
status=1, buflen=12
__quar_build_pkt()-408: build req(id=336, type=4) for vdom-root, len=98, oftp_name=
...
__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0
__quar_req_handler()-127: Request 0 was handled successfully
1901281000
status=1, buflen=12
quar_store_analytics_report()-590: Analytics-report return
file=/tmp/fsb/83bb2d9928b03a68b123730399b6b9365b5cc9a5a77f8aa007a6f1a499a13b18.json.gz,
buf_sz=735
quar_store_analytics_report()-597: The request
'83bb2d9928b03a68b123730399b6b9365b5cc9a5a77f8aa007a6f1a499a13b18' score is 1


quar_monitor_connection_func()-978: monitoring dev fortisandbox-fsb1
quar_stop_connection()-1006: close connection to server(fortisandbox-fsb1)
[193] __ssl_data_ctx_free: Done
[805] ssl_free: Done
[185] __ssl_cert_ctx_free: Done
[815] ssl_ctx_free: Done
[796] ssl_disconnect: Shutdown
l Appliance FortiSandbox diagnostics:

FGT_PROXY (global) # diagnose test application quarantined 1
Total remote&local devices: 8, any task full? 0
System have disk, vdom is enabled, mgmt=1, ha=2
xfer-fas is enabled: ips-archive dlp-archive, realtime=yes, taskfull=no
addr=0.0.0.0/514, source-ip=0.0.0.0, keep-alive=no.
ssl_opt=0, hmac_alg=0
License=0, content_archive=0, arch_pause=0.
global-fas is disabled.
forticloud-fsb is disabled.
fortisandbox-fsb1 is enabled: analytics, realtime=yes, taskfull=no
global-faz is disabled.
global-faz2 is disabled.
l Checking FortiSandbox analysis statistics:

FGT_PROXY (global) # diagnose test application quarantine 7
Total: 0
Statistics:
vfid: 0, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_
reached:0


reached:0
reached:0
FGT_PROXY (global) #
Debug on the FortiSandbox side
l Appliance FortiSandbox OFTP debug:

> diagnose-debug device FG101E4Q17002429
[2019/01/31 00:48:21] LOGIN->SUCCEED: Serial(FG101E4Q17002429), HOSTNAME(FGT_PROXY)

[2019/01/31 00:48:21] FG101E4Q17002429 VDOM: vdom1
[2019/01/31 00:48:21] FG101E4Q17002429 suspicious stats START_TIME: 1548290749
[2019/01/31 00:48:21] FG101E4Q17002429 suspicious stats END_TIME: 1548895549
[2019/01/31 00:48:21] FG101E4Q17002429 opd_data_len=37 clean=2 detected=2 risk_low=0 risk_
med=0 risk_high=0 sus_limit=0
[2019/01/31 00:48:21] FG101E4Q17002429 ENTERING->HANDLE_SEND_FILE.
[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->FGT->VDOM: vdom1
[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->IMG_VERSION: 6.2.0.0818
[2019/01/31 00:48:21] INCOMING->FGT: FG101E4Q17002429, VDOM: vdom1
[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->TYPE: 0
[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->VERSION: 3 . 1795
[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->VERSION: 3 . 595
[2019/01/31 00:48:21] FG101E4Q17002429 VDOM: root
[2019/01/31 00:48:21] FG101E4Q17002429 suspicious stats START_TIME: 1548290749
[2019/01/31 00:48:21] FG101E4Q17002429 suspicious stats END_TIME: 1548895549
[2019/01/31 00:48:21] FG101E4Q17002429 opd_data_len=37 clean=0 detected=0 risk_low=0 risk_
med=0 risk_high=0 sus_limit=0
[2019/01/31 00:48:22] FG101E4Q17002429 RETRIEVE->PKG: TYPE: av, ENTRY_VERSION: 1795,
PACKAGE_PATH: /Storage/malpkg/pkg/avsig/avsigrel_1795.pkg
[2019/01/31 00:48:22] FG101E4Q17002429 RETRIEVE->PKG: TYPE: url, ENTRY_VERSION: 595,
PACKAGE_PATH: /Storage/malpkg/pkg/url/urlrel_595.pkg.gz

Use FortiSandbox Cloud with AntiVirus
Feature overview
FortiCloud Sandbox allows users to take advantage of FortiSandbox features without having to purchase, operate, and
maintain a physical appliance.
FortiCloud Sandbox works the same way as the physical FortiSandbox appliance.
Starting from FortiOS 6.2, the FortiCloud Sandbox allows users to control the region where their traffic is sent to for
analysis. This allows users to meet their country's compliances regarding data's storage location.
l Starting from FortiOS 6.2, users no longer require a FortiCloud account to use FortiCloud Sandbox.
l Without a valid AVDB license, FortiGate devices are limited to 100 FortiCloud submissions per day.
l Unlimited FortiCloud submissions are allowed if the FortiGate has a valid AVDB license.
l There is a limit on how many submissions are sent per minute.
l Per minute submission rate is based on the FortiGate model.
l FortiSandbox can be used with AntiVirus in both proxy-based and flow-based policy inspection modes.
l With FortiSandbox enabled, Full Scan mode AntiVirus can do the following:
l Submit only suspicious files to FortiSandbox for inspection.
l Quick Scan mode AntiVirus cannot submit suspicious files to FortiSandbox. It can only do the following:
To configure AntiVirus to work with an external block list, the following steps are required:
1. Through FortiCare/FortinetOne, register the FortiGate device and purchase a FortiGuard AntiVirus license.
2. Enable FortiCloud Sandbox on the FortiGate.
3. Enable FortiSandbox inspection.
4. Enable the use of the FortiSandbox database.

To obtain or renew an AVDB license:
1. Please see the video How to Purchase or Renew FortiGuard Services for FortiGuard AntiVirus license purchase
instructions.
2. Once a FortiGuard license has been purchased or activated, users will be provided with a paid FortiSandbox Cloud
license.
a. Go to Global > Main Dashboard to view the FortiSandbox Cloud license indicator.
b. Users can also view this indicator at Global > System > FortiGuard.

Enable FortiCloud Sandbox on the FortiGate:
1. Go to Global > Security Fabric > Settings and set the Sandbox Inspection toggle to the On position.
2. Select FortiSandbox Cloud and choose a region from the dropdown list.

3. Select Apply to save the settings.
4. When the FortiGate is connected to the FortiSandbox Cloud, FortiSandbox's current database version is displayed.

Enable FortiSandbox inspection:

2. Enable FortiSandbox inspection by selecting either Suspicious Files Only or All Supported Files.
3. Files can be excluded from being sent to FortiSandbox based on their file types by choosing from a list of supported
file types.

4. Files can also be excluded from being sent to FortiSandbox by using wild card patterns.
5. Select Apply.
Enable the use of the FortiSandbox database:

2. Enable use of the FortiSandbox database by setting the Use FortiSandbox Database toggle to the On position.
3. Select Apply.

Debug on FortiGate side
l Checking FortiCloud controller status:

FGT_FL_FULL (global) # diagnose test application forticldd 2
Server: log-controller, task=0/10, watchdog is off
Domain name: logctrl1.fortinet.com
Address of log-controller: 1
172.16.95.168:443
Statistics: total=3, discarded=1, sent=2, last_updated=12163 secs ago
http connection: is not in progress
Current address: 172.16.95.168:443
Calls: connect=9, rxtx=12
Current tasks number: 0
Account: name=empty, status=0, type=basic
Current volume: 0B
Current tasks number: 0
Update timer fires in 74240 secs
l Checking Cloud APT server status:

FGT_FL_FULL (global) # diagnose test application forticldd 3
Debug zone info:
Domain:
Home log server: 0.0.0.0:0
Alt log server: 0.0.0.0:0
Active Server IP: 0.0.0.0
Active Server status: down
Log quota: 0MB
Log used: 0MB
Daily volume: 0MB
fams archive pause: 0
APTContract : 1 <====
APT server: 172.16.102.51:514 <====
APT Altserver: 172.16.102.52:514 <====
Active APTServer IP: 172.16.102.51 <====
Active APTServer status: up <====
l Cloud FortiSandbox diagnostics:

FGT_FL_FULL (global) # diagnose test application quarantine 1
forticloud-fsb is enabled: analytics, realtime=yes, taskfull=no
fortisandbox-fsb1 is disabled.

l Checking FortiSandbox Cloud submission statistics:

FGT_FL_FULL (global) # diagnose test application quarantined 2
Quarantine daemon state:
QUAR mem: mem_used=0, mem_limit=97269, threshold=72951
dropped(0 by quard, 0 by callers)
pending-jobs=0, tot-mem=0, last_ipc_run=12353, check_new_req=1
alloc_job_failed=0, job_wrong_type=0, job_wrong_req_len=0, job_invalid_qfd=0
tgz_create_failed=0, tgz_attach_failed=0, qfd_mmap_failed=0, buf_attached=0
xfer-fas:
ips: total=0, handled=0, accepted=0
quar: total=0, handled=0, accepted=0
archive: total=0, handled=0, accepted=0
analytics: total=0, handled=0, accepted=0, local_dups=0
analytics stats: total=0, handled=0, accepted=0
last_rx=0, last_tx=0, error_rx=0, error_tx=0
max_num_tasks=10000, num_tasks=0, mem_used=0, ttl_drops=0, xfer_status=0
forticloud-fsb:
ips: total=0, handled=0, accepted=0
quar: total=0, handled=0, accepted=0
archive: total=0, handled=0, accepted=0
analytics: total=0, handled=0, accepted=0, local_dups=0
num_buffer=0(per-minute:10) last_min_count=0 last_vol_count=0 next_vol_reset_tm='Sun Feb 17
00:00:00 2019
'
analytics stats: total=24, handled=24, accepted=24
last_rx=1224329, last_tx=1224329, error_rx=2, error_tx=0
max_num_tasks=200, num_tasks=0, mem_used=0, ttl_drops=0, xfer_status=0
l Checking FortiSandbox analysis statistics:

FGT_FL_FULL (global) # diagnose test application quarantine 7
Total: 0
Statistics:
reached:0
reached:0
reached:0
FGT_FL_FULL (global) #
l Update Daemon debug:

FGT_FL_FULL (global) # diagnose debug application quarantined -1
FGT_FL_FULL (global) # diagnose debug enable
quar_req_fsa_file()-890: fsa ext list new_version (1547781904)



1901281000
1901281000
1901281000
1901281000
1901281000
status=1, buflen=12
status=1, buflen=12
status=1, buflen=12


status=1, buflen=12
__quar_build_pkt()-408: build req(id=336, type=4) for vdom-root, len=98, oftp_name=
...
1901281000
status=1, buflen=12
quar_store_analytics_report()-590: Analytics-report return
file=/tmp/fsb/83bb2d9928b03a68b123730399b6b9365b5cc9a5a77f8aa007a6f1a499a13b18.json.gz,
buf_sz=735
quar_store_analytics_report()-597: The request
'83bb2d9928b03a68b123730399b6b9365b5cc9a5a77f8aa007a6f1a499a13b18' score is 1
quar_stop_connection()-1006: close connection to server(fortisandbox-fsb1)
[193] __ssl_data_ctx_free: Done
[805] ssl_free: Done
[185] __ssl_cert_ctx_free: Done

[815] ssl_ctx_free: Done

[796] ssl_disconnect: Shutdown
l Appliance FortiSandbox diagnostics:

FGT_PROXY (global) # diagnose test application quarantined 1
forticloud-fsb is disabled.

Zero touch provisioning
This section contains instructions for configuring zero touch provisioning.

l Zero touch provisioning with FortiDeploy on page 872
l Zero touch provisioning with FortiManager on page 874
Zero touch provisioning with FortiDeploy
You can use this feature only when the FortiGate boots up from factory reset.
Topology
FortiGate zero touch provisioning workflow
1. Add the FortiGate Cloud product key to the FortiGate Cloud portal so that the FortiGate serial number appears in
the portal.

2. Set up a configuration template with the basic configuration in the FortiGate Cloud portal.
3. Deploy the FortiGate to FortiGate Cloud with that template.
4. Ensure the FortiGate has an interface in default DHCP client mode and is connected to the ISP outlet.
5. Boot the FortiGate in factory reset. The FortiGate gets the DHCP lease so that it can access FortiGate Cloud in the
Internet and join FortiGate Cloud.
Initializing firewall...
System is starting...
FortiGate-201E login: admin

Password:
Welcome !
FortiGate-201E #
FortiGate-201E # dia debug cli 7

Debug messages will be on for 30 minutes.
FortiGate-201E # 0: config system fortiguard
0: set service-account-id "[email protected]"
0: end
0: config log fortiguard setting
0: set status enable
0: end
FortiGate-201E # dia test application forticldd 1
System=FGT Platform=FG201E
Management vdom: root, id=0, ha=master.
[email protected]
acct_st=OK
FortiGuard log: status=enabled, full=overwrite, ssl_opt=1, source-ip=0.0.0.0
Centra Management: type=FGD, flags=000000bf.
active-tasks=0
FortiGate-201E #
The FortiGate Cloud server checks that the FortiGate key is valid and then deploys the FortiGate to FortiGate
Cloud.
To prevent spoofing, FortiGate Cloud invalidates that key after a successful join.
6. Complete zero touch provisioning by obtaining configuration from platform template in the Cloud.
0: set admintimeout 50
0: end
0: config system interface
0: edit "wan1"
0: set allowaccess ping ssh fgfm
0: next
0: edit "port1"
0: set allowaccess ping
0: set ip 1.1.1.1 255.255.255.0

0: next
0: edit "port2"
0: set allowaccess ping
0: set ip 2.2.2.2 255.255.255.0
0: next
0: end
7. The FortiGate Cloud admin can change the template for different configuration requirements and then deploy the
updated template to the FortiGate.
For example, you can add a secondary DNS to the template and deploy it to FortiGate.
Zero touch provisioning with FortiManager
You can use this feature only when the FortiGate boots up from factory reset. This feature for FortiGate devices that
cannot access the Internet.
A DHCP server includes option 240 and 241 which records FortiManager IP and domain name. FortiGate has an
interface with the default DHCP client mode that is connected to the DHCP server in the intranet.
The FortiManager admin can authorize the FortiGate the specific ADOMs and install specific configurations on the
FortiGate.
In the whole operation, you do not need to do any manual configuration on the FortiGate except connect to the DHCP
server. This is called zero touch deployment.
To prevent spoofing, if a different FortiManager IP comes from the DHCP server later, FortiGate does not change the
central management configuration.
Example of configuring DHCP server with option 240

edit 2
config ip-range
edit 2
set start-ip 172.16.200.201
set end-ip 172.16.200.209
next

end
config options
edit 1
set code 240
set type ip
set ip "172.18.60.115"
next
end
next
end
FortiGate zero touch provisioning workflow
1. Boot the FortiGate in factory reset.

G201E4Q17901047 # dia fdsm fmg-auto-discovery-status
dhcp: fmg-ip=0.0.0.0, fmg-domain-name='', config-touched=0
config-touched=0 means no configuration change from the default.

2. When FortiGate boots in factory reset, it gets the DHCP lease including IP, gateway, DNS, and the FortiManager
IP/URL. Central management is automatically configured by using FortiManager IP in option 240.
FG201E4Q17901047 # show system central-management
set fmg "172.18.60.115"
end
3. If FortiGate changes from factory reset, you can see it in central management in config-touched=1.
FG201E4Q17901047 # dia fdsm fmg-auto-discovery-status
dhcp: fmg-ip=172.18.60.115, fmg-domain-name='', config-touched=1(/bin/dhcpcd)
Example of a spoofing DHCP server with a fake FortiManager IP

config options
edit 1
set code 240
set type ip
set ip "172.18.60.117"
end
After FortiGate reboots and gets DHCP renew, central management will not use the fake FortiManager IP because
config-touched=1 shows that the FortiGate is not in factory reset.
FG201E4Q17901047 # dia fdsm fmg-auto-discovery-status
dhcp: fmg-ip=0.0.0.0, fmg-domain-name='', config-touched=1(/bin/dhcpcd)
FG201E4Q17901047 # show system central-management

set fmg "172.18.60.115"
end

Upcoming recipes 876
Upcoming recipes
Category Recipe
Security Fabric
Fabric connectors Implementation of the FSSO connector for FortiNAC
FortiView FortiView from FortiCloud
WiFi
FortiAP Upgrade Firmware of FortiAP units

management
Data-channel security: clear-text, DTLS, IPsec VPN
VoIP Solutions: SIP Overview
SIP Debugging

Copyright© 2019 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in
the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be
trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and
other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding
commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s
General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such
event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be
limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or
development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and
guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most
current version of the publication shall be applicable.

FortiOS-6 2 0-Cookbook

Uploaded by

Copyright:

Available Formats

FortiOS-6 2 0-Cookbook

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

FortiOS-6 2 0-Cookbook

Uploaded by

Copyright:

Available Formats

FortiOS - Cookbook

FORTINET VIDEO GUIDE

CUSTOMER SERVICE & SUPPORT

FORTINET TRAINING & CERTIFICATION PROGRAM

END USER LICENSE AGREEMENT

May 31, 2019

FortiOS Cookbook Fortinet Technologies Inc.

FortiOS Cookbook Fortinet Technologies Inc.

FortiOS Cookbook Fortinet Technologies Inc.

Policy views and policy lookup 269

FortiOS Cookbook Fortinet Technologies Inc.

Email filter 417

FortiOS Cookbook Fortinet Technologies Inc.

FortiOS Cookbook Fortinet Technologies Inc.

Common issues 691

FortiOS Cookbook Fortinet Technologies Inc.

FortiOS Cookbook Fortinet Technologies Inc.

FTP proxy 839

FortiOS Cookbook Fortinet Technologies Inc.

Date Change Description

2019-03-28 Initial release.

2019-04-02 Updated Virtual Domains on page 222.

2019-04-15 Updated Email filter on page 417 with additional topics.

2019-04-16 Updated Switch Controller on page 735 with additional topics.

2019-04-17 Added About FortiOS inspection modes on page 447.

2019-04-18 Added SD-WAN Troubleshooting on page 184.

2019-04-24 Added Application Control on page 334.

2019-04-29 Added Aggregation and redundancy on page 202.

2019-04-30 Added Data Leak Prevention on page 431.

2019-05-01 Added Explicit and transparent proxies on page 818.

2019-05-07 Updated Using FortiGate as a DNS server on page 141.

2019-05-08 Added topics for DNS Filter:

FortiOS Cookbook Fortinet Technologies Inc.

Date Change Description

l Introduction to DNS Filter on page 388.

2019-05-14 Added Using DHCP interface on page 150.

2019-05-22 Added Replacing the Fortinet_Wifi certificate on page 706.

2019-05-23 Added Sample logs by log type on page 784.

2019-05-24 Added FortiView Introduction on page 130.

2019-05-27 Added VXLAN over IPsec using a VTEP on page 582.

2019-05-28 Added FortiView from FortiAnalyzer on page 134.

2019-05-29 Added Web rating override on page 372.

2019-05-30 Updated Log and report on page 780.

2019-05-31 Added Endpoint control and compliance on page 460.

FortiOS Cookbook Fortinet Technologies Inc.

FortiOS Cookbook Fortinet Technologies Inc.

Differences between models

Using the GUI

Connecting using a web browser

FortiOS Cookbook Fortinet Technologies Inc.

The GUI will now be displayed in your browser.

System Configure system settings, such as administrators, FortiGuard, and certificates.

FortiOS Cookbook Fortinet Technologies Inc.

Log & Report Configure logging and alert email as well as reports.

FortiOS Cookbook Fortinet Technologies Inc.

Administrators This widget allows you to view:

The following optional widgets are also available:

FortiOS Cookbook Fortinet Technologies Inc.

Modifying dashboard widget titles