0% found this document useful (0 votes)

56 views220 pages

Fortigate Cookbook 504

Uploaded by

regabri

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

56 views220 pages

Fortigate Cookbook 504

Uploaded by

regabri

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 220

The FortiGate Cookbook 5.0.

4
Essential Recipes for Success with your FortiGate

September 4, 2013

Revision 1

Copyright© 2013 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are
registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks
of Fortinet. All other product or company names may be trademarks of their respective owners.
Performance metrics contained herein were attained in internal lab tests under ideal conditions,
and performance may vary. Network variables, different network environments and other conditions
may affect performance results. Nothing herein represents any binding commitment by Fortinet, and
Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters
a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly
warrants that the identified product will perform according to the performance metrics herein. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in
Fortinet’s internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to
change, modify, transfer, or otherwise revise this publication without notice, and the most current
version of the publication shall be applicable.

Fortinet Knowledge Base - http://kb.fortinet.com

Technical Documentation - http://docs.fortinet.com

Video Tutorials - http://video.fortinet.com

Training Services - http://campus.training.fortinet.com

Technical Support - https://support.fortinet.com

Please report errors or omissions in this or any Fortinet technical document to [email protected].
Contents
Introduction................................................................................................................... 1

Installing & Setup.......................................................................................................... 3

Connecting a private network to the Internet using NAT/Route mode............................... 4

Extra help: NAT/Route mode............................................................................................... 8

Adding a FortiGate unit without changing the network configuration............................... 10

Extra help: Transparent mode........................................................................................... 14

Verifying and updating the FortiGate unit’s firmware........................................................ 17

Setting up FortiGuard services.......................................................................................... 20

Extra help: FortiGuard....................................................................................................... 22

Logging network traffic to gather information................................................................... 23

Extra help: Logging........................................................................................................... 27

Using FortiCloud to record log messages......................................................................... 28

Using SNMP to monitor the FortiGate unit....................................................................... 32

Setting up an explicit proxy for users on a private network.............................................. 38

Adding packet capture to help troubleshooting................................................................ 42

Protecting a web server on the DMZ network................................................................... 45

Using port pairing to simplify transparent mode............................................................... 49

Using two ISPs for redundant Internet connections......................................................... 54

Adding a backup FortiGate unit to improve reliability....................................................... 59

Security Policies & Firewall Objects............................................................................ 65

Ordering security policies to allow different access levels................................................ 66

Contents iii
Controlling when BYOD users can access the Internet.................................................... 70

Using port forwarding on a FortiGate unit......................................................................... 73

Using AirPlay with iOS, AppleTV, FortiAP, and a FortiGate unit........................................ 78

Using AirPrint with iOS and OS X and a FortiGate unit..................................................... 86

Security Features........................................................................................................ 95

Monitoring your network using client reputation............................................................... 96

Controlling network access using application control.................................................... 100

Protecting a web server from external attacks................................................................ 106

Blocking outgoing traffic containing sensitive data........................................................ 110

Blocking large files from entering the network................................................................ 115

Blocking access to specific websites............................................................................. 118

Extra help: Web filtering.................................................................................................. 121

Blocking HTTPS traffic with web filtering........................................................................ 122

Using web filter overrides to control website access...................................................... 127

Wireless Networking.................................................................................................. 135

Setting up a temporary guest WiFi user.......................................................................... 136

Setting up a network using a FortiGate unit and a FortiAP unit...................................... 143

Providing remote users access to the corporate network and Internet.......................... 148

Authentication........................................................................................................... 155

Providing single sign-on for a Windows AD network with a FortiGate........................... 156

Providing single sign-on in advanced mode for a Windows AD network....................... 162

Providing single sign-on for Windows AD with LDAP..................................................... 165

Preventing security certificate warnings when using SSL inspection............................. 169

iv The FortiGate Cookbook 5.0.4

Extra help: Certificates.................................................................................................... 173

SSL and IPsec VPN.................................................................................................... 175

Using IPsec VPN to provide communication between offices........................................ 176

Providing remote users with access using SSL VPN...................................................... 184

Providing secure remote access to a network for an iOS device................................... 192

Using redundant OSPF routing over IPsec VPN............................................................. 199

Contents v
Introduction
The FortiGate Cookbook provides examples, or recipes, of basic and advanced
FortiGate configurations to administrators who are unfamiliar with the unit. All
examples require access to the graphical user interface (GUI), also known as the
web-based manager.
Each example begins with a description of the desired configuration, followed by
step-by-step instructions. Some topics include extra help sections, containing tips
for dealing with some common challenges of using a FortiGate unit.
Using the FortiGate Cookbook, you can go from idea to execution in simple steps,
configuring a secure network for better productivity with reduced risk.

The Cookbook is divided into the following chapters:

Installing & Setup: This chapter explains the configuration of common network
functions and the different network roles a FortiGate unit can have.
Security Policies & Firewall Objects: This chapter describes security policies and
firewall objects, which determine whether to allow or block traffic.
Security Features: This chapter describes the core security features that you can
apply to the traffic accepted by your FortiGate unit.
Wireless Networking: This chapter explains how to configure and maintain a wireless
network.
Authentication: This chapter describes the FortiGate authentication process for
network users and devices.
SSL and IPsec VPN: This chapter explains the configuration and application of SSL
and IPsec virtual private networks (VPNs).

This version of the FortiGate Cookbook was written using FortiOS 5.0.4.
1
Installing & Setup
The FortiGate unit provides protection for a variety of different network functions
and configurations. This section contains information about the basic setup for
common network functions as well as different roles that a FortiGate unit can have
within your network.
This section contains the following examples:

• Connecting a private network to the Internet using NAT/Route mode

• Extra help: NAT/Route mode
• Adding a FortiGate unit without changing the network configuration
• Extra help: Transparent mode
• Verifying and updating the FortiGate unit’s firmware
• Setting up FortiGuard services
• Extra help: FortiGuard
• Logging network traffic to gather information
• Extra help: Logging
• Using FortiCloud to record log messages
• Using SNMP to monitor the FortiGate unit
• Setting up an explicit proxy for users on a private network
• Adding packet capture to help troubleshooting
• Protecting a web server on the DMZ network
• Using port pairing to simplify transparent mode
• Using two ISPs for redundant Internet connections
• Adding a backup FortiGate unit to improve reliability

3
Connecting a private network to the Internet
using NAT/Route mode
In this example, you will learn how to connect and configure a new FortiGate unit
to securely connect a private network to the Internet. Typically, a FortiGate unit is
installed as a gateway or router between a private network and the Internet, where
the FortiGate operates in NAT/Route mode in order to hide the addresses of the
private network from prying eyes, while still allowing anyone on the private network
to freely connect to the Internet.

1. Connecting the network

2. Configuring the FortiGate unit’s interfaces
3. Creating a policy to enable NAT/Route mode
4. Results

Internet

WAN 1

NAT/Route
mode
FortiGate
port 1

Internal Network

4 The FortiGate Cookbook

Connecting the network
Connect the FortiGate WAN1 interface to
your ISP-supplied equipment.
ISP
Connect the internal network to the FortiGate
internal interface (typically port 1).

Power on the ISP’s equipment, the FortiGate

unit, and the PCs on the Internal network.

FortiGate
Internal Network
Configuring the FortiGate
unit’s interfaces
From a PC on the Internal network, connect
to the FortiGate web‑based manager.

You can configure the PC to get its IP

address using DHCP and then browse
to https://192.168.1.99. You could also
give the PC a static IP address on the
192.168.1.0/255.255.255.0 subnet.

Login using admin and no password.

Go to System > Network > Interface and.

Edit the wan1 interface.

Set the Addressing Mode to Manual and

the IP/Netmask to your public IP.

Connecting a private network to the Internet using NAT/Route mode 5

Edit the internal interface.

Set the Addressing Mode to Manual and

set the IP/Netmask the private IP of the
FortiGate unit.

Go to Router > Static > Static Routes and

select Create New to add a default route.

Set the Destination IP/Mask to

0.0.0.0/0.0.0.0, set the Device to wan1,
and set the Gateway to the gateway (or
default route) provided by your ISP or to the
next hop router, depending on your network
requirements.

A default route always has a Destination

IP/Mask of 0.0.0.0/0.0.0.0. Normally, you
would have only one default route. If the
static route list already contains a default
route, you can edit it or delete it and add a
new one.

The FortiGate unit’s DNS Settings are set to

Use FortiGuard Services by default, which
is sufficient for most networks. However, if
you require the DNS servers to be changed,
go to System > Network > DNS and add
Primary and Secondary DNS servers.

6 The FortiGate Cookbook

Creating a policy to enable
NAT/Route mode
Go to Policy > Policy > Policy and select
Create New to add a security policy that
allows users on the private network to
access the Internet.

Select Enable NAT and Use Destination

Interface Address and click OK.

Some FortiGate models include this

security policy in the default configuration.
If you have one of these models, this step
has already been done for you and as
soon as your FortiGate unit is connected
and the computers on your internal
network are configured, they should be
able to access the Internet.

Results
On the PC that you used to connect to the
FortiGate internal interface, open a web
browser and browse to any Internet website.
You should also be able to connect to the
Internet using FTP or any other protocol or
connection method.

Go to Policy > Monitor > Session Monitor

to view the sessions being processed by the
FortiGate unit.

Connecting a private network to the Internet using NAT/Route mode 7

Extra help: NAT/Route mode
This section provides instructions for troubleshooting connection issues in situations
when a NAT/Route configuration is used.

1. Check for equipment issues.

Verify that all network equipment is powered on and operating as expected.

2. Check the physical network connections.

Check the cables used for all physical connections between the PC, the FortiGate unit, and
your ISP-supplied equipment to ensure that they are fully connected and do not appear
damaged. Also check the Unit Operation dashboard widget, which indicates the connection
status of FortiGate network interfaces (System > Dashboard > Status).

3. Verify that you can connect to the internal IP address of the FortiGate unit.
Use a web browser to connect to the web‑based manager from the FortiGate internal
interface by browsing to its IP address. From the PC, try to ping the internal interface IP
address; for example, ping 192.168.1.99

If you cannot connect to the internal interface, verify the IP configuration of the PC. Go to
the next step when you can connect to the internal interface.

4. Check the FortiGate interface configurations.

Check the configuration of the FortiGate interface connected to the internal network, and
check the configuration of the FortiGate interface that connects to the Internet to make sure
it includes the proper addressing mode.

5. Verify that you can communicate from the FortiGate unit to the Internet.
Access the FortiGate CLI and use the execute ping command to ping an address or
domain name on the Internet. You can also use the execute traceroute command to
troubleshoot connectivity to the Internet.

6. Verify the DNS configurations of the FortiGate unit and the PCs.
Check for DNS errors by pinging or using traceroute to connect to a domain name; for

8 The FortiGate Cookbook

example:
ping www.fortinet.com
ping: cannot resolve www.fre.com: Unknown host
If the name cannot be resolved, the FortiGate unit or PC cannot connect to a DNS server
and you should confirm the DNS server IP addresses are present and correct.

7. Verify the security policy configuration.

Go to Policy > Policy > Policy and verify that an internal -> wan1 security policy has been
added and check the Session column to ensure that traffic has been processed. Check the
configuration of the policy to make sure that Enable NAT and Use Destination Interface
Address is selected.

8. Verify the static routing configuration.

Go to Router > Static > Static Routes and verify that the default route is correct. Go to
Router > Monitor > Router Monitor and verify that the default route appears in the list as
a static route. Along with the default route, you should see at least two connected routes,
one for each connected FortiGate interface.

9. Disable web filtering.

A web filtering security policy may block access to the website that you are attempting to
connect to. This could happen because the configuration of the default web filter profile is
blocking access to the site.

It is also possible that FortiGuard Web Filtering has produced a rating error for the website,
causing the web filter profile to block access. A rating error could occur for a number of
reasons, including not being able to access FortiGuard. To fix this problem, go to Security
Profiles > Web Filter > Profile and, in the default profile, enable Allow Websites When
a Rating Error Occurs.

10. Verify that you can connect to the wan1 IP address of the FortiGate unit.
Once you have established that the internal network is operating, ping the FortiGate wan1
interface IP address. If you cannot connect to the wan1 interface, the FortiGate unit is not
allowing internal to wan1 sessions.

11. Verify that you can connect to the gateway provided by your ISP.
Try pinging the default gateway IP address from a PC on the internal network.

Extra help: NAT/Route mode 9

Adding a FortiGate unit without changing the
network configuration
This section describes how to connect and configure a new FortiGate unit to protect
a private network without changing the network configuration. This is known as
Transparent mode and it allows you to add network security without replacing the
router. The FortiGate unit blocks access from the Internet to the private network but
allows users on the private network to connect to the Internet. The FortiGate unit
monitors application usage and detects and eliminates viruses.

1. Connecting the FortiGate and configuring Transparent mode

2. Creating a security policy
3. Connecting the network
4. Results

Internet

Router

WAN 1

Security policies
FortiGate allow traffic between
(Transparent network segments
Mode)

port 1

Internal Network
10 The FortiGate Cookbook
Connecting the FortiGate
and configuring Transparent
mode
Changing to Transparent mode removes
most configuration changes made in
NAT/Route mode. To keep your current
NAT/Mode configuration, backup
the configuration using the System
Information dashboard widget.

Go to System > Dashboard > Status >

System Information and beside Operation
Mode select Change.

Set the Operation Mode to Transparent.

Set the Management IP/Netmask and

Default Gateway to connect the FortiGate
unit the internal network.

You can now access the web‑based

manager by browsing to the Management
IP (in the example, you would browse to
https://10.31.101.40).

The FortiGate unit’s DNS Settings are set to

Adding a FortiGate unit without changing the network configuration 11

Creating a security policy
Go to Policy > Policy > Policy and select
Create New to add a security policy that
allows users on the private network to
access the Internet.

Under Security Profiles, enable Antivirus

and enable Application Control.

Press OK to save the security policy

Power off the FortiGate unit.

Connecting the network

Connect the FortiGate unit between the
Router
internal network and the router.

Connect the wan1 interface to the router

internal interface and connect the internal
network to the FortiGate internal interface
port.

Power on the FortiGate unit.

FortiGate
Internal Network

12 The FortiGate Cookbook

Go to Policy > Monitor > Session Monitor

to view the sessions being processed by the
FortiGate unit.

If a FortiGate unit operating in Transparent

mode is installed between a DHCP server
and PCs that get their address by DHCP,
you must add a security policy to allow the
DHCP server’s response to get back
through the FortiGate unit from the DHCP
server to the DHCP client. The internal to
wan1 policy allows the DHCP request to
get from the client to the server, but the
response from the server is a new session,
not a typical response to the originating
request, so the FortiGate unit will not
accept this new session unless you add a
wan1 to the internal policy with the
service set to DHCP.

Adding a FortiGate unit without changing the network configuration 13

Extra help: Transparent mode
This section provides instructions for troubleshooting connection issues when using
a FortiGate in Transparent mode.

1. Check for equipment issues.

Verify that all network equipment is powered on and operating as expected.

2. Check the physical network connections.

3. Verify that you can connect to the management IP address of the

FortiGate unit from the Internal network.
From the internal network, attempt to ping the management IP address. If you cannot
connect to the internal interface, verify the IP configuration of the PC and make sure the
cables are connected and all switches and other devices on the network are powered on
and operating. Go to the next step when you can connect to the internal interface.

4. Verify that you can communicate from the FortiGate unit to the Internet.
Access the FortiGate CLI and use the execute ping command to ping an address or
domain name on the Internet. You can also use the execute traceroute command to
troubleshoot connectivity to the Internet.

5. Verify the DNS configurations of the FortiGate unit and the PCs on the
internal network.
Check for DNS errors by pinging or using traceroute to connect to a domain name; for
example:
ping www.fortinet.com
ping: cannot resolve www.fre.com: Unknown host
If the name cannot be resolved, the FortiGate unit or PC cannot connect to a DNS server

14 The FortiGate Cookbook

and you should confirm the DNS server IP addresses are present and correct.

6. Verify the security policy configuration.

Go to Policy > Policy > Policy and verify that an internal -> wan1 security policy has been
added and check the Session column to ensure that traffic has been processed.

7. Verify the static routing configuration.

Go to System > Network > Routing Table and verify that the default route is correct.

8. Disable web filtering.

9. Verify that you can connect to the gateway provided by your ISP.
Try pinging the default gateway IP address from a PC on the internal network.

10. Confirm that the FortiGate unit can connect to the FortiGuard network.
Once registered, the FortiGate unit obtains antivirus and application control and other
updates from the FortiGuard network. Once the FortiGate unit is on your network, you
should confirm that it can reach the FortiGuard network. The FortiGate unit must be able
to connect to the network from its management IP address. If the following tests provide
incorrect results, the FortiGate unit cannot connect to the Internet from its management
IP address. Check the FortiGate unit’s default route to make sure it is correct. Check your
Internet firewall to make sure it allows connections from the FortiGate management IP
address to the Internet.

First, check the License Information dashboard widget to make sure the status of all
FortiGuard services matches the services that you have purchased. The FortiGate unit
connects to the FortiGuard network to obtain this information.

Go to System > Config > FortiGuard. Open web filtering and email options and select

Extra help: Transparent mode 15

Test Availability. After a minute the web‑based manager should indicate that the
connection was successful.

11. Check the FortiGate bridge table.

The bridge table is a list of MAC addresses of devices on the same network as the FortiGate
unit and the FortiGate interfaces from which each MAC address was found. The FortiGate
unit uses this table to determine where to forward a packet. If a the MAC address of a
specific device is getting added to in the bridge table, then packets to that MAC address will
be blocked. This may appear as traffic going to a MAC address, but no reply traffic coming
back. In this situation, check the bridge table to ensure the correct MAC addresses have
been added to the bridge table. Use the following CLI command to check the bridge table
associated with the root VDOM.
diagnose netlink brctl name host root.b
show bridge control interface root.b host.
fdb: size=2048, used=25, num=25, depth=1
Bridge root.b host table
port no device devname mac addr ttl attributes
3 4 wan1 00:09:0f:cb:c2:77 88
3 4 wan1 00:26:2d:24:b7:d3 0
3 4 wan1 00:13:72:38:72:21 98
4 3 internal 00:1a:a0:2f:bc:c6 6
1 6 dmz 00:09:0f:dc:90:69 0 Local Static
3 4 wan1 c4:2c:03:0d:3a:38 81
3 4 wan1 00:09:0f:15:05:46 89
3 4 wan1 c4:2c:03:1d:1b:10 0
2 5 wan2 00:09:0f:dc:90:68 0 Local Static
If your device’s MAC address is not listed, the FortiGate unit cannot find the device on the
network. This could indicate that the device is not connected or not operating. Check the
device’s network connections and make sure it is operating correctly.

16 The FortiGate Cookbook

Verifying and updating the FortiGate unit’s
firmware
This example verifies the current version of FortiOS firmware and, if necessary,
updates it to the latest version.

Always review the Release Notes before installing a new firmware version. They provide the recommended upgrade
path for the firmware release as well as additional information not available in other documentation. Only perform a
firmware update during a maintenance window.

1. Checking the current FortiOS firmware

2. Downloading the latest FortiOS firmware
3. Updating the FortiGate to the latest firmware
4. Results

Download and
no install current
version

Check
Current
firmware
version?
version

yes
No action
required

Verifying and updating the FortiGate unit’s firmware 17

Checking the current
FortiOS firmware
Log in to the web‑based manager and view
the dashboard System Information widget
to see the Firmware Version currently
installed on your FortiGate unit.

Downloading the latest

FortiOS firmware
To download a newer firmware version,
browse to http://support.fortinet.com and log
in using your Fortinet account user name and
password.

Your FortiGate unit must be registered

before you can access firmware images
from the Support site.

Go to Download Firmware Images >

FortiGate. Locate and download the
firmware for your FortiGate unit.

Download and read the Release Notes

for this firmware version. Always review
the Release Notes before installing a new
firmware version in case you cannot update
to the new firmware release from the one
currently running.

18 The FortiGate Cookbook

Updating the FortiGate to
the latest firmware
Go to System > Dashboard > Status.

Backup your configuration from the System

Information dashboard widget, next to
System Configuration..

Always remember to back up your

configuration before doing any firmware
upgrades.

Under System Information > Firmware

Version, select Update.

Find the firmware image file that you

downloaded and select OK to upload and
install the firmware build on the FortiGate
unit.

Results
The FortiGate unit uploads the firmware
image file, updates to the new firmware
version, restarts, and displays the FortiGate
login. This process takes a few minutes.

From the FortiGate web‑based manager, go

to System > Dashboard > Status. In the
System Information widget, the Firmware
Version will show the updated version of
FortiOS.

Verifying and updating the FortiGate unit’s firmware 19

Setting up FortiGuard services
If you have purchased FortiGuard services and registered your FortiGate unit, the
FortiGate should automatically connect to a FortiGuard Distribution Network (FDN)
and display license information about your FortiGuard services. In this example, you
will verify whether the FortiGate unit is communicating with the FDN by checking
the License Information dashboard widget.

Internet

FortiGuard

FortiGate

Internal Network

20 The FortiGate Cookbook 5.0.4

Verifying the connection
On the dashboard, go to the License
Information widget.

Any subscribed services should have a green

check mark, indicating that connections are
successful.

A grey X indicates that the FortiGate unit

cannot connect to the FortiGuard network, or
that the FortiGate unit is not registered.

A red X indicates that the FortiGate unit was

able to connect but that a subscription has
expired or has not been activated.

You can also view the FortiGuard connection

status by going to System > Config >
FortiGuard.

Setting up FortiGuard services 21

Extra help: FortiGuard
This section contains tips to help you with some common challenges of using
FortiGuard.
FortiGuard services appear as expired/unreachable.
Verify that you have registered your FortiGate unit, purchased FortiGuard services and that
the services have not expired at support.fortinet.com.

Services are active but still appear as expired/unreachable.

Verify that the FortiGate unit can communicate with the Internet.

The FortiGate is connected to the Internet but can’t communicate with

FortiGuard.
Go to System > Network > DNS and ensure that the primary and secondary DNS servers
are correct. If the FortiGate interface connected to the Internet gets its IP address using
DHCP, make sure Override internal DNS is selected.

Also, determine if the default port used for FortiGuard traffic, port 53, is being blocked, either
by a device on your network or by your ISP. If you cannot unblock the port, change it by
going to System > Config > FortiGuard and selecting the service(s) where communication
errors are occurring. Under Port Selection, select Use Alternate Port.

Communication errors remain.

FortiGate units contact the FortiGuard Network by sending UDP packets with typical source
ports of 1027 or 1031, and destination ports of 53 or 8888. The FDN reply packets would
then have a destination port of 1027 or 1031. If your ISP blocks UDP packets in this port
range, the FortiGate unit cannot receive the FDN reply packets.

In effort to avoid port blocking, You can configure your FortiGate unit to use higher-
numbered ports, such as 2048-20000, using the following CLI command:
config system global
set ip-src-port-range 2048-20000
end
Trial and error may be required to select the best source port range. You can also contact
your ISP to determine the best range to use.

22 The FortiGate Cookbook 5.0.4

Logging network traffic to gather information
This example demonstrates how to enable logging to capture the details of the
network traffic processed by your FortiGate unit.

1. Recording log messages and enabling event logging

2. Enabling logging in the security policies
3. Results

Security events
yes only Security no
Logging Log all
Session begins traffic? event in
enabled?
session?

no yes yes

No record Record
session data

Logging network traffic to gather information 23

Recording log messages and
enabling event logging
Go to Log & Report > Log Config > Log
Settings.

Select where log messages will be recorded.

You can save log messages to disk if
your FortiGate unit supports this, to a
FortiAnalyzer or FortiManager unit if you
have one, or to FortiCloud if you have a
subscription. Each of these options allow
you to record and view log messages and to
create reports based on them.

In most cases, it is recommended to

Send Logs to FortiCloud, as shown
in the example. For more information on
FortiCloud, see “Using FortiCloud to record
log messages” on page 28.

Next, enable Event Logging.

You can choose to Enable All types of

logging, or specific types, such as WiFi
activity events, depending on your needs.

24 The FortiGate Cookbook 5.0.4

Enabling logging in the
security policies
Go to Policy > Policy > Policy. Edit the
policies controlling the traffic you wish to log.

Under Logging Options, you can choose

either Log Security Events or Log all
Sessions.

In most cases, you should select Log

Security Events. Log all Sessions can
be useful for more detailed traffic analysis
but also has a greater effect on system
performance and requires more storage.

Results
View traffic logs by going to Log & Report
> Traffic Log > Forward Traffic. The logs
display a variety of information about your
traffic, including date/time, source, device,
and destination.

To change the information shown, right-

click on any column title and select Column
Settings to enable or disable different
columns.

Logging network traffic to gather information 25

You can also select any entry to view more
information about a specific session.

Different types of event logs can be found at

Log & Report > Event Log.

The example shows the System log

that records system events, such as
administrative logins and configuration
changes.

As with the Forward Traffic log, select an

entry for further information.

26 The FortiGate Cookbook 5.0.4

Extra help: Logging
This section contains tips to help you with some common challenges of FortiGate
logging.

No log messages appear.

Ensure that logging is enabled in both the Log Settings and the policy used for the traffic
you wish to log, as logging will not function unless it is enabled in both places.

If logging is enabled in both places, check that the policy in which logging is enabled is the
policy being used for your traffic. Also make sure that the policy is getting traffic by going to
the policy list and adding the Sessions column to the list.

Logs from a FortiAnalyzer, FortiManager, or from FortiCloud do not appear in

the GUI.
Ensure that the correct log source has been selected in the Log Settings, under GUI
Preferences.

The FortiGate unit’s performance level has decreased since enabling disk
logging.
If enabling disk logging has impacted overall performance, change the log settings to either
send logs to a FortiAnalyzer unit, a FortiManager unit, or to FortiCloud.

Log All Sessions is enabled on all security policies and cannot be changed.
This can occur if Client Reputation is enabled.

Logging to a FortiAnalyzer unit is not working as expected.

The firmware for the FortiGate and FortiAnalyzer units may not be compatible. Check the
firmware release notes, found at support.fortinet.com, to see if this is the case.

Extra help: Logging 27

Using FortiCloud to record log messages
This example describes setting up FortiGate logging to FortiCloud, an online log
retention service provided by Fortinet. It also describes how to use FortiCloud to
view and access FortiGate traffic logs.

You must register your FortiGate unit before you can activate FortiCloud.

1. Activating FortiCloud
2. Sending logs to FortiCloud
3. Enabling logging in your security policies
4. Results

FortiCloud

FortiGate

Internal Network
28 The FortiGate Cookbook 5.0.4
Activating FortiCloud
Go to System > Dashboard > Status.

In the FortiCloud section of the License

Information widget, select the green
Activate button.

Fill in the required information to create a

new FortiCloud account.

Using FortiCloud to record log messages 29

Sending logs to FortiCloud
Go to Log & Report > Log Config > Log
Setting.

Enable Send Logs to FortiCloud and

adjust the Event Logging settings as
required.

Select Test Connectivity to verify the

connection between the FortiGate unit and
your FortiCloud account.

Set the GUI Preferences to Display Logs

from FortiCloud, to easily view your logs.

Enabling logging in the

security policies
Go to Policy > Policy > Policy. Edit the
security policies that control the traffic you
wish to log.

Under Logging Options, select either Log

Security Events or Log all Sessions,
depending on your needs.

In most cases, Log Security Events will

provide sufficient information in the traffic
logs. Log all Sessions can be useful for
more detailed traffic analysis but also has a
greater effect on system performance and
requires more memory for storage.

30 The FortiGate Cookbook 5.0.4

Results
Go to System > Dashboard > Status.

In the FortiCloud section of the License

Information widget, select Launch Portal.

From the portal, you can view the log data

and reports.

You can access your FortiCloud account at

any time by going to www.forticloud.com.

Daily Summary reports can also be found

through the FortiGate unit by going to Log &
Report > Report > FortiCloud.

You can also configure your FortiCloud

account to have these reports emailed to
you.

Logs viewed through the GUI will also now

read Log location: FortiCloud in the upper
right corner.

Using FortiCloud to record log messages 31

Using SNMP to monitor the FortiGate unit
Simple Network Management Protocol (SNMP) enables you to monitor hardware
on your network. You configure the hardware, such as the FortiGate SNMP
agent, to report system information and send traps (alarms or event messages) to
SNMP managers. An SNMP manager, or host, is typically a computer running an
application that reads the traps from the agent and sends out SNMP queries to the
SNMP agents.
In this example, you configure the SNMP agent and FortiGate interface to send
SNMP traps to the SNMP server for review.

1. Configuring the SNMP agent and community

2. Enabling SNMP on a FortiGate interface
3. Downloading the MIB files and configuring the SNMP
manager
4. Results

Internet

Internal Network

FortiGate

SNMP Manager

32 The FortiGate Cookbook 5.0.4

Configuring the SNMP agent
and community
Go to System > Config > SNMP.

Configure the SNMP agent.

Using SNMP to monitor the FortiGate unit 33

Under the SNMP version, create a new
community.

Add a host IP address where the SNMP

manager is installed, (in the example,
192.168.1.114/32), and select the port to
receive SNMP requests and send SNMP
traps.

You can also set the IP address/Netmask

to 0.0.0.0/0.0.0.0 and the Interface to ANY
so that any SNMP manager at any network
connected to the FortiGate unit can use this
SNMP community and receive traps from the
FortiGate unit.

Enable the SNMP Events to meet your

needs.

Enabling SNMP on a
FortiGate interface
Go to System > Network > Interfaces.

Enable SNMP on an internal port.

34 The FortiGate Cookbook 5.0.4

Downloading the MIB files
and configuring the SNMP
manager
Go to System > Config > SNMP to
download FortiGate SNMP MIB.

Two types of MIB files are available for

FortiGate units: the Fortinet MIB, and the
FortiGate MIB. The Fortinet MIB contains
traps, fields, and information that is common
to all Fortinet products. The FortiGate MIB
contains traps, fields, and information that is
specific to FortiGate units.

Configure the SNMP manager at

192.168.1.114 to receive traps from the
FortiGate unit.

Results
This example uses the SolarWinds SNMP
trap viewer.

In the SolarWinds Toolset Launch Pad, go to

SNMP > MIB Viewer and select Launch.

Using SNMP to monitor the FortiGate unit 35

Choose Select Device, enter the IP address
of the FortiGate unit, and choose the
appropriate community string credentials.

Open the SNMP Trap Receiver and select

Launch.

36 The FortiGate Cookbook 5.0.4

Perform an action to trigger a trap (for
example, change the IP address of the DMZ
interface in the FortiGate).

Verify that the SNMP manager receives the

trap.

View the log by going to Log & Report >

Event Log > System.

Using SNMP to monitor the FortiGate unit 37

Setting up an explicit proxy for users on a
private network
In this example, an explicit web proxy is set to accommodate faster web browsing.
This allows internal users to connect using port 8080 rather than port 80.

1. Enabling explicit web proxy on the internal interface

2. Configuring the explicit web proxy for HTTP/HTTPS traffic
3. Adding a security policy for proxy traffic
4. Results

Internet

Port 3

Explicit web proxy

FortiGate
Port 4
Internal Network

38 The FortiGate Cookbook 5.0.4

Enabling explicit web proxy
on the internal interface
Go to System > Network > Interfaces.

Edit an internal port (port 4 in the example).

Enable both DHCP Server and Explicit
Web Proxy.

Go to System > Config > Features. Ensure

that WAN Opt. & Cache is enabled.

Setting up an explicit proxy for users on a private network 39

Configuring the explicit web
proxy for HTTP/HTTPS
traffic
Go to System > Network > Explicit Proxy
and enable the HTTP/HTTPS explicit web
proxy.

Ensure that the Default Firewall Policy

Action is set to Deny.

40 The FortiGate Cookbook 5.0.4

Adding a security policy for
proxy traffic
Go to Policy > Policy > Policy.

Create a new policy and set the Incoming

Interface to web-proxy, the Outgoing
Interface to an internal port (in the example,
port 3), and the Service to webproxy.

Results
Configure web browsers on the private
network to connect using a proxy server.
The IP address of the HTTP proxy server is
10.10.1.99 (the IP address of the FortiGate
internal interface) and the port is 8080
(the default explicit web proxy port). Web
browsers configured to use the proxy server
are able to connect to the Internet.

Go to Policy > Policy > Policy to see the ID

of the policy allowing webproxy traffic.

Web proxy traffic is not counted by security

policy.

Setting up an explicit proxy for users on a private network 41

Adding packet capture to help troubleshooting
Packet capture is a means of logging traffic and its details to troubleshoot any
issues you might encounter with traffic flow or connectivity. This example shows the
basics of setting up packet capture on the FortiGate unit and analyzing the results.

1. Creating a packet capture filter

2. Starting the packet capture
3. Stopping the packet capture
4. Results

Original Packet

Internet
FortiGate

Internal Network

Duplicate Packet

Packet Capture

42 The FortiGate Cookbook 5.0.4

Creating a packet capture
filter
Go to System > Network > Packet
Capture.

Create a new filter. In this example, the

FortiGate unit will capture 100 HTTP packets
on the internal interface from/to host
192.168.1.200.

• Host(s) can be a single IP or multiple

IPs separated by comma, IP range, or
subnet.

• Port(s) can be single or multiple

separated by comma or range.

• Protocol can be single or multiple

separated by comma or range. Use 6 for
TCP, 17 for UDP, and 1 for ICMP.

Starting the packet capture

Select Start to begin the packet capture.
Using an internal computer, or a device set to
IP address 192.168.1.200, surf the Internet to
generate traffic.

Adding packet capture to help troubleshooting 43

Stopping the packet
capture
Once the FortiGate reaches the maximum
number of packets to save (in this case 100),
the capturing progress stops and you can
download the saved pcap file.

You can also stop the capturing at any time

before reaching the maximum number of
packets.

Results
Open the pcap file with a pcap file viewer,
such as tcpdump or Wireshark.

Adjust the settings in the filter depending on

the kind of traffic you wish to capture.

Go to Log & Report > Event Log >

System to verify that the packet capture file
downloaded successfully.

44 The FortiGate Cookbook 5.0.4

Protecting a web server on the DMZ network
In the following example, a web server is connected to a DMZ network. An internal-
to-DMZ security policy allows internal users to access the web server using an
internal IP address (10.10.10.22). A WAN-to-DMZ security policy hides the internal
address, allowing external users to access the web server using a public IP address
(172.20.120.22).

1. Configuring the FortiGate unit’s DMZ interface

2. Adding virtual IPs
3. Creating security policies
4. Results

Internet

WAN 1
172.20.120.22 DMZ Network

DMZ
FortiGate

LAN

Web Server
10.10.10.22

Internal Network

Protecting a web server on the DMZ network 45

Configuring the FortiGate
unit’s DMZ interface
Go to System > Network > Interfaces.

Edit the DMZ interface. A DMZ Network

(from the term ‘demilitarized zone’) is a
secure network connected to the FortiGate
that only grants access if it has been
explicitly allowed. Using the DMZ interface is
recommended but not required.

Adding virtual IPs

Go to Firewall Objects > Virtual IPs >
Virtual IPs.

Create two virtual IPs: one for HTTP access

and one for HTTPS access.

Each virtual IP will have the same address,

mapping from the public-facing interface to
the DMZ interface. The difference is the port
for each traffic type: port 80 for HTTP and
port 443 for HTTPS.

46 The FortiGate Cookbook 5.0.4

Creating security policies
Go to Policy > Policy > Policy.

Create a security policy to allow HTTP and

HTTPS traffic from the Internet to the DMZ
interface and the web server.

Create a second security policy to allow

HTTP and HTTPS traffic from the internal
network to the DMZ interface and the web
server.

Adding this policy allows traffic to pass

directly from the internal interface to the DMZ
interface.

Protecting a web server on the DMZ network 47

Results
External users can access the web
server on the DMZ network from the
Internet using http://172.20.120.22 and
https://172.20.120.22.

Internal users can access the web

server using http://10.10.10.22 and
https://10.10.10.22.

Go to Policy > Monitor > Policy Monitor.

Use the policy monitor to verify that traffic

from the Internet and from the internal
network is allowed to access the web server.
This verifies that the policies are configured
correctly.

Go to Log & Report > Traffic Log >

Forward Traffic.

The traffic log shows sessions from the

internal network and from the Internet
accessing the web server on the DMZ
network.

48 The FortiGate Cookbook 5.0.4

Using port pairing to simplify transparent mode
When you create a port pair, all traffic accepted by one of the paired ports can
only exit out the other port. Restricting traffic in this way simplifies your FortiGate
configuration because security policies between these interfaces are pre-
configured.

1. Switching the FortiGate unit to transparent mode and adding a static

route
2. Creating an internal and wan1 port pair
3. Creating firewall addresses
4. Creating security policies
5. Results

Internet
Protected web server
192.168.1.200

Router

WAN 1

Internal
FortiGate

Management IP Internal Network

192.168.1.100 192.168.1.[110-150]

Using port pairing to simplify transparent mode 49

Switching the FortiGate unit
to transparent mode and
adding a static route
Go to System > Dashboard > Status.

In the System Information widget,

select Change. Set Operation mode to
Transparent.

Log into the FortiGate unit using the

management IP (in the example,
192.168.1.100).

Go to System > Network > Routing Table

and set a static route.

Creating an internal and

wan1 port pair
Go to System > Network > Interfaces.

Create an internal/wan1 pair so that all traffic

accepted by the internal interface can only
exit out of the wan1 interface.

50 The FortiGate Cookbook 5.0.4

Creating firewall addresses
Go to Firewall Objects > Address >
Addresses.

Create an address for the web server using

the web server’s Subnet IP.

Create a second address, with an IP range

for internal users.

Creating security policies

Go to Policy > Policy > Policy.

Create a security policy that allows internal

users to access the web server using HTTP
and HTTPS.

Using port pairing to simplify transparent mode 51

Create a second security policy that allows
connections from the web server to the
internal users’ network and to the Internet
using any service.

Results
Connect to the web server from the internal
network and surf the Internet from the server
itself.

Go to Log & Report > Traffic Log >

Forward Traffic to verify that there is traffic
from the internal to wan1 interface.

52 The FortiGate Cookbook 5.0.4

Select an entry for details.

Go to Policy > Monitor > Policy Monitor

to view the active sessions.

Using port pairing to simplify transparent mode 53

Using two ISPs for redundant Internet
connections
This example describes how to improve the reliability of a network connection
using two ISPs. The example includes the configuration of equal cost multi-path
load balancing, which efficiently distributes sessions to both Internet connections
without overloading either connection.

1. Configuring connections to the two ISPs

2. Adding security policies
3. Configuring failover detection and spillover load balancing
4. Results

Internet

WAN 1 WAN 2
ISP 1 ISP 2
FortiGate

LAN

Internal
Network

54 The FortiGate Cookbook 5.0.4

Configuring connections to
the two ISPs
Go to System > Network > Interfaces and
configure the wan1 and wan2 connections.
Make sure that both use DHCP as the
Addressing mode and have Retrieve
default gateway from server and
Override internal DNS enabled.

Using two ISPs for redundant Internet connections 55

Adding security policies
Go to Policy > Policy > Policy.

Create a security policy for the primary

interface connecting to the ISPs and the
internal network.

Create a security policy for each interface

connecting to the ISPs and the internal
network.

Configuring failover
detection and spillover load
balancing
Go to Router > Static > Settings.

Create two new Dead Gateway Detection

entries.

56 The FortiGate Cookbook 5.0.4

Set the Ping Interval and Failover
Threshold to a smaller value for a more
immediate reaction to a connection going
down.

Go to Router > Static > Settings and set

the ECMP Load Balancing Method to
Spillover.

The Spillover Threshold value is calculated

in kbps (kilobits per second). However, the
bandwidth on interfaces is calculated in kBps
(kilo Bytes per second).

For wan1 interface, Spillover Threshold = 100

kbps = 100000 bps. Assume that 1000 bps
is equal to 1024 bps. Thus, 100000 bps =
102400 bps = 102400/8 Bps = 12800 Bps.

Results
Go to Log & Report > Traffic Log >
Forward Traffic to see network traffic from
different source IP addresses flowing through
both wan1 and wan2.

Using two ISPs for redundant Internet connections 57

Disconnect the wan1 port on the FortiGate
unit to see that all traffic automatically goes
through the wan2 port unit, until wan1 is
available again.

58 The FortiGate Cookbook 5.0.4

Adding a backup FortiGate unit to improve
reliability
Adding a backup FortiGate unit to a currently installed FortiGate unit provides
redundancy if the primary FortiGate unit fails. This system design is known as High
Availability (HA) and is intended to improve network reliability.

1. Adding the backup FortiGate unit and configuring HA

2. Testing the failover functionality
3. Upgrading the firmware for the HA cluster

Internet

Internet
Switch

Dual HA
WAN 1 WAN 1 Links WAN 2

HA 1 HA 1
FortiGate FortiGate FortiGate
(Primary) (Primary) HA 2 (Backup)
HA 2
Internal Internal Internal

Switch

Internal Network

Adding a backup FortiGate unit to improve reliability 59

Adding the backup
FortiGate unit and
configuring HA
Connect the backup FortiGate unit as shown
in the diagram.

Go to System > Dashboard > Status.

Change the host name of the primary

FortiGate unit.

Go to System > Config > HA.

Configure the HA settings for the primary

FortiGate unit.

Go to System > Dashboard > Status.

Change the host name of the backup

FortiGate unit.

60 The FortiGate Cookbook 5.0.4

Go to System > Config > HA.

Configure the HA settings for the backup

FortiGate unit.

Ensure that the Group Name and

Password are the same as on the primary
FortiGate unit.

Go to System > Config > HA to view the

cluster information.

Select View HA Statistics for more

information on the cluster.

Adding a backup FortiGate unit to improve reliability 61

Go to System > Dashboard > Status to
see the cluster information.

Testing the failover

functionality
Unplug the Ethernet cable from the WAN1
interface of the primary FortiGate unit. Traffic
will divert to the backup FortiGate unit.

Use the ping command to view the results.

Shut down the primary FortiGate unit, and

you will see that traffic fails over to the
backup FortiGate unit.

Use the ping command to view the results.

62 The FortiGate Cookbook 5.0.4

Upgrading the firmware for
the HA cluster
When a new version of the FortiOS firmware
becomes available, upgrade the firmware on
the primary FortiGate unit and the backup
FortiGate unit will upgrade automatically.

Go to System > Dashboard > Status

and view the System Information widget.
Select Upgrade beside the Firmware
Version listing.

The firmware will load on the primary

FortiGate unit, and then on the backup unit.

Go to Log & Report > Event Log >

System.

Go to System > Dashboard > Status. View

the System Information widget again. Both
FortiGate units should have the new firmware
installed.

Adding a backup FortiGate unit to improve reliability 63

Security Policies & Firewall Objects
Security policies and firewall objects are used to tell the FortiGate unit which traffic
should be allowed and which should be blocked.
No traffic can pass through a FortiGate unit unless specifically allowed to by
a security policy. With a security policy, you can control the addresses and
services used by the traffic and apply various features, such as security profiles,
authentication and VPNs.
Firewall objects are those elements within the security policy that further dictate how
and when network traffic is routed and controlled. This includes addresses,services,
and schedules.
This section contains the following examples:

• Ordering security policies to allow different access levels

• Controlling when BYOD users can access the Internet
• Using port forwarding on a FortiGate unit
• Using AirPlay with iOS, AppleTV, FortiAP, and a FortiGate unit
• Using AirPrint with iOS and OS X and a FortiGate unit

65
Ordering security policies to allow different
access levels
This example illustrates how to order multiple security policies in the policy table,
in order for the appropriate policy to be applied to different network traffic. In the
example, three policies will be used: one that allows a specific PC access to all
services, one that allows only Internet access to other network devices, and the
default deny policy.

1. Configuring the Internet access only policy

2. Creating the policy for the PC
3. Ordering the policy table
4. Results

Network PC

All Services

LAN WAN 1
FortiGate

Internet Access Only

Other Network Devices

66 The FortiGate Cookbook 5.0.4

Configuring the Internet
access only policy
Go to Policy > Policy > Policy.

The screen that appears is the policy list.

In the example, Global View has been
selected, with the Seq.#, From, To, Source,
Destination, Action, Service, and
Sessions columns visible. To change the
visible columns, right-click on the menu bar
and select only the columns you wish to see.

Edit the first policy, which allows outgoing

traffic. Set Service to HTTP, HTTPS and
DNS. This policy now only allows Internet
access.

Creating the policy for the

PC
Go to System > Network > Interfaces.

Edit the LAN interface. Under DHCP Server,

expand the Advanced options.

Create a new MAC Address Access

Control List. Set MAC to the MAC address
of the PC and IP to an available IP address.

This will automatically assign the specified

Ordering security policies to allow different access levels 67

IP address to the PC when it connects to the
FortiGate.

Go to Firewall Objects > Address >

Addresses.

Create a new address. Set Type to IP

Subnet, Subnet/IP Range to the IP
address that will be assigned to the PC, and
Interface to LAN.

Using /32 as the Netmask ensures that the

firewall address applies only to the
specified IP.

Go to Policy > Policy > Policy.

Create a new policy. Set Incoming

Interface to LAN, Source Address to the
PC address, and Outgoing Interface to
WAN1.

Ordering the policy table

Use the PC to browse to any Internet site,
then go to Policy > Policy > Policy.

The policy with Seq.# 1 is the Internet

access only policy, while 2 is the policy for
the PC. The Sessions column shows that
all sessions are currently using the Internet
access policy. Policy 3 is the default deny
policy.

To ensure that traffic from the PC matches

68 The FortiGate Cookbook 5.0.4

the PC policy, not the Internet access only
policy, select the Seq.# column and drag the
policy to the top of the list.

The device identity list will now appear at the

top of the list. After the list is refreshed, this
policy will be assigned Seq.# 1.

With this new order set, the FortiGate unit

will attempt to apply the policy for the PC to
all traffic from the LAN interface. If the traffic
comes from a different source, the FortiGate
will attempt to apply the Internet access only
policy. If this attempt also fails, traffic will be
blocked using the default deny policy.

When ordering multiple security policies, the

most specific policies (in this case, the policy
for the PC) must go to the top of the list, to
ensure that the FortiGate unit checks them
first when determining which policy to apply.

Results
Browse the Internet using the PC and
another network device, then refresh the
policy list. You can now see Sessions
occuring for both policies.

Ordering security policies to allow different access levels 69

Controlling when BYOD users can access the
Internet
This example uses a FortiOS device definition and security policy scheduling to limit
use of Bring Your Own Device (BYOD) users during company time.

In this example, a FortiWiFi unit is used. A similar method can be used to control BYOD access using a FortiAP and a
FortiGate..

1. Adding BYODs to the FortiWiFi unit

2. Adding schedules for the use of a BYOD
3. Adding a device identity security policy
4. Results

Internet

FortiWiFi

Wireless Mobile
Devices

Internal
network

70 The FortiGate Cookbook 5.0.4

Adding BYODs to the
FortiWiFi unit
Go to User & Device > Device > Device
Definitions.

Add a new device by assigning an Alias

and setting the MAC Address and Device
Type.

The device will now appear on the definitions

list.

Devices not yet added may also appear in

the list. Double-click the entry and enter an
Alias to add it.

Adding schedules for the

use of a BYOD
Go to Firewall Objects > Schedule >
Schedules.

Create a new recurring schedule to suit

your needs. The example schedule, when
included with a security policy, allows users
to access the Internet with their personal
wireless devices over lunch time hours.

Controlling when BYOD users can access the Internet 71

Adding a device identity
security policy
Go to Policy > Policy > Policy.

Create a new policy, setting the Policy

Subtype to Device Identity. Set the
Incoming Interface to the wireless
interface used for BYOD connections and
set the Outgoing Interface as the Internet-
facing interface.

Create a new authentication rule that

includes the wireless devices and the new
schedule.

Results
Go to Log & Report > Traffic Log >
Forward Traffic. When a mobile user
connects during the lunch break, they can
surf the Internet, as shown in the logs.

When the time in the schedule is reached,

further surfing cannot continue. This does
not appear in the logs, as only allowed traffic
is logged.

Evidence that the schedule and policy are

working appears when attempting to connect
to a website, and possibly a few questions
from the BYOD users.

72 The FortiGate Cookbook 5.0.4

Using port forwarding on a FortiGate unit
This example illustrates how to use virtual IPs to configure port forwarding on a
FortiGate unit, which redirects traffic from one port to another. In this example,
incoming connections from the Internet are allowed access to a server on the
internal network by opening TCP ports in the range 7882 to 7999 and UDP ports
2119 and 2995.

1. Creating three virtual IPs

2. Adding the virtual IPs to a VIP group
3. Creating a security policy
4. Results

Internet

Open TCP ports 7882-7999,

UDP port 2119 and 2995
for traffic from the
FortiGate
Internet to the server

Server

Using port forwarding on a FortiGate unit 73

Creating three virtual IPs
Go to Firewall Objects > Virtual IPs >
Virtual IPs.

Enable Port Forwarding and add a virtual

IP using TCP protocol with the range 7882-
7999.

Create a second virtual IP for the UDP port

2119.

Create a third a virtual IP for the UDP port

2995.

74 The FortiGate Cookbook 5.0.4

Adding virtual IPs to a VIP
group
Go to Firewall Objects > Virtual IPs > VIP
Groups.

Create a VIP group that includes all three

virtual IPs.

Creating a security policy

Go to Policy > Policy > Policy.

Create a security policy allowing inbound

connections to the server from the Internet.
Set the Destination Address as the new
VIP group.

Using port forwarding on a FortiGate unit 75

Results
Go to Policy > Monitor > Policy Monitor
to see the active sessions.

Select the blue bar for more information on a

session.

Go to Log & Report > Traffic Log >

Forward Traffic to see the logged activity.

76 The FortiGate Cookbook 5.0.4

Select an entry for more information about
the session.

Using port forwarding on a FortiGate unit 77

Using AirPlay with iOS, AppleTV, FortiAP, and a
FortiGate unit
This example sets up AirPlay services for use with an iOS device using Bonjour and
multicast security policies.

1. Configuring the FortiAP and SSIDs

2. Adding addresses for the wireless network
3. Adding service objects for multicasting
4. Adding multicast security policies
5. Adding inter-subnet security policies
6. Results

iPad

Internal Network
(OS x)

FortiAP FortiGate

Apple
TV

78 The FortiGate Cookbook 5.0.4

Configuring the FortiAP and
SSIDs
Go to System > Network > Interfaces.

Edit the internal interface to be used for

the FortiAP and set Addressing Mode to
Dedicate to FortiAP.

Connect the FortiAP unit to the FortiGate

unit.

Go to WiFi Controller > Managed Access

Points > Managed FortiAP and authorize
the FortiAP.

Once authorized, it will appear in the

authorized list.

Using AirPlay with iOS, AppleTV, FortiAP, and a FortiGate unit 79

Go to WiFi Controller > WiFi Network >
SSID.

Create a WiFi SSID for the network for

wireless users and enable DHCP Server.

Adding addresses for the

wireless network
Go to Firewall Objects > Address >
Addresses.

Create an address for SSID 1.

80 The FortiGate Cookbook 5.0.4

Create a second address for the internal
network containing the OS X computers.

Adding two service objects

for AirPlay
Go to Firewall Objects > Service >
Services.

Add service objects for each device

connection.

Using AirPlay with iOS, AppleTV, FortiAP, and a FortiGate unit 81

Adding multicast security
policies
Go to Policy > Policy > Multicast Policy.

Create a policy to allow multicast traffic from

the LAN and WLAN1 for AppleTV to iOS
devices. Set Incoming Interface to LAN,
Source Address to the Internal network,
Outgoing Interface to the SSID, and
Destination Address to Bonjour.

The Bonjour address allows the devices to

find each other when they connect
through the FortiGate unit.

Go to Policy > Policy > Multicast Policy.

Create a policy to allow multicast traffic

from the WLAN1 and LAN for iOS devices
to AppleTV. Set Incoming Interface to
the SSID, Source Address to the SSID
IP, Outgoing Interface to LAN, and
Destination Address to Bonjour.

82 The FortiGate Cookbook 5.0.4

Adding inter-subnet security
policies
Go to Policy > Policy > Policy.

Create a policy allowing traffic from the

Apple TV to the iOS device. Set Incoming
Interface to LAN, Source Address to the
Internal network, and Outgoing Interface to
the SSID.

Create a policy allowing traffic from the

iOS device to the Apple TV. Set Incoming
Interface to the SSID, Source Address to
the SSID IP, and Outgoing Interface to the
LAN.

Results
Use Airplay from the iPad to stream video to
the Apple TV.

Go to Log & Report > Traffic Log >

Multicast Traffic to see the multicast traffic
between the WLAN1 and LAN interfaces.

Using AirPlay with iOS, AppleTV, FortiAP, and a FortiGate unit 83

Select an entry for more information.

Go to Log & Report > Traffic Log > Log

Forward and filter policy IDs 6 and 7, which
allow AirPlay traffic.

84 The FortiGate Cookbook 5.0.4

Select an entry for more information.

Apple TV can also be connected to the

Internet wirelessly. AirPlay will function
from any iOS device connected to the
same SSID as Apple TV. No configuration is
required on the FortiGate unit.

Using AirPlay with iOS, AppleTV, FortiAP, and a FortiGate unit 85

Using AirPrint with iOS and OS X and a FortiGate
unit
This example sets up AirPrint services for use with an iOS device and OS X
computers using Bonjour and multicast security policies.

1. Configuring the FortiAP and SSIDs

2. Adding addresses for the wireless networks and printer
3. Adding service objects for printing
4. Adding multicast security policies
5. Adding inter-subnet security policies
6. Results

iPad Internal Network

OS x

FortiAP FortiGate

AirPrint

86 The FortiGate Cookbook 5.0.4

Configuring the FortiAP and
SSIDs
Go to System > Network > Interfaces.

Set an internal interface as dedicated to the

FortiAP unit.

Connect the FortiAP unit to the FortiGate

unit.

Go to WiFi Controller > Managed Access

Points > Managed FortiAP and authorize
the FortiAP.

Once authorized, it will appear in the

authorized list.

Using AirPrint with iOS and OS X and a FortiGate unit 87

Go to WiFi Controller > WiFi Network >
SSID.

Create a WiFi SSID for the network for

wireless users and enable DHCP Server.

88 The FortiGate Cookbook 5.0.4

Create an SSID for the network for the
AirPrint printer and enable DHCP Server.

Adding addresses for the

wireless networks and
printer
Go to Firewall Objects > Address >
Addresses.

Create addresses for the SSID1, SSID2, and

AirPrint printer.

Using AirPrint with iOS and OS X and a FortiGate unit 89

Create an address for the internal network
containing the OS X computers.

Adding service objects for

printing
Go to Firewall Objects > Service >
Services.

Create a new service for Internet Printing

Protocol (IPP) for iOS devices.

Create a new service for PDL Data Stream

for OS X computers.

90 The FortiGate Cookbook 5.0.4

Adding multicast security
policies
Go to Policy > Policy > Multicast Policy.

Create two policies to allow multicast traffic

from WLAN1 and WLAN2 for iOS devices.

For the first policy, set Incoming Interface

to WLAN1, Source Address to the SSID1
IP, Outgoing Interface to WLAN2, and
Destination Address to Bonjour.

For the second policy, set Incoming

Interface to WLAN2, Source Address
to the SSID2 IP, Outgoing Interface to
WLAN1, and Destination Address to
Bonjour.

The Bonjour address allows the devices to

find each other when they connect
through the FortiGate unit.

Create two policies to allow multicast

traffic from the LAN and WLAN2 for OS X
computers.

For the first policy, set Incoming Interface

to LAN, Source Address to the Internal
network, Outgoing Interface to WLAN2,
and Destination Address to Bonjour.

Using AirPrint with iOS and OS X and a FortiGate unit 91

For the second policy, set Incoming
Interface to WLAN2, Source Address to
the AirPrint, Outgoing Interface to LAN,
and Destination Address to Bonjour.

Adding inter-subnet security

policies
Go to Policy > Policy > Policy.

Create a policy allowing printing from

wireless devices. Set Incoming Interface to
WLAN1, Source Address to the SSID1 IP,
Outoing Interface to WLAN2, Destination
Address to the AirPrint, and Service to IPP.

Create a policy allowing printing from an

OS X computer to the AirPrint printer. Set
Incoming Interface to LAN, Source
Address to the Internal network, Outoing
Interface to WLAN2, Destination Address
to the AirPrint, and Service to IPP.

92 The FortiGate Cookbook 5.0.4

Results
Print a document from an iOS device.

Go to Log & Report > Traffic Log >

Multicast Traffic to see the printing traffic
passing through the FortiGate unit.

Select an entry to see more information.

Go to Log & Report > Traffic Log >

Forward Traffic and verify the entry with the
IPP service.

Using AirPrint with iOS and OS X and a FortiGate unit 93

Print a document from an OS X computer.

Go to Log & Report > Traffic Log >

Multicast Traffic to see the printing traffic
passing through the FortiGate unit.

Select an entry to see more information.

Go to Log & Report > Traffic Log >

Forward Traffic and filter the destination
interface for WLAN2 traffic.

Select an entry to see more information.

94 The FortiGate Cookbook 5.0.4

Security Features
Security features, including antivirus, web filtering, application control, intrusion
protection (IPS), email filtering, and data leak prevention (DLP), apply core security
functions to the traffic accepted by your FortiGate unit.
Each security feature has a default profile. You can also create custom profiles to
meet the needs of your network. These profiles are then applied to your security
policies and used to monitor and, if necessary, block external and internal traffic that
is considered risky or dangerous.
This section contains the following examples:

• Monitoring your network using client reputation

• Controlling network access using application controll
• Protecting a web server from external attacks
• Blocking outgoing traffic containing sensitive data
• Blocking large files from entering the network
• Blocking access to specific websites
• Extra help: Web filtering
• Blocking HTTPS traffic with web filtering
• Using web filter overrides to control website access

95
Monitoring your network using client reputation
Client reputation allows you to monitor traffic from internal sources to identify any
users who may be engaging in risky or dangerous behavior. This example enables
client reputation on web filtering, in order to monitor user traffic to the Internet.

1. Enabling client reputation

2. Adding default security profiles to a security policy
3. Results

Internet

Traffic from internal sources

monitored by Client Reputation
FortiGate

Internal Network

96 The FortiGate Cookbook 5.0.4

Enabling client reputation
Go to Security Profiles > Client
Reputation > Threat Level Definition.

Enable Client Reputation Tracking by

selecting the Off button, so it changes to
appear green and reads On.

The client reputation profile is made up of

categories of different behaviors which could
be considered risky, dangerous, or otherwise
unwanted. All behavior types are assigned
Risk Level Values that determine how
closely that behavior is monitored.

Risk levels have a default value that you can

change to meet your needs. To change a
value, select a level indicator dial and drag
it right to increase the risk level, or left to
decrease.

Enabling Client Reputation Tracking also

enables the Log Allowed Traffic setting
for all security policies. For more
information about logging, see “Logging
network traffic to gather information” on
page 23.

Monitoring your network using client reputation 97

Adding default security
profiles to a security policy
Go to Policy > Policy > Policy.

Edit the policy controlling the traffic you

wish to monitor using client reputation.
Under Security Profiles, enable all types of
activity you wish to monitor and set them to
use the default profiles.

In the example, only the web filter profile is

enabled, so only traffic to the Internet will be
monitored.

98 The FortiGate Cookbook

Results
Monitor traffic for a day. To see the
results, go to Security Profiles > Client
Reputation > Reputation Score.

The chart lists users by IP address and

scores the users according to the risk level of
their behavior. Scores are listed from highest
to lowest.

With this information, you can see where

potential problems might occur or where
potential security breaches are imminent.

Select a blue bar to view more information

about a particular user’s activity, including
the application being used and the client
reputation score.

If you wish to continue to monitor user

behavior and are either using FortiCloud for
logging or have an SMTP email server, daily
or weekly client reputation reports can be
sent to you.

Client Reputation only monitors risky

activity, it does not block it. If you discover
activity that you are concerned about,
additional action must be taken to stop it,
such as applying a more restrictive
security policy to the traffic.

Monitoring your network using client reputation 99

Controlling network access using application
control
This example uses application control to monitor traffic and determine what
applications are contributing to high bandwidth usage or distracting employees.
After this is determined, a different application sensor is used to block those
applications from having network access.

1. Creating an application sensor to monitor network traffic

2. Adding the monitoring sensor to a security policy
3. Reviewing the application control monitor
4. Creating an application sensor to block applications
5. Adding the blocking sensor to a security policy
6. Results

Action applied
yes

Application
yes targeted?

Application Application
Session begins specific control
traffic enabled?

no Traffic not
affected

100 The FortiGate Cookbook 5.0.4

Creating an application
control sensor to monitor
traffic
Go to Security Profiles > Application
Control > Application Sensors. Select
the plus icon in the upper right corner of
the window to create a new sensor list for
monitoring application traffic.

Select Create New to add a new application

filter. Leave all Filter Options selected.

Ensure that you set the Action to Monitor.

At this stage in the process, you are
monitoring the traffic to locate any problems
that may be occurring, rather than blocking
applications.

Controlling network access using application control 101

Adding the monitoring
sensor to a security policy
Go to Policy > Policy > Policy.

Edit the security policy that allows internal

users to access the Internet. Under Security
Profiles, enable Application Control and
set it to use the new filter.

102 The FortiGate Cookbook 5.0.4

Reviewing the application
control monitor
Go to Security Profiles > Monitor >
Application Monitor to see the results
found by the application sensor.

Select a bar to see further details on the

usage statistics.

In the example, you can see an occurrence

of an HTTP segmented download, which
typically occurs during Peer-to-Peer (P2P)
downloads. To avoid this from occurring
in the future, P2P applications must be
blocked.

Creating an application
sensor to block applications
Go to Security Profiles > Application
Control > Application Sensors and create
a new sensor list for blocking application
traffic.

Controlling network access using application control 103

Select Create New to add a new application
filter.

In the Category list, select the application

categories you wish to block. As well as
blocking P2P, other types of applications
can be selected that are known to distract
employees.

Ensure that you set the Action to Block.

Adding the blocking sensor

to a security policy
Go to Policy > Policy > Policy.

Edit the firewall policy allowing internal users

to access the Internet. Under Security
Profiles, enable Application Control and
set it to use the new filter.

104 The FortiGate Cookbook 5.0.4

Results
Go to Log & Report > Traffic Log >
Forward Traffic.

You can see the sensor is working and

blocking the traffic from the selected
application types, including the P2P
application Skype.

Select an entry to view more information,

including the application name and the
device the traffic originated on.

Controlling network access using application control 105

Protecting a web server from external attacks
This example uses the FortiOS intrusion protection system (IPS) to protect a web
server by configuring an IPS sensor to protect against common attacks and adding
it to the policy which allows external traffic to access the server. A denial of service
(DoS) security policy is also added to further protect the server against that specific
type of attack.

1. Configuring an IPS sensor to protect against common

attacks
2. Adding the IPS sensor to a security policy
3. Adding a DoS security policy
4. Results

Attacks

Internet
FortiGate

Web Server

106 The FortiGate Cookbook 5.0.4

Configuring an IPS sensor
to protect against common
attacks
Go to Security Profiles > Intrusion
Protection > IPS Sensors. Select the plus
icon in the upper right corner of the window
to create a new sensor.

Create a new IPS filter. Set the Target to

server and set the Action to Block All.

Protecting a web server from external attacks 107

Adding the IPS sensor to a
security policy
Go to Policy > Policy > Policy. Edit the
security policy allowing traffic to the web
server from the Internet.

Enable IPS and set it to use the new sensor.

Adding a DoS security policy

Go to Policy > Policy > DoS Policy.

Create a new policy. The Incoming

Interface is your Internet-facing interface.

In the Anomalies list, enable Status and

Logging and set the Action to Block for all
types.

108 The FortiGate Cookbook

Results

WARNING: Causing a DoS attack is illegal,

unless you own the server under attack.
Before performing an attack, make sure
you have the correct server IP.

Perform an DoS tcp_sync_flood attack to the

web server IP address. IPS blocks the TCP
sync session when it reaches the tcp_syn_
flood threshold, in this case 20.

Go to Log & Report > Security Log >

Intrusion Protection to view the results of
the DoS policy.

Select an entry to view more information,

including the severity of the attack and the
attack name.

Protecting a web server from external attacks 109

Blocking outgoing traffic containing sensitive
data
Data leak prevention (DLP) analyzes outgoing traffic and blocks any sensitive
information from leaving the network. In this example, DLP will be used to block files
using the file’s name and type.

1. Creating a file filter

2. Creating a DLP sensor that uses the file filter
3. Adding the DLP sensor to a security policy
4. Results

Internet

Data Leak

FortiGate
Internal Network

110 The FortiGate Cookbook 5.0.4

Creating a file filter
Go to Security Profiles > Data Leak
Prevention > File Filter. Select Create
New to make a File Filter Table.

Create a new filter in the table. Set the Filter

Type to File Name Pattern and enter the
pattern you wish to match. If needed, you
can use a wildcard character in the pattern.

Create a second filter, this time setting the

Filter Type to File Type. Select a File Type
from the list.

Blocking outgoing traffic containing sensitive data 111

Creating a DLP sensor that
uses the file filter
Go to Security Profiles > Data Leak
Prevention > Sensors. Select the plus icon
in the upper right corner of the window to
create a new sensor.

Select Create New to make a new filter.

Set the type to Files. Enable File Type
included in and set it to your file filter.

Under Examine the following Services,

select the services you wish to monitor with
DLP.

Set the Action to Block.

112 The FortiGate Cookbook 5.0.4

Adding the DLP sensor to a
security policy
Go to Policy > Policy > Policy. Edit the
security policy that controls the traffic you
wish to block.

Enable DLP Sensor and set it to use the

new sensor.

Results
Attempt to upload a file that matches the
file filter criteria using FTP protocol. The file
should be blocked and a message from the
server should appear.

Blocking outgoing traffic containing sensitive data 113

To find more information about the blocked
traffic, go to Log & Report > Traffic Log >
Forward Traffic.

The selected log message shows the name

of the file that was blocked (File_pattern_text.
exe), the type of file filter that blocked it
(file-type), and a variety of other information
which may be useful.

114 The FortiGate Cookbook 5.0.4

Blocking large files from entering the network
Some files are too large to be properly scanned by a FortiGate unit, which can put
your network at risk. This example configures data leak prevention (DLP) to block
files larger than 10 MB (10,000 kB) from entering the network.

1. Creating a DLP sensor to block large files

2. Adding the DLP sensor to a security policy
3. Results

Large file containing a virus

Internet
FortiGate

Internal Network

Blocking large files from entering the network 115

Creating a DLP sensor to
block large files
Go to Security Profiles > Data Leak
Prevention > Sensors. Select the plus icon
in the upper right corner of the window to
create a new sensor.

Select Create New to make a new filter and

set the filter type to Files.

Enable File Size >= and set the size to

10,000 kB. Select all of the services you wish
to examine and set the Action to Block.

116 The FortiGate Cookbook 5.0.4

Adding the DLP sensor to a
security policy
Go to Policy > Policy > Policy.

Edit the security policy controlling the

traffic you wish to block. Under Security
Features, enable DLP Sensor and set it to
use the new sensor.

Results
Attempt to download a file larger than 10
MB. The download will fail and a replacement
message from the FortiGate unit will appear.

The DLP sensor may not take effect until

all the current sessions have expired. If
the file is not blocked immediately, wait 24
hours and try again.

Blocking large files from entering the network 117

Blocking access to specific websites
This example sets up the FortiGate unit to block users from viewing a specific
website using web filtering.

1. Creating a web filter profile

2. Adding the web filter profile to a security policy
3. Results

Website

Block

FortiGate

Internal Network

118 The FortiGate Cookbook 5.0.4

Creating a web filter profile
Go to Security Profiles > Web Filter >
Profiles.

Create a new profile and select Enable

Web Site Filter and Create New. Set the
URL to *fortinet.com, using * as a wildcard
character in order to block all subdomains of
the site. Set the Type to Wildcard and the
Action to Block.

Adding the web filter profile

to a security policy
Go to Policy > Policy > Policy.

Edit the policy controlling the traffic you wish

to block from the website. Under Security
Profiles, enable Web Filter and set it to use
the new profile.

Blocking access to specific websites 119

Results
In a web browser, visit www.fortinet.com
and docs.fortinet.com. In both cases, the
FortiGate unit displays a message, stating
that the website is blocked.

This example will only block HTTP web

traffic. In order to block HTTPS traffic as
well, see”Blocking HTTPS traffic with web
filtering” on page 122.

120 The FortiGate Cookbook 5.0.4

Extra help: Web filtering
This section contains tips to help you with some common challenges of FortiGate
web filtering.

The Web Filter option does not appear in the GUI.

Go to Config > System > Features and enable Web Filter.

New Web Filter profiles cannot be created.

Go to Config > System > Features and select Show More. Enable Multiple Security
Profiles.

Web Filtering has been configured but is not working.

Make sure that web filtering is enabled in a policy. If it is enabled, check that the policy is the
policy being used for the correct traffic. Also check that the policy is getting traffic by going
to the policy list and adding the Sessions column to the list.

An active FortiGuard Web Filtering license displays as expired/unreachable.

First, ensure that web filtering is enabled in one of your security policies. The FortiGuard
service will sometimes show as expired when it is not being used, to save CPU cycles.

If web filtering is enabled in a policy, go to System > Config > FortiGuard and click the
blue arrow beside Web Filtering. Under Port Selection, select Use Alternate Port (8888).
Select Apply to save the changes. Check whether the license is shown as active. If it is still
inactive/expired, switch back to the default port and check again.

Websites blocked using the FortiGuard Categories are not consistently

blocked (for example, traffic is only blocked using certain browsers).
In your web filter profile, make sure that Scan Encrypted Connections is selected. Next,
create an SSL Inspection profile and add it to the security policy. Traffic should now be
blocked consistently.

SSL Inspection is causing certificate errors.

Download the Fortinet_CA_SSLProxy certificate and install it on your web browser. For more
information, see “Preventing security certificate warnings when using SSL inspection” on
page 169.

Extra help: Web filtering 121

Blocking HTTPS traffic with web filtering
Some websites are accessible using HTTPS protocol, such as Youtube. This
example shows how to use web filtering to block HTTPS access.

This example requires an active license for FortiGuard Web Filtering Services.

1. Verifying FortiGuard services are enabled

2. Creating a web filter profile
3. Creating an SSL inspection profile
4. Adding the profiles to a security policy
5. Results

Website

Block

HTTPS Traffic

FortiGate

Internal Network
122 The FortiGate Cookbook 5.0.4
Verifying FortiGuard
Services are enabled
Go to System > Dashboard > Status.

In the License Information widget, verify

that you have an active subscription to
FortiGuard Web Filtering. If you have a
subscription, the service will have a green
checkmark beside it.

Blocking HTTPS traffic with web filtering 123

Creating a web filter profile
Go to Security Profiles > Web Filter >
Profiles. Select the plus icon in the
upper right corner to create a new profile.

Enable FortiGuard Categories and expand

the category Bandwidth Consuming.
Right-click on Streaming Media and
Download, the category to which Youtube
belongs, and select Block.

Creating an SSL inspection

profile
Go to Policy > Policy > SSL Inspection.
Select the plus icon in the upper right corner
to create a new profile.

Enable the inspection of the HTTPS

Protocol.

124 The FortiGate Cookbook 5.0.4

Adding the profiles to a
security policy
Go to Policy > Policy > Policy.

Edit the security policy controlling the traffic

you wish to block. Under Security Profiles,
enable Web Filter and SSL Inspection and
set both to use the new profiles.

Blocking HTTPS traffic with web filtering 125

Results
Browse to https://www.youtube.com. A
replacement message appears indicating
that the website was blocked.

Blocked traffic can be monitored by going

to Security Profiles > Monitor > Web
Monitor.

126 The FortiGate Cookbook 5.0.4

Using web filter overrides to control website
access
This example shows two methods of using web filter overrides to control access to
specific websites: one for the entire network and one for specific users.

This example requires an active license for FortiGuard Web Filtering Services.

Method 1 Method 2
1. Creating a rating override 1. Creating a user group and
two users
2. Adding FortiGuard blocking
to the default web filter profile 2. Creating a web filter profile
3. Adding the web filter profile to 3. Adding the web filter profile to
a security policy a security policy
4. Results 4. Results

Internet

FortiGuard
Override

FortiGate

Internal Network

Using web filter overrides to control website access 127

Method 1
Creating a ratings override
Go to Security Profiles > Web Filter >
Rating Overrides.

Create a new override and enter the URL

fortinet.com. Select Lookup Rating to see
its current FortiGuard Rating.

Set Category to Custom Categories (local

categories) and create a new Sub-Category
for blocked sites.

The sub-category has been added to the list

of FortiGuard Categories, under Local
Categories.

128 The FortiGate Cookbook 5.0.4

Adding FortiGuard blocking
to the default web filter
profile
Go to Security Profiles > Web Filter >
Profiles.

Create a new profile and enable FortiGuard

Categories. Right-click on Local
Categories and select Block.

Adding the web filter profile

to a security policy
Go to Policy > Policy > Policy.

Edit the policy that allows outbound traffic.

Under Security Profiles, enable Web Filter
and set it to use the new profile.

Using web filter overrides to control website access 129

Results
In a web browser, go to www.fortinet.com.

The website will be blocked and a

replacement message from FortiGuard Web
Filtering will appear.

Rating overrides can also be used to allow

access to specific sites within a FortiGuard
category, such as General Interest -
Personal, while still blocking the rest of
the sites listed in that category.

Method 2
Creating a user group and
two users
Go to User & Device > User > User
Group. Select Create New and create the
group override_group.

130 The FortiGate Cookbook 5.0.4

Go to User & Device > User > User
Definition.

Using the User Creation Wizard, create

two users (in the example, ckent and
bwayne). Assign ckent to override_group but
not bwayne.

Using web filter overrides to control website access 131

Creating a web filter profile
Go to Security Profiles > Web Filter >
Profiles.

Create a new profile and enable FortiGuard

Categories. Right click on Local
Categories and select Block.

Expand the Advanced Filter and enable

Allow Blocked Override. Set Apply to
Group(s) to override_group.

Set Assign to Profile to default to use it as

the alternate web filter profile for override_
group users.

Because the default web filter does not block

Local Categories, using it will allow ckent to
access fortinet.com for the duration of the
override period (by default, Duration is set
to 15 minutes).

Adding the web filter profile

to a security policy
Go to Policy > Policy > Policy.

Edit the policy that allows outbound traffic

and set the Policy Subtype to User
Identity.

132 The FortiGate Cookbook 5.0.4

Create an Authentication Rule that
includes both override_group and bwayne
and has Web Filter set to override_profile.

Results
In a web browser, go to www.fortinet.com.

After the user authentication screen, the

website is blocked and a replacement
message from FortiGuard Web Filtering
appears.

Select Override. You are prompted to

authenticate to view the page.

User bwayne is not able to override the web

filter and receives an error message.

Using web filter overrides to control website access 133

However, user ckent is able to override the
filter and can access the site for 15 minutes.

You can monitor web filter overrides by going

to Log & Report > Traffic Log > Forward
Traffic.

Select an entry for more information about a

session, including the user and hostname.

134 The FortiGate Cookbook 5.0.4

Wireless Networking
FortiOS WiFi networking provides a wide range of capabilities for integrating
wireless networks into your organization’s network architecture. Each WiFi network,
or SSID, is represented by a virtual network interface to which you can apply firewall
policies, security profiles, and other features in the same way you would for physical
wired networks.
This chapter contains the following examples:

• Setting up a temporary guest WiFi user

• Setting up a network using a FortiGate unit and a FortiAP unit
• Providing remote users access to the corporate network and Internet

135
Setting up a temporary guest WiFi user
In this example, a temporary user account will be created and distributed to a guest
user, allowing the guest to have wireless access to the Internet.

1. Connecting the FortiAP unit using the DMZ interface

2. Creating a WiFi guest user group
3. Creating an SSID using a captive portal
4. Creating a security policy to allow guest users Internet
access
5. Creating a guest user management account
6. Results

Internet

Internal Network

FortiGate
FortiAP

Guest WiFi User

136 The FortiGate Cookbook 5.0.4

Connecting the FortiAP unit
using the DMZ interface
Go to System > Network > Interfaces.
Select the dmz interface.

Set the dmz interface to be Dedicated to

FortiAP.

Connect the FortiAP to the DMZ interface.

Go to WiFi Controller > Managed Access
Points > Managed FortiAP and right-click
on the FortiAP unit. Select Authorize.

Using the DMZ interface creates a secure

network that will only grant access if it is
explicitly allowed. This allows guest access
to be carefully controlled.

Setting up a temporary guest WiFi user 137

Creating a WiFi guest user
group
Go to User & Device > User > User
Group.

Create a new group, setting Type to Guest,

User ID to Email, and Password to Auto-
Generate.

These guest user accounts are temporary

and will expire four hours after the first login.

Creating an SSID using a

captive portal
Go to WiFi Controller > WiFi Network >
SSID.

Create a new SSID. Set Traffic Mode to

Tunnel to Wireless Controller and enable
DHCP Server, taking note of the IP range
assigned.

Under WiFi Settings, set Security Mode

to Captive Portal and User Groups to the
new guest user group.

A Captive Portal will intercept connections

to the wireless network and display a login
screen on the guest user’s device. The guest
must then authenticate with the portal to gain
access to the wireless network.

138 The FortiGate Cookbook 5.0.4

Creating a security policy
to allow guest users Internet
access
Go to Firewall Objects > Address >
Addresses.
Create a firewall address for the guest WiFi
users. Use the DHCP IP range for Subnet/IP
Range and set the Interface to the wireless
interface.

Go to Policy > Policy > Policy.

Create a security policy allowing guest users

to have wireless access to the Internet.

Set Incoming Interface to the wireless

interface, Outgoing Interface to your
Internet-facing interface, and Source
Address to the guest WiFi users group.

Setting up a temporary guest WiFi user 139

Creating a guest user
management account
Optionally, you can create an administrator
that is used only to create guest accounts.
Access to this account can be given to a
receptionist, to simply the process of making
new accounts.

Go to System > Admin > Administrators.

Create a new account. Set the Type to

Regular and set a Password. Enable
Restrict to Provision Guest Accounts
and set Guest Groups to the WiFi guest
user group.

140 The FortiGate Cookbook 5.0.4

Results
Log in to the FortiGate unit using the guest
user management account. Go to User &
Device > User > Guest Management and
select Create New.

Use a guest’s email account to create a new

user ID.

The FortiGate unit generates a user account

and password. This account is only valid for
four hours (the default time limit for the guest
user group).

The guest can now log in using the FortiGate

Captive Portal. Once authenticated, the
guest is able to connect wirelessly to the
Internet.

Setting up a temporary guest WiFi user 141

To verify that the guest user logged in
successfully, go to WiFi Controller >
Monitor > Client Monitor.

Go to Policy > Monitor > Policy Monitor

and verify the active sessions.

Select one of the bars to view more

information about a session.

142 The FortiGate Cookbook 5.0.4

Setting up a network using a FortiGate unit and
a FortiAP unit
This example sets up a wired network and a wireless network that are in the same
subnet. This will allow wireless and wired users to share network resources.

1. Configuring the internal wired network to use DHCP

2. Creating the internal wireless network
3. Results

Internet

FortiGate

FortiAP

Wireless Network

Internal Network

Setting up a network using a FortiGate unit and a FortiAP unit 143

Configuring the internal
wired network to use DHCP
Edit the internal interface.

Set Addressing mode to Manual and

enable DHCP server. Take note of the IP
range.

Go to Firewall Objects > Address >

Addresses.

Set Type to IP Range and set Subnet/IP

Range to use the IP range from the DHCP
server.

144 The FortiGate Cookbook 5.0.4

Go to Policy > Policy > Policy.

Create a security policy allowing users on the

wired network to access the Internet.

Creating the internal

wireless network
Connect the FortiAP to the internal interface.
Go to WiFi Controller > Managed Access
Points > Managed FortiAP and right-click
on the FortiAP unit. Select Authorize.

It may take a few minutes for the FortiAP

unit to appear on the Managed FortiAP list.

Setting up a network using a FortiGate unit and a FortiAP unit 145

Go to WiFi Controller > WiFi Network >
SSID and create a new SSID.

Ensure the Traffic Mode is set to Local

bridge with FortiAP’s Interface.

Go to WiFi Controller > WiFi Network >

Custom AP Profile. Select Create New.

Set SSID for both Radio 1 and Radio 2 to

the new SSID.

146 The FortiGate Cookbook 5.0.4

Go to WiFi Controller > Managed Access
Points > Managed FortiAP. Edit the
FortiAP unit.

Under Wireless Settings, set AP Profile to

use the new profile.

Results
Users connected to the new SSID will be
able to access the Internet. The wireless
devices will be in the same subnet as the
internal wired network.

Go to WiFi Controller > Monitor > Client

Monitor to see WiFi users and their IP
addresses.

Go to Log & Report > Traffic Log >

Forward Traffic to verify that the same
policy controls both wired and wireless
traffic.

Setting up a network using a FortiGate unit and a FortiAP unit 147

Providing remote users access to the corporate
network and Internet
In this example, a user in a remote location, such as a hotel or their home, will use
a FortiAP unit to securely connect to the corporate network and browse the Internet
from behind the corporate firewall.

1. Connecting the FortiAP unit to the corporate FortiGate unit

2. Creating an SSID and a firewall addresses
3. Creating security policies
4. Configuring the FortiAP unit to connect to the corporate
FortiGate unit
5. Connecting to the corporate FortiGate unit remotely
6. Results

FortiAP
Remote User

Internet

Internal Network

FortiGate

148 The FortiGate Cookbook 5.0.4

Connecting the FortiAP unit
to the corporate FortiGate
unit
Insert the Ethernet cable provided into the
FortiAP unit’s WAN port.

Connect the Ethernet cable to an internal

port on your FortiGate. You may use a
different port but, for ease of use, an internal
port is preferred.

Configure the port by going to System >

Network > Interfaces. Set the Addressing
mode to Dedicate to FortiAP.

Go to WiFi Controller > Managed

AccessPoints > Managed FortiAP. The
FortiAP unit should be listed.

There will be an orange question mark icon

listed under State. Right-click on the icon
and select Authorize.

Now that the FortiAP unit is authorized, the

icon will change to a green checkmark.

Providing remote users access to the corporate network and Internet 149
Creating an SSID and a
firewall addresses
Go to WiFi Controller > WiFi Network >
SSID. Select Create New.

Enable the DHCP Server and make note of

the IP range.

Configure the WiFi Settings with a unique

SSID name and Pre-shared Key.

Go to Firewall Objects > Address >

Addresses. Create addresses for both the
remote users and the corporate network.

For the remote users, set Type to IP Range.

The range for the remote users should be
within the range used for the DHCP server.
Set Interface to the new SSID.

150 The FortiGate Cookbook 5.0.4

For the corporate network, set Type to
Subnet and use the corporate network’s
IP address. Set Interface to an internal
interface.

Creating security policies

Go to Policy > Policy > Policy.

Create a policy that allows remote wireless

users to access the Internet. Set the
Incoming Interface to the SSID and the
Outgoing Interface as your Internet-facing
interface.

Providing remote users access to the corporate network and Internet 151
Create a second policy for remote wireless
users to access the corporate network.
Again, set the Incoming Interface to the
SSID but now the Outgoing Interface is an
internal interface.

Configuring the FortiAP unit

to connect to the corporate
FortiGate unit
Go to WiFi Controller > Managed Access
Points > Managed FortiAP and note the IP
Address assigned to your FortiAP.

Enter the address into your browser’s

address bar to access your FortiAP web
manager.

152 The FortiGate Cookbook 5.0.4

In the System Information tab, enter the
AC IP Address of the public facing interface
of the corporate FortiGate unit. The Internet-
facing interface is also the public facing
interface. To locate this IP address, go to
System > Network > Interfaces.

The FortiAP will search for this FortiGate

interface when it tries to connect.

The remote user may now take this device

to the desired remote location to connect
securely to the corporate FortiGate unit.

Connecting to the
corporate FortiGate
remotely
At the remote location, connect the FortiAP
to the Internet using an Ethernet cable. Next,
connect the FortiAP to power.

Once connected, the FortiAP requests an IP

address and locates the FortiGate wireless
controller.

The remote user can now access the

corporate network and browse the Internet
securely from behind the corporate firewall.

Providing remote users access to the corporate network and Internet 153
Results
Go to WiFi Controller > Monitor > Client
Monitor to see remote wireless users
connected to the FortiAP unit.

Go to Log & Report > Traffic Log >

Forward Traffic to see remote wireless
users appear in the logs.

Select an entry to view more information

about remote traffic to the corporate
network and to the Internet.

154 The FortiGate Cookbook 5.0.4

Authentication
Authentication, the act of confirming the identity of a person or device, is a key part
of network security. In the context of a private computer network, the identities of
users or host computers must be established to ensure that only authorized parties
can access the network. The FortiGate unit enables controlled network access and
applies authentication to users of security policies and VPN clients.
This section contains the following examples:

• Providing single sign-on for a Windows AD network with a FortiGate

• Providing single sign-on in advanced mode for a Windows AD network
• Providing single sign-on for Windows AD with LDAP
• Preventing security certificate warnings when using SSL inspection
• Extra help: Certificates

155
Providing single sign-on for a Windows AD
network with a FortiGate
This example uses the Fortinet Single Sign-On (FSSO) Collector Agent to integrate a
FortiGate unit into the Windows AD domain.

1. Installing the FSSO Collector Agent

2. Configuring the Single Sign-on Agent
3. Configuring the FortiGate unit to connect to the FSSO agent
4. Adding a FSSO user group
5. Adding a firewall address for the internal network
6. Adding a security profile that includes an authentication rule
7. Results

Internet

FortiGate

Windows AD
Internal Network

156 The FortiGate Cookbook 5.0.4

Installing the FSSO Collector
Agent
Run the setup for the Fortinet SSO Collector
Agent. After logging in, configure the agent
settings.

Add the Collector Agent address information.

Providing single sign-on for a Windows AD network with a FortiGate 157

Select the domains to monitor, and any users
whose activity you do not wish to monitor.

Set the working mode and complete the

installation.

158 The FortiGate Cookbook 5.0.4

Configuring the Single
Sign-on Agent
If required, select Require authenticated
connection from FortiGate, and add a
password.

You will also enter this password when

configuring the FSSO on the FortiGate unit.

Configuring the FortiGate

unit to connect to the FSSO
agent
On the FortiGate unit, go to User & Device
> Authentication > Single Sign-On.

Enter this password used configuring the

FSSO on the FortiGate unit in the previous
step.

Adding a FSSO user group

On the FortiGate unit, go to User & Device
> User > User Group.

Providing single sign-on for a Windows AD network with a FortiGate 159

Adding a firewall address
for the internal network
Go to Firewall Objects > Address >
Addresses.

Adding a security
profile that includes an
authentication rule
Go to Policy > Policy > Policy.

Add an accept user identity security policy

and add the new FSSO group.

160 The FortiGate Cookbook 5.0.4

Results
Go to Log & Report > Traffic Log >
Forward Traffic. As users log into the
Windows AD system, the FortiGate collects
their connection information.

Select an entry for more information.

Providing single sign-on for a Windows AD network with a FortiGate 161

Providing single sign-on in advanced mode for a
Windows AD network
Using Fortinet Single Sign On, the FortiGate unit automatically authenticates any
user that successfully logs into Windows. The Domain Controller agent Advanced
mode has the advantage of supporting nested or inherited user groups. If Standard
mode is used, the FortiGate unit can authenticates only users who are a direct
member of a group.

1. Configuring the DC agent for Advanced mode

2. Configuring the DC agent as an FSSO agent
3. Creating an FSSO user group
4. Creating an identity-based security policy
5. Results

Internet

FortiGate

Windows AD
Internal Network

162 The FortiGate Cookbook 5.0.4

Configuring the DC agent
for Advanced mode
Log on to the Windows server where the DC
agent is installed. Go to All Programs >
FortiNet > Fortinet Single Sign On Agent
> Configure Fortinet Single Sign On
Agent.

Select Directory Access Information and

set AD Access mode to Advanced.

The rest of the configuration is done on the

FortiGate unit.

Configuring the FSSO agent

Go to User & Device > Authentication >
Single Sign-On to enter the information the
FortiGate unit needs to access the DC agent.

After you select Apply & Refresh, the

Windows AD groups are listed. This confirms
that the FortiGate unit can communicate with
the DC agent.

On a Windows AD network with a large

number of groups, the FortiGate unit’s
performance might be affected by the
volume of user logon information it
receives. Use the Set Group Filters
function of the DC agent to send
information only for the groups you intend
to authenticate.

Providing single sign-on in advanced mode for a Windows AD network 163

Creating an FSSO user
group
Select the Windows AD groups to include in
the FortiGate FSSO user group.

Creating an identity-based
security policy
Create an identity-based security policy that
uses the FSSO user group that you created.

Results
The Windows AD user, having authenticated
at logon, does not have to authenticate again
to connect to the Internet.

164 The FortiGate Cookbook 5.0.4

Providing single sign-on for Windows AD with
LDAP
A logged-on Windows user can be automatically authenticated on a FortiGate unit
through Fortinet Single Sign-On. Some Windows AD systems use an external LDAP
server. FSSO can also accommodate this configuration.

1. Configuring access to the LDAP server.

2. Configuring the DC agent as an FSSO agent.
3. Configuring a group filter on the DC agent.
4. Creating an FSSO user group and add Active Directory user
groups to it.
5. Creating a security policy to allow the FSSO user group
access to the Internet through the FortiGate unit.

Internet
LDAP Server
192.168.1. 117

WAN 1

FortiGate Port 1 Internal Network

Windows AD
Domain Controller
192.168.1.114

Providing single sign-on for Windows AD with LDAP 165

Configuring access to the
LDAP server
Go to User & Device > Authentication
> LDAP Server and enter the information
needed to connect the FortiGate unit to the
external LDAP server.

Configuring the DC agent as

an FSSO agent
Go to User & Device > Authentication >
Single Sign-On to enter the information the
FortiGate unit needs to access the DC agent.

Select the LDAP Server. In Users/Groups

use the Edit Users/Groups tab to select user
groups from the LDAP tree.

166 The FortiGate Cookbook 5.0.4

Configuring a group filter
on the DC agent
Log on to the Windows server where the DC
agent is installed. Go to All Programs >
FortiNet > Fortinet Single Sign On Agent
> Configure Fortinet Single Sign On
Agent.

Select Set Group Filters. Select Add. Enter

the FortiGate unit serial number and specify
which user groups the DC agent should
monitor for the FortiGate unit. Select Add
again.

To avoid adversely affecting the FortiGate

unit’s performance, configure the filter to
send information only for the groups you
intend to authenticate.

Creating an FSSO user

group and add Active
Directory user groups to it
.Go to User & Device > User > User
Group. Create a Fortinet Single Sign-On
group and select which Windows AD groups
to include as members.

Providing single sign-on for Windows AD with LDAP 167

Creating a security policy
Create identity-based security policies that
use the FSSO user group that you created.

Results
The Windows AD user, having authenticated
at logon, does not have to authenticate again
to connect to the Internet.

168 The FortiGate Cookbook 5.0.4

Preventing security certificate warnings when
using SSL inspection
This example illustrates how to prevent your users from getting a security certificate
error, which happens because an SSL session is established with the SSL Proxy,
not the destination web site. Instead of having users select Continue when they
receive an error, a bad habit to encourage, you will provide them with the FortiGate
SSL CA certificate to install on their browsers.

1. Enabling Certificate configuration in the web-based

manager.
2. Downloading the Fortinet_CA_SSLProxy.
3. Importing the CA certificate into the web browser.

Website Certificate
Certificate

SSL proxy
FortiGate

Internal Network

Preventing security certificate warnings when using SSL inspection 169

Enabling certificate
configuration in the web-
based manager
Go to System > Config > Features and
enable Certificates.

Downloading the Fortinet_

CA_SSLProxy
Go to System > Certificates > Local
Certificates to download the Fortinet_CA_
SSLProxy certificate.

Make the CA certificate file available to your

users.

Importing the CA
certificate into the web
browser
For Internet Explorer:
Go to Tools > Internet Options. On the
Content tab, select Certificates and
find the Trusted Root Certification
Authorities.

Import the certificate using the Import

Wizard. Make sure that the certificate is
imported into Trusted Root Certification
Authorities.

You will see a warning because the FortiGate

unit’s certificate is self-signed. It is safe to
select Yes to install the certificate.

170 The FortiGate Cookbook 5.0.4

For Firefox:
Depending on platform, go to Tools >
Options or Edit > Preferences and find
the Advanced Encryption settings.

View Certificates, specifically the Authorities

certificate list.

Preventing security certificate warnings when using SSL inspection 171

Import the Fortinet_CA_SSLProxy certificate file.

Results
Even if you bypass the error message by
selecting “Continue to this website”, the
browser may still show an error in the toolbar.

After you install the FortiGate SSL CA

certificate, there will be no certificate security
issue when you browse to sites on which
the FortiGate unit performs SSL content
inspection.

172 The FortiGate Cookbook 5.0.4

Extra help: Certificates
This section contains tips to help you with some common challenges of using
certificates.

Certificate options do not appear in the GUI.

Go to System > Features > Config and select Show More. Enable the Certificates
feature.

A new certificate must be used.

Go to System > Certificates > Local Certificates and select Import.

A new certificate must be generated.

First, go to System > Certificates > Local Certificates and select Generate. Fill in the
required fields. The certificate must then be either self-signed or signed by a third party.
Finally, import the new certificate.

Certificate warnings appear when users attempt to authenticate.

Go to User & Device > Authentiction > Settings and set Certificate to use the correct
certificate.

The wrong certificate appears when using an SSL-VPN.

Go to VPN > SSL > Config and set Server Certificate to use the correct certificate.

Extra help: Certificates 173

SSL and IPsec VPN
Virtual private networks (VPNs) extend a private network across a public network,
typically the Internet. Two types of VPN can be configured with FortiGate unit: SSL
VPN and IPsec VPN.
SSL VPN configuration requires an SSL VPN web portal for users to log into, a
user authentication configuration for SSL VPN users, and the creation of SSL VPN
security policies that control the source and destination access of SSL VPN users.
IPsec supports a similar client server architecture as SSL VPN. However, to support
a client server architecture, IPsec users must install and configure an IPsec VPN
client (such as FortiClient) on their PCs or mobile devices.
This section contains the following examples:

• Providing remote users with access using SSL VPN

• Providing secure remote access to a network for an iOS device
• Using IPsec VPN to provide communication between offices
• Using redundant OSPF routing over IPsec VPN

175
Using IPsec VPN to provide communication
between offices
This example provides secure, transparent communication between two FortiGates
located at different offices using route-based IPsec VPN. In this example, one office
will be referred to as HQ and the other will be referred to as Branch.

1. Configuring the HQ IPsec VPN

2. Adding firewall addresses for the local and remote LAN on HQ
3. Creating an HQ security policy and static route
4. Configure the Branch IPsec VPN Phase 1 and Phase 2
settings
5. Add Branch firewall addresses for the local and remote LAN
6. Create a branch IPsec security policy and static route
7. Results

WAN 1 WAN 1
172.20.120.123 172.20.120.22

IPsec Internet
FortiGate
FortiGate

Port 1 LAN
192.168.1.99/24 10.10.1.99/24

Internal Internal
Network (HQ) Network (Branch)

176 The FortiGate Cookbook 5.0.4

Configuring the HQ’s IPsec
VPN
On the HQ FortiGate, go to VPN > IPsec >
Auto Key (IKE).

Select Create Phase 1. Set IP Address

to the IP of the Branch FortiGate, Local
Interface to the Internet-facing interface,
and enter a Pre-shared Key.

Using IPsec VPN to provide communication between offices 177

Now select Create Phase 2, set it to use
the new Phase 1, and expand the Advanced
options.

Specify Source address as the HQ subnet

and Destination address as the Branch
subnet.

Adding firewall addresses

for the local and remote
LAN on HQ
Go to Firewall Objects > Address >
Addresses.

Create a local address. Set Type to Subnet,

Subnet/IP Range to the HQ subnet, and
Interface to an internal port.

178 The FortiGate Cookbook 5.0.4

Create a remote LAN address. Set Type to
Subnet, Subnet/IP Range to the Branch
subnet, and Interface to the VPN Phase 1.

Creating an HQ security
policy and static route.
Go to Policy > Policy > Policy.

Create a policy for outbound traffic. Set

Incoming Interface to an internal port,
Source Address to the local address,
Outgoing Interface to the VPN Phase 1,
and Destination Address to the remote
LAN address.

Create a second policy for inbound traffic.

Set Incoming Interface to the VPN phase
1, Source Address to the local address,
Outgoing Interface to an internal port, and
Destination Address to the local address.

Using IPsec VPN to provide communication between offices 179

Go to Router > Static > State Routes.

Create a route for IPsec traffic, setting

Device to the VPN Phase 1.

Configuring the Branch’s

IPsec VPN
One the Branch FortiGate, Go to VPN >
IPsec > Auto Key (IKE).

Select Create Phase 1. Set IP Address to

the IP of the HQ FortiGate, Local Interface
to the Internet-facing interface, and enter the
same Pre-shared Key used previously.

180 The FortiGate Cookbook 5.0.4

Now select Create Phase 2, set it to use
the new Phase 1, and expand the Advanced
options.

Specify Source address as the Branch

subnet and Destination address as the HQ
subnet.

Adding firewall addresses

for the local and remote
LAN on HQ
Go to Firewall Objects > Address >
Addresses.

Create a local address. Set Type to Subnet,

Subnet/IP Range to the Branch subnet,
and Interface to an internal port.

Using IPsec VPN to provide communication between offices 181

Create a remote LAN address. Set Type
to Subnet, Subnet/IP Range to the HQ
subnet, and Interface to the VPN Phase 1.

Creating an HQ security
policy and static route.
Go to Policy > Policy > Policy.

Create a policy for outbound traffic. Set

Incoming Interface to an internal port,
Source Address to the local address,
Outgoing Interface to the VPN Phase 1,
and Destination Address to the remote
LAN address.

Create a second policy for inbound traffic.

Set Incoming Interface to the VPN phase
1, Source Address to the local address,
Outgoing Interface to an internal port, and
Destination Address to the local address.

182 The FortiGate Cookbook 5.0.4

Go to Router > Static > State Routes.

Create a route for IPsec traffic, setting

Device to the VPN Phase 1.

Results
Go to VPN > Monitor > IPSec Monitor to
verify the status of the VPN tunnel. It should
be up.

A user on either of the office networks should

be able to connect to any address on the
other office network transparently.

From the HQ FortiGate unit go to Log &

Report > Traffic Log > Forward Traffic to
verify that both inbound and outbound traffic
is occurring.

To verify traffic on the Branch FortiGate unit

as well, go to Log & Report > Traffic Log >
Forward Traffic.

Using IPsec VPN to provide communication between offices 183

Providing remote users with access using SSL
VPN
This example provides remote users with access to the corporate network using
SSL VPN and connect to the Internet through the corporate FortiGate unit. During
the connecting phase, the FortiGate unit will also verify that the remote user’s
antivirus software is installed and current.
1. Creating an SSL VPN tunnel for remote users
2. Creating a user and a user group
3. Adding an address for the local network
4. Adding security policies for access to the Internet and internal
network
5. Setting the FortiGate unit to verify users have current antivirus
software
6. Results

Internet
Remote SSL VPN user

WAN 1
SSL Root 172.20.120.123
Browsing

FortiGate

Port 1
192.168.1.99/24

Internal Network Windows Server

192.168.1.114

184 The FortiGate Cookbook 5.0.4

Creating an SSL VPN tunnel
for remote users
Go to VPN > SSL > Portal.

Edit the full-access portal.

The full-access portal allows the use of

tunnel mode and/or web mode. In this
scenario we are using both modes.

Enable Split Tunneling is not enabled

so that all Internet traffic will go through
the FortiGate unit and be subject to the
corporate security profiles.

Select Create New in the Include

Bookmarks area to add a bookmark for a
remote desktop link/connection.

Bookmarks are used as links to internal

network resources.

Providing remote users with access using SSL VPN 185

Creating a user and a user
group
Go to User & Device > User > User
Definition.

Add a remote user with the User Creation

Wizard (in the example, ‘twhite’).

Go to User & Device > User > User

Group.

Add the user to a user group for SSL VPN

connections.

186 The FortiGate Cookbook 5.0.4

Adding an address for the
local network
Go to Firewall Objects > Address >
Addresses.

Add the address for the local network. Set

Type to Subnet, Subnet/ IP Range to the
local subnet, and Interface to an internal
port.

Adding security policies for

access to the Internet and
internal network
Go to Policy > Policy > Policy.

Add a security policy allowing access to

the internal network. Set Type to VPN and
Subtype to SSL-VPN.

If your FortiGate unit does not have the

Policy-based IPsec feature turned on, you
will only have to set Policy Type to VPN.

Set Incoming Interface to your Internet-

facing interface, Local Interface to an
internal port and Local Protected Subnet
to the address for the local network. Create
a new Authentication Rule to allow the
remote user group access.

Providing remote users with access using SSL VPN 187

Add a second security policy allowing access
to the Internet.

For this policy, Incoming Interface is sslvpn

tunnel interface and Outgoing Interface is
your Internet-facing interface.

Setting the FortiGate

unit to verify users have
current antivirus software
Go to System > Status > Dashboard.

In the CLI Console widget, enter the

commands on the right to enable the host to
check for compliant antivirus software on the
remote user’s computer.

Results
Log into the portal using the credentials you
created in step two.

188 The FortiGate Cookbook 5.0.4

The FortiGate unit performs the host check.

After the check is complete, the portal

appears.

Select the bookmark Remote Desktop link

to begin an RDP session.

Go to VPN > Monitor > SSL-VPN to verify

the list of SSL users. The Web Application
description indicates that the user is using
web mode.

Providing remote users with access using SSL VPN 189

Go to Log & Report > Traffic Log >
Forward Traffic and view the details for the
SSL entry.

In the Tunnel Mode widget, select Connect

to enable the tunnel.

Select the bookmark Remote Desktop link

to begin an RDP session.

Go to VPN > Monitor > SSL-VPN to verify

the list of SSL users.

The tunnel description indicates that the user

is using tunnel mode.

190 The FortiGate Cookbook 5.0.4

Go to Log & Report > Traffic Log >
Forward Traffic and view the details for the
SSL entry.

Go to Log & Report > Traffic Log >

Forward Traffic.

Internet access occurs simultaneously

through the FortiGate unit.

Select an entry to view more information.

Providing remote users with access using SSL VPN 191

Providing secure remote access to a network
for an iOS device
This recipe uses the VPN Wizard to provide a group of remote iOS users with
secure, encrypted access to the corporate network. The example enables group
members to access the internal network and forces them through the FortiGate unit
when accessing the Internet. The example uses an iPad 2 running iOS 6.1.2 (menu
options may vary for different iOS versions and devices).

1. Creating a user group for iOS users

2. Adding addresses for the local LAN and remote users
3. Configuring IPsec VPN phases using the VPN Wizard
4. Creating security policies for access to the internal network and
the Internet
5. Configuring VPN on the iOS device
6. Results

WAN 1
172.20.120.123
Internet IPsec
FortiGate
Port 1
192.168.1.99/24
Remote User
(iPad)

Internal Network

192 The FortiGate Cookbook 5.0.4

Creating a user group for
iOS users
Go to User & Device > User > User
Definition.

Create a new user.

Go to User & Device > User > User

Group.

Create a user group for iOS users and add

the user you created.

Adding addresses for the

local LAN and remote users
Go to Firewall Objects > Address >
Addresses.

Add the address for the local network,

including the subnet and local interface.

Providing secure remote access to a network for an iOS device 193

Go to Firewall Objects > Address >
Addresses.

Add the address for the remote user,

including the IP range.

Configuring the IPsec VPN

phases using the VPN Wizard
Go to VPN > IPSec > Auto Key (IKE).

Select Create VPN Wizard. Name the VPN

connection and select Dial Up - iPhone /
iPad Native IPsec Client. Click Next.

Enter your pre-shared key and select the iOS

user group, then click Next. Note that the
pre-shared key is a credential for the VPN
and should differ from the user’s password.

Select your Internet-facing interface for the

Local Outgoing Interface, and enter the IP
range from the address range you created.

194 The FortiGate Cookbook 5.0.4

Creating security policies
for access to the internal
network and the Internet
Go to Policy > Policy > Policy.

Create a security policy allowing remote iOS

users to access the internal network.

Go to Policy > Policy > Policy.

Create a security policy allowing remote iOS

users to access the Internet securely through
the FortiGate unit. Ensure that Enable NAT
is checkmarked.

Providing secure remote access to a network for an iOS device 195

Configuring VPN on the iOS
device
On the iPad, go to Settings > General >
VPN and select Add VPN Configuration.

Enter the VPN address, user account, and

password in their relevant fields. Enter the
pre-shared key in the Secret field.

Results
On the FortiGate unit, go to VPN >
Monitor > IPsec Monitor and view the
status of the tunnel.

Users on the internal network will be

accessible using the iOS device.

Go to Log & Report > Traffic Log >

Forward Traffic to view the traffic.

196 The FortiGate Cookbook 5.0.4

Select an entry to view more information.

Remote iOS users can also access the

Internet securely via the FortiGate unit.

Go to Log & Report > Traffic Log >

Forward Traffic to view the traffic.

Select an entry to view more information.

Providing secure remote access to a network for an iOS device 197

View the status of the tunnel on the iOS
device.

On the iPad, go to Settings > General >

VPN and view the Status of the connection.

Using a Ping tool, send a ping packet

directly to an IP address on the LAN behind
the FortiGate unit to verify the connection
through the VPN tunnel..

198 The FortiGate Cookbook 5.0.4

Using redundant OSPF routing over IPsec VPN
This example sets up redundant secure communication between two remote
networks using an Open Shortest Path First (OSPF) VPN connection. In this example,
the HQ FortiGate unit will be called FortiGate 1 and the Branch FortiGate unit will be
called FortiGate 2.

1. Creating redundant IPsec tunnels on FortiGate 1

2. Configuring IP addresses and OSPF on FortiGate 1
3. Configuring firewall addresses on FortiGate 1
4. Configuring security policies on FortiGate 1
5. Creating redundant IPsec tunnels for FortiGate 2
6. Configuring IP addresses and OSPF on FortiGate 2
7. Configuring firewall addresses on FortiGate 2
8. Configuring security policies on FortiGate 2
9. Results
OSPF

WAN 1 WAN 1
172.20.120.24 172.20.120.123
IPsec

Internet
FortiGate 1 FortiGate 2
IPsec
Internal WAN 2 WAN 2 Internal
10.20.1.1/24 172.20.120.23 172.20.120.127 10.21.1.1/24

OSPF

Internal Internal
Network Network
(HQ) (Branch)

Using redundant OSPF routing over IPsec VPN 199

Creating redundant IPsec
tunnels on FortiGate 1
Go to VPN > IPsec > Auto Key (IKE).

Select Create Phase 1 and create the

primary tunnel. Set IP Address to FortiGate
2’s wan1 IP, Local Interface to wan1 (the
primary Internet-facing interface) and enter a
Pre-shared Key.

Select Create Phase 2. Set it to use the

new Phase 1.

200 The FortiGate Cookbook 5.0.4

Go to VPN > IPsec > Auto Key (IKE).

Select Create Phase 1 and create the

secondary tunnel. Set IP Address to use
FortiGate 2’s wan2 IP, Local Interface
to wan2 (the secondary Internet-facing
interface) and enter the Pre-shared Key.

Go to VPN > IPsec > Auto Key (IKE).

Select Create Phase 2. Set it to use the

new Phase 1

Using redundant OSPF routing over IPsec VPN 201

Configuring IP addresses
and OSPF on FortiGate 1
Go to System > Network > Interfaces.

Select the arrow for wan1 to expand the list.

Edit the primary tunnel interface and create
IP addresses.

Select the arrow for wan2 to expand the

list. Edit the secondary tunnel interface and
create IP addresses.

Go to Router > Dynamic > OSPF.

Enter the Router ID for FortiGate 1.

Select Create New in the Area section.

Add the backbone area of 0.0.0.0.

Select Create New in the Networks

section.

Create the networks and select Area 0.0.0.0

for each one.

202 The FortiGate Cookbook 5.0.4

Select Create New in the Interfaces
section.

Create primary and secondary tunnel

interfaces. Set a Cost of 10 for the primary
interface and 100 for the secondary interface.

Configuring firewall
addresses on FortiGate 1
Go to Firewall Objects > Address >
Addresses.

Edit the subnets behind FortiGate 1 and

FortiGate 2.

Using redundant OSPF routing over IPsec VPN 203

Edit the primary and secondary interfaces of
FortiGate 2.

Configuring security policies

on FortiGate 1
Go to Policy > Policy > Policy.

Create the four security policies required for

both FortiGate 1’s primary and secondary
interfaces to connect to FortiGate 2’s primary
and secondary interfaces.

204 The FortiGate Cookbook 5.0.4

Using redundant OSPF routing over IPsec VPN 205
Creating redundant IPsec
tunnels on FortiGate 2
Go to VPN > IPsec > Auto Key (IKE).

Select Create Phase 1 and create the

primary tunnel. Set IP Address to FortiGate
1’s wan1 IP, Local Interface to wan1 (the
primary Internet-facing interface) and enter a
Pre-shared Key.

Select Create Phase 2. Set it to use the

new Phase 1.

206 The FortiGate Cookbook 5.0.4

Select Create Phase 1 and create the
secondary tunnel. Set IP Address to use
FortiGate 2’s IP, Local Interface to wan2
(the secondary Internet-facing interface) and
enter the Pre-shared Key.

Select Create Phase 2. Set it to use the

new Phase 1.

Using redundant OSPF routing over IPsec VPN 207

Configuring IP addresses
and OSPF on FortiGate 2
Go to System > Network > Interfaces.

Select the arrow for wan1 to expand the list.

Edit the primary tunnel interface and create
IP addresses.

Select the arrow for wan2 to expand the

list. Edit the secondary tunnel interface and
create IP addresses.

Go to Router > Dynamic > OSPF.

Enter the Router ID for FortiGate 2.

Select Create New in the Area section.

Add the backbone area of 0.0.0.0.

Select Create New in the Networks

section.

Create the networks and select Area 0.0.0.0

for each one.

208 The FortiGate Cookbook 5.0.4

Select Create New in the Interfaces
section.

Create primary and secondary tunnel

interfaces. Set a Cost of 10 for the primary
interface and 100 for the secondary interface.

Configuring firewall
addresses on FortiGate 2
Go to Firewall Objects > Address >
Addresses.

Edit the subnets behind FortiGate 1 and

FortiGate 2.

Using redundant OSPF routing over IPsec VPN 209

Edit the primary and secondary interfaces of
FortiGate 1.

Configuring security policies

on FortiGate 2
Go to Policy > Policy > Policy.

Create the four security policies required for

both FortiGate 2’s primary and secondary
interfaces to connect to FortiGate 1’s primary
and secondary interfaces.

210 The FortiGate Cookbook 5.0.4

Using redundant OSPF routing over IPsec VPN 211
Results
Go to VPN > Monitor > IPsec Monitor to
verify the statuses of both the primary and
secondary IPsec VPN tunnels on FortiGate 1
and FortiGate 2.

Go to Router > Monitor > Routing.

Monitor to verify the routing table on
FortiGate 1 and FortiGate 2. Type OSPF for
the Type and select Apply Filter to verify
the OSPF route.

Verify that traffic flows via the primary tunnel.

From a PC1 set to IP:10.20.1.100 behind

FortiGate 1, run a tracert to a PC2 set to IP
address 10.21.1.00 behind FortiGate 2 and
vise versa.

From PC1, you should see that the traffic

goes through 10.1.1.2 which is the primary
tunnel interface IP set on FortiGate 2.

From PC2, you should see the traffic goes

through 10.1.1.1 which is the primary tunnel
interface IP set on FortiGate 1.

The VPN network between the two OSPF

networks uses the primary VPN connection.
Disconnect the wan1 interface and

212 The FortiGate Cookbook 5.0.4

confirm that the secondary tunnel will be
used automatically to maintain a secure
connection.

Verify the IPsec VPN tunnel statuses on

FortiGate 1 and FortiGate 2. Both FortiGates
should show that primary tunnel is DOWN
and secondary tunnel is UP.

Go to VPN > Monitor > IPsec Monitor to

verify the status.

Verify the routing table on FortiGate 1 and

FortiGate 2.

The secondary OSPF route (with cost = 100)

appears on both FortiGate units.

Go to Router > Monitor > Routing

Monitor. Type OSPF for the Type and
select Apply Filter to verify OSPF route.

Verify that traffic flows via the secondary

tunnel.

From a PC1 set to IP:10.20.1.100 behind

FortiGate 1, run a tracert to a PC2 set to
IP:10.21.1.100 behind FortiGate 2 and
vice versa. From PC1, you should see that
the traffic goes through 10.2.1.2 which is
the secondary tunnel interface IP set on
FortiGate 2.

From PC2, you should see the traffic goes

through 10.2.1.1 which is the secondary
tunnel interface IP set on FortiGate 1.

Using redundant OSPF routing over IPsec VPN 213

Acn Unit Wise Question Paper 2024
No ratings yet
Acn Unit Wise Question Paper 2024
3 pages
Nokia 7250 IXR-R6 Data Sheet
100% (2)
Nokia 7250 IXR-R6 Data Sheet
6 pages
Fortigate Cookbook Expanded
100% (2)
Fortigate Cookbook Expanded
418 pages
Fortigate Cookbook 504 PDF
No ratings yet
Fortigate Cookbook 504 PDF
201 pages
ch08-SLIDE - (2) Data Communications and Networking by Behrouz A.Forouzan
No ratings yet
ch08-SLIDE - (2) Data Communications and Networking by Behrouz A.Forouzan
46 pages
Lab Cisco Packet Tracer
No ratings yet
Lab Cisco Packet Tracer
17 pages
Fortios Firewall 56
No ratings yet
Fortios Firewall 56
376 pages
Fortigate Cookbook 52
No ratings yet
Fortigate Cookbook 52
100 pages
EoIP Tunneling for Network Admins
No ratings yet
EoIP Tunneling for Network Admins
5 pages
NIOS Configuration Class Lab Guide: Infoblox Educational Services
100% (1)
NIOS Configuration Class Lab Guide: Infoblox Educational Services
161 pages
FortiOS-6 2 3-Cookbook
No ratings yet
FortiOS-6 2 3-Cookbook
1,501 pages
FortiOS-6.2.0-Cookbook-Security Rating Service
100% (1)
FortiOS-6.2.0-Cookbook-Security Rating Service
1,362 pages
FortiOS-6 0 0-Cookbook
No ratings yet
FortiOS-6 0 0-Cookbook
357 pages
FortiOS-6 0 0-Cookbook
No ratings yet
FortiOS-6 0 0-Cookbook
358 pages
Fortigate Cookbook v5
No ratings yet
Fortigate Cookbook v5
384 pages
Fortigate Cookbook 54 PDF
No ratings yet
Fortigate Cookbook 54 PDF
209 pages
Fortigate Cookbook 506 Expanded
No ratings yet
Fortigate Cookbook 506 Expanded
399 pages
CCNA 9TUT - New Questions Part 12
No ratings yet
CCNA 9TUT - New Questions Part 12
62 pages
FortiOS-6 2 0-Cookbook PDF
No ratings yet
FortiOS-6 2 0-Cookbook PDF
614 pages
Advanced Cisco Networking Courses
No ratings yet
Advanced Cisco Networking Courses
2 pages
Fortinet Cookbook Part-1
No ratings yet
Fortinet Cookbook Part-1
3 pages
FortiGate UTM Features & Admin Guide
No ratings yet
FortiGate UTM Features & Admin Guide
39 pages
AAC-007-05 Labguide - v2
No ratings yet
AAC-007-05 Labguide - v2
71 pages
(Viral) Kamal Kaur Viral Video Original Link
No ratings yet
(Viral) Kamal Kaur Viral Video Original Link
5 pages
FortiOS-6 2 0-Cookbook
No ratings yet
FortiOS-6 2 0-Cookbook
1,370 pages
FortiOS-6 2 0-Cookbook PDF
No ratings yet
FortiOS-6 2 0-Cookbook PDF
792 pages
FortiOS-6 2 0-Cookbook
100% (1)
FortiOS-6 2 0-Cookbook
877 pages
Fortigate Cookbook 504 Expanded
No ratings yet
Fortigate Cookbook 504 Expanded
311 pages
What Is A Network?
No ratings yet
What Is A Network?
9 pages
Fortigate Cookbook 505 Expanded
No ratings yet
Fortigate Cookbook 505 Expanded
364 pages
FortiOS 5.2 Handbook
No ratings yet
FortiOS 5.2 Handbook
197 pages
Fortigate Cookbook
No ratings yet
Fortigate Cookbook
393 pages
Fortios Handbook 54 PDF
No ratings yet
Fortios Handbook 54 PDF
3,366 pages
Initial Setup: Steps: Connect To The Device
No ratings yet
Initial Setup: Steps: Connect To The Device
4 pages
FortiOS-6 2 0-Cookbook PDF
No ratings yet
FortiOS-6 2 0-Cookbook PDF
614 pages
FortiOS 6.0.0 Cookbook Guide
No ratings yet
FortiOS 6.0.0 Cookbook Guide
200 pages
FortiOS-6 0 0-Cookbook
No ratings yet
FortiOS-6 0 0-Cookbook
353 pages
FortiOS 5.6 Setup Guide
No ratings yet
FortiOS 5.6 Setup Guide
335 pages
Fortigate CookThe FortiGate Cookbook 5.2
No ratings yet
Fortigate CookThe FortiGate Cookbook 5.2
512 pages
FortiOS-6 0 0-Cookbook
No ratings yet
FortiOS-6 0 0-Cookbook
342 pages
Fortigate Cookbook 52
No ratings yet
Fortigate Cookbook 52
777 pages
F5 Analytics - Lab Guide - Final
No ratings yet
F5 Analytics - Lab Guide - Final
35 pages
Lab 2 - Configuring Basic EIGRP For IPv4
No ratings yet
Lab 2 - Configuring Basic EIGRP For IPv4
9 pages
Fortigate 620B Quickstart
No ratings yet
Fortigate 620B Quickstart
2 pages
EXOSConcepts12 5 3
No ratings yet
EXOSConcepts12 5 3
1,584 pages
Fortigate Labs
No ratings yet
Fortigate Labs
7 pages
Medical VPN Request Form
No ratings yet
Medical VPN Request Form
1 page
Sample Networking MCQs
No ratings yet
Sample Networking MCQs
22 pages
Brkipm 3114 PDF
No ratings yet
Brkipm 3114 PDF
73 pages
FortiOS-6 2 0-Cookbook PDF
No ratings yet
FortiOS-6 2 0-Cookbook PDF
1,221 pages
Fortinet Fortiwifi 60 Instruccion de Instalacion
No ratings yet
Fortinet Fortiwifi 60 Instruccion de Instalacion
76 pages
Quickstart Guide: Fortigate/Fortiwifi
No ratings yet
Quickstart Guide: Fortigate/Fortiwifi
17 pages
Distance Learning Module in CSS10
No ratings yet
Distance Learning Module in CSS10
5 pages
Connecting The Network Devices and Logging Onto The Fortigate
No ratings yet
Connecting The Network Devices and Logging Onto The Fortigate
6 pages
Package Contents: Quickstart Guide
No ratings yet
Package Contents: Quickstart Guide
2 pages
FortiGate I 01 Introduction
No ratings yet
FortiGate I 01 Introduction
35 pages
Chapter 2 World and The Internet
No ratings yet
Chapter 2 World and The Internet
10 pages
Fortios Firewall 56
No ratings yet
Fortios Firewall 56
380 pages
OS9000 AOS 6.1.5 R01 Advanced Routing
No ratings yet
OS9000 AOS 6.1.5 R01 Advanced Routing
284 pages
Connecting A Private Network To The Internet Using NAT/Route Mode
No ratings yet
Connecting A Private Network To The Internet Using NAT/Route Mode
5 pages
105B-108B User Guide
No ratings yet
105B-108B User Guide
48 pages
Package Contents: Quickstart Guide
No ratings yet
Package Contents: Quickstart Guide
2 pages
Fortigate Cookbook
No ratings yet
Fortigate Cookbook
393 pages
CIIT Vehari Campus: The Internet and WWW: E-Commerce Infrastructure
No ratings yet
CIIT Vehari Campus: The Internet and WWW: E-Commerce Infrastructure
15 pages
Junos Security Admin Guide
No ratings yet
Junos Security Admin Guide
452 pages
IPv6 and XDSL
No ratings yet
IPv6 and XDSL
44 pages
Junos Security Swconfig Security
No ratings yet
Junos Security Swconfig Security
1,074 pages
Fe Ge Loopback2
No ratings yet
Fe Ge Loopback2
10 pages
Cisco Evpn Vxlan
No ratings yet
Cisco Evpn Vxlan
57 pages
XCS v91 Studentguide Basics
No ratings yet
XCS v91 Studentguide Basics
248 pages
FortiMail Administration Guide 06-30003-0154-20080605
No ratings yet
FortiMail Administration Guide 06-30003-0154-20080605
402 pages
AdventNet ManageEngine SupportCenterPlus 7 Help AdminGuide
No ratings yet
AdventNet ManageEngine SupportCenterPlus 7 Help AdminGuide
212 pages
B Cisco Nexus 7000 Series NX-OS Verified Scalability Guide
No ratings yet
B Cisco Nexus 7000 Series NX-OS Verified Scalability Guide
26 pages
DDoS Protection Strategies 2016
No ratings yet
DDoS Protection Strategies 2016
56 pages
Technology Speed
No ratings yet
Technology Speed
17 pages
Technical Note: Fortinet Server Authentication Extension
No ratings yet
Technical Note: Fortinet Server Authentication Extension
26 pages
Module 09 (Spanning Tree)
No ratings yet
Module 09 (Spanning Tree)
38 pages
Cross-Module Trunking in Extremeware 7.1.1
No ratings yet
Cross-Module Trunking in Extremeware 7.1.1
16 pages
Deployment Guide - Palo Alto Networks NGFW With Gigamon Deployment Guide
No ratings yet
Deployment Guide - Palo Alto Networks NGFW With Gigamon Deployment Guide
24 pages
Eng - Shady (Modules 5 - 6 Exam Answers)
No ratings yet
Eng - Shady (Modules 5 - 6 Exam Answers)
14 pages
D Link DIR-825M Single Band
No ratings yet
D Link DIR-825M Single Band
3 pages
OSI Model Quiz: Key Concepts
No ratings yet
OSI Model Quiz: Key Concepts
3 pages
NWC Q1
No ratings yet
NWC Q1
1 page
User Guide & Product Overview
No ratings yet
User Guide & Product Overview
2 pages
Administration Guide: Fortinet Server Authentication Extension™ Version 3.0 MR7
No ratings yet
Administration Guide: Fortinet Server Authentication Extension™ Version 3.0 MR7
36 pages
T1600G-28TS V1 Ug PDF
No ratings yet
T1600G-28TS V1 Ug PDF
269 pages