201 v4-1 Final

FortiGate Multi-Threat Security Systems I
Administration, Content Inspection and SSL VPN

Course 201
www.fortinet.com
FortiGate Multi-Threat Security Systems I
Administration, Content Inspection and SSL VPN
Student Guide v4.1 for FortiOS 4.0 MR2
Course 201
01-4200-0201-20100430
© Copyright 2010 Fortinet, Inc. All rights reserved. No part of this publication including text, examples,
diagrams, or illustrations may be reproduced, transmitted, or translated in any form or by any means,
electronic, mechanical, manual, optical, or otherwise, for any purpose, without prior written permission of
Fortinet, Inc.
Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient,
FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-
Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS,
FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are
trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies
and products mentioned herein may be the trademarks of their respective owners.
Contents
Contents
Introduction............................................................................... 1
Course Overview ........................................................................................... 3
Course Objectives ................................................................................... 3
Prerequisites ........................................................................................... 3
Who Should Attend ................................................................................. 3
Certification ............................................................................................. 4
Self-Paced Training Course .................................................................... 4
Course Evaluation (for Self-Paced Training Students) ........................... 4
Lesson 1 - Overview and System Setup ................................ 7

Unified Threat Management .......................................................................... 7
The Fortinet Solution ..................................................................................... 8
FortiGate Appliance ................................................................................ 8
FortiGuard ............................................................................................. 10
FortiManager ......................................................................................... 10
FortiAnalyzer ......................................................................................... 11
FortiMail ................................................................................................ 11
FortiClient.............................................................................................. 11
FortiWeb................................................................................................ 12
FortiDB .................................................................................................. 12
FortiScan ............................................................................................... 12
FortiSwitch ............................................................................................ 12
FortiCarrier ............................................................................................ 12
Firewall Basics............................................................................................. 13
Types of Firewalls ................................................................................. 15
Network Address Translation ................................................................ 17
FortiGate Capabilities .................................................................................. 18
Firewall.................................................................................................. 18
Unified Threat Management.................................................................. 18
WAN Optimization ................................................................................. 19
Endpoint Control ................................................................................... 19
Virtual Domains ..................................................................................... 19
Traffic Shaping ...................................................................................... 19
Secure VPN .......................................................................................... 20
High Availability ..................................................................................... 20
Logging ................................................................................................. 20
User Authentication ............................................................................... 20
Course 201-v4.1 Administration, Content Inspection and SSL VPN

01-4200-0201-20100604 i
Contents
FortiGate Unit Components.......................................................................... 21

CPU ....................................................................................................... 21
FortiASIC Content Processor................................................................. 21
DRAM .................................................................................................... 21
Flash Memory ........................................................................................ 21
Hard Drive.............................................................................................. 21
Network Interface Ports ......................................................................... 21
Serial Console Port ................................................................................ 21
USB Port ................................................................................................ 21
Wireless ................................................................................................. 21
Module Slot Bays ................................................................................... 22
PC Card Slot .......................................................................................... 22
FortiGate Unit Front View ...................................................................... 23
FortiGate Unit Back View....................................................................... 24
FortiGate Operating Modes .......................................................................... 25
NAT/Route Mode ................................................................................... 25
Transparent Mode.................................................................................. 26
Device Administration................................................................................... 27
Web Config ............................................................................................ 27
Command Line Interface........................................................................ 37
Administrators ........................................................................................ 48
DHCP..................................................................................................... 54
Interface Addressing .............................................................................. 57
DNS ....................................................................................................... 61
Configuration Backup and Restore ........................................................ 62
Firmware Upgrades ............................................................................... 64
Disk Usage............................................................................................. 65
Lab 1 - Initial Setup .......................................................................................66
Lesson 2 - Logging and Alerts ............................................. 81

Logging Levels ............................................................................................. 81
Emergency............................................................................................. 81
Alert........................................................................................................ 81
Critical .................................................................................................... 81
Error ....................................................................................................... 81
Warning.................................................................................................. 82
Notification ............................................................................................. 82
Information ............................................................................................. 82
Debug .................................................................................................... 82
Log Storage .................................................................................................. 83
Local Logging......................................................................................... 83
Remote Logging..................................................................................... 85
FortiGuard Analysis Service .................................................................. 86
FortiAnalyzer.......................................................................................... 87

ii 01-4200-0201-20100604
Contents
Log Types .................................................................................................... 88

Event Log .............................................................................................. 88
Traffic Log ............................................................................................. 88
Attack Log ............................................................................................. 88
AntiVirus Log ......................................................................................... 88
Web Filter Log ....................................................................................... 88
Email Filter Log ..................................................................................... 88
DLP Log ................................................................................................ 89
Application Control Log ......................................................................... 89
Network Scan Log ................................................................................. 89
Generating Logs .......................................................................................... 90
Viewing Log Files......................................................................................... 93
Log Display Formats ............................................................................. 94
Logging to a FortiAnalyzer Device............................................................... 97
FortiAnalyzer Device List ...................................................................... 98
Viewing FortiAnalyzer Logs................................................................. 100
Browsing Log Files.............................................................................. 103
Searching the Logs ............................................................................. 104
Logging to Multiple FortiAnalyzer Units or Syslog Servers........................ 106
Content Archiving ...................................................................................... 107
Viewing Content Archives ................................................................... 109
Alert Email ................................................................................................. 110
SNMP ........................................................................................................ 111
Configuring an Interface for SNMP Access......................................... 114
Reporting ................................................................................................... 115
Report Layout...................................................................................... 115
Lab 2 - Logging and Monitoring ................................................................. 117
Lesson 3 - Firewall Policies ................................................ 125

Policy Matching.......................................................................................... 126
Firewall Policy List............................................................................... 127

01-4200-0201-20100604 iii
Contents
Firewall Policy Elements............................................................................. 131

Firewall Addresses............................................................................... 133
Firewall Schedules............................................................................... 138
Firewall Services.................................................................................. 145
Firewall Actions .................................................................................... 151
Logging Traffic ..................................................................................... 155
Network Address Translation ............................................................... 156
Identity-Based Policies......................................................................... 164
Threat Management............................................................................. 166
Traffic Shaping..................................................................................... 187
Virtual IPs............................................................................................. 197
Load Balancing .................................................................................... 203
DoS Policy List..................................................................................... 213
Sniffer Policy List ................................................................................. 214
Firewall Suggested Practices ..................................................................... 215
General ................................................................................................ 215
Policies................................................................................................. 215
NAT...................................................................................................... 215
Lab 3 - Firewall Policies ..............................................................................217
Lesson 4 - Authentication .................................................. 233

Authentication Methods .............................................................................. 234
Local Users .......................................................................................... 234
Remote Users ...................................................................................... 234
Authenticated Operations ........................................................................... 236
Firewall Authentication ......................................................................... 236
SSL VPN Authentication ...................................................................... 239
IPSec Authentication............................................................................ 240
Administrator Authentication ................................................................ 242
Users .......................................................................................................... 243
User Groups ............................................................................................... 245
Firewall User Group ............................................................................. 246
Directory Service User Group .............................................................. 248
Identity-Based Policies ............................................................................... 250
Authentication Rules ............................................................................ 251
Monitoring Firewall Authentication.............................................................. 253
Lab 4 - Authentication .................................................................................254

iv 01-4200-0201-20100604
Contents
Lesson 5 - SSL VPN ............................................................ 261

FortiGate VPN ........................................................................................... 261
SSL VPN ............................................................................................. 261
IPsec VPN........................................................................................... 262
SSL VPN.................................................................................................... 263
Operating Modes................................................................................. 263
Web-Only Mode .................................................................................. 263
Tunnel Mode ....................................................................................... 264
User Groups .............................................................................................. 265
Portals........................................................................................................ 267
Web-Access Portal.............................................................................. 267
Tunnel-Access Portal .......................................................................... 269
Full-Access Portal ............................................................................... 270
Enabling SSL VPN..................................................................................... 271
SSL VPN Firewall Policies......................................................................... 273
Web-Only Mode Firewall Policies ....................................................... 273
Tunnel Mode Firewall Policies ............................................................ 276
Connecting to the SSL VPN ...................................................................... 278
Web Portal Page ................................................................................. 278
Lab 5 - SSL VPN ....................................................................................... 279
Lesson 6 - FortiGuard Subscription Services .................. 287

FortiGuard Distribution Network ................................................................ 287
Connecting to the FortiGuard Servers ................................................ 289
FortiGuard Antivirus Service...................................................................... 290
FortiGuard Intrusion Prevention System Service....................................... 291
FortiGuard Web Filtering Service .............................................................. 292
FortiGuard Antispam Service..................................................................... 293
FortiGuard Vulnerability Management Service .......................................... 294
FortiGuard Subscription Services Licensing.............................................. 295
Updating Antivirus and IPS Services ......................................................... 296
Scheduled Updates ............................................................................. 297
Override Server ................................................................................... 297
Push Updates...................................................................................... 297
Manual Updates .................................................................................. 299
Web Filtering and Antispam Options ......................................................... 301
Port Selection ...................................................................................... 301
Caching ............................................................................................... 301

01-4200-0201-20100604 v
Contents
Configuring FortiGuard Subscription Services Using the CLI..................... 303

FortiGuard Center....................................................................................... 304
Lab 6 - Fortinet Subscription Services ........................................................305
Lesson 7 - Threat Management .......................................... 311

Content Scanning Techniques ................................................................... 311
Flow-Based Scanning .......................................................................... 311
File-Based Scanning............................................................................ 312
Threat Management Architectural Components......................................... 313
Proxies ................................................................................................. 313
IPS Engine ........................................................................................... 314
Scanunit Daemon ................................................................................ 314
URLFilter Daemon ............................................................................... 315
Update Daemon................................................................................... 315
Lesson 8 - Antivirus ............................................................ 319

Virus Types................................................................................................. 319
Virus..................................................................................................... 319
Trojan................................................................................................... 319
Worm ................................................................................................... 319
Antivirus Elements...................................................................................... 320
File Size ............................................................................................... 320
File Pattern........................................................................................... 320
Virus Scan............................................................................................ 320
File Type .............................................................................................. 320
Grayware ............................................................................................. 321
Heuristics ............................................................................................. 321
File Filters ................................................................................................... 322
File Filter Actions ................................................................................. 322
Defining File Filters .............................................................................. 323
Virus Databases ......................................................................................... 329
Regular Virus Database ....................................................................... 329
Extended Virus Database .................................................................... 329
Flow-Based Virus Scanning ................................................................. 330
Updating the Antivirus Definitions ........................................................ 331
Grayware .................................................................................................... 332
Grayware Categories ........................................................................... 332
Heuristics.................................................................................................... 336
Quarantine.................................................................................................. 337
Quarantine Options.............................................................................. 337
Quarantined Files List .......................................................................... 339
Quarantine Virus Senders.................................................................... 340

vi 01-4200-0201-20100604
Contents
Antivirus Profiles ........................................................................................ 342

Enabling Antivirus Profiles in Firewall Policies .................................... 344
Antivirus Suggested Practices ................................................................... 345
Lab 7 - Antivirus Scanning ......................................................................... 346
Lesson 9 - Email Filtering ................................................... 351

Email Filtering Actions ............................................................................... 352
Tag ...................................................................................................... 352
Discard ................................................................................................ 352
Email Filtering Methods ............................................................................. 353
IP Address Check ............................................................................... 353
URL Check .......................................................................................... 353
Email Checksum Check ...................................................................... 353
Black/White List................................................................................... 353
HELO DNS Lookup ............................................................................. 353
Return E-mail DNS Check .................................................................. 353
Banned Word ...................................................................................... 354
Multipurpose Internet Mail Extensions (MIME) Headers Check.......... 354
FortiGuard Email Filters............................................................................. 356
Global Filters ....................................................................................... 356
Customized Filters .............................................................................. 357
Banned Word............................................................................................. 358
Defining Banned Word Lists................................................................ 358
IP Address Filtering ................................................................................... 365
Defining IP Address Lists .................................................................... 365
Email Address Filtering.............................................................................. 369
Defining Email Address Filters ............................................................ 369
Multipurpose Internet Mail Extensions (MIME) Headers Check ................ 373
DNS Blackhole List and Open Relay Database List .................................. 374
Email Filter Profiles.................................................................................... 375
Enabling Email Filter Profiles in Firewall Policies................................ 379
FortiMail Email Filtering ............................................................................. 380
Lesson 10 - Web Filtering ................................................... 383

Web Filtering Elements.............................................................................. 383
URL Filter................................................................................................... 384
Defining URL Filter Lists ..................................................................... 384
FortiGuard Web Filter ................................................................................ 388
FortiGuard Web Filtering Categories .................................................. 389
FortiGuard Web Filtering Classes ....................................................... 391
FortiGuard Web Filtering Overrides .................................................... 392

01-4200-0201-20100604 vii
Contents
Web Filtering Overrides.............................................................................. 394

Administrative Overrides ...................................................................... 394
Override Rules ..................................................................................... 395
Web Filtering Override Page................................................................ 399
Web Filtering Authentication Page....................................................... 399
User Overrides..................................................................................... 400
Local Ratings.............................................................................................. 401
Local Categories......................................................................................... 403
Web Content Filter...................................................................................... 405
Defining Web Content Filters Lists....................................................... 405
Web Filter Profiles ...................................................................................... 408
Advanced Filtering Settings ................................................................. 411
Enabling Web Filter Profiles in Firewall Policies .................................. 413
Lab 8 - Web Filtering ..................................................................................414
Lesson 11 - Data Leak Prevention ..................................... 423

Monitored Data Types ................................................................................ 423
Data Leak Prevention Rules....................................................................... 424
Regular Rules ...................................................................................... 424
Compound Rules ................................................................................. 431
Rule Processing ................................................................................... 433
Rule Priority ......................................................................................... 433
Data Leak Prevention Sensors................................................................... 434
Data Leak Prevention Sensor Actions ................................................. 437
Enabling Data Leak Prevention in Firewall Policies ............................. 439
Data Leak Prevention Logging............................................................. 440
Data Leak Prevention Suggested Practices ............................................... 441
Lab 9 - Data Leak Prevention .....................................................................442
Lesson 12 - Application Control ........................................ 449

Application Types ....................................................................................... 450
Application Control Lists ............................................................................. 452
Defining Application Control Lists ........................................................ 452
Enabling Application Control in a Firewall Policy ................................. 455
Application Control Logging ................................................................. 456
Lab 10 - Application Control .......................................................................457

viii 01-4200-0201-20100604
Contents
Lesson 13 - Endpoint Control ............................................ 461

Endpoint Network Access Control ............................................................. 461
Application Sensors ............................................................................ 461
Endpoint NAC Profiles ........................................................................ 466
Enabling Endpoint NAC in Firewall Policies ........................................ 468
Vulnerability Scanning ............................................................................... 469
Assets ................................................................................................. 469
Monitoring Endpoints ................................................................................. 473

01-4200-0201-20100604 ix
Contents

x 01-4200-0201-20100604
Introduction
1
www.fortinet.com
Introduction Course Overview
Course Overview
This course provides an introduction to the configuration and administration of
FortiGate Unified Threat Management (UTM) appliances.
Through a variety of hands-on labs, students will learn about the most common
features of the FortiGate unit.
Students will gain a solid understanding of how to integrate the FortiGate unit into
an existing environment and the operational maintenance involved to ensure
optimal performance and full protection of corporate assets.
Course Objectives
Upon completion of this course, students will be able to:
• Use Web Config and the CLI to complete the following administration and
maintenance tasks for FortiGate devices:
• Configure system and network settings.
• Create administrative accounts.
• Perform system backups.
• Monitor system alerts.
• Verify device performance and operational status.
• Update FortiGuard Subscription Services.
• Manage firmware to ensure availability and reliability.
• Implement logging and monitoring features of the FortiGate device using a
FortiAnalyzer appliance for content archiving.
• Construct firewall policies with schedules, source and service type restrictions,
and unauthorized traffic logging.
• Apply firewall policy options for authentication, virtual IP address, IP pool, and
traffic shaping.
• Enable FortiGate threat management features in policies including antivirus,
email filtering, web filtering, data leak prevention and application control.
• Understand the differences between operating a FortiGate unit in NAT/Route
and Transparent modes.
Prerequisites
The following is required to attend this course:
• Introductory-level network security experience
• Basic understanding of core network security and firewall concepts
Who Should Attend

This introductory-level course is intended for anyone who is responsible for the
day-to-day administration and management of a FortiGate unit.

01-4200-0201-20100604 3
Course Overview Introduction
Certification
This course helps to prepare students for the following certification exams:
• Fortinet Certified Network Security Associate (FCNSA)
• Fortinet Certified Network Security Professional (FCNSP)
Self-Paced Training Course

Course 201 - Administration, Content Inspection and SSL VPN is available as a 2-
day instructor-led course (public class or private on-site session) or as a self-
paced training course.
If this training is being taken as self-paced, the following are required to perform
the hands-on exercises included in this Student Guide:
• A PC or laptop running Microsoft Windows 2000/XP/2003/Vista/7
The PC or laptop used for the exercises in the Student Guide requires a serial
port to connect the FortiGate unit to the computer. If the computer does not
include a serial port, a USB to Serial adaptor can be purchased from a local
computer supply store.
• A FortiGate unit
This course is designed to be used with a Small Office/Home Office (SOHO)
level FortiGate model (FortiGate 80 Series or lower). The FortiGate must be
running FortiOS version 4.0 MR2 of the firmware.
• Internet connection
An Internet connection is required.
• A FortiGuard Subscription Services license
Each new FortiGate unit comes with a free 30-day license to access
FortiGuard Subscriptions Service updates. If beyond the initial 30-day trial time
limit, a license to access FortiGuard Subscriptions Services is required to
complete some of the exercises in the course.
• Remote access to the FortiAnalyzer unit at the following address:
http://209.87.230.134
Course Evaluation (for Self-Paced Training Students)

Once this training has been concluded, please complete the course survey. The
comments provided will help to guide development of future versions of this
course. To access the survey, type the following URL in a web browser:
http://campus.training.fortinet.com
Click Student Survey in the Quick Links pane on the left hand side of the web
page.

4 01-4200-0201-20100604
LESSON 1
Overview and System Setup
5
www.fortinet.com
Overview and System Setup Unified Threat Management
Lesson 1 Overview and System

Setup
Maintaining a secure network environment using existing network security
technologies is a significant challenge due to a number of reasons:
• Increasingly sophisticated and rapidly evolving cyber threats evade one or
more standalone security technologies.
• The costs and complexities associated with managing an increasingly
distributed network with no clear perimeter adds strain to already taxed
resources.
• The performance and processing power required to provide complete content
level protection is difficult to achieve without purpose-built hardware.
Most standalone network security offerings generally consist of single-purpose

security software deployed onto PC-based hardware platforms, and provide basic
network security functions like firewall and VPN services. These standalone
network security products, however, fail to provide the comprehensive security,
network deployment flexibility and the performance necessary to combat complex
network-level and content-level security threats.
Unified Threat Management

In order to solve the security problems for businesses and service providers, the
Unified Threat Management (UTM) market has emerged. UTM devices
incorporate firewall, intrusion prevention, antivirus and more in a single device.
Many vendors have attempted to provide UTM capabilities by cobbling together
existing firewall and VPN offerings with antivirus and intrusion detection and/or
prevention technologies from other vendors. Others have simply relabeled their
existing network security products, which offer limited threat management
capabilities across different technology areas. In order to address the challenges
faced by the modern organization, an effective UTM solution must deliver a
network security platform comprised of robust and fully integrated security and
networking functions. Protection must be provided against the next generation of
threats and offer centralized management from a single console, all without
impairing the performance of the network.

01-4200-0201-20100604 7
The Fortinet Solution Overview and System Setup
The Fortinet Solution

Fortinet is a leading worldwide provider of Unified Threat Management network
security solutions. Fortinet supplies a comprehensive UTM solution comprised of
the FortiGate network security platform, the FortiGuard security subscription
services and an integrated suite of management, reporting and analysis products.
Fortinet UTM solutions enable customers to cost-effectively defend against
current and next generation network and application layer threats without slowing
down their networks. Fortinet UTM solutions are built from the ground up offering
truly integrated hardware, software and services for the best security and
performance possible.
FortiGate Appliance
The FortiGate unit is a dedicated, easily managed security device that delivers a
full suite of capabilities including:
• Application-level services such as virus protection, email filtering, web content
filtering, data leak prevention, application control, as well as IM, P2P, and VoIP
filtering
• Network-level services such as firewall, intrusion detection, IPSec and SSL
VPN, and traffic shaping
• Management services such as user authentication, logging, reporting,
administration profiles, secure administrative access, and SNMP
The FortiGate relies on the dedicated Fortinet Global Threat Research Team that
researches and develops protection against known and unknown security threats.
This dynamic protection forms the basis of the FortiGuard Subscription Services,
which results in continuous updates for antivirus, intrusion prevention, web
filtering and antispam services.
FortiGate Network Security Product Portfolio

From the FortiGate 30 series for small businesses and branch offices to the
FortiGate 5000 series for large enterprises and services providers, all FortiGate
appliances include a proprietary technology platform, which includes the
proprietary FortiASIC processor specifically designed for accelerating certain
security functions. Also part of the FortiGate technology platform is FortiOS, a
proprietary operating system that provides the foundation for all security functions.
FortiGate platforms incorporate sophisticated networking features, such as high
availability for maximum network uptime and virtual domain capabilities to
separate various networks requiring different security policies.

8 01-4200-0201-20100604
Overview and System Setup The Fortinet Solution
Branch
SOHO Office Medium Enterprise Large Enterprise Service Provider
5140
5
PWRACC
PWRACC
PWRACC
PWRACC
PWRACC
PWRACC
PWRACC
PWRACC
PWRACC
PWRACC
PWRACC
PWRACC
MANAGEMENT MANAGEMENT
E E
T T
H H
O O
CONSOLE
CONSOLE
CONSOLE
CONSOLE
CONSOLE
CONSOLE
CONSOLE
CONSOLE
CONSOLE
CONSOLE
CONSOLE
CONSOLE
USB
USB
USB
USB
USB
USB
USB
USB
USB
USB
USB
USB
SYSTEM SYSTEM
CONSOLE CONSOLE
R R
S S
2 2
3 3
2 2
1
1
1
Z Z
R R
E E
0 0
2
Z Z
2
2
2
R R
E E
1 1
Z Z
R R
3
E E
3
3
3
2 2
E2 E1 E2 E1
14 15 14 15
12 13 12 13
4
4
4
10 11 10 11
8 9 8 9
6 7 6 7
4 5 4 5
5
5
5
2 3 2 3
0 1 0 1
ZRE ZRE
6
6
6
CLK OK CLK OK
EXT INT EXT INT
FLT FLT FLT FLT
7
7
7
HOTSWAP HOTSWAP
RESE
T RESE
T
8
8
8
LED MODE LED MODE
STA IPM
STA IPM
STA IPM
STA IPM
STA IPM
STA IPM
STA IPM
STA IPM
STA IPM
STA IPM
STA IPM
STA IPM
PSUA
PSUB
USB 1 2 3 4 5 6 7 8
CONSOL
E
PWRACC STA IPM
USB 1 2 3 4 5 6 7 8
CONSOL
E
PWRACC STA IPM
FortiGate 5000 series

AMC-SW1 AMC-DW1
-E4
AMC-SW2 AMC-DW2
USB
CONSOL
E AUX 1 2 3 4 5 6 7 8 9 10
Esc Enter
STATUS
POWER
FortiGate 3810A
CONSOLE
PWR
Esc Enter
Hi-Temp
1 3 5 7 9 MODEM USB
2 4 6 8 10
FortiGate 3600A
CONSOLE 1 3 5 7 9 11 13 15 17
FG-AMC-SW
Esc Enter POWER

STATUS
MODEM 2 4 6 8 10 12 14 16 18
FortiGate 3016B
FSM FSM FSM5
FortiGate 1240B
FSM FSM CONSOLE
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 35 37 39
2 4 6 8 10 12 14 16 18 20 22 24 26 28 30 32 34 36 38 40 ASM USB
FortiGate 1240B
Redundant power supply

CONSOLE USB
A1 A2
FortiGate 1000 series

8
Esc Enter
PWR
INTE RNAL EXTERNAL DMZ HA 1 2 3 4 CONSOL
E USB
Gigabit performance
FortiGate 800
620B-DC USB CONSOLE
High port density

FortiGate 620B
NP2 Powered
311B STATUS
ALARM
1 POWER HA
1/2 3/4 5/6 7/8 9/10 USB CONSOLE ASM
FortiGate 311B
Pow
ered
NP2
TUS
STA
ALARM
POW
ER
HA
ASM
CONSOLE
USB
9/10
7/8
5/6
3/4
1/2
FortiGate 310B
Esc Enter
CONSOLE USB
1 2
10/100
3 4 5
10/100/1000
6
Gigabit Ethernet
FortiGate 300A
1 3 5 7 9 11 13 15 17 19 21 23
25 26 WAN1 WAN2 USB CONSOL

E
2 4 6 8 10 12 14 16 18 20 22 24
FortiGate 224B
Integrated logging
CONSO
LE USB INTERNAL DMZ1 DMZ2 WAN1 WAN2
1 2 3 4
Esc Enter
FortiGate 200A
111C
USB CONSOLE
1 2 3 4 5 6 7 8 WAN1 WAN2
ALARM HA STATUS POWER HDD1 HDD2
FortiGate 111C
USB CONSOLE
1 2 3 4 5 6 7 8 WAN1 WAN2
ALARM HA STA TUS POWER
FortiGate 110C
1 2 3 4
FortiGate 82C
INTERNAL
1 3 5
POWERSTATUS HA ALARM WAN 1 WAN 2 DMZ 2 4 6
FortiGate 80C
INTERNAL
1 3 5
POWERSTATUS HA ALARM WIFI WAN 1 WAN 2 DMZ 2 4 6
FortiWifi 80CM
High availability, VLAN support

INTERNAL
1 3 5
POWERSTATUS HA ALARM WAN1 WAN2 DMZ 2 4 6

B
FortiGate 60B
INTERNAL
1 3 5
POWERSTATUS HA ALARM Wifi WAN1 WAN2 DMZ 2 4 6

B
FortiWifi 60B
INTERNAL
WAN1 WAN2
LINK / ACT
POWER STATUS HDD
10/100
1 2 3
FortiGate 51B
INTERNAL
WAN1 WAN2
LINK/ ACT
POWER STATUS
10/100
1 2 3
FortiGate 50B
INTERNAL
WAN1
(PoE) WAN2
WLAN LINK/ ACT
POWER STATUS
10/100
1 2 3
FortiWifi 50B
FortiGate 30B
INTERNAL
WAN
WLAN LINK / ACTIVITY
POWER STATUS
10/100
1 2 3 4
30B
FortiWifi 30B

01-4200-0201-20100604 9
FortiGate Solutions for the Small Office/Home Office (SOHO) and Branch
Office
The FortiGate 30B series, 50B series, 51B, 60B series, 80C series along with the
100C and 111C devices are all-in-one, network-based security solutions designed
to protect smaller deployments from network level and content level threats.
FortiGate Solutions for Medium-Sized Enterprises

The FortiGate enterprise series, which includes the FortiGate 200A to the
FortiGate 800 models, meets enterprise-class requirements for network level and
content level threat protection, performance, availability and reliability. These
models include all of the key security services provided by other FortiGate
models, with integrated enterprise firewall, VPN, intrusion prevention, antivirus /
antispyware, spam filtering, web filtering and traffic-shaping services. Units in the
FortiGate enterprise series meet the requirements for mission critical enterprise
applications.
FortiGate Solutions for Large-Sized Enterprises and Service Providers

The Fortinet network security solution for large enterprises and service providers
includes the FortiGate 1000 series of devices to the FortiGate 5000 series. These
high performance units are designed to meet the most stringent requirements for
performance and reliability, including redundant, hot-swappable power supplies
and fans to minimize single-point failures, and also support active/active
redundant fail-over for uninterrupted service. The high capacity, reliability and
easy management of FortiGate units make them natural choices as the
cornerstone of a service provider's managed service offerings.
FortiGuard
FortiGuard Subscription Services extend the value of the initial investment in
Fortinet by providing customers with dynamic updates to antivirus, intrusion
prevention, web filtering and email filtering functionality.
FortiGuard Subscription Services are continuously updated by the 24x7x365
Global Threat Research Team possessing in-depth expertise in content and
network level attacks. The FortiGuard network has data centers around the world
located in secure, high-availability locations that automatically deliver updates to
the Fortinet security platforms. With the FortiGuard Subscription Services
enabled, customers can rest assured that their Fortinet security platforms are
performing optimally and protecting their corporate assets with the latest security
technology.
FortiManager
To compliment the FortiGate product line, Fortinet also offers FortiManager
appliances which enable customers to manage all Fortinet products from a
centralized console. It minimizes the administrative effort required to deploy,
configure, and maintain the full range of network protection services provided by
Fortinet products.

10 01-4200-0201-20100604
Overview and System Setup The Fortinet Solution
FortiAnalyzer
For centralized analysis and reporting, Fortinet offers FortiAnalyzer appliances for
forensics, archiving and graphical reporting functions.
The FortiAnalyzer unit is a dedicated hardware solution that securely aggregates
and analyzes log data from FortiGate security appliances. It provides network
administrators with a comprehensive view of network usage and security
information, supporting the needs of enterprises and service providers
responsible for discovering and addressing vulnerabilities across dispersed
FortiGate systems. FortiAnalyzer appliances minimize the effort required to
monitor and maintain acceptable use policies, to identify attack patterns and
prosecute attackers, and to comply with governmental regulations regarding
privacy and disclosure of security breaches. They accept and process a full range
of log records provided by FortiGate systems, including traffic, event, virus, attack,
content filtering, and email filtering data. FortiAnalyzer devices also provide
advanced security management functions such as quarantine archiving, event
correlation, vulnerability assessments, traffic analysis, and content archiving.
FortiMail
With the worldwide volume of spam now significantly increasing, daily corporate
email servers and users alike are becoming increasingly overwhelmed. Spam
email results in wasted corporate resources and decreased employee
productivity. In addition, increasingly sophisticated content level threats now
commonly use email applications as a mode of attack. This can be illustrated by
the dramatic rise in phishing attacks, signaling a change in strategy for spammers
looking to profit from unsuspecting users.
Fortinet FortiMail is a family of high-performance, multi-layered email security
platforms that remove unwanted spam, provide maximum protection for blended
email-related threats and facilitate regulatory compliance. For complete email
security that includes content archiving and the highest levels of antispam and
antivirus capabilities, Fortinet offers FortiMail specialized email security
appliances. The FortiMail device can provide full messaging server functionality
when configured in Server Mode.
FortiClient
For endpoint security, Fortinet provides FortiClient software, a product that
provides unified endpoint security for desktops, laptops and mobile devices.
PC desktop and laptop devices have allowed users to access enterprise
applications and mission critical data both in the office and on the road.
Unfortunately, these devices are exposed to blended threats such as viruses,
spam, spyware and worms. As well, users accessing inappropriate and
dangerous web content jeopardize device integrity, negatively impact productivity
and violate corporate content access guidelines. While security technologies,
such as antivirus agents, are available to protect devices from certain threats,
such methods fall short from comprehensively protecting against blended threats
and do not enforce content access guidelines.
FortiClient provides unified security agent features for personal computers
including personal firewall, IPSec VPN, antivirus, antispam and web content
filtering. FortiClient's protection agent is powered by FortiGuard Subscription
Services to ensure devices are comprehensibly protected against today's blended
threats.

01-4200-0201-20100604 11
FortiWeb
FortiWeb devices protect, balance, and accelerate Web applications, databases,
and the information exchanged between them. FortiWeb devices protect web-
based applications, improve the security of confidential information and aid in
legislative and PCI compliance. FortiWeb goes beyond traditional web application
firewalls to provide XML security enforcement, application acceleration, and
server load balancing.
FortiDB
FortiDB devices provide a comprehensive solution to secure databases and
applications such as ERP, CRM, SCM and custom applications, addressing
vulnerability management, Database Activity Monitoring (DAM), data loss
prevention, auditing and compliance as well as change control.
FortiScan
FortiScan devices integrate endpoint vulnerability management, industry and
federal compliance, patch management, remediation, auditing and reporting into a
single, unified appliance. A FortiScan device can be used to identify security
vulnerabilities and finds compliance exposures on hosts, servers and throughout
the network.
FortiSwitch
FortiSwitch devices meet the growing needs of high-speed interconnected
applications driven by server virtualization, data center consolidation, and parallel
and cloud computing applications. With FortiSwitch hardware at the core, network
operators can build wire speed, resilient, scalable, ultra-low latency fabrics with
the simplicity and robustness of standard Ethernet. Multi-path traffic switching and
Dynamic Congestion Avoidance features on the device switch data flows to the
lowest latency path - avoiding congestion while maintaining full Ethernet
compliance.
FortiCarrier
FortiCarrier devices extend the integrated security concept to protect critical
applications across a service provider's IP network. Features such as a GTP
firewall, secure MMS with scanning of all interfaces, and an SIP/IMS signaling
firewall assure service providers of the security, privacy, and quality of service that
are critical to their businesses.

12 01-4200-0201-20100604
Overview and System Setup Firewall Basics
Firewall Basics
A firewall is a hardware-based network device or software running on a computer

that actively inspects and controls the flow of traffic between computer networks
of different trust levels. Examples include the Internet which is an untrusted zone
and an internal network which is a zone with a higher level of trust.
Internet
Firewall
Untrusted network Trusted corporate network
The area situated between the Internet and a trusted internal network is often
referred to as a demilitarized zone (DMZ) or perimeter network. Normally, this is
where firewalls are positioned but some larger organizations may also place
firewalls between different parts of their own network that require different levels
of security.
Firewalls control the flow of traffic between two or more networks, allowing good
information through but blocking intrusions, unauthorized users, or malicious
traffic from accessing a network. As network traffic passes through the firewall,
the firewall either allows or denies passage based on a set rules configured on the
device. The rules may be defined by the firewall administrator or the default rules
may apply.
For example, a firewall might permit all traffic of a specified type (such as HTTP)
and deny all other services or requests. Or, it might be configured to deny all
traffic types except incoming (also referred to as ingress) traffic from a specified
network address or address range. Firewalls can enforce an organization’s
security policies by filtering outgoing (also referred to as egress) traffic to ensure
that it complies with usage policies. Incoming traffic is similarly inspected and
matched against the firewall’s policies to allow or deny access, to apply advanced
filtering options and other security settings configured in the policy.
In basic terms, a firewall’s main function is to keep information from leaking out
(for example, confidential business information) and leaking in (for example,
viruses, spyware, or spam).
Depending on the sophistication of the firewall, it can provide rudimentary or
advanced protection.

01-4200-0201-20100604 13
Firewall Basics Overview and System Setup
Entry-level software firewalls for personal computers are widely available or even
built in to the operating system to protect an individual computer when it accesses
an external network. Firewalls designed for businesses can be more extensively
customized in various ways. They can perform more involved operations, such as
filtering spam and spyware, preventing intrusions into the network and allowing
administrators to monitor traffic. High-end enterprise products can also create
virtual private networks, allow management for multiple firewalls, support
sophisticated authentication or access management systems, and allow for load
balancing and failover.
Some common firewall features include:
• Blocking unwanted incoming traffic based on source or destination IP
addresses
• Blocking outgoing network traffic based on source or destination IP addresses.
This can be an advantage for organizations who, for example, may want to
prevent employees from accessing inappropriate web sites from workplace
computers.
• Blocking network traffic based on content.
For example, the firewall can screen network traffic for unacceptable content
such as files that contain viruses or unacceptable spam email.
• Allowing connections to an internal network.
For example, telecommuters and traveling salespeople can use a VPN to
connect to the corporate network.
• Reporting on network traffic and firewall activities.
Administrators might use this reporting information to know what the firewall is
doing, who tried to break into the network, who tried to access inappropriate
material on the Internet and so forth.
• Performing authentication to verify the identity of the users or processes.
By authenticating users, the firewall has additional information it can work with
to filter packets. Identifying the user can permit the firewall to allow the user to
access some services but not others.

14 01-4200-0201-20100604
Types of Firewalls
Firewalls fall into different categories including:
• Packet filter firewall
• Stateful firewall
• Application layer (or proxy-based) firewall
Packet Filter Firewall

Data that is transmitted across a TCP/IP network is broken down into small
chunks called packets. Packet filter firewalls act by inspecting incoming and
outgoing packets. If a packet matches the packet filter’s set of rules, the desired
action is taken. For example, the packet filter may allow the packet, drop (silently
discard) the packet or reject it (with an error response). The packets are filtered
based only on information contained in the packet headers for example, the
source and destination IP address, port number and protocol. No connection state
information is maintained with this type of packet filtering.
Stateful Firewall
A stateful firewall is a form of packet filtering that does more than just examine the
headers of a packet to determine source and destination information. It also looks
at the contents of the packet to determine what the state is of each connection
that is created and holds attributes of each connection in a state table in memory,
from the start to the end of the connection. These attributes may include details
such as the IP addresses and ports involved in the connection and the sequence
numbers of the packets passing through the connection. When a packet is
received by the firewall, it will compare the information reported in the packet
header with the state of its associated session stored in memory in the state table.
If the information matches what is in memory, the packet is allowed to pass the
firewall. If the two do not match, the packet is dropped. When stateful filtering is
used, packets are only forwarded if they belong to a connection that has already
been established and tracked in a state table.
Since more intensive checking is performed at the time of setup of the connection,
all packets for that session that are delivered after the initial setup are processed
quickly since they belong to an existing pre-screened session. Once the session
has ended, its entry in the state table is discarded and the ports closed off until a
connection to the specific port is requested. This allows an added layer of
protection from the threat of port scanning.
Stateful firewalls provide added efficiency in terms of packet inspection since they
only need to check the state table, instead of checking the packet against the
firewall's established rule set each time a packet is received.

01-4200-0201-20100604 15
Firewall Basics Overview and System Setup
Application Layer (or Proxy-Based) Firewall

Some firewalls can serve proxy server functions, modifying traffic as it passes
through the gateway. A proxy stands between the protected and unprotected
network; all external connections leading into the proxy terminate at the proxy.
This effectively eliminates IP routing between the networks. The proxy
repackages the messages into new packets that are allowed into the internal
network. The proxy also terminates internal traffic that is headed out to the
Internet and repackages it in a new packet with the source IP address of the
proxy, not the internal host.
In the case of a proxy firewall, traffic never flows directly between the networks.
Instead, the proxy repackages requests and responses. No internal host is directly
accessible from the external network and no external host is directly accessible by
an internal host. With a proxy firewall, the firewall is the endpoint of the incoming
and outgoing connection.
Proxy-based firewalls work at the application layer of the TCP/IP protocol stack
inspecting the contents of the traffic, blocking inappropriate content, such as
certain web sites, viruses, attempts to exploit client software vulnerabilities, and
so forth, as dictated by its rule set.

16 01-4200-0201-20100604
Network Address Translation

Network Address Translation (NAT) is a method of mapping one or more private,
reserved IP addresses to one or more public IP addresses. Typically, the NAT
device has a public IP address that can be seen by external hosts. Computers on
the local network use a completely different set of IP addresses. When traffic goes
out, the internal IP address is removed and replaced with the public IP address of
the NAT device. When replies come back to the NAT device, it determines which
internal computer the response belongs to and routes it to its proper destination.
Using NAT allows a network to maintain public IP addresses separately from
private IP addresses and allows a single device to act as an agent between a
public network and a private network. Using NAT conserves IP addresses since a
single unique IP address can be used to represent an entire group of computers,
using a specific block of IP addresses that are never recognized or routed on the
Internet. As a result, organizations can use their own internal IP addressing
schemes, with a single IP address provided by their Service Provider. NAT
provides additional security on the network by effectively hiding the entire internal
network to the outside world by using only one address for the entire network.
Dynamic NAT
Dynamic NAT is one form of NAT in which a private IP address is mapped to a
public IP address drawn from a pool of registered public IP addresses. Typically,
the NAT device will maintain a table of registered IP addresses. When a private IP
address requests access to the Internet, the device will choose an IP address
from the table that is not being used at the time by another private IP address.
Dynamic NAT helps to secure a network as it masks the internal configuration of a
private network and makes it difficult for someone outside the network to monitor
individual usage patterns. Another advantage of dynamic NAT is that it allows a
private network to use private IP addresses that are invalid on the Internet but
useful as internal addresses.
This method of mapping an unregistered IP address to a registered IP address on
a one-to-one basis is particularly useful when a device needs to be accessible
from outside the network.
Static NAT
Static NAT is a type of NAT in which a private IP address is mapped to a public,
static IP address, where the public address is always the same IP address. This
allows an internal host, such as a web server, to have an unregistered (private) IP
address and still be reachable over the Internet.

01-4200-0201-20100604 17
FortiGate Capabilities Overview and System Setup
FortiGate Capabilities
FortiGate devices include a comprehensive array of security and networking
capabilities.
Firewall
A FortiGate unit uses firewall policies to dictate whether traffic will be allowed or
denied access to the network. Traffic will not be able to pass through the FortiGate
unit unless it matches the policy rules exactly. The FortiGate unit uses UTM
profiles to dictate which type of content inspection will be performed on traffic
passing though the firewall.
Unified Threat Management
Antivirus
The FortiGate unit uses a combination of techniques to provide real-time
protection against virus attacks, worms and spyware. These techniques include
signature blocking, file recognition, heuristics, IP address checks, and URL
checks and more.
Email Filtering
The FortiGate unit delivers reliable and high performance features to detect, tag,
quarantine, and block spam messages and their malicious attachments, including
IP address checks, checksum checks, banned word check, black/white list,
DNSBL, ORDBL, and more.
Web Filtering
The FortiGate unit, in conjunction with the FortiGuard Web Filtering Service offers
a solution to control access to inappropriate web sites that may expose
businesses to potentially liable material, jeopardize network security and consume
valuable bandwidth. The FortiGuard Web Filtering database is a URL database
with over 60 million rated web sites and 76 web content categories.
Intrusion Prevention
The FortiGate unit can record suspicious traffic in logs, can send alert email to
system administrators, and can log, pass, drop, reset, or clear suspicious packets
or sessions. An organization can create custom signatures to customize the
Intrusion Prevention System on the FortiGate unit for diverse network
environments. The FortiGate Intrusion Prevention System matches network traffic
against patterns contained in attack signatures. Attack signatures reliably protect
the network from known attacks.
The FortiGuard infrastructure ensures the rapid identification of new threats and
the development of new attack signatures.
Application Control
Application Control detects network traffic based on the applications generating
the traffic, for instance, Instant Messaging (IM), Peer-to-Peer (P2P), and VoIP.
Based on FortiGate Intrusion Prevention protocol decoders, application control is
a more user-friendly and powerful way to use Intrusion Protection features to log
and manage the behavior of application traffic passing through the FortiGate unit.

18 01-4200-0201-20100604
Overview and System Setup FortiGate Capabilities
Data Leak Prevention

Data Leak Prevention (DLP) protects sensitive information from being transmitted
over web, email, or file transfer protocols. Rules and compound rules are defined
to detect possible data leaks and specify the action to take in response. Rules and
compound rules are combined into DLP Sensors which can be enabled in firewall
protection profiles. Actions in response to detected data leakage include:
• Log leakage
• Block sending of the data
• Content archiving
• Ban user from using this protocol
• Add user to the banned user List
WAN Optimization
The FortiGate WAN optimization can be used to improve performance and
security across a WAN by applying a number of related techniques, including
protocol and application-based data compression and optimization data deduction
(a technique that reduces how often the same data is transmitted across the
WAN), web caching, secure tunneling, and SSL acceleration.
Endpoint Control
Endpoint control can be used to block or monitor applications on the client
computer, including enforcement of the use of FortiClient End Point Security
software. Clients can be monitored to ensure they have both the most recent
version of the FortiClient software and the most up-to-date antivirus signatures. A
database of end point applications to allow, block or monitor is available on the
FortiGate device. Endpoint client computers can also be scanned to help
determine if the computers are vulnerable to attacks.
Virtual Domains
Virtual Domains (VDOMs) enable a FortiGate unit to function as multiple
independent units. A single FortiGate unit can then be flexible enough to serve
multiple departments of an organization, separate organizations or be the basis
for a service provider’s managed security service. VDOMs provide separate
security domains that allow separate zones, user authentication, firewall policies,
routing, and VPN configurations. Using VDOMs can also simplify administration of
complex configurations because administrators do not have to manage as many
routes or firewall policies at one time.
Traffic Shaping
Traffic shaping controls the bandwidth available and the priority of traffic
processed by a firewall policy. Traffic shaping makes it possible to control which
policies have the highest priority when large amounts of data are moving through
the FortiGate device. For example, the policy for the corporate web server might
be given higher priority than the policies for an employee's computer.

01-4200-0201-20100604 19
FortiGate Capabilities Overview and System Setup
Secure VPN
The built-in SSL and IPSec VPN capabilities of the FortiGate unit can ensure the
confidentiality and integrity of data transmitted over the Internet. The FortiGate
unit provides enhanced authentication in addition to encrypting and securing
information sent from a web browser to a web server. Customized SSL VPN web
portal configurations can be created which have a different look and feel, as well
as different types of web portal functionality.
High Availability
FortiGate High Availability (HA) provides a solution for two key requirements of
critical enterprise networking components: enhanced reliability and increased
performance. FortiGate HA is implemented by configuring two or more FortiGate
units to operate as an HA cluster. To the network, the HA cluster appears to
function as a single FortiGate unit, processing network traffic and providing
normal security services such as firewall, VPN, IPS, virus scanning, web filtering,
and spam filtering services.
Logging
A FortiGate unit provides extensive logging capabilities for traffic, system and
network protection functions. Detailed log information and reports provide
historical as well as current analysis of network activity to help identify security
issues and reduce network misuse and abuse.
User Authentication
A FortiGate unit can control access to network resources by defining lists of
authorized users. User authentication can be performed locally on the FortiGate
unit, or through the use of external authentication servers and and digital
certificates. Supported external server types for authentication include: RADIUS,
LDAP, Directory Services, and TACACS+.

20 01-4200-0201-20100604
Overview and System Setup FortiGate Unit Components
FortiGate Unit Components

A FortiGate unit, depending on the model, may include some of the following
components:
CPU
Depending on the model of FortiGate device, a 300 Mhz to 1.8 Ghz Intel
processor is included. Some higher-end models may include dual processors.
FortiASIC Content Processor

This custom-designed processor augments the capabilities of the unit by
offloading some of the intensive processing activities, such as antivirus scanning,
from the CPU. The FortiASIC processior includes an engine for antivirus signature
scanning, accelerating cryptographic operations, processing firewall policies and
accelerating packing traffic for applications such as VoIP and HTTPS.
DRAM
The FortiGate unit can include from 64MB to 1GB of DRAM.
Flash Memory
The FortiGate unit can include from 32MB to 64MB of flash memory to store
firmware images on the device.
Hard Drive
Some FortiGate devices include a hard drive that can be used for storing logs,
archiving content and quarantines as well as enabling the WAN optimization
mechanisms on certain FortiGate models.
Network Interface Ports

The FortiGate unit includes a collection of interface connections to connect the
device to various networks, such as an internal network, a DMZ network or to a
WAN network. Some high-end enterprise models may include Small Formfactor
Pluggable (SFP) and XPF (a 10Gbps version of SFP) network interfaces.
Serial Console Port

The FortiGate unit includes a serial console port to allow access to a management
computer.
USB Port
A USB port is included on the FortiGate device for use with any FAT16 formatted
USB drive or an external modem.
Wireless
Some FortiGate devices, such as the FortiWifi 30, 50, 60 and 80C are WiFi
enabled and will enable wireless connections between host computers and the
FortGate unit.

01-4200-0201-20100604 21
FortiGate Unit Components Overview and System Setup
Module Slot Bays

Some high-end models of FortiGate device include slot bays for Advanced
Mezzanine Cards (AMC), where the FortiGate is a blade card that is installed
within a chassis.
PC Card Slot
Some models of FortiGate devices integrate a PC card slot (also called PCMCIA)
for additional expansion using a Type II PC card.

22 01-4200-0201-20100604
Overview and System Setup FortiGate Unit Components
FortiGate Unit Front View

Each model of a FortiGate unit may look different. The example device illustrated
below is the FortiGate 51B, which is commonly used in classroom configurations.
Similar indicators will be available on most FortiGate units.
X Power LED: This indicator will display green when the FortiGate unit is powered
on.
Y Status LED: This indicator will flash green when the FortiGate unit is starting up
and will be off when the FortiGate unit is running normally, or when the device is
shut off. The indicator will be red when the modem is in use and connected.
Z Alarm: The Alarm indicator will display red when a major error has occurred and
will display amber when a minor error has occurred.
[ WAN1 and WAN2 interface LED: There are indicators for each of the wan
interfaces on the FortiGate unit. The indicator will display green when the correct
cable is in use, and the connected equipment has power. This indicator will flash
green when there is network activity on the interface and will be off when there is
no link established on the interface.
\ Internal interface LEDs: There are indicators for each internal interface on the
FortiGate unit. The indicator will display green when the correct cable is in use,
and the connected equipment has power. This indicator will flash green when
there is network activity on the interface and will be off when there is no link
established on the interface.

01-4200-0201-20100604 23
FortiGate Unit Components Overview and System Setup
FortiGate Unit Back View

Each model of FortiGate unit may look different. The example device illustrated
below is the FortiGate 51B, which is commonly used in classroom configurations.
Similar interface connections will be available on most FortiGate units.
X Power: Plug the power adaptor connection here.
Y Console: This RJ-45 interface connects the FortiGate unit to the management
computer using the supplied DB-9 serial cable.
Z USB: These optional USB connections can be used for a serial modem (serial to
USB adapter required), or for USB drives.
[ Internal: Ethernet cables connect the FortiGate unit to computers on an internal
network. Internal interfaces are MDI/MDIX auto-sensing, therefore, both straight
through and cross-over cables will work.
\ WAN1 and WAN2: A straight-through Ethernet cable connects the wan1 interface
to the Internet (public switch, router or modem). The wan2 connection offers an
optional redundant connection to the Internet.

24 01-4200-0201-20100604
Overview and System Setup FortiGate Operating Modes
FortiGate Operating Modes

A FortiGate unit can operate in two different modes depending on the
configuration of the network and the needs of the organization.
NAT/Route Mode
NAT/Route Mode is the default configuration on the FortiGate unit. In NAT/Route
Mode, each FortiGate unit is visible to the network that it is connected to. All of its
interfaces are on different subnets. Each interface that is connected to a network
must be configured with a private IP address that is valid for that network.
Internal
192.168.1.99
192.168.1.3
WAN1 Routing policies control
204.23.1.5 traffic between internal
Internet
networks.
Router
DMZ
10.10.10.1
10.10.10.2
NAT mode policies control

traffic between internal
and external networks.
An organization would typically use NAT/Route Mode when the FortiGate unit is
deployed as a gateway between private and public networks.
In its default NAT/Route Mode configuration, the unit functions as a firewall.
Firewall policies control communications through the FortiGate unit. No traffic can
pass through the FortiGate unit until firewall policies are put in place to allow
network traffic to pass. In NAT/Route Mode, firewall policies can operate in NAT
Mode or in Route Mode. In NAT Mode, the FortiGate unit performs network
address translation before IP packets are sent to the destination network. In
Route Mode, no translation takes place.

01-4200-0201-20100604 25
FortiGate Operating Modes Overview and System Setup
Transparent Mode
In Transparent Mode, the FortiGate unit is invisible to the network. All of its
interfaces are on the same subnet. Configure a management IP address so that
configuration changes can be made. This type of configuration is used when an
organization wishes to make use of the features of the FortiGate without altering
the IP infrastructure of the network.
Gateway to public network
WAN1
204.23.1.5 10.10.10.2
Internet
Router Internal
Hub or switch
10.10.10.3
Transparent Mode on the FortiGate unit would typically be used on a private

network behind an existing firewall or behind a router. In its default Transparent
Mode configuration, the unit functions as a firewall. No traffic can pass through the
FortiGate unit until firewall policies are added.
Connect network segments to the FortiGate unit to allow the device to control
traffic between these network segments.

26 01-4200-0201-20100604
Overview and System Setup Device Administration
Device Administration
Administration tasks on the FortGate unit can be performed from either a
graphical user interface (Web Config) or a command line interface (CLI).
Web Config
Web Config can be used to configure most FortiGate settings and to monitor the
status of the FortiGate unit using HTTP or a secure HTTPS connection from any
computer running a web browser.
Web Config consists of a menu and web pages. When a menu item is selected,
such as System, it expands to reveal a submenu. When one of the submenu
items is selected, the associated page is displayed.

01-4200-0201-20100604 27
Device Administration Overview and System Setup
Configuration changes made using Web Config are effective immediately without
resetting the firewall or interrupting service. Once satisfied with a configuration, it
can be backed up. The saved configuration can be restored at any time.
To connect to the Web Config interface, the following are required:
• A computer with an Ethernet connection
• A display monitor with a resolution of at least 1280x1024
• A supported web browser such as Microsoft Internet Explorer (version 8 or
higher) or Firefox (version 3.5 or higher)
• Ethernet cables (Since internal interfaces are MDI/MDIX auto-sensing,
straight-through or crossover cables will work)

28 01-4200-0201-20100604
System Dashboard
The system dashboard, displayed under System > Dashboard > Status uses
widgets to display important information about the FortiGate device. A default
dashboard displays core widgets. Elements can be moved around on the Status
page and or click Widget to remove, replace or add additional items to the
dashboard.
Web Config Menu

The left-hand navigation menu displayed in Web Config provides access to
configuration options for all major features of the FortiGate unit.
System Configure system facilities, such as network interfaces,
virtual domains, DHCP services, High Availability (HA),
system time and set system options.
Router Configure FortiGate static and dynamic routing.
Firewall Configure firewall policies and protection profiles that
apply network protection features. Also configure virtual
IP addresses and IP pools.
UTM Configure antivirus, IPS, web filtering, email filtering.
data leak prevention and application control.
VPN Configure IPSec, SSL, and PPTP virtual private
networking.
User Configure user accounts for use with firewall policies
that require user authentication. Also configure external
authentication servers such as RADIUS, LDAP, and
Windows AD.
WAN Opt. & Cache Configure WAN Optimization rules and caching. This
menu item is only available devices containing an
internal hard drive supporting WAN Optimization.
Endpoint Monitor list of known endpoints. Configure FortiClient
settings for endpoints. Configure software application
detection on endpoints.
Log&Report Configure logging and alert email. View log messages
and reports.

01-4200-0201-20100604 29
Default System Dashboard Widgets

System Information
The System Information widget on the Status tab displays information regarding
the FortiGate unit, including firmware versions and operating mode.
License Information
The License Information widget displays the current status of service contracts,
versions of antivirus and IPS definitions, available services and more.

30 01-4200-0201-20100604
CLI Console
The Status tab displays a CLI Console where commands can be entered without
leaving Web Config.
System Resources
The System Resource widget displays the current CPU and memory usage.
Unit Operation
The Unit Operation widget displays which interfaces are currently in use, along
with links to reboot, restart, and reset the FortiGate device.

01-4200-0201-20100604 31
Alert Message Console

The Alert Message Console displays important system warnings.
Log and Archive Statistics

The Log and Archive Statistics widget displays summary logging and archive
information.

32 01-4200-0201-20100604
Top Sessions
Top Sessions displays the IP addresses that have the most sessions open on the
FortiGate unit.
Add Widgets
Click Widget to display the additional dashboard elements.

01-4200-0201-20100604 33
Add Dashboards
Click Dashboard to add additional dashboard pages or to rename, delete or reset
existing dashboard pages. Once a new dashboard page has been added, widgets
can be added to the web page.
Online Help
Online help can be accessed from anywhere in Web Config by clicking the Online
Help icon.
The Help window that is displayed is context sensitive.

34 01-4200-0201-20100604

01-4200-0201-20100604 35
Searching Help
It is also possible to search the Help index by clicking Show Navigation in the Help
window and clicking the Contents, Index or Search tabs.

36 01-4200-0201-20100604
Command Line Interface

The FortiGate Command Line Interface (CLI) can be accessed by connecting a
management computer serial port to the FortiGate serial console connector.
Telnet or a secure SSH can also be used to connect to the CLI from any network
that is connected to the FortiGate unit, including the Internet.
The CLI supports the same configuration and monitoring functionality as Web
Config. In addition, the CLI can be used for advanced configuration options that
are not available from the Web Config.
The following is required to use the CLI:
• A computer with an available COM port
• A null modem cable, such as the RJ-45 to DB9 serial cable provided with the
FortiGate unit, to connect the FortiGate console port to a communications port
on the computer
• Terminal emulation software such as HyperTerminal for Windows or PuTTY
A CLI administrative session can also be accessed remotely using SSH,or Telnet.
The CLI Console widget on the dashboard can be used to access the command
line interface directly in Web Config.
Logging in to the CLI

The following settings must be configured in the terminal emulation software to
connect to the CLI:
Bits per second 9600
Data bits 8
Parity None
Stop bits 1
Flow control None
The administrator wishing to makes changes to the FortiGate device through the
CLI must enter appropriate login credentials, including a user name and
password. The default login name on the FortiGate unit is admin with a blank
password

01-4200-0201-20100604 37
The command line prompt changes to the # character once the administrator has
completed a successful login.

38 01-4200-0201-20100604
CLI Command Structure

The structure of the CLI commands allows an administrator to modify any of the
settings within the FortiGate unit from the command line.
The command structure includes the following components:
• Commands
• Objects
• Tables
• Sub-commands
• Fields and values
Commands
Commands are at the top level of the CLI command structure and indicate an
action that the FortiGate unit should perform on a part of the configuration or host
on the network.
Once logged in as an administrator, type ? at the # prompt to view the available
commands.
Note: The ? character that is typed is not displayed in the command line.

01-4200-0201-20100604 39
The FortiGate CLI uses the following commands:
config Configures CLI objects, such as the firewall, the router, and
antivirus protection.
For example: config system admin
get Displays system status information. get can also be used within
a config command to display the settings for that command, or
use get with a full path to display the settings for a particular
object.
For example: get hardware status
show Displays the FortiGate unit configuration. By default, only
changes to the default configuration are displayed. Use show
full-configuration to display the complete configuration.
Use show within a config command to display the configuration
of that command.
For example: show branch
execute Runs static commands to reset the FortiGate unit to factory
defaults or to back up or restore a FortiGate configuration file.
The execute commands are available only from the root level.
For example: execute factoryreset
diagnose Commands in the diagnose branch are used to debug the
operation of the FortiGate unit and to set parameters for
displaying different levels of diagnostic information.
For example: diagnose branch
exit Exits the CLI.

40 01-4200-0201-20100604
Objects
The next level of the FortiGate CLI command structure is based on configurable
objects. For each of the commands at the top level, there are objects that can be
associated with it. Objects contains tables and/or fields. To view the objects
associated with a command, type the command followed by the ? character.
In this example, all objects related to the config command are displayed.

01-4200-0201-20100604 41
The objects vary depending on the command that is entered and include the
following:.
application Configures application control.
antivirus Scans services for viruses and grayware, optionally providing
quarantine of infected files
dlp Configures Data Leak Prevention (DLP).
endpoint control Configures parts of the Endpoint NAC feature:
firewall Controls connections between interfaces according to
policies based on IP addresses and type of service, applies
protection profiles
gui Controls preferences for the web-based manager, CLI
console, and topology viewer
imp2p Controls user access to Internet Messaging and Peer-to-
Peer applications
ips Configures the Intrusion Prevention System
log Configures logging
netscan Configures the Endpoint network vulnerability scanner.
report Configures SQL reports.
router Moves packets from one network segment to another
towards a network destination, based on packet headers
spamfilter Filters email based on MIME headers, a banned word list,
email and IP addresses
system Configures options related to the overall operation of the
FortiGate unit, such as interfaces, virtual domains, and
administrators
user Authenticates users to use firewall policies or VPNs
voip Configures VoIP profiles for firewall policies.
vpn Provides Virtual Private Network access through the
FortiGate unit
wanopt Configures FortiGate WAN optimization
web-proxy Configures the FortiGate web proxy.
webfilter Blocks or passes web traffic based on a banned word list,
filter URLs, and FortiGuard-Web category filtering
Objects are containers for more specific lower level items that are each in the form
of a table. For example, the firewall object contains tables of addresses, address
groups, policies and protection profiles. Entries in the table can be added, deleted
or edited. Table entries consist of keywords that can be set to particular values (or
parameters).
Note: There may be other CLI objects that are model-specific and, therefore, only
available on certain FortiGate models.

42 01-4200-0201-20100604
Tables
The next level of the command structure is the table. The table allows the
modification of an objects’ fields and values. The available tables will be different
depending on the object being modified.
When entering a table, the command prompt changes to identify the table. To exit
a table, enter the end command.
In this example, the administrator is editing the FortiGate unit interface table.

01-4200-0201-20100604 43
Sub-commands
Sub-commands are command that are available only when nested within the
scope of another command and affect fields and their values.
In this example, the edit sub-command is entered to modify the port field..

44 01-4200-0201-20100604
Fields and Values

The final components of the CLI command structure are the fields and values.
The parameters are the actual items that are being edited through the CLI. Each
table could have a collection of fields, any of which can be modified through the
CLI. The fields and values available for modification will be different depending on
the table that is being edited.
In this example, the vdom called root is being assigned the value of
172.20.110.251 255.255.255.0 in the port1 table.
Once the desired parameters are set, type end to go back to the table level.
Alternately, to configure other parameters, type next to display the next
parameter.
By default, when end or next is entered, the parameters are written to the
configuration file. These changes are not lost should a system reboot occur.
Modifying the cfg-save parameter can change the behavior so that changes are
not automatically saved. If this option is used, all changes must be saved
manually before exiting the CLI by entering exe cfg save at the root level.

01-4200-0201-20100604 45
CLI Basics
There are shortcuts and options available to simplify using CLI commands.
Command Help
• Press the question mark (?) key at the command prompt to display a list of the
commands available and a description of each command.
• Type a command followed by a space and press the question mark (?) key to
display a list of the objects available for that command and a description of
each.
• Type a command followed by an object and press the question mark (?) key to
display a list of branches available for that command/object combination, along
with a description of each option.
Command Completion
• Use the tab key or the question mark (?) key to complete commands.
• Press the tab key at any prompt to scroll through the options available for that
prompt.
• Type the first characters of any command and press the tab key or the
question mark (?) key to complete the command or to scroll through the
options that are available at the current cursor position.
• After completing the first word of a command, press the space bar and then the
tab key to scroll through the objects available at the current cursor position.
Recalling Commands
Recall previously entered commands by using the Ç and È arrow keys to scroll
through the commands previously entered.

46 01-4200-0201-20100604
Editing Commands
Use the Å and Æ keys to move the cursor back and forth in a recalled
command. Use the Backspace and Delete keys and the control keys listed below
to edit the command.
Function Key combination
Beginning of line CTRL+A
End of line CTRL+E
Back one character CTRL+B
Forward one character CTRL+F
Delete current character CTRL+D
Previous command CTRL+P
Next command CTRL+N
Abort the command CTRL+C
Exit the CLI if used at the root prompt CTRL+C
Line Continuation
To break a long command over multiple lines, use a \ character at the end of
each line.
Command Abbreviation
Abbreviate commands, objects, and branches to the smallest number of non-
ambiguous characters. For example, the command get system status can be
abbreviated to g sy st.
IP Address Formats
Enter an IP address and subnet using either dotted decimal or slash-bit format.
For example, type either:
set ip 192.168.1.1 255.255.255.0
or
set ip 192.168.1.1/24
The IP address is displayed in the configuration file in dotted decimal format.
See the FortiGate CLI Reference Guide for more details on using the CLI.

01-4200-0201-20100604 47
Administrators
Administrators are responsible for the firewall’s configuration and operation. The
system’s factory default configuration has one administrative account called
admin. The admin account has full read/write control of the FortiGate unit’s
configuration. After connecting to Web Config or the CLI, additional administrators
can be configured. Once they are added, administrators are given various levels
of access to different parts of the FortiGate unit configuration using an admin
profile.
Admin Profiles
Admin profiles define the permissions assigned to administrators. Multiple admin
profiles can be created and assigned to administrators to restrict them to specific
tasks.
To view the list of available admin profiles on the FortiGate unit, go to System >
Admin > Admin Profile.
The factory default system administrator account called admin uses an admin
profile called super_admin. This is a special profile which cannot be viewed or
changed. It can, however, be assigned to additional administrative users.
Any administrator assigned to the super_admin profile has full access to the
FortiGate unit configuration in all VDOMs, and in addition, they can:
• Enable VDOM configuration
• Create VDOMs
• Configure VDOMs
• Assign regular administrators to VDOMs
• Configure global options

48 01-4200-0201-20100604
Users assigned to the super_admin profile:

• Can delete other users assigned the super_admin profile and/or change the
configured authentication method, password, or admin profile, only if the other
users are not logged in.
• Can delete the default admin account only if another user with the
super_admin profile is logged in and the default admin user is not.
The default super_admin_read_only profile can be assigned to any administrator

and allows them to view all the configuration settings on the FortiGate unit but not
make any modifications.
The default prof_admin profile can also be assigned to any administrator and
allows the same access as the super_admin profile, but is tied to a specific
VDOM. This profile can be edited to remove any permissions that should be
available to the administrator.
To view or modify any other admin profiles in the list (other than super_admin),
select the profile and click Edit ( ) or double-click the entry.

01-4200-0201-20100604 49
New admin profiles can be defined by clicking Create New ( ) on the Admin
Profile List page. Complete the parameters of the admin profile as needed.
Profile Name The name assigned to the profile will be

used to identify the profile on the New
Administrator page.
Access Control Select None, Read Only or Read-Write for
each of the configuration settings listed.

50 01-4200-0201-20100604
Administrative Users
An identity must be created for each administrative user assigned to the FortiGate
unit. The administrator will log into the FortiGate unit with the credentials defined.
To view the list of available administrators on the FortiGate unit, go to System >
Admin > Administrators.
The default admin user will be displayed in the list.

To view or modify any administrator in the list (other than admin), select them and
click Edit ( ) or double-click the entry.
To modify the password for any administrator in the list, select them and click
Change Password ( ). The default admin user cannot be renamed, however, the
password can and should be modified for the account immediately after initial
login to Web Config or CLI. By default, admin has no password. The maximum
password length is 32 characters.

01-4200-0201-20100604 51
New administrators can be defined by clicking Create New ( ) on the

Administrators List page. Complete the parameters of the administrator as
needed.
Administrator The name assigned to the administrator

that will be used to log into the FortiGate
unit.
Type Select the authentication type used by the
administrator.
Select Regular to authenticate with the
Password entered, Remote to
authenticate using an entry in an LDAP,
RADIUS or TACACS+ server, or PKI to
authenticate using a digital certificate.
Password Enter the password used by the
administrator to log in using Regular
authentication.
The password entered must conform to
the rules identified in Admin Settings.
Trusted Hosts Administrators will only be able to log into
FortiGate devices from the hosts
identified. Click + to add more Trusted
Hosts fields.
Admin Profile Select the Admin Profile from the list to
define the permissions (or rights)
assigned to the administrator.

52 01-4200-0201-20100604
Admin Settings
Settings related to administrator access are defined in System > Admin >
Settings.
Web Administration Ports Define the ports used for administrative

access to Web Config
Password Policy Define the policy settings to be enforced
when administrator passwords are
created.
Timeout Settings Administrators will be forced to re-
authenticate after a certain period of
inactivity as defined by this value.
Display Settings Define the language for the interface and
the number of entries displayed for
administrators. Enable IPv6 Support on
GUI to display fields required when using
IP v6.

01-4200-0201-20100604 53
DHCP
The FortiGate unit can operate as a Dynamic Host Configuration Protocol (DHCP)
server to assign IP addresses to PCs on the network. A range of IP addresses is
defined on the FortiGate unit, and are leased to PCs as needed.
The PC must be set to Obtain an IP address automatically to receive the IP
address from the FortiGate device.
A DHCP server called internal is available by default on the FortiGate unit.
Multiple DHCP servers can be created on the FortiGate unit.
To view the list of available DHCP servers on a Fortigate unit, go to System >
DHCP Server > Service.
To view the parameters of the internal DHCP server, select the server and click
Edit ( ) or double-click the entry.

54 01-4200-0201-20100604
The parameters of the internal DHCP server are displayed.

01-4200-0201-20100604 55
Address Leases
Administrators can view the list of addresses that have been leased to PCs on the
network. Go to System > DHCP Server > Address Leases.

56 01-4200-0201-20100604
Interface Addressing
One of the first tasks in setting up a FortiGate device to operate in the network is
to configure the network interfaces.
The number of physical interfaces on a FortiGate unit varies per model. On the
FortiGate 51B for example, there are five interfaces. The interfaces are named
wan1, wan2, internal1, internal2 and internal3.
The interfaces on a FortiGate unit can support multiple IP addresses, each with
independent administrative access settings, for example, HTTPS, ping, and SSH.
A FortiGate interface can be configured with a static IP address or acquire its IP
address from a DHCP or PPPoE server.
The FortiGate interfaces can be configured using either Web Config or the CLI
command config system interface.
Administrative access is configured per interface and can include the following
protocols:
• HTTPS
• PING
• HTTP
• SSH
• SNMP
• Telnet

01-4200-0201-20100604 57
Manual
In Web Config, configure a manual (or static) IP address on the Interface tab in
System > Network. Select Manual as the Addressing mode. The IP address and
subnet information are entered in the IP/Netmask field. Note that an IP address
can only be assigned on the same subnet as the network to which the interface
connects. The same is true for any assigned secondary IP addresses.

58 01-4200-0201-20100604
DHCP
No configuration information is required on the FortiGate unit for interfaces that
are configured to use DHCP. When DHCP is selected, the FortiGate unit
automatically broadcasts a DHCP request. The interface is configured with the IP
address and optionally the DNS server addresses and default gateway address
that the DHCP server provides.
If Retrieve default gateway from server is selected, the gateway (next hop)
retrieved by the interface will be set as the default gateway for the FortiGate
device. This will override any other configured default gateways.
If Override internal DNS is selected, the DNS servers retrieved by the interface
will become the FortiGate device’s preferred DNS servers. This will override any
DNS entries configured in the system.

01-4200-0201-20100604 59
PPPoE
If PPPoE is configured for the interface, the FortiGate unit automatically
broadcasts a PPPoE request. PPPoE requires a username and password. In
addition, PPPoE unnumbered configurations require an IP address in the
Unnumbered IP field. If the ISP has assigned a block of IP addresses, use one of
them. Otherwise, this IP address can be the same as another interface or it can be
any IP address.

60 01-4200-0201-20100604
DNS
Several FortiGate functions make use of DNS, including alert email and URL
blocking. The IP addresses of the DNS servers to which the FortiGate unit
connects must be specified. DNS server IP addresses are usually supplied by the
ISP. Configure SOHO-level FortiGate models to obtain DNS server addresses
automatically. To obtain these addresses automatically, at least one FortiGate
unit interface must use the DHCP or PPPoE addressing mode.
FortiGate SOHO models can provide DNS forwarding on their interfaces. Hosts
on the attached network use the interface IP address as their DNS server. DNS
requests sent to the interface are forwarded to configured DNS server addresses
or ones that the FortiGate unit obtained automatically.

01-4200-0201-20100604 61
Configuration Backup and Restore

The configuration of the FortiGate device can be saved to a file. The configuration
file can then be used to revert the device to the state saved in the file.
Go tothe System Information widget at System > Dashboard > Status to backup
and restore configuration files.
Backups are performed manually by clicking the Backup link in the System
Information widget.
Indicate the location for the backup, either to the hard drive of the management
PC, to a remote FortiManager device or to a USB disk. To protect the contents of
the backup, select the option to encrypt the configuration file and enter a
password to decrypt the file.
If the password used to encrypt the configuration file is forgotten, the configuration
file can no longer be used.

62 01-4200-0201-20100604
To revert the FortiGate device to the configuration saved in the file, click the
Restore link in the System Information widget.
Locate the configuration file and enter the password if the file was encrypted.

01-4200-0201-20100604 63
Firmware Upgrades
Firmware upgrades can be applied through Web Config, CLI, or automatically
through the FortiGuard Management Service.
To upgrade the firmware through Web Config or CLI, the firmware file must be
obtained from Fortinet Support.
In Web Config, the firmware file can be applied from the System Information
widget in System > Dashboard > Status.
Click the Update link and mbrowse to the location of the firmware file obtained
from Fortinet.
Alternately, apply the update from System > Maintenance > Firmware.

64 01-4200-0201-20100604
Disk Usage
An administrator can track the capacity of a FortiGate device hard disk through
System > Maintenance > Disk.

01-4200-0201-20100604 65
Connecting the FortiGate unit Overview and System Setup
Lab 1 Initial Setup

Objectives
This lab will guide the student through the basic setup of the FortiGate unit and
provide an initial orientation to the CLI and Web Config.
Tasks
In this lab, the following tasks will be completed:
• Exercise 1 Connecting the FortiGate unit
• Exercise 2 Accessing the Command Line Interface (CLI)
• Exercise 3 Accessing FortiGate Web Config
• Exercise 4 Configuring Network Connectivity
• Exercise 5 Exploring the CLI
• Exercise 6 Configuring Global System Settings
• Exercise 7 Configuring Administrative Users
Timing
Estimated time to complete this lab: 55 minutes
Exercise 1 Connecting the FortiGate unit

1 Plug the Internet connection into the wan1 port on the FortiGate unit. Verify
that the WAN1 LED indicators on the front of the device (Link/Activity and
10/100) are green.
Note: In the classroom lab environment, all addresses used are private addresses as
outlined in RFC1918. The wan1 Internet subnet is actually a private address subnet
and cannot be used in a real-world situation.
2 Connect the PC’s network cable into the internal1 interface of the FortiGate
unit and make sure the corresponding INTERNAL LED indicators are green.
The FortiGate unit’s built-in DHCP server will assign addresses to the devices
connected to these ports as required. The factory default subnet assignment of
192.168.1.0/24 will be used.
Note: The internal interface on a FortiGate unit is a multi-port switching hub port with
auto-MDX sensing so either a straight or cross-over cable can be used.

66 01-4200-0201-20100604
Overview and System Setup Accessing the Command Line Interface (CLI)
Exercise 2 Accessing the Command Line Interface (CLI)

1 When setting up a new FortiGate unit, establishing the connection to the CLI is
generally the first step, even if many of the configuration changes are
performed in Web Config.
Use a serial cable to connect the serial port on the PC to the FortiGate console
port that is located on the back of the device.
If the PC is not equipped with a serial port, a USB to serial adapter (purchased
separately) can be used to connect the PC to the FortiGate device.
2 Start a terminal emulation program on the PC to connect to the FortiGate unit
(such as Windows HyperTerminal or TeraTerm). The serial connection settings
required are:
• 9600 bps
• 8 bit data
• no parity
• 1 stop bit
• no flow control
3 At the FortiGate CLI login prompt, log in with username of admin (all
lowercase). The default password on the device is blank.
4 Reset the FortiGate device to factory defaults by typing the following
command:
exec factoryreset
When asked to continue, type Y, press <enter>, and wait for the reset to
complete.
5 Log in to the CLI once again and type the following command to display status
information about the FortiGate unit:
get system status
The output displays the FortiGate unit serial number, firmware build,
operational mode, and additional settings.
Confirm that the firmware build on the FortiGate unit is 4.00 MR2, the required
version for this course.
6 Type the following command to see a full list of accepted objects for the get
command:
get ?
Note: The ? character is not displayed on the screen.
Depending on objects and branches used with this command, there may be
other sub-keywords and additional parameters to enter.

01-4200-0201-20100604 67
Accessing the Command Line Interface (CLI) Overview and System Setup
7 Press the Ç key to display the previous get system status command and
try some of the control key sequences that are summarized below.
Previous command Ç or CTRL+P

Next command È, or CTRL+N
Beginning of line CTRL+A
End of line CTRL+E
Back one word CTRL+B
Forward one word CTRL+F
Delete current character CTRL+D
Abort command and exit branch CTRL+C
CTRL+C is context sensitive and in general, aborts the current command and
moves up to the previous command branch level. If already at the root branch
level, CTRL+C will force a logout of the current session and another login will
be required.
8 Type the following command and press the <tab> key 2 or 3 times.
execute <tab>
The command displays the list of available system utility commands one at a
time each time the <tab> key is pressed.
Note: Log back into the CLI if the admin login timeout has elapsed.
9 Type the following command to see the entire list of execute commands:
execute ?
10 Enter the following CLI commands and compare the available keywords for
each one:
config ?
show ?
These two commands are closely related.
config begins the configuration mode while show displays the
configuration. The only difference is show full-configuration. The
default behavior of the show command is to only display the differences from
the factory-default configuration.

68 01-4200-0201-20100604
Overview and System Setup Accessing FortiGate Web Config
11 Enter the following CLI commands to display the FortiGate unit’s internal
interface configuration settings and compare the output for each of them:
show system interface internal
show full-configuration system interface internal
Only the characters shown in bold type face need to be typed, optionally
followed by <tab>, to complete the command key word. Use this technique to
reduce the number of keystrokes to enter information. CLI commands can be
entered in an abbreviated form as long as enough characters are entered to
ensure the uniqueness of the command keyword.
Note: At the --More-- prompt in the CLI, press the spacebar to continue scrolling or
<enter> to scroll one line at a time. Press <q> to exit.
12 Enter the CLI command below to display the factory set IP address of the
FortiGate’s internal interface.
show system interface internal
The internal interface’s IP address is 192.168.1.99. This address will be
used later for HTTP administrative access to the FortiGate device.
Exercise 3 Accessing FortiGate Web Config

To access Web Config using a standard Web browser, ensure that cookies and
Javascript are enabled for proper rendering and display of the graphical user
interface.
Caution: If using a personal laptop or PC for the following exercise, make sure to
record the original PC network settings before proceeding.
1 Ensure that the IP addressing mode on the PC is set to DHCP (Obtain an IP

address automatically). The FortiGate device will assign the PC an address in
the range of 192.168.1.110 to 192.168.1.210.
2 Verify the PC settings using the ipconfig command from the Windows
command prompt. The default gateway corresponds to the IP address of the
internal interface on the FortiGate unit (192.168.1.99).
3 Open a web browser and type the following address to access the FortiGate
Web Config interface.
https://192.168.1.99
Accept the self-signed certificate or security exemption if a security alert
appears.
HTTPS is the recommended protocol for administrative access to the
FortiGate unit. Other available protocols include SSH, ping, SNMP, HTTP, and
Telnet.
4 At the login screen, enter the username of admin and leave the password
blank. Click Login.
5 The Dashboard is displayed after a successful login. Before continuing with
the rest of the initial configuration, explore the Dashboard page and find the
following information:

01-4200-0201-20100604 69
Configuring Network Connectivity Overview and System Setup
Current Firmware Version

Date and Time
Serial Number
Operation Mode
Other system details found on the Dashboard include the current CPU and
memory usage, number of active sessions, alert messages, number of
administrative users, and FortiGuard Services status.
6 To avoid Web Config timeouts during the lab exercises, increase the idle
timeout. Go to System > Admin > Settings. Increase the Idle Timeout to 60
minutes.
Leave all other settings unchanged.
Click Apply to save the changes.
7 Before proceeding to the next exercise, ensure that the FortiGate unit is
running the correct version of FortiOS firmware (FortiOS version 4.0 MR2).
Note: If are not running the correct version, click Update for Firmware version on the
Dashboard and browse to the firmware file available from the Fortinet Support site with
a valid service contract.
Exercise 4 Configuring Network Connectivity

The FortiGate unit’s wan1 interface settings must be configured using one of the
following addressing modes: DHCP, Manual (Static IP), or PPPoE.
Complete the steps for the configuration that applies to the Internet setup on the
computer being used to complete the exercise.
• If the network setup supports DHCP, complete the section Configuring the
wan1 Interface Using DHCP.
• If using static IP addresses, complete the section Configuring the wan1
interface Using Manual Assignments.
• If using PPPoE, complete the section Configuring the wan1 Interface Using
PPPoE.

70 01-4200-0201-20100604
Overview and System Setup Configuring Network Connectivity
Configuring the wan1 Interface Using DHCP

If the Internet setup (ISP or other) being used on the student computer uses
DHCP, perform the steps below to configure the wan1 interface.
1 In the Web Config, go to System > Network > Interface. Select the wan1
interface and click Edit ( ).
On the Edit Interface page, configure the following settings:
.
Addressing mode DHCP

Distance: 5
Retrieve default gateway from server
Administrative access HTTPS
Click OK.
2 Wait a few seconds for the wan1 interface to acquire an address from the
ISP’s DHCP server before continuing.
Note: Configuration changes get saved to the non-volatile flash memory when clicking
OK in Web Config or when next or end is entered on the CLI. No explicit save
command is required.
For CLI configuration only, this behavior can be changed to require an explicit save or
to revert after a set period if an explicit save is not performed.
config system global
set cfg-save <automatic/manual/revert>
set cfg-revert-timeout <600> (in seconds, only when cfg-save is revert)
3 After a few seconds, the acquired DHCP address assignment will be displayed
in the IP/Netmask column on the Interface page.
Continue at step 4.
Configuring the wan1 Interface Using Manual Assignments

If the Internet setup on the student PC uses manual IP assignments, complete
the steps below for the wan1 network configuration.
1 In Web Config, go to System > Network > Interface tab. Select the wan1
interface and click Edit ( ).
.
Addressing mode Manual

IP/Netmask Enter the IP address and netmask (as
provided by a network administrator).
For example:
192.168.20.20/255.255.255.0
Click Apply.
2 Click the Options tab to open Networking Options. In the Primary DNS Server
field, enter the IP address of the DNS server given by the network
administrator.
If a second DNS server is available, enter its IP address in the Secondary DNS
Server field.
Click OK.

01-4200-0201-20100604 71
Configuring Network Connectivity Overview and System Setup
3 Go to the Router > Static > Static Route and click Create New to define a new
static route entry for the default gateway.
In the New Static Route window, leave the Destination/IP Mask settings at the
default setting 0.0.0.0/0.0.0.0.
Select the the wan1 device from the list and enter the IP address for Gateway
as the default gateway device as provided by a network administrator.
Leave the distance to the default of 10.
Click OK.
Continue at step 4.
Configuring the wan1 interface using PPPoE

If the Internet setup on the student PC uses PPPoE, perform the steps below to
configure the wan1 interface.
1 In Web Config, go to System > Network > Interface . Select the wan1 interface
and click Edit ( ).
.
Addressing mode PPPoE

Username Enter the username provided by the
ISP.
Password Enter the password provded by the
ISP.
Retrieve default gateway from server Enable only if the ISP supports this
option
Override internal DNS Enable only if the ISP supports this
option
Click OK.
2 Go to System > Network > Options. In the Primary DNS Server field, enter the
IP address of the DNS Server as provided by a network administrator.
If a second DNS server is available, enter its IP address in the Secondary DNS
Server field.
Leave the Dead Gateway Detection values at their default.
Click Apply.
3 Go to the Router > Static > Static Route tab to configure a new static route
entry for the default gateway.
In the New Static Route window, leave the Destination/IP Mask settings at the
default setting 0.0.0.0/0.0.0.0.
Select the the wan1 device from the list and enter the IP address for Gateway
as the default gateway device as provided by a network administrator.
Leave the distance to the default of 10.
Click OK.
Continue at step 4.

72 01-4200-0201-20100604
Overview and System Setup Configuring Network Connectivity
All users, irrespective of the type of addressing used (DHCP, Manual, or

PPPoE) should continue with the following steps.
4 From the CLI, type the following commands to view the interface settings for
wan1:
config system interface
edit wan1
get
end
In the displayed output, note the same DHCP parameters that were viewed for
the wan1 interface in the previous step.
Note: Depending on how long it has been since the last command has been entered in
the CLI, another login may be required.
5 In a DOS command prompt window use the nslookup command to verify

the IP address of a web site. For example:
nslookup www.fortinet.com
6 Ping the IP address displayed through the command above using the following
command in the CLI:
exec ping <IP_address_of_web_site>
7 To secure the wan2 interface from accidental usage, remove the IP address
and administratively disable this port. The IP address can only be unset from
the CLI.
In the CLI, enter the following commands below to disable and clear the IP
address of the wan2 interface:
edit wan2
set status down
end
8 In Web Config, go to System > Network > Interface. Note that the interface list
will now display wan2 with an IP/Netmask of 0.0.0.0/0.0.0.0 and a
disabled status icon (red dot with È). A display refresh may be needed to see
the new status information.
9 The FortiGate unit runs a DHCP server configured for the internal interface. To
view the configuration of the built-in DHCP server go to System > DHCP
Server > Service. Select the internal DHCP server and click Edit ( ) or
double-click the entry to view the settings for the pre-defined DHCP server.
Note: The DHCP leases are preserved even when the FortiGate unit is re-booted. To
clear all DHCP leases, disable and then re-enable the specific DHCP server.
Click Cancel to exit.

10 To view the DHCP address leases, go to System > DHCP Server > Address
Leases and locate the entry for the PC in the displayed list.
As new PCs are connected to the trusted internal subnet, a list of all the DHCP
address leases that have been assigned will be displayed.

01-4200-0201-20100604 73
Exploring the CLI Overview and System Setup
Exercise 5 Exploring the CLI

1 To view the configuration of the FortiGate interfaces through the CLI, type the
following command:
show system interface
2 To see verbose settings, type the following command:
show full-configuration
3 To view additional parameters for all interfaces, type the following command:
get system interface
Compare the get command output with the output from the show command.
The information from each is similar: get displays all settings and values,
while show gives the syntax for the configuration.
4 The FortiGate CLI is hierarchical, which means that some commands are only
applicable at a certain level or context. To demonstrate the hierarchy, modify
the wan1 interface to add additional administrative access to assist with
troubleshooting during initial deployment.
To add SSH access on the wan1 interface, type the following CLI commands:
edit wan1
set allowaccess https ping ssh
next
end
Note: The set command is not additive. The existing parameters must be re-entered
along with the new parameter being added.
5 Verify the changes by typing the following command:

show system interface wan1
6 Display the configuration of the DHCP server that provides IP addresses to the
PCs connected to the internal interface with the following commands:
show system dhcp server or show full system dhcp server
get system dhcp server
7 To inspect the DHCP leases in the CLI for the addresses distributed by the
internal interface DHCP server, type the following command:
exec dhcp lease-list
Other available DHCP CLI commands are listed below. Please do not run
these commands at this time.
DHCP leases can be cleared with the following command:
exec dhcp lease-clear
DHCP leases can be refreshed with the following command:
exec interface dhcpclient-renew <interface name>

74 01-4200-0201-20100604
Overview and System Setup Configuring Global System Settings
Exercise 6 Configuring Global System Settings

1 In Web Config, go to System > Network > Options. Modify the following DNS
Settings:
Primary DNS Server 4.2.2.1

Secondary DNS Server Leave as the default server
address.
Click Apply.
Note: For FortiGate 200A models and higher, the Primary DNS and Secondary DNS
servers can only be configured manually. The factory defaults are set to Fortinet-
maintained DNS forwarders 208.91.112.53 and 208.91.112.52 respectively.
2 Compare the output for the following DNS CLI commands:

show system dns
get system dns
The output should correspond to the changes made in Step 1.
3 For logging purposes, as well as to optimize FortiGuard updates, the FortiGate
unit should be set to the correct time zone and NTP server synchronization
should be enabled. Go to System > Dashboard > Status. In the System
Information widget, click the [Change] link for System Time.
Select the appropriate Time Zone.
Enable Automatically adjust clock for daylight savings changes if required in
the local area.
Enable Synchronize with NTP Server. By default, pool.ntp.org will be
used, or a local NTP server can be used if available.
Click OK.
4 Display the current system time from the CLI by typing the following command:
execute time
Type exec time ? to view the syntax to set the system time manually.
5 Verify that the date setting is correct by typing the following CLI command:
exec date
6 In the System Information widget, click the [Change] link for Host Name and
change the hostname of the FortiGate unit to UserX. (In a classroom
environment, assign to X the student number as dictacted by the instructor. In
a self-paced environment, assign to X a random value. (For example, User2)
Click OK.
The new hostname will appear in the browser title bar at the next login or when
the page is refreshed.
7 View the CLI equivalent commands for all the system settings configured in the
above steps by typing the following command:
show system global

01-4200-0201-20100604 75
Configuring Administrative Users Overview and System Setup
Exercise 7 Configuring Administrative Users

1 Go to System > Admin > Administrators to view the list of current
administrators.
Click to select the default admin administrator and click Edit ( ) or double-
click the entry in the list. The factory default Trusted Host setting of
0.0.0.0/0 allows connections from any host address.
Click Cancel to close the Edit Administrator page.
2 Click to select the default admin administrator and click Change Pasword ( )
The factory default password for the admin account is empty, set the password
to fortinet.
To save the changes, click OK.
3 Log back into Web Config using the new admin password.
4 To enhance administrative security, create a new administrator account that
will be used for day-to-day administration of the FortiGate device and restrict
the source IP connection with Trusted Hosts.
Go to System > Admin > Administrators. Click Create New to assign a new
administrator with the following settings:
Administrator admin1
Type Regular
Password fortinet
Trusted Host #1 192.168.1.0/24
Admin Profile super_admin
Click OK to save the changes.
Note: Ping requests to this device are also restricted by the trusted host setting of the
administrator account.

76 01-4200-0201-20100604
Overview and System Setup Configuring Administrative Users
5 Go to System > Admin > Admin Profile. Click Create New to define a new
admin profile called content-control as in the New Admin Profile window
illustrated below. Limiting access only to the areas affecting content inspection
helps to eliminate accidental errors that could adversely affect connectivity.
Click OK.
6 Go to System > Admin > Administrators and create a new administrative
account that uses the new content-control admin profile. Configure the new
administrator account using the following settings:
Administrator cadmin
Type Regular
Password 123456
Trusted Host #1 192.168.1.0/24
Admin Profile content-control
Click OK.
7 To view the CLI configuration for administrative users and profiles, type the
following commands:
show system admin
show system accprofile

01-4200-0201-20100604 77
Configuring Administrative Users Overview and System Setup
8 Test the new administrative access login by logging out of the current Web
Config session and logging in again as the new cadmin user.
Try to access areas set to read only, for example, go to System > Network >
Interface. The data will be able to be viewed but not edited.
The Trusted Host setting configured for admin1 and cadmin will only allow
access to PCs connected to the internal 192.168.1.0/24 subnet even if the
correct password is entered.

78 01-4200-0201-20100604
LESSON 2
Logging and Alerts
79
www.fortinet.com
Logging and Alerts Logging Levels
Lesson 2 Logging and Alerts

Logging is a key element of maintaining a FortiGate unit in a network. Logging
allows an administrator to track down and pinpoint problems efficiently by
monitoring the many facets of network and Internet traffic. In addition to being
able to identify problems, logging lets an administrator monitor normal events, as
well as establish network behavior baselines, such as allowed traffic, typical traffic
patterns (regular protocols that pass through the network), and traffic volume.
This type of network information can tell an administrator at a glance whether or
not the FortiGate device is functioning correctly and can help identify any
configuration changes that are necessary for optimal operation.
Logging Levels
All log messages have severity or priority levels. The administrator should define
at what severity level the FortiGate unit will record logs when the logging location
is configured. All messages at and above the minimum log level selected will be
logged, for example, if the Error level is selected, the unit logs for Error, Critical,
Alert, and Emergency level messages.
In the following example of a log message, the priority level is notification. This
indicates the occurrence of a normal event, which in this example indicates that
the admin user has added a new firewall policy.
2007-01-11 14:23:37 log_id=0104032126 type=event
subtype=admin pri=notification vd=root user=admin
ui=GUI(192.168.96.1) seq=3 msg="User admin added new
firewall policy 3 from GUI(192.168.96.1)"
The minimum logging levels is selected from the drop down list for each enabled
log type.
Emergency
Event logs, specifically administrative events, can generate an emergency
severity level. This level indicates the system has become unstable.
Alert
Attack logs are the only logs that generate an alert severity level. This level
indicates that immediate action is required.
Critical
This level is generated by event, antivirus, and spam filter logs and indicates that
functionality is affected.
Error
This level is generated by event and spam filter logs and indicates that an error
condition exists and functionality could be affected.

01-4200-0201-20100604 81
Logging Levels Logging and Alerts
Warning
This level is generated by event and antivirus logs and indicates that functionality
could be affected.
Notification
This level is generated by traffic and web filter logs and indicates information
about normal events.
Information
This level is generated by content archive, event, and spam filter logs and
indicates general information about system operations.
Debug
This level is primarily used as a technical or customer support function on an as-
directed basis only.

82 01-4200-0201-20100604
Logging and Alerts Log Storage
Log Storage
FortiGate logs can be stored in various locations depending on the type and
frequency of the logs to save.
FortiGate logs can be stored in the following locations:
• System memory
• Local hard disk
• Syslog
• FortiGuard Analysis Service
• FortiAnalyzer appliance
Local Logging
Local logs are stored and viewed on the FortiGate device. Local logs are
displayed under Log&Report > Log Access. Select the log type to be viewed.
Local logs can also be read from the CLI using the execute log display
command if a log filter has been defined.
Memory
When logging to memory is enabled, recent log entries are stored for most log
types except for Traffic and Content, mainly due to their frequency and large file
size. When the system has reached its capacity for log messages, the FortiGate
unit overwrites the oldest messages.
The logging level required can be selected from the Minimum log level list.
IPS Packet Archives can be enabled for memory logs.
Memory logs can be backed up to an FTP server using the execute backup
command.
Memory is volatile, that is, if the FortiGate unit is reset or loses power, log entries
captured to memory will be lost.

01-4200-0201-20100604 83
Log Storage Logging and Alerts
Disk
If the FortiGate unit includes a hard disk, logging to that disk can be enabled. All
log types are supported when logging to hard disk except for Content logs.
Log rolling settings can identify when information will be written to a new log file,
either when a maximum size is reached or at a scheduled time.
The administrator should specify how the FortiGate unit handles new logs when
the hard disk becomes full. In this case, the older logs can be overwritten, or the
device can stop logging information altogether.
DLP Archive can be enabled when logging to the hard disk. The archiving of
information is triggered by Data Leak Prevention sensors. Content archiving
provides a method of simultaneously logging and archiving copies of content
transmitted over the network, such as email and web pages. Content logs include
information such as the senders, recipients, and the content of messages and
files. If full content archiving is enabled, FortiGate units can also archive a copy of
the associated file or message with the content log message. If the DLP sensor is
configured to archive data when triggered and DLP Archive is enabled on the
FortiGate, information will be archived to the local hard disk on the FortiGate unit.
IPS Packet Archives can be enabled for memory logs.
SQL Logging is enabled by selecting the log type from the list.

84 01-4200-0201-20100604
Remote Logging
Remote logs include information forwarded from the FortiGate unit to an external
storage mechanism.
Syslog
A Syslog server is a remote computer running software used to collect log
messages forwarded over an IP network. Administrators commonly use Syslog
servers for logging purposes because computers on a variety of operating
systems can run Syslog software, including Linux, Unix, and Windows systems.
The IP address or FQDN of the Syslog server must be identified where the
information is to be forwarded. Usually, communication with the Syslog server
takes place on port 514 but any port number can be used.
The Facility value is used as a way of determining which process of the computer
created the machine and can be used to distinguish between different classes of
syslog messages. On the FortiGate unit, the Facility can be used to identify the
source of the log message. The FortiGate reports the Facility at a default value of
local7, but any value can be selected from the list.
When logging to a Syslog server there are two different log file formats available,
either Comma Separated Values (CSV) or normal. The CSV format contains
commas, whereas the normal format contains spaces.

01-4200-0201-20100604 85
Log Storage Logging and Alerts
FortiGuard Analysis Service

FortiGuard Analysis Service is a subscription-based service that provides a web-
based logging and reporting solution. An active license for this service must be
available for the service to be enabled.

86 01-4200-0201-20100604
FortiAnalyzer
A FortiGate unit can be configured to send log messages to a FortiAnalyzer
device on the local network or over the Internet. FortiAnalyzer units are network
appliances that provide integrated log collection, analysis tools, and data storage.
The IP Address of the FortiAnalyzer device must be identified. Click Test
Connectivity to ensure that a connection to the FortiAnalyzer device is available.
To conserve bandwidth over the network, FortiGate units equipped with a hard
drive can buffer log information locally and upload to the FortiAnalyzer device at a
scheduled time. Enable Buffer to hard disk and upload and set the time for the
transfer.
IPS Packet Archives can be enabled for FortiAnalyzer logs.
The administrator should specify how the FortiGate unit handles new logs when
the hard disk on the FortiAnalyzer becomes full. In this case, the older logs can be
overwritten, or the device can stop logging information altogether.
Further details regarding logging to a FortiAnalyzer device are provided in the

Logging to a FortiAnalyzer Device section of this lesson.

01-4200-0201-20100604 87
Log Types Logging and Alerts
Log Types
A FortiGate system can log a wide range of system activity including overall
network traffic, attack incidents, and general system events.
Event Log
The Event Log records management and activity events including configuration
changes, admin logins, or high availability and VPN events.
Traffic Log
The Traffic log records any traffic between a source and destination interface.
These interfaces must be correctly classified in the FortiAnalyzer device so that it
can identify if the session is incoming or outgoing, internal or external.
Traffic logs are only generated when the session table entry expires. This is
because the log message also includes the amount of data sent and received.
This is not the case for violation traffic as no session entry is created and a log
message is generated immediately indicating 0 bytes were transmitted and
received.
Note: Any denied traffic on a FortiGate device is implicit and not logged. Therefore, to
log violation traffic, a deny and log rule is required. Also, in order to log connections to
closed ports, set the global variable set loglocaldeny enable.
Attack Log
The Attack log records attacks that are detected and prevented by the FortiGate
unit. The FortiGate unit will log attack signatures and attack anomalies. Packet
logging can also be enabled through the IPS settings (CLI or Web Config). This
feature provides administrators with the ability to analyze packets for forensics
and false positive detection.
AntiVirus Log
The Antivirus log records virus incidents within the proxies. For example, when the
FortiGate unit detects an infected file, blocks a file type, or blocks an oversized file
or email.
Web Filter Log

The Web Filter log records HTTP FortiGate log rating errors including web content
blocking actions that the FortiGate unit performs. The logs contain the URLs and
optionally the user name who requested the resource if user authentication is
enabled.
Email Filter Log

The Email Filter log records detected spam and blocks email address patterns
and content in SMTP, IMAP, and POP3 traffic.

88 01-4200-0201-20100604
Logging and Alerts Log Types
DLP Log
The Data Leak Prevention log records data that matches pre-defined sensitive
patterns as it passes through the FortiGate unit. The data patterns can also be
blocked.
Application Control Log

Application Control logs includes any activities triggered by the application control
features on the FortiGate device.
Network Scan Log

Network Scan logs include the information gathered by running a vulnerability
assessment against client computers on the network.

01-4200-0201-20100604 89
Generating Logs Logging and Alerts
Generating Logs
Depending on the information required to record, logging can be enabled in
various locations in Web Config including:
• UTM profiles and sensors
• Event log
• Firewall policy
UTM Profiles and Sensors

Threat management logging is enabled within UTM profiles for antivirus, web
filtering, email filtering, and VoIP filtering and in sensors for IPS and DLP.

90 01-4200-0201-20100604
Logging and Alerts Generating Logs
Event Log
FortiGate unit events to be logged are enabled from the Event Log list.
If the CLI is used to disable certain event logs for a destination, the Event Log
option display check boxes are greyed out.

01-4200-0201-20100604 91
Generating Logs Logging and Alerts
Firewall Policy
Traffic logging can be enabled for individual firewall policies. Logging traffic per
firewall policy is more granular and better suited for troubleshooting.
When traffic logging is enabled on a majority of firewall policies, consideration

must be made for the CPU and network utilization of the logging operation.
Local hard disk traffic logging on heavily used systems can be CPU intensive and
should be avoided whenever possible. Remote devices such as FortiAnalyzer
units or SysLog should be used instead.

92 01-4200-0201-20100604
Logging and Alerts Viewing Log Files
Viewing Log Files

Log Access displays options for viewing log files stored locally in memory or on
the hard disk. A Log Access display window is available for each log type
available and provides options for viewing log messages, such as search and
filtering options, including selecting the log type to view. The columns that appear
in Log Access reflect the content found in the log file.
The bottom portion of the Log Access page includes navigational features to help
move through the log messages and locate specific information, for example,
going to the next page, previous page, last, or first page. A number can also be
entered to jump ahead to a particular page of log messages, for example, entering
the number 5 displays the fifth page.

01-4200-0201-20100604 93
Viewing Log Files Logging and Alerts
Log Display Formats

Log messages can be viewed in Formatted view or Raw view.
Formatted View
Formatted View presents logs information in a columnar format. Column Settings
allows the log information columns that are displayed to be added or removed (for
example, Date, Time, Source etc.).
Filters allow only the log messages that fit a specified filter criteria to be viewed.
For example, to view all log messages for a specific date range, the Date filter can
be used.
Select the log type from the Log&Report > Log Access menu including:
• Application Control
• DLP
• Email Filter
• Attack
• Web Filter
• Antivirus
• Event
• Traffic
• Network Scan

94 01-4200-0201-20100604
Logging and Alerts Viewing Log Files
Columns can be added or removed from the the log display by clicking Column
Settings ( ).
Select the fields to be displayed from the Available fields list and click Æ to move
the field to the Show list. Click Move Up and Move Down to change the order of
the fields in the list. Fields will be displayed in Formatted View in the order they
are shown in the list.
To remove a field from the columns displayed, select it in the Show list and click
Å to move it back to the Available fields list
In addition, filters can be used to display only the log messages that fit a specified
filter criteria. For example, to view all log messages for a specific date range, use
the Date filter. Click Filter ( ) to edit the filters for the column.

01-4200-0201-20100604 95
Viewing Log Files Logging and Alerts
Raw View
When log messages display in raw view, the log message displays as it is saved
in the log file.

96 01-4200-0201-20100604
Logging and Alerts Logging to a FortiAnalyzer Device
Logging to a FortiAnalyzer Device

A FortiGate device can be configured to send log messages to a FortiAnalyzer
unit. FortiAnalyzer units are network appliances that provide integrated log
collection, analysis tools, and data storage.
Logging to the FortiAnalyzer unit is enabled in the FortiGate device by either
specifying the FortiAnalyzer device’s IP address or enabling Automatic Discovery.
FortiGate units running FortiOS version 3.0 or greater use the Fortinet Discovery
Protocol (FDP), a UDP protocol, to locate a FortiAnalyzer unit. When a FortiGate
administrator selects Automatic Discovery, the FortiGate unit uses HELO packets
to locate FortiAnalyzer units on the network within the same subnet. If FDP has
been enabled for its interface to that subnet, the FortiAnalyzer unit will respond.
Once the FortiGate unit discovers a FortiAnalyzer unit, the FortiGate unit
automatically enables logging to the FortiAnalyzer and begins sending log data.
Depending on its configuration, the FortiAnalyzer unit may then automatically
register the device and save its data, add the device but ignore its data, or ignore
the device entirely.
The connection status of the FortiAnalyzer device will be identified in the
FortiAnalyzer Connection Summary window.
The Syslog protocol (UDP port 514) is used by default by the FortiGate unit to
transport log messages to the FortiAnalyzer unit. TCP port 514 (OFTP) is used to
transfer the content archive and to remotely view the log files and reports.
If logging data is traversing a public network, an IPSec tunnel can be used to
secure the communication between the FortiGate and the FortiAnalyzer devices.
The FortiGate unit can send all log message types, as well as quarantine files, to
a FortiAnalyzer unit for storage. Log files stored on a FortiAnalyzer unit can also
be uploaded to an FTP server for archival purposes.
The transfer of log data between the FortiGate unit and the FortiAnalyzer can be
secured using IPSec.

01-4200-0201-20100604 97
Logging to a FortiAnalyzer Device Logging and Alerts
FortiAnalyzer Device List

The device list displays devices allowed to connect to the FortiAnalyzer unit and
their connection permissions. It may also display unregistered devices attempting
to connect.
Connection attempts occur when a device sends traffic to the FortiAnalyzer unit
before they have been added to the device list on the unit. FortiAnalyzer units will
either ignore the connection attempt, or automatically add the device to its device
list. This connection attempt handling depends on the type of the device
attempting to connect, the selections made in the Unregistered Device Options
window, and whether or not the maximum number of devices has been reached
on the FortiAnalyzer unit.
An administrator may choose to block connection attempts from devices that they
do not want to add to the device list since connection attempts must be
reconsidered with each attempt.
The Secure column the in Device List identifies when secure connections are
enabled. If secure connections are enabled, the closed lock ( ) will appear,
however, the FortiAnalyzer unit cannot create a secure tunnel without being
configured first.
Secure connections are enabled and configured between the FortiAnalyzer unit
and the device(s) being monitored though the CLI. The secure tunnel must be
configured on both ends of the tunnel including the FortiAnalyzer unit and the
device.
Secure connections cannot be configured with FortiMail units, FortiClient
installations, or syslog devices.

98 01-4200-0201-20100604
Device Registration
The FortiAnalyzer device list can display both registered and unregistered
devices. Depending on the settings in Unregistered Device Options, the
FortiAnalyzer unit handles connection attempts from unregistered or
unrecognized devices in one of these ways:
• Ignore the connection and only allow connections from manually added
devices.
• Allow the connection, add as an unregistered device, but do not keep the
device’s log data. This option will add devices automatically, but will not keep
data until manually registered.
• If the device is an unknown type, allow the connection, add as an unregistered
device, and keep a specified amount of the device’s log data.
• If the device is a known type, allow the connection, and add as a registered
device and keep a specified amount of the device’s log data.
Manually adding a device to the device list configures connections from the device
but does not automatically establish a connection. The device must be configured
to send traffic to the FortiAnalyzer unit to establish a connection.
A device will not be able to use most of the FortiAnalyzer unit’s features until the
device is registered, either manually or automatically.

01-4200-0201-20100604 99
Viewing FortiAnalyzer Logs

The FortiAnalyzer Log Viewer displays logs for devices that were added to the
device list, as well as the FortiAnalyzer unit itself, focusing on specific log types
and time frames.
Select the log type to be viewed by selecting it from Log & Archive > Log Access.
Historical
The Historical tab displays all log messages for the selected log type whose time
stamps are within the specified time frame.
Select the devices to be displayed in the log list from the Show list. Select the
Timeframe for the list to be displayed, either Anytime, Last 1 Hour, Last 1 Day,
Last 7 days, or Last Month.

100 01-4200-0201-20100604
Select the columns be displayed by clicking Column Settings. Identify the columns
to display in the list by selecting the column and moving it from the Available
Fields list to the Display Fields list.
Real-time
An up-to-the-minute display of the log messages received by the FortiAnalyzer
unit can be displayed by clicking Realtime Log ( ) . The display refreshes every
few seconds, and contains only the most current entries.

01-4200-0201-20100604 101
Display Options
Click the Display Options link at the bottom of the window to to choose either Raw
or Formatted view or to resolve host names and services.
Raw View
Raw view displays log messages exactly as they appear in the log file.
Formatted view
Formatted view displays log messages in a columnar format. Each log field in a
log message appears in its own column, aligned with the same field in other log
messages, for rapid visual comparison. When displaying log messages in
formatted view, the log view can be customized by hiding, displaying and
arranging columns and/or by filtering columns, refining the view to include only
those log messages and fields that are required for display. If log messages are
displayed in formatted view, the log messages can be displayed and arranged
and/or filtered by column contents.
When viewing log messages in formatted view, columns can be filtered to display
only those log messages that do or do not contain the specified content in that
column. By default, most column headings contain a gray filter icon, which
becomes green when a filter is configured and enabled. When viewing real-time
logs, the time column cannot be filtered on (by definition of the real-time aspect,
only current logs are displayed).

102 01-4200-0201-20100604
Browsing Log Files

Log Browse enables the administrator to see all stored log files for all devices and
the FortiAnalyzer itself. In this window, view the log information, download log files
to the hard disk, or delete unneeded files.
Device log file size and consumption of the FortiAnalyzer disk space can be
controlled by configuring log rolling and/or scheduled uploads to a server. As the
FortiAnalyzer unit receives new log items, it verifies whether the log file has
exceeded its file size limit. If the file size is not exceeded, the FortiAnalyzer unit
checks to see if it is time to roll the log file. When a log file reaches its maximum
size, or reaches the scheduled time, the FortiAnalyzer unit saves the log files with
an incremental number, and starts a new log file with the same name.
If log uploading has been enabled, choose to automatically delete the rolled log
file after uploading, thereby freeing the amount of disk space used by rolled log
files. If the log upload fails, such as when the FTP server is unavailable, the logs
are uploaded during the next scheduled upload.
A device’s log files can be imported. This can be useful when restoring data or
loading log data for temporary use. For example, if older log files from a device
are available, these logs can be imported into the FortiAnalyzer unit in order to
generate reports on older data. Logs can be imported in normal log, compressed
log (.log.gz) or comma separated value format.
In addition, a log file can be downloaded to save it as a backup or for use outside
the FortiAnalyzer unit. The download consists of either the entire log file, or a
partial log file, as selected by the current log view filter settings.

01-4200-0201-20100604 103
Searching the Logs

The device log files can be searched for matching text using two search types.
Quick Search
Quick Search finds results more quickly if the search terms are relatively simple
and only need to search indexed log fields. Indexed log fields are those that
appear with a filter icon when browsing the logs in column view; unindexed log
fields do not contain a filter icon for the column or do not appear in column view,
but do appear in the raw log view. Quick Search keywords cannot contain special
characters such as single (‘) quotes, double quotes (“), question marks (?), wild
card characters (*), or only contain a wild card as the last character of a keyword
(logi*)
Quick Searches can be perfomed quickly by entering the search value in the
search field on the Log Display page..

104 01-4200-0201-20100604
Quick Searches can also be performed by clicking Advanced Search, entering the
criteria as needed and clicking Quick Search.
Full Search
Full Search can be used if the search terms are more complex, and require the
use of special characters, regular expressions or log fields not supported by Quick
Search. Full Search performs an exhaustive search of all log fields, both indexed
and unindexed, but is often slower than Quick Search.

01-4200-0201-20100604 105
Logging to Multiple FortiAnalyzer Units or Syslog Servers Logging and Alerts
Logging to Multiple FortiAnalyzer Units or Syslog Servers

FortiGate devices can support up to three FortiAnalyzer and/or Syslog servers for
logging. This allows for load balancing of log traffic in busy network environments.
For example, all Event logs can be sent to FortiAnalyzer1, all Web filter logs to
FortiAnalyzer2, and Traffic logs to FortiAnalyzer3.
Logging to multiple destinations must configured using the CLI. (For more
information, see the FortiGate CLI Reference Guide.)

106 01-4200-0201-20100604
Logging and Alerts Content Archiving
Content Archiving
Content archiving provides a method of simultaneously logging and archiving
copies of content transmitted over the network, such as email and web pages.
Content logs include information such as the senders, recipients, and the content
of messages and files. If full content archiving is enabled, FortiGate units can also
archive a copy of the associated file or message with the content log message.
Content archive data is needed to generate many of the reports available on the
FortiAnalyzer device. Content archiving may also be required by corporate policy
and/or to ensure regulatory compliance.
Both FortiGate content archive logs and their associated copies of files or
messages can be stored and viewed remotely on a FortiAnalyzer unit, leveraging
its large storage capacity for large media files that can be common with
multimedia content. When content archives are received by the FortiAnalyzer unit,
data filtering similar to other log files can be used to track and locate specific email
or instant messages, or to examine the contents of archived files.
Summary content archives are those which contain only a log message consisting
of summary metadata. Full content archives are those which contain both the
summary and a hyperlink to the associated archived file or message. For
example, if the FortiAnalyzer unit has a full content archive for an email message,
the Subject log field of email content archives contains a link that enables that
email message to be viewed. If the FortiAnalyzer unit has only a content archive
summary, the Subject field does not contain a link.
Whether or not each content archive will be full or summary varies by whether the
device is configured to send full content archives, whether the content satisfies
content archiving requirements, and whether the FortiAnalyzer unit has the copy
of the file or message associated with the summary log message.

01-4200-0201-20100604 107
Content Archiving Logging and Alerts
Content archiving is enabled through DLP rules. Rules are added to DLP sensor
which are then applied within a protection profile. Content meta-information for
HTTP, HTTPS, FTP, IMAP, POP3, SMTP, and IM traffic can be displayed on the
System Dashboard or the full content archive to a FortiAnalyzer device.
At least one of the threat management functions, such as antivirus scanning, web
filtering, and spam filtering for the relevant protocol should be enabled to use the
full content archiving features for that protocol.
Archiving through Data Leak Prevention is examined in further detail in Lesson 11

- Data Leak Prevention.

108 01-4200-0201-20100604
Logging and Alerts Content Archiving
Viewing Content Archives

All archived logs stored on a FortiAnalyzer unit can be viewed from Log & Archive
> Archive Access in FortiAnalyzer Web Config.
The content archive logs can be viewed in Raw or Formatted view.

01-4200-0201-20100604 109
Alert Email Logging and Alerts
Alert Email
Alert Emails enable the FortiGate unit to send notifications to an email address
upon detection of a message meeting a defined event type or security level.
For example, an alert email can be configured to send notifications for critical
events such as an HA member leaving the cluster.
The FortiGate unit uses the SMTP server name to connect to the mail server.
When configuring alert email, configure at least one DNS server. Up to three
recipients can be specified per mail server and the email body is base64 encoded.

110 01-4200-0201-20100604
Logging and Alerts SNMP
SNMP
Simple Network Management Protocol (SNMP) enables administrators to manage
hardware on a network including servers, workstations, routers, switches, and
other network devices. An SNMP-managed network is made up of three main
components: managed devices, agents, and SNMP managers. Configure the
hardware or FortiGate SNMP agent to report system information and to send
traps (alarms or event messages) to SNMP managers. An SNMP manager is a
computer running an application that can read the incoming traps from the agent
and track the information. Using an SNMP manager, access SNMP traps and
data from any FortiGate interface configured for SNMP management access.
The FortiGate SNMP implementation is read-only. SNMP v1 and v2c compliant
SNMP managers have read-only access to FortiGate system information and can
receive FortiGate traps. To monitor FortiGate system information and receive
FortiGate traps, compile the Fortinet proprietary Management Interface Bases
(MIBs), as well as Fortinet supported standard MIBs (available from the Fortinet
Support site) into an SNMP manager.
SNMP is configured through System > Config > SNMP v1/v2c. Enable the SNMP
agent option and enter information for the Description, Location, and Contact.

01-4200-0201-20100604 111
SNMP Logging and Alerts
SNMP Communities
Add SNMP communities so that SNMP managers can connect to the FortiGate
unit to view system information and receive SNMP traps. SNMP communities can
be configured to have different SNMP queries and traps and they can be
configured to monitor the FortiGate unit for different sets of SNMP events. Up to
eight SNMP managers per community can be added.

112 01-4200-0201-20100604
Logging and Alerts SNMP
SNMP Traps
The FortiGate agent can send traps to SNMP managers added to SNMP
communities. To receive traps, load and compile the Fortinet 3.0 MIB into the
SNMP manager.
All traps include the trap message, as well as the FortiGate unit serial number and
hostname. Available traps include:
• CPU overusage
• Memory low
• Log disk space low
• HA cluster status changed
• HA heartbeat failure
• HA member up
• HA member down
• Interface IP changed
• Virus detected
• Oversize file/email detected
• Fragmented email detected
• IPS Signature
• IPS Anomaly
• VPN tunnel up
• VPN tunnel down
• FortiAnalyzer disconnection

01-4200-0201-20100604 113
SNMP Logging and Alerts
Configuring an Interface for SNMP Access

One or more interfaces must be configured on the FortiGate unit to accept SNMP
connections before a remote SNMP manager will be able to connect to the
FortiGate agent.
Go to System > Network > Interface and edit the applicable interface. Click to
enable SNMP in the Administrative Access section of the web page.

114 01-4200-0201-20100604
Logging and Alerts Reporting
Reporting
Reports provide an easy way to analyze and view the information from logs. A
report is a collection of log information which is then displayed in the report in the
form of text, graphs and tables. An administrator can create reports based on log
information that has been accumulated over a period of time.
Reports are only available logging to a FortiAnalyzer device.
FortiAnalyzer reports provide flexible options, offering a choice to compile a report
layout based on variables (which can be reused) or based on specific information.
Logs are the basis of all FortiAnalyzer reports. Logs must be collected or
uploaded before a report can be generated. Reports cannot be created for
devices that are of an unknown type, such as generic Syslog devices, nor for
devices that are not registered with the FortiAnalyzer unit.
After logs are collected or uploaded, the report can be defined.
Report Layout
In FortiAnalyzer Web Config, go to Report > Config > Report to configure and
define layout of the report.
Reports can be scheduled for compilation, or can be set to be created on demand.

Define when reports are to be created by modifying the the Schedule settings.

01-4200-0201-20100604 115
Reporting Logging and Alerts
Click Add to select components, such as charts or graphics that are to be included
on the report.

116 01-4200-0201-20100604
Logging and Alerts Exploring Web Config Monitoring
Lab 2 Logging and Monitoring

Objectives
In this exercise, system event logging will be configured.
Tasks
In this lab, you will complete the following tasks:
• Exercise 1 Exploring Web Config Monitoring
• Exercise 2 Configuring System Event Logging
• Exercise 3 Exploring the FortiAnalyzer Interface
• Exercise 4 Configuring Email Alerts (Optional)
Timing
Exercise 1 Exploring Web Config Monitoring

1 Log in to Web Config on the FortiGate unit as admin. Go to System >
Dashboard > Status.
2 Locate the System Resources widget. Verify the CPU Usage and Memory
Usage status dials.
3 Hover the mouse pointer over the System Resources title bar and click History.

01-4200-0201-20100604 117
Exploring Web Config Monitoring Logging and Alerts
4 A pop-up window appears showing a trace of past CPU usage, memory usage,
session, network utilization, virus, and intrusion history.
In the System Resource History graph window, the time interval represented
by each horizontal grid square can be selected from the pull-down menu to the
right of Time Interval. The refresh rate of this window is automatically set to
1/20th of the time interval.
Click Close.
5 The Alert Message Console widget displays recent critical system events, such
as system restart and firmware upgrade.
Hover over the Alert Message Console title bar and click the History icon to
view a pop-up window that displays the entire message list.
Click Close.
6 Log and DLP archive statistics are shown in the Log and Archive Statistics
widget. Since there will have been little or no traffic through the FortiGate unit
and no content inspection configured, the DLP Archive and Log statistics will
be uninteresting at this time.

118 01-4200-0201-20100604
Logging and Alerts Exploring Web Config Monitoring
The Reset link in the top-right of the Statistics box will clear the current
statistics counts.
7 There will already be a number of sessions recorded by the FortiGate unit.

Click the Details link on the Top Session widget to display more information
about the sessions or click each graphical bar representing sessions per IP
address.
Test the function of the various icons in this window. There are icons for
display refresh, page forward and back, column display filters, as well as clear
session.
Identify the Web Admin sessions in the Session table display by looking for the
TCP sessions from the PC IP address to the IP address of the internal
interface of the FortiGate unit.
Click Return to re-display the graphical view of the Top Sessions widget.
8 Some widgets are not displayed by default. Add them to the dashboard by
clicking Widgets and selecting from the pop-up window.

01-4200-0201-20100604 119
Configuring System Event Logging Logging and Alerts
Exercise 2 Configuring System Event Logging

1 Go to Log&Report > Log Config > Log Setting. Expand Remote Logging &
Archiving and click to enable FortiAnalyzer.
Apply the following settings:
IP Address 209.87.230.134
Minimum log level Information
Note: Depending on the location of class, the instructor may direct students to a
FortiAnalyzer unit at a different address.
Click Apply.
For initial testing purposes, the log level is set to the lowest and most verbose
level, Information. In actual deployments, the level would more likely be set to
Warning or Notification.
Automatic discovery of a FortiAnalyzer unit with the Fortinet Discovery
Protocol is only applicable when the FortiGate unit and the FortiAnalyzer unit
are on the same broadcast domain (subnet). This would be a rare situation in
an actual network but appropriate for a FortiGate 5000 series chassis when a
FortiAnalyzer blade is used.
2 In Remote Logging & Archiving, click Test Connectivity to register with the
FortiAnalyzer device. A pop-up window displays to indicate a successful
connection and registration process.
The FortiAnalyzer unit being used is configured to automatically accept and
register all new FortiGate device connections. Alternate settings are to register
only (and ignore logging messages) or ignore (manual registration).
In an actual scenario, there would be additional configuration required at the
FortiAnalyzer end to permit the necessary connection for manual device
registration.
Click Close to exit from the FortiAnalyzer Connection Summary window.
3 While still in the Log Settings window, expand Local Logging & Archiving and
confirm that Disk logging is enabled and that the Minimum log level is set to
Information. If using a FortiGate device without a local hard drive, enable
Memory logging instead.
4 On the Log&Report > Log Config > Event Log page, click Enable and select all
events.
Click Apply to save the changes.
The CLI settings for the logging destinations can be displayed with the
following commands:
get log <destination> setting
get log <destination> filter
Substitute <destination> with either fortianalyzer, disk or
memory.
Note: There are different logging capabilities, depending on the destination. The
keywords may also differ.

120 01-4200-0201-20100604
Logging and Alerts Exploring the FortiAnalyzer Interface
5 Test the logging setup with some simulated log messages sent to the logging
destinations using the following CLI command:
diagnose log test
6 Go to Log&Report > Log Access. Select each log type from the Log Access
menu item one at a time. Click Disk from the Log Access pages to view the
entries for the test messages.
Exercise 3 Exploring the FortiAnalyzer Interface

1 Connect to a FortiAnalyzer by typing the following address in a web browser:
https://209.87.230.134
Note: Depending on the location of class, the instructor may direct students to a
FortiAnalyzer unit at a different address.
Accept the self-signed certificate messages if they are displayed.

Log in with the username student and the password fortinet.
After a successful login, the FortiAnalyzer Dashboard displays.
2 In the FortiAnalyzer Web Config, go to Log&Archive > Log Browse > Log
Browse. In the Log Browse window, expand No Group and expand the name
of the student FortiGate device to verify that log messages are being received
by the FortiAnalyzer unit. FortiGate device names are displayed as
HostName(SerialNumber).
3 Expand a category in the list. Click Show Log File Names and the names of
the log files will display. Select one of the log files and click Display ( ) to
show the log entries in the file.
The log message view is pre-formatted to show selected items in columns.
The messages are color-coded according to severity level.
4 Explore the log message display features in the Log Browse window. Click the
Change Display Options link and click Raw to view the logs entries in raw
format.
5 Log out of the FortiAnalyzer device.

01-4200-0201-20100604 121
Configuring Email Alerts (Optional) Logging and Alerts
Exercise 4 Configuring Email Alerts (Optional)

This exercise can only be completed if an online email account is available
to test with.
1 The FortiGate unit will be configured to send alert mail to a test mail account.
In Web Config on the FortiGate unit, go to Log&Report > Log Config > Alert E-
mail and use the following settings to complete the Alert E-mail configuration:
SMTP server Type the name or IP address of an

online email account server.
Email from Type the sender’s email address.
Email to Type the destination email address.
Authentication Enable if the email server requires
authentication and enter the
sender’s email address and account
password.
Interval Time 1 minute
Send alert mail for the following Select Intrusion detected and Virus
detected.
Send alert email for logs based on Enable and select the Alert level
severity from the minimum log level list.
Click Apply to save the settings.

2 Click Test Connectivity. Test messages will be sent to the email account.
3 Open the email client application and confirm that the test messages have
been received.
Alert emails can be sent based on selected event categories or simply on a log
message threshold level. If a threshold level is used, the CLI contains
additional interval hold-off timers for log levels above the selected threshold
level.
Check the following CLI commands for the Alert Email configuration:
show system alertemail
show alertemail setting
Note: If the FortiGate unit collects more than one log message before an interval is
reached, it combines the messages and sends out one alert email.

122 01-4200-0201-20100604
LESSON 3
Firewall Policies
123
www.fortinet.com
Firewall Policies
Lesson 3 Firewall Policies

Firewall policies control all traffic passing through the FortiGate unit. Firewall
policies are instructions that the FortiGate unit uses to decide what to do with a
connection request. When the firewall receives a connection request in the form of
a packet, it analyzes the packet and compares the content to determine if the
information contained conforms to a policy that is in place.
ACCEPT policies accept communication sessions. An accept policy can apply
FortiGate features such as virus scanning and authentication to the
communication session accepted by the policy.
DENY policies deny communication sessions. Firewall policies can also be used
to control connections and traffic between FortiGate interfaces, zones, and VLAN
subinterfaces.
IPSEC and SSLVPN policies apply a tunnel mode IPSec VPN or SSL VPN and
may optionally apply NAT and allow traffic for one or both directions.
For a packet to be connected through the FortiGate unit, the source address,
destination address, and service of the packet must match the firewall policy. The
policy can also direct the firewall to require authentication before the connection is
allowed.
Each policy can be configured to route connections or apply Network Address
Translation (NAT) to translate source and destination IP addresses and ports. IP
pools can be used in conjunction with dynamic NAT when the firewall translates
source addresses.
Traffic logging can be enabled for a firewall policy so the FortiGate unit will log all
connections that use this policy.
Threat management elements such as antivirus, email filtering, intrusion
prevention, web filtering, data leak protection and application control are enabled
in firewall policies to apply protection to traffic passing through the firewall. In
addition, traffic shaping and endpoint control can be enabled in firewall policies as
needed.

01-4200-0201-20100604 125
Policy Matching Firewall Policies
Policy Matching
When the FortiGate unit receives a connection attempt on an interface, it selects a
policy list to search through for a policy that matches the connection attempt. The
FortiGate unit chooses the policy list based on the source and destination
addresses of the connection attempt.
The FortiGate unit starts at the top of the selected policy list and searches down
the list for the first policy that matches the connection attempt source and
destination addresses, service port, and time and date at which the connection
attempt was received. The first policy that matches is applied to the connection
attempt. If no policy matches, the connection is dropped. Arrange policies in the
policy list from more specific to more general. For example, the default policy is a
very general policy because it matches all connection attempts. Exceptions to that
policy are added to the policy list above the default policy. No policy below the
default policy will ever be matched.
General policies are policies that can accept connections from multiple source
and destination addresses or from address ranges. General policies can also
accept connections from multiple service ports or have schedules that mean the
policy can be matched over a wide range of times and dates. Policies that are
exceptions to general policies should be added to the policy list above the general
policies. For example, a general policy may allow all users on the internal network
to access all services on the Internet. To block access to specific services, such
as FTP servers on the Internet, add a policy that denies FTP connections above
the general policy. The deny policy blocks FTP connections. Connection attempts
for all other kinds of services do not match the FTP policy but do match the
general policy. Therefore, the firewall still accepts all connections from the internal
network to the Internet other than FTP connections.
If virtual domains are enabled on the FortiGate unit, firewall policies are
configured separately for each virtual domain.

126 01-4200-0201-20100604
Firewall Policies Policy Matching
Firewall Policy List

The firewall policy list displays firewall policies in their order of matching
precedence for each source and destination interface pair. Policies can be added,
deleted, edited, and re-ordered in the policy list. Firewall policy order affects policy
matching.
Two default policies are included on the FortiGate device, an Allow policy allowing
all traffic, and an implicit Deny policy which blocks all traffic.
Section View
Selecting Section View in Web Config will display firewall polices organized by
Source and Destination interfaces.

01-4200-0201-20100604 127
Global View
Selecting Global View will list all firewall policies in order, according to a sequence
number, and are not grouped by interface. When policies are re-ordered, the
sequence number will change in consequence. The Policy ID value is
independent of the sequence number.
If a firewall policy is created with a source or destination interface of ANY, only the
global view will be available in Web Config.

128 01-4200-0201-20100604
Firewall Policies Policy Matching
Column Settings
Some columns of information may not be displayed by default. Use the Column
Settings options to add or remove table columns from the displayed list. Select the
item to display from the Available fields list and click Æ to move it to the Show
these fields in this order list. Reorder the items in the Show these fields in this
order list by selecting the item and clicking Move Up or Move Down.
For example, if the Count field is added to the column settings, the number of
packets and bytes that match a firewall policy can be displayed.

01-4200-0201-20100604 129
Filtering Columns
Click Filter ( ) to edit the column filters which allow the policy list to be filtered or
sorted according to criteria specified. Filters are useful for reducing the number of
entries that are displayed on the list. Filters can be added for one column or for
multiple columns. Filter configuration is maintained after leaving Web Config, after
logging out of Web Config, or after rebooting the FortiGate unit.
Different filter styles are available depending on the type of information displayed
in individual columns. In all cases, filters are configured by specifying what to filter
on and whether to display information that matches the filter or to select NOT to
display information that does not match the filter.
Reordering Policies
A policy can be moved within the list to influence the order in which policies are
evaluated. When more than one policy has been defined for the same interface
pair, the policy that is first in the list is evaluated first.
The ordering of firewall encryption policies is important to ensure that they take
effect as expected; firewall encryption policies must be evaluated before regular
firewall policies. Moving a policy in the list does not change its policy ID number.
Select a policy and click Move ( ) to change the order of policies in the list.
Alternately, when creating a new policy click Insert ( ) to create the new policy in
the list before the selected policy.
The policy ordering can also be changed using the CLI move command from the
firewall policy table.
For example:
config firewall policy
move X before Y
end

130 01-4200-0201-20100604
Firewall Policies Firewall Policy Elements
Firewall Policy Elements

Multiple elements are included in the creation of a firewall policy. Each element is
configured separately, then combined with others to create the final policy.
Elements used in the creation of a firewall policy include:
• Addresses
• Schedules
• Services
• Action
• Network Address Translation
• Identity-Based Policies
• Threat Management Options
• Traffic Shaping
• Endpoint Network Access Control
• Allowed Traffic Logging
• Virtual IPs
• Load Balancing
Multiple policies can be enabled on the FortiGate device to scan traffic passing
through the interfaces on the device.

01-4200-0201-20100604 131
Firewall Policy Elements Firewall Policies
Click Create New ( ) in the Policy List to create a new firewall policy or select an
existing policy and click Edit ( ) to modify or view the policy.
Alternately, click Insert ( ) to create a new policy in the list before the currently
selected policy.
Note: The Comments field is very useful to complete when working with
firewall policies as important details can be documented about the firewall
policy which may be referred to in the future.

132 01-4200-0201-20100604
Firewall Addresses
Firewall addresses are added to the Source and Destination Address fields of
firewall policies to match the source or destination IP addresses of packets that
are received by the FortiGate unit.
Multiple addresses can be added on the FortiGate device and the appropriate
address can be selected when creating the policy.

01-4200-0201-20100604 133
To view the list of available addresses on the FortiGate unit, go to Firewall >
Address > Address.
To view or modify any individual addresses in the list, select the address from the
list and click Edit ( ) or double-click the entry.
The FortiGate unit comes configured with a default All address which represents
any IP address on the network. This is required in order to reach all addresses on
the Internet.

134 01-4200-0201-20100604
New firewall addresses can be defined by clicking Create New ( ) on the

Address List page, or by selecting [Create New...] from the Source Address and
Destination Address drop-down list on the New Policy page. Complete the
parameters of the firewall address as needed.
Address Name The name assigned to the address will be

used to identify the address on the New
Policy page. Addresses must have unique
names to avoid confusion in firewall
policies
Type Addresses can be identified by Subnet/IP
Range or FQDN.
Subnet/IP Range or FQDN If using Subnet/IP Range enter the
firewall IP address and subnet mask. If
using an IP address range, separate the
addresses at each end of the range by a
hyphen. For example,
192.168.110.100-
192.168.110.120 or
192.168.110.[100-120]. To
represent all addresses on the subnet,
use the * wildcard, for example
192.168.110.* .
If using FQDN enter the fully qualified
domain name, for example,
www.fortinet.com or acme.com.
Interface Select the interface or zone with which
the IP address will be associated.
Alternately, Any can be selected to
associate the IP address with the
interface/zone when the policy is created.

01-4200-0201-20100604 135
Address Groups
Related addresses can be organized into address groups to simplify policy
creation and management. For example, after adding three addresses and
configuring them in an address group, configure a single policy using all three
addresses.
Multiple address groups can be added on the FortiGate device and the
appropriate address group can be selected when creating the policy.
To view the list of available address groups on the FortiGate unit, go to Firewall >
Address > Group.
To view or modify any individual groups in the list, select the group and click Edit
( ) or double-click the entry.

136 01-4200-0201-20100604
New firewall address groups can be defined by clicking Create New ( ) on the
Address Group List page, or by selecting [Multiple...] from the Source Address
and Destination Address drop-down list on the New Policy page. Complete the
parameters of the firewall address group as needed.
Group Name The name assigned to the group will be

used to identify the address group on the
New Policy page.
Available Addresses The list of available firewall addresses is
displayed. Select an address and click
to move the address from the
Available Addresses list to the Members
list.
Members The list of addresses in the group is
displayed. Select an address and click
to remove the address from the
Members list and move it back to the
Available Addresses list.
If an address group is included in a policy, it cannot be deleted unless it is first
removed from the policy.

01-4200-0201-20100604 137
Firewall Schedules
Schedules are used to control when policies are active.
One-Time Schedule
One-time schedules are used to activate a policy for a specified period of time. For
example, a firewall might be configured with a default policy that allows access to
all services on the Internet at all times and a one-time schedule can be added to
block access to the Internet during a holiday period.
Multiple one-time schedules can be added on the FortiGate device and the
appropriate schedule can be selected when creating a policy.

138 01-4200-0201-20100604
To view the list of available one-time schedules on the FortiGate unit, go to

Firewall > Schedule > One-time.
To view or modify any one-time schedules in the list, select the schedule and click

01-4200-0201-20100604 139
New one-time schedules can be defined by clicking Create New ( ) on the One-
time Schedule List page, or by selecting [Create New...] from the Schedule drop-
down list on the New Policy page. Complete the parameters of the one-time
schedule as needed.
Name The name assigned to the one-time schedule

will be used to identify the schedule on the New
Policy page.
Start Select the start date and time for the one-time
schedule.
Stop Select the end date and time for the one-time
schedule.

140 01-4200-0201-20100604
Recurring Schedules
Recurring schedules are used to activate policies at specified times of the day or
on specified days of the week. For example, game play can be prevented during
working hours by creating a recurring schedule.
Multiple recurring schedules can be added on the FortiGate device and the
appropriate schedule can be selected when creating a policy.
To view the list of available recurring schedules on a FortiGate unit, go to Firewall
> Schedule > Recurring.
To view or modify any recurring schedules in the list, select the schedule and click

01-4200-0201-20100604 141
New recurring schedules can be defined by clicking Create New ( ) on the

Recurring Schedule List page, or by selecting [Create New...] from the Schedule
drop-down list on the New Policy page. Complete the parameters of the recurring
schedule as needed.
Name The name assigned to the recurring

schedule will be used to identify the
schedule on the New Policy page.
Day of the Week Select the days affected by the recurring
schedule.
Start Select the daily start time for the
recurring schedule.
Stop Select the daily end time for the recurring
schedule.

142 01-4200-0201-20100604
Schedule Groups
Related schedules can be organized into groups to simplify policy creation and
management. For example, after adding multiple schedules and configuring them
in a schedule group, configure a single policy using all the selected schedules.
Multiple schedule groups can be added on the FortiGate device and the
appropriate group can be selected when creating a policy.
To view the list of available schedule groups on the FortiGate unit, go to Firewall >
Schedule > Group.

01-4200-0201-20100604 143
New schedule groups can be defined by clicking Create New ( ) on the Schedule
Group List page. Complete the parameters of the schedule group as needed.

used to identify the schedule group on
the New Policy page.
Available Schedules The list of available firewall schedules is
displayed. Select a schedule and click
to move the schedule from the
Available Schedules list to the Members
list.
Members The list of schedules in the group is
displayed. Select a schedule and click
to remove the schedule from the
Available Schedules list.
If a schedule group is included in a policy, it cannot be deleted unless it is first

144 01-4200-0201-20100604
Firewall Services
The Service list is used to determine the types of communication accepted or
denied by the firewall. Services control the opening and closing of ports.

01-4200-0201-20100604 145
Predefined Services
Certain services are predefined on the FortiGate unit and can be easily added to a
policy by selecting from the list
To view the list of predefined services, go to Firewall > Service > Predefined.
These services can be added to a policy by selecting them from the Service drop-
down list on the New Policy page, or can be added to service groups.

146 01-4200-0201-20100604
Custom Services
A custom service can be created for any type of communication that is not in the
predefined list.
Multiple custom services can be added on the FortiGate device and the
appropriate service can be selected when creating a policy.
To view the list of available custom services on the FortiGate unit, go to Firewall >
Service > Custom.
To view or modify any custom services in the list, select the service and click Edit

01-4200-0201-20100604 147
New services can be defined by clicking Create New ( ) on the Custom Services
List page, or by selecting [Create New...] from the Service drop-down list on the
New Policy page. Complete the parameters of the custom service as needed.
Name The name assigned to the custom

service will be used to identify the service
on the New Policy page.
Protocol Type Select TCP/UDP/SCTP, ICMP or IP as
the protocol for the service.
• If TCP/UDP/SCTP is selected,
indicate the Source Port and
Destination Port number range.
• If ICMP is selected, indicate the Type
and Code values.
• If IP is selected, indicate the Protocol
Number value.

148 01-4200-0201-20100604
Service Groups
To make it easier to add and manage policies, groups of services can be created
and a single policy can be used to allow or block access for all the services in the
group. A service group can contain predefined services and custom services in
any combination. A service group cannot be added to another service group.
Multiple service groups can be added on the FortiGate device and the appropriate
group can be selected when creating a policy.
To view the list of available service groups on the FortiGate unit, go to Firewall >
Service > Group.

01-4200-0201-20100604 149
New service groups can be defined by clicking Create New ( ) on the Service
Group List page or by selecting [Multiple...] from the Service drop-down list on the
New Policy page. Complete the parameters of the service group as needed.

used to identify the service group on the
New Policy page.
Available Schedules The list of available services is displayed.
Select a service and click to move
the service from the Available Services
list to the Members list.
Members The list of services in the group is
displayed. Select a service and click
to remove the service from the Members
list and move it back to the Available
Services list.
If a service group is included in a policy, it cannot be deleted unless it is first

150 01-4200-0201-20100604
Firewall Actions
The firewall action identifies the response to make when the policy matches a
connection attempt. If the initial packet matches the firewall policy, the FortiGate
unit performs the configured action and any other configured options on all
packets in the session.
Packet handling actions can be Accept, Deny, SSL-VPN or IPSec.
Accept
A policy action of Accept permits communication sessions, and may optionally
include other packet processing instructions, such as requiring authentication to
use the policy, or specifying threat management features such as virus scanning
to be applied to packets in the session.

01-4200-0201-20100604 151
Deny
A policy action of Deny blocks communication sessions, and may optionally log
the denied traffic.

152 01-4200-0201-20100604
SSL VPN
A policy action of SSL-VPN configures an SSL VPN firewall encryption policy to
accept SSL VPN traffic. This action is available only after an SSL VPN user group
has been added.
Policies with an SSL-VPN action can also include settings for NAT and identity-
based policies.
SSL VPN will be covered in further detail in Lesson 6 - SSL VPN.

01-4200-0201-20100604 153
IPSec
A policy action of IPSec applies a firewall encryption policy to process packets in
policy-based IPSec VPNs. Tunnel options must be identified when assigning an
action of IPSec for the policy. In addition, threat management features such as
virus scanning can be specified to be applied to packets in the session as well as
traffic shaping.
IPSec VPN is covered in further detail in Course 301 - Secure Network

Deployment and IPSec VPN.

154 01-4200-0201-20100604
Logging Traffic
Enable Log Allowed Traffic for Accept, SSL-VPN or IPSec policies or Log
Violation Traffic for Deny policies to record messages to the traffic log whenever
the policy processes a connection. Logging will be performed based on the
configuration defined in Log&Report > Log Config > Log Settings.
Additional details regarding logging is provided in Lesson 2 - Logging and Alerts.

01-4200-0201-20100604 155
Network Address Translation

Network Address Translation (NAT) of the source address and port of packets
accepted by the policy can be enabled as part of the firewall policy.
No NAT
If no address translation of the source address is to be performed by the FortiGate
unit for this policy, enable No NAT.

156 01-4200-0201-20100604
Enable NAT
Click Enable NAT when address translation is necessary, In this example, the IP
address of the client on the internal network is translated from 10.10.10.1 to
192.168.2.2.
Dynamic IP Pool
When Enable NAT is selected in the firewall policy and an IP pool has been
defined, the option to enable Dynamic IP Pool becomes available. Enable
Dynamic IP Pool, and select an IP pool to translate the source address to an IP
address randomly selected from addresses in the IP Pool.
An IP pool defines an address or a range of IP addresses, all of which respond to
ARP requests on the interface to which the IP pool is added.
IP pools cannot be used when using zones. An IP pool can only be associated
with an interface.
In this example, the IP address of the client on the internal network is translated
from 10.10.10.1 to an address within the 172.168.12.2 - 172.16.12.12
range.

01-4200-0201-20100604 157
Multiple IP pools can be added on the FortiGate device and the appropriate pool
can be selected when creating a policy.
To view the list of available IP pools on the FortiGate unit, go to Firewall > Virtual
IP > IP Pool.
To view or modify any individual pool in the list, select the pool and click Edit ( )
or double-click the entry.

158 01-4200-0201-20100604
New IP pools can be defined by clicking Create New ( ) on the IP Pool List page
or by selecting [Create...] from the Dynamic IP Pool drop-down list on the New
Policy page. Complete the parameters of the IP pool as needed.
Name The name assigned to the IP Pool will be

used to identify the pool when Dynamic
IP Pool is enabled on the New Policy
page.
IP Range/Subnet Define the IP address range and subnet
for the IP pool.

01-4200-0201-20100604 159
Central NAT Table

Central NAT Table allows the manual creation of NAT rules and NAT mappings.
These rules will allow the administrator to control port translation instead of
allowing the system to assign them randomly. These NAT rules can be used in
firewall policies by selecting the Use Central NAT Table option.
Multiple NAT rules can be added on the FortiGate device.
To view the list of available NAT rules on the FortiGate unit, go to Firewall > Policy
> Central NAT Table.
To view or modify any individual NAT rules in the list, select the table and click

160 01-4200-0201-20100604
New NAT rules can be defined by clicking Create New ( ) on the NAT Table List
page. Complete the parameters of the NAT rule as needed.
Source Address Select the source IP address from the

list, or click [Create New] to define a new
source IP address. A group of source
address can be defined by clicking
Multiple.
Translated Address Select a dynamic IP pool from the list or
click [Create New] to define a new
dynamic IP pool. A group of multiple
translated addressed can be defined by
clicking Multiple.
Original Port Enter the port that the address is coming
from.
Translated Port Enter the translated port number.

01-4200-0201-20100604 161
Fixed Port
When NAT is enabled in the firewall policy, the option to enable Fixed Port
becomes available. Enable Fixed Port to prevent NAT from translating the source
port. Some applications do not function correctly if the source port is translated. In
most cases, if Fixed Port is enabled, Dynamic IP Pool is also enabled.
If Dynamic IP Pool is not enabled, a policy with Fixed Port enabled can only allow
one connection to that service at a time.
In this example, the IP address of the client on the internal network is translated
from 10.10.10.1 to an address within the 172.16.12.2 - 172.16.12.12
range, but the source port of 1025 is not translated.
Fixed port NAT can only be enabled through the CLI.

162 01-4200-0201-20100604
Destination Network Address Translation

Destination Network Address Translation (DNAT) accepts packets from an
external network that are intended for a specific destination IP address, translates
the destination address of the packets to a mapped IP address on another hidden
network, and then forwards the packets through the FortiGate unit to the hidden
destination network.

01-4200-0201-20100604 163
Identity-Based Policies
Identity-based policies can be enabled to configure firewall policies to require
authentication. If identity-based policies are enabled in a firewall policy, network
users must send traffic involving a supported firewall authentication protocol to
trigger the firewall authentication challenge, and successfully authenticate, before
the FortiGate unit will allow any other traffic matching the firewall policy.

164 01-4200-0201-20100604
Authentication rules must be defined to specify the user group details identifying
users who will be forced to authenticate.
Identity-based policies will be examined in further detail in Lesson 6 -

Authentication.
Disclaimers
Enabling Disclaimer and Redirect URL displays the Authentication Disclaimer
page (a replacement message) that the user must accept to connect to the
destination. The disclaimer option is available when Identity-based Policy is
enabled.
If you enter a URL in the Redirect URL field, the user is redirected to that URL
after authenticating and/or accepting the user authentication disclaimer.

01-4200-0201-20100604 165
Threat Management
The threat management capabilities of the FortiGate unit are enabled in the
firewall policy. UTM elements that apply different protection settings are pre-
configured, then selected when the policy is created. The types and levels of
protection for different firewall policies can be customized, for example, traffic
between internal and external addresses can use strict protection, traffic between
trusted internal addresses can use moderate protection.
Threat management attributes available in firewall policies include:
• Protocol Options
• Antivirus
• IPS
• Web Filtering
• Email Filtering
• Data Leak Prevention
• Application Control
• VoIP
Enabling UTM in the New Policy window will allow the selection of the threat
management elements.

166 01-4200-0201-20100604

01-4200-0201-20100604 167
Protocol Options
Protocol options include settings related to proxy operations. A Protocol Options
List can be selected when UTM is enabled in a firewall policy. To enable the
attributes contained in a Protocol Options List within the policy, select the list from
Protocol Options drop-down list, or click [Create New...] to define a new list. Click
Edit ( ) to modify a selected Protocol Options List from the Policy page.

168 01-4200-0201-20100604
Multiple Protocol Options Lists can be added on the FortiGate device and the
appropriate list can be selected when creating a policy.
To view the list of available Protocol Options Lists on the FortiGate unit, go to
Firewall > Policy > Protocol Options.
To view or modify any individual Protocol Options Lists, select the list and click

01-4200-0201-20100604 169
New Protocol Options Lists can be defined by clicking Create New ( ) on the
Protocol Options List page or by selecting [Create New...] from the Protocol
Options drop-down list on the New Policy page. Complete the parameters of the
protocol options as needed.
Name The name assigned to the Protocol

Options list will be used to identify the list
Enable Oversized File File Select to enable logging of oversized
files.
Enable Invalid Certificate Log Select to enable logging of invalid
certificates
Expand each protocol to view the attributes specific to that protocol.

170 01-4200-0201-20100604
HTTP
Expand HTTP to set the attributes affecting HTTP traffic.
Port Identify the port to which the protocol

options will be applied when scanning
HTTP traffic.
Comfort Clients Client comforting helps to prevent client
application timeouts while files are being
buffered for scanning by the FortiGate
unit.
• Interval is the time in seconds before
client comforting starts after the
download has begun. It is also the
time between subsequent intervals.
• Amount is the number of bytes sent at
each interval.
Oversize File/Email Define the action to be taken on any
oversize files or emails being transferred
using HTTP, either Pass or Block.
• Threshold defines the size of the file
or email to trigger the action.

01-4200-0201-20100604 171
Monitor Content Information Select to view the activity of the protocol

for Dashboard from the Dashboard menu.
Enable Chunked Bypass Select to enable the chunked bypass
setting.

172 01-4200-0201-20100604
HTTPS
Expand HTTPS to set the attributes affecting secured HTTP traffic.

HTTPS traffic.
for Dashboard from the Dashboard menu.
Allow Invalid SSL Certicate Enable to allow expired or invalid digital
certificates to be accepted..

01-4200-0201-20100604 173
FTP
Expand FTP to set the attributes affecting FTP traffic.

FTP traffic.
Comfort Clients Client comforting helps to prevent client
application timeouts while files are being
buffered for scanning by the FortiGate.
• Interval is the time in seconds before
client comforting starts after the
download has begun. It is also the
time between subsequent intervals.
• Amount is the number of bytes sent at
each interval
using FTP, either Pass or Block.
for Dashboard from the Dashboard.

174 01-4200-0201-20100604
IMAP
Expand IMAP to set the attributes affecting IMAP traffic.

IMAP traffic.
using IMAP, either Pass or Block.
Allow Fragmented Messages Enable to allow fragmented email
messages.

01-4200-0201-20100604 175
POP3
Expand POP3 to set the attributes affecting POP3 traffic.

POP3 traffic.
using POP3, either Pass or Block.
Monitor Content Information Enable to view the activity of the protocol
messages to be passed.

176 01-4200-0201-20100604
SMTP
Expand SMTP to set the attributes affecting SMTP traffic.

SMTP traffic.
using SMTP, either Pass or Block.
messages to be passed.
Append Email Signatures Enable if a signature is to be appended
by the FortiGate unit to any email
transferred using SMTP.
Email Signature Text This text field becomes available when
the Append Email Signature option is
enabled. Type the text of the email
signature to be appended using SMTP.

01-4200-0201-20100604 177
IM
Expand IM to set the attributes affecting instant messaging traffic.

using IM, either Pass or Block.

178 01-4200-0201-20100604
NNTP
Expand NNTP to set the attributes affecting NNTP traffic.

NNTP traffic.
using NNTP, either Pass or Block.
Threshold defines the size of the file or
email to trigger the action.

01-4200-0201-20100604 179
Antivirus
Click Enable Antivirus to enforce the attributes contained in an antivirus profile
within the policy. Select the antivirus profile from the drop-down list, or click
[Create New...] to define a new profile. Click Edit ( ) to modify a selected
antivirus profile from the Policy page.
Creating an antivirus profile is described in detail in Lesson 8 - Antivirus.

180 01-4200-0201-20100604
IPS Filtering
Click Enable IPS to enforce the rules contained in an IPS sensor within the policy.
Select the IPS sensor from the drop-down list, or click [Create New...] to define a
new IPS sensor. Click Edit ( ) to modify a selected IPS sensor from the Policy
page.
Creating an IPS sensor is described in detail in Course 301 - Secure Network


01-4200-0201-20100604 181
Web Filtering
Click Enable Web Filter to enforce the attributes contained in a web filter profile
within the policy. Select the web filter profile from the drop-down list, or click
[Create New...] to define a new web filter profile. Click Edit ( ) to modify a
selected web filter profile from the Policy page.
Creating a web filter profile is described in detail in Lesson 10 - Web Filtering.

182 01-4200-0201-20100604
Email Filtering
Click Enable Email Filter to enforce the attributes contained in a email filter profile
within the policy. Select the email filter profile from the drop-down list, or click
[Create New...] to define a new email filter profile. Click Edit ( ) to modify a
selected email filter profile from the Policy page.
Creating an email filter profile is described in detail in Lesson 9 - Email Filtering.

01-4200-0201-20100604 183
DLP Filtering
Click Enable DLP Sensor to enforce the rules contained in a DLP sensor within
the policy. Select the DLP sensor from the drop-down list, or click [Create New...]
to define a new DLP sensor. Click Edit ( ) to modify a selected DLP sensor from
the Policy page.
When a DLP sensor is enabled, a Protocol Options list must be selected.

Creating a DLP sensor is described in detail in Lesson 11 - Data Leak Prevention.

184 01-4200-0201-20100604
Application Control
Click Enable Application Control to enforce attributes contained in an application
control list within the policy. Select the application control list from the drop-down
list, or click [Create New...] to define a new application control list. Click Edit ( )
to modify a selected application control list from the Policy page.
Creating an application control list is described in detail in Lesson 12 - Application

Control.

01-4200-0201-20100604 185
VoIP
Click Enable VoIP to enforce attributes contained in an VoIP profile within the
policy. Select the VoIP profile from the drop-down list, or click [Create New...] to
define a new VoIP profile. Click Edit ( ) to modify a selected VoIP profile from
the Policy page.

186 01-4200-0201-20100604
Traffic Shaping
Traffic shaping controls the available bandwidth and the priority of traffic
processed by a policy. Traffic shaping makes it possible to control which policies
have the highest priority when large amounts of data are moving through the
FortiGate device. For example, the policy for the corporate web server might be
given higher priority than the policies for an employee’s computer. Traffic shaping
is available for Accept, IPSEC, and SSL-VPN policies and is also available for all
supported services.
Traffic shaping consists of a mixture of traffic policing to enforce bandwidth limits,
and priority queue adjustment to assist packets in achieving the guaranteed rate.
Traffic shaping does not increase the total amount of bandwidth available but is
used to improve the quality of bandwidth-intensive and sensitive traffic.
Click to enable Traffic Shaping on the policy. Select a traffic shaper from the drop-
down list or click [Create New...] to define a new traffic shaper. Click Edit ( ) to
modify a selected traffic shaper from the Policy page.
If traffic shaping is to be applied to traffic passing in the reverse direction, enable
Reverse Direction Traffic Shaping and select a traffic shaper from the list.

01-4200-0201-20100604 187
Traffic Shapers
Traffic shapers help to ensure that traffic may consume bandwidth at least at the
guaranteed rate by assigning a greater priority queue if the guarantee is not being
met. Also, it ensures that traffic cannot consume bandwidth greater than the
maximum at any given instant in time. Flows greater than the maximum rate are
subject to traffic policing.
After packet acceptance, the FortiGate unit classifies traffic and may apply traffic
policing at additional points during processing. It may also apply additional QoS
techniques, such as prioritization and traffic shaping.
For traffic types originating on or terminating at the FortiGate unit, such as
administrative access to the FortiGate unti through HTTPS or SSH, or IPSec
tunnel negotiations, firewall policies do not apply, and therefore FortiGate units do
not apply traffic shaping. Such traffic also uses the highest priority queue, queue
0. Exceptions to this rule include traffic types that, while technically originated by
the FortiGate unit, are connections related to a session governed by a firewall
policy. For example, if the administrator has enabled scanning by FortiGuard
Antivirus, traffic from the sender technically terminates at the FortiGate proxy that
scans that traffic type; the FortiGate unit initiates a second connection that
transmits scanned content to its destination. Because the second connection’s
traffic is technically originating from the FortiGate proxy and therefore the
FortiGate unit itself, it uses the highest priority queue, queue 0. However, this
connection is logically associated with through traffic, and is therefore subject to
possible bandwidth enforcement and guarantees in its governing firewall policy. In
this way, it behaves partly like other through traffic.
For traffic passing through the FortiGate unit, the method used is determined by
the priority queue and whether traffic shaping is enabled. Packets may or may not
use a priority queue directly or indirectly derived from the Type of Service (ToS)
byte, sometimes used instead with differentiated services, in the packet’s IP
header.
If traffic shaping is not enabled in the firewall policy, the FortiGate unit neither
limits nor guarantees bandwidth, and traffic for that session uses the priority
queue determined directly by matching the ToS byte in its header with the values
configured on the FortiGate unit.
If traffic shaping is enabled in the firewall policy, the FortiGate unit may instead or
also subject packets to traffic policing, or priority queue increase in an effort to
meet bandwidth guarantees configured in the firewall policy.

188 01-4200-0201-20100604
Packet rates specified for Maximum Bandwidth or Guaranteed Bandwidth are:

rate = amount / time
(where rate is expressed in kilobytes per second (KB/s).)
Burst size at any given instant cannot exceed the amount configured in Maximum
Bandwidth. Packets in excess are dropped. Packets deduct from the amount of
bandwidth available to subsequent packets and available bandwidth regenerates
at a fixed rate. As a result, bandwidth available to a given packet may be less than
the configured rate, down to a minimum of 0 KB/s. Rate calculation and behavior
can alternatively be described using the token bucket metaphor, where:
• A traffic flow has an associated bucket, which represents burst size bounds,
and is the size of the configured bandwidth limit.
• The bucket receives tokens, which represent available bandwidth, at the fixed
configured rate.
• As time passes, tokens are added to the bucket, up to the capacity of the
bucket; excess tokens are discarded.
• When a packet arrives, the packet must deduct bandwidth tokens from the
bucket equal to its packet size in order to egress.
• Packets cannot egress if there are insufficient tokens to pay for its egress;
these non-conformant packets are dropped.
Bursts are not redistributed over a longer interval, so bursts are propagated rather
than smoothed, although their peak size is limited.
Maximum burst size is the capacity of the bucket (the configured bandwidth limit);
actual size varies by the current number of tokens in the bucket, which may be
less than bucket capacity, due to deductions from previous packets and the fixed
rate at which tokens accumulate. A depleted bucket refills at the rate of the
configured bandwidth limit. Bursts cannot borrow tokens from other time intervals.
By limiting traffic peaks and token regeneration in this way, the available
bandwidth at a given moment may be less than bucket capacity, but the limit on
the total amount per time interval is ensured. That is, total bandwidth use during
each interval of one second is at most the integral of the configured rate.
Traffic Shaping Considerations

Traffic shaping will by definition attempt to normalize traffic peaks/bursts and can
be configured to prioritize certain flows over others. There is a physical limitation
to the amount of data which can be buffered and for how long. Once these
thresholds have been surpassed, frames and packets will be dropped and
sessions will be affected. Incorrect traffic shaping configurations may actually
further degrade certain network flows since the excessive discarding of packets
can create additional overhead at the upper layers, which may be attempting to
recover from these errors.
A basic traffic shaping example would be to prioritize certain traffic flows at the
detriment of other traffic which can be discarded. Performance and stability is
sacrificed on traffic X to increase or guarantee performance and stability to traffic
Y. If applying bandwidth limitations to certain flows, the fact that these sessions
can be limited and, therefore, negatively impacted must be accepted.

01-4200-0201-20100604 189
Traffic shaping is enforced for traffic which may flow in either direction. A session,
which may be set up by an internal host to an external one through an internal Æ
external policy, will have traffic shaping applied even if the data stream is then
coming from external to internal.
Traffic shaping is effective for normal IP traffic at normal traffic rates. Traffic
shaping is not effective during extremely high-traffic situations where the traffic is
exceeding the FortiGate unit's capacity. Packets must be received by the
FortiGate unit before they are subject to traffic shaping. If the FortiGate unit
cannot process all of the traffic it receives, dropped packets, delays, and latency
are likely to occur.
To ensure that traffic shaping is working at its best, verify that the interface
Ethernet statistics are clean of errors, collisions, or buffer overruns. If these are
not clean, the FortiGate settings may require adjusting.
To make traffic shaping work efficiently, be sure to observe the following rules:
• Enable traffic shaping on all firewall policies. If traffic shaping is not applied to a
policy, the policy is set to high priority by default.
• Distribute firewall policies over all three priority queues (low, medium, and
high).
• Be sure that the sum of all Guaranteed Bandwidth in all firewall policies is
significantly less than the bandwidth capacity of the interface.

190 01-4200-0201-20100604
Shared Traffic Shapers

Shared traffic shapers will apply the Guaranteed and Maximum Bandwidth values
defined between all IP addresses affected by the policy. In effect, the settings are
shared between all IP addresses.
Multiple shared traffic shapers can be added on the FortiGate device and the
appropriate shared traffic shapers can be selected when creating a policy.
To view the list of available shared traffic shapers on the FortiGate unit, go to
Firewall > Traffic Shaper > Shared.
To view or modify any shared traffic shapers in the list, select the traffic shaper
and click Edit ( ) or double-click the entry.

01-4200-0201-20100604 191
New shared traffic shapers can be defined by clicking Create New ( ) on the
Shared Traffic Shaper List page, or by selecting [Create New...] from the Traffic
Shaping drop-down list on the New Policy page. Complete the parameters of the
shared traffic shaper as needed.
Name The name assigned to the shared traffic

shaper will be used to identify the traffic
shaper on the New Policy page.
Apply Shaper Select Per Policy or For All Policies Using
This Shaper.
Maximum Bandwidth Identify the amount of bandwidth
available for selected network traffic (in
Kbytes/sec).
Guaranteed Bandwidth Identify the guaranteed amount of
bandwidth available for selected network
traffic (in Kbytes/sec).
Traffic Priority Select a traffic priority of High, Medium, or
Low. Important and latency-sensitive
traffic should be assigned a high priority.
Less important and less sensitive traffic
should be assigned a low priority. The
FortiGate unit provides bandwidth to low-
priority connections only when bandwidth
is not needed for high-priority
connections.

192 01-4200-0201-20100604
The bandwidth available for traffic controlled by a policy is used for both control
and data sessions and is used for traffic in both directions. For example, if
guaranteed bandwidth is applied to an internal to external FTP policy and a user
on an internal network uses FTP to put and get files, both the put and get
sessions share the bandwidth available to the traffic controlled by the policy.
The guaranteed and maximum bandwidth available for a policy is the total
bandwidth available to all traffic controlled by the policy. If multiple users start
multiple communications sessions using the same policy, all of these
communications sessions must share the available bandwidth for the policy.
Bandwidth availability is not shared between multiple instances of using the same
service if these multiple instances are controlled by different policies. For
example, you can create one FTP policy to limit the amount of bandwidth
available for FTP for one network address and create another FTP policy with a
different bandwidth availability for another network address.

01-4200-0201-20100604 193
Per-IP Traffic Shapers

Per-IP traffic shapers will apply the Guaranteed and Maximum Bandwidth values
defined to all IP address affected by the policy. In effect, every IP address will
receive the total of the bandwidth values indicated.
Per-IP traffic shapers will override shared traffic shapers.
Click to enable Per-IP Traffic Shaping on the policy and select a per-IP traffic
shaper from the list or click [Create New...] to define a new Traffic Shaper. Click
Edit ( ) to modify the selected per-IP traffic shaper on the Policy page.
Multiple per-IP traffic shapers can be added on the FortiGate device and the
appropriate per-IP traffic shapers can be selected when creating a policy.

194 01-4200-0201-20100604
To view the list of available per-IP traffic shapers on the FortiGate unit, go to
Firewall > Traffic Shaper > Per-IP.
To view or modify any per-IP traffic shapers in the list, select the traffic shaper and

01-4200-0201-20100604 195
New per-IP traffic shapers can be defined by clicking Create New ( ) on the per-
IP traffic shaper list page, or by selecting [Create New...] from the Per-IP Traffic
Shaping drop-down list on the New Policy page. Complete the parameters of the
shared traffic shaper as needed.
Name The name assigned to the shared traffic

shaper will be used to identify the traffic
shaper on the New Policy page.
Maximum Bandwidth The amount of bandwidth available for
selected network traffic (in Kbytes/sec) is
limited to this value.
Guaranteed Bandwidth The guaranteed amount of bandwidth
available for selected network traffic (in
Kbytes/sec) is defined by this value.

196 01-4200-0201-20100604
Virtual IPs
Virtual IPs can be used to allow connections through a FortiGate unit using
network address translation firewall policies. Virtual IPs use Proxy ARP so that the
FortiGate unit can respond to ARP requests on a network for a server that is
actually installed on another network. For example, add a virtual IP to an external
FortiGate unit interface so that the external interface can respond to connection
requests for users who are actually connecting to a server on the DMZ or internal
network.
A virtual IP’s external IP address can be a single IP address or an IP address
range, and is bound to a FortiGate unit interface. When you bind the virtual IP’s
external IP address to a FortiGate unit interface, by default, the network interface
responds to ARP requests for the bound IP address or IP address range.
To implement the translation configured in the virtual IP or IP pool, it must be
added to a NAT firewall policy.
A virtual IP can be a single IP address or an IP address range bound to a
FortiGate unit interface. When an IP address or IP address range is bound to a
FortiGate unit interface using a virtual IP, the interface responds to ARP requests
for the bound IP address or IP address range.
When virtual IPs are used, the FortiGate unit receives packets from a client. The
addresses in the packets are remapped and forwarded to the server on the
private network. The client computer’s address does not appear in the packets the
server receives. After the FortiGate unit translates the network addresses, there is
no reference to the client computer’s network. The server has no indication that
another network exists. As far as the server can tell, all the communication is
coming directly from the FortiGate unit.
When the server answers the client computer, the procedure works the same way
but in the other direction. The server sends its response packets and the
FortiGate unit receives them at its internal interface. This time, however, the
firewall session table entry is used to determine what the destination address will
be translated to. The server computer’s address does not appear in the packets
the client receives. After the FortiGate unit translates the network addresses,
there is no reference to the server computer’s network. The client has no
indication that the server’s private network exists.
You add the virtual IP to a NAT firewall policy to actually implement the mapping
configured in the virtual IP. To add a firewall policy that maps addresses on an
external network to an internal network, add an external to internal firewall policy
and add the virtual IP to the destination address field of the policy.
For example, if the computer hosting a web server is located on the internal
network, it might have a private IP address such as 10.10.10.42. To get packets
from the Internet to the web server, there must be an external address for the web
server on the Internet. Add a virtual IP to the firewall that maps the external IP
address of the web server on the Internet to the actual address of the web server
on the internal network. To allow connections from the Internet to the web server,
add an external to internal firewall policy and set the Destination Address to the
virtual IP.
Virtual IPs also translate the source IP address or addresses of return packets
from the source address on the hidden network to be the same as the destination
address of the originating packets.

01-4200-0201-20100604 197
Virtual IP ranges can be of almost any size and can translate addresses to
different subnets. Virtual IP ranges have the following restrictions:
• The mapped IP cannot include 0.0.0.0 or 255.255.255.255.
• The external IP cannot be 0.0.0.0 if the virtual IP type is static NAT and is
mapped to a range of IP addresses. Only load balance virtual IPs and static
NAT virtual IPs mapped to a single IP address support an external IP of
0.0.0.0.
• Port mapping maps a range of external port numbers to a range of internal port
numbers. The number of ports in these two ranges must be equal.
Therefore, the external port must not be set so that its range exceeds 65535.
For example, an internal range of 20 ports mapped from external port 65530 is
invalid as the last port in the range would be 65550.
• When port forwarding, the external IP range cannot include any interface IP
addresses.
• The mapped IP range must not include any interface IP addresses.
• The virtual IP name cannot be the same as any address name or address
group name.
• No duplicate entries or overlapping ranges are permitted.
In addition to binding the IP address or IP address range to the interface, the
virtual IP also contains all of the information required to map the IP address or IP
address range from the interface that receives the packets to the interface
connected to the same network as the actual IP address or IP address range.
Different kinds of virtual IPs can be created, each of which can be used for a
different DNAT variation.

198 01-4200-0201-20100604
Virtual IP Mappings
Multiple virtual IP mappings can be added on the FortiGate device and the
appropriate mapping can be selected when creating a policy.
To view the list of available Virtual IP Mappings on the FortiGate unit, go to
Firewall > Virtual IP > Virtual IP.
To view or modify any virtual IP mappings in the list, select the mapping entry and

01-4200-0201-20100604 199
New virtual IP mappings can be defined by clicking Create New ( ) on the Virtual
IP Mappings list page, or by selecting [Create New...] from the drop-down list on
the New Policy page. Complete the parameters of the virtual IP mapping as
needed.
Name The name assigned to the Virtual IP

Mapping will be used to identify the
mapping on the New Policy page.
External Interface Select the external interface for the
mapping.
Type Static NAT is the only type available for
the Virtual IP Mapping.
External IP Address/Range Enter the IP address or IP address range
to be used for the mapping.
Mapped IP Address/Range Enter the IP address or IP address range
that the external IP address is to be
mapped to.
Port Forwarding Enable if port forwarding is to be
performed.

200 01-4200-0201-20100604
Virtual IP Groups
Multiple virtual IPs can be organized into a group to simplify the firewall policy list.
For example, instead of having five identical policies for five different but related
virtual IPs located on the same network interface, combine the five virtual IPs into
a single virtual IP group, which is used by a single firewall policy.
Firewall policies using VIP groups are matched by comparing both the member
VIP IP address(es) and port number(s).
Multiple virtual IP groups can be added on the FortiGate device and the
appropriate group can be selected when creating a policy.
To view the list of available virtual IP groups on the FortiGate unit, go to Firewall >
Virtual IP > VIP Group.

01-4200-0201-20100604 201
New virtual IP groups can be defined by clicking Create New ( ) on the Virtual IP
Group List page or by selecting [Multiple...] from the Destination Address drop-
down list on the New Policy page. Complete the parameters of the service group
as needed.

used to identify the virtual IP group on
the New Policy page.
Interface Select the interface to which the virtual IP
group will be bound.
Available VIPs The list of available virtual IP groups is
displayed. Select a virtual IP and click
to move it from the Available VIPs list
to the Members list.
Members The list of virtual IPs in the group is
displayed. Select a virtual IP and click
to remove the virtual IP from the
Available VIPs list.

202 01-4200-0201-20100604
Load Balancing
FortiGate load balancing intercepts incoming traffic and shares it across available
servers. By doing so, the FortiGate unit enables multiple servers to respond as if
they were a single device or server, allowing more simultaneous requests to be
handled.
Because the load is distributed across multiple servers, the service being
provided can be highly available. If one of the servers breaks down, the load can
still be handled by the other servers. If the load increases substantially, more
servers can be added behind the FortiGate unit in order to cope with the
increased load.
Virtual servers are configured on the FortiGate unit (load balancer) and bound to a
cluster of real servers. Up to eight real servers can be bound to one virtual server.
The topology of the cluster is transparent to end users, and the users interact with
the system as if it were only a single virtual server. The real servers may be
interconnected by high-speed LAN or by a geographically dispersed WAN. The
FortiGate unit schedules requests to the different servers and makes parallel
services of the cluster to appear as a virtual service on a single IP address.
Internet
User
FortiGate
LAN/WAN
Real Server Real Server
Real Server
Server Load Balancing is a dynamic, one-to-many NAT mapping. In this scenario,

an external IP address is translated to one of the mapped IP addresses, as
determined by the selected load balancing algorithm for more even traffic
distribution. The external IP address is not always translated to the same mapped
IP address. Server load balancing requires that at least one real server be
configured, but up to eight can be used.

01-4200-0201-20100604 203
Load Balancing Methods

Load balancing methods include:
Static
When static load balancing is used, traffic load is spread evenly across all servers,
no additional server is required.
Round Robin
When round robin load balancing is used, requests are redirected to the next
server, and all servers are treated as equals regardless of response time or
number of connections. Dead servers or non responsive servers are avoided. A
separate server is required.
Weighted
When weighted load balancing is used, servers with a higher weight value will
receive a larger percentage of connections. Set the server weight when adding a
server.
First Alive
When first alive load balancing is used, requests are always directed to the first
alive real server.
Least Round Time Trip
When least RTT load balancing is used, requests are always directed to the
server with the least round trip time. The round trip time is determined by a Ping
monitor and is defaulted to 0 if no ping monitors are defined.
Least Session
When least session load balancing is used, requests are always directed to the
server that has the least number of current connections. This method works best
in environments where the servers or other equipment you are load balancing
have similar capabilities.
Persistence
Persistence is the process of ensuring that a user is connected to the same server
every time they make a request within the boundaries of a single session.
Depending on the type of protocol selected for the virtual server, the following
persistence options are available:
None
No persistence option is selected.
HTTP Cookie
When HTTP Cookies is selected, persistence time is equal to the cookie age.
Cookie ages are set in the CLI using config firewall vip.
SSL Session ID
When SSL Session ID is selected, persistence time is equal to the SSL sessions.
SSL session states are set in the CLI using config firewall vip.

204 01-4200-0201-20100604
Virtual Servers
Configure a virtual server’s external IP address and bind it to a FortiGate unit
interface. When the virtual server’s external IP address is bound to an interface on
the FortiGate unit, the network interface responds to ARP requests for the bound
IP address by default.
Multiple virtual servers can be added on the FortiGate device and the appropriate
virtual server can be selected when creating a policy.
To view the list of available virtual servers on the FortiGate unit, go to Firewall >
Load Balance > Virtual Server.
To view or modify any individual virtual servers in the list, select the server and
click Edit ( ).

01-4200-0201-20100604 205
New virtual servers can be defined by clicking Create New ( ) on the Virtual
Server List page. Complete the parameters of the virtual server as needed.
Name The name assigned to the virtual server

will be used to identify it on the New
Policy page.
Type Select the type of server to be created,
either HTTP, TCP, UDP or IP.
Interface Select the interface to which the virtual
server will be bound.
Virtual Server IP Enter the IP address of the virtual server.
Virtual Server Port Enter the port used on the virtual server.
Load Balance Method Select the load balance method to be
used for this virtual server.
Persistence Select the persistence option for this
virtual server.

206 01-4200-0201-20100604
HTTP Multiplexing Enable if HTTP requests and responses

are to be multiplexed over a single TCP
connection.
Health Check The list of available health check

monitors is displayed. Select a health
check monitor and click to move the
monitor from the Available list to the
Selected list.
Click to remove the health check
monitors from the Selected list and move
it back to the Available list.

01-4200-0201-20100604 207
Real Servers
Real servers must be configured and bound to a virtual server.
Multiple real servers can be added on the FortiGate device. To view the list of
available real servers on the FortiGate unit, go to Firewall > Load Balance > Real
Server.
To view or modify any individual real servers in the list, expand the name for the
virtual server, select the real server and click Edit ( ) or double-click the entry.

208 01-4200-0201-20100604
New real servers can be defined by clicking Create New ( ) on the Real Server
List page. Complete the parameters of the real server as needed.
Virtual Server Select the name of the virtual server that

this real server will be bound to.
IP Address Enter the IP address of the real server.
Port Enter the port number of the real server.
Weight Assign a weight value to the real server
Maximum Connections Enter the maximum number of
connections allowed by the real server.
Mode Select the mode, either Active, Standby
or Disabled.

01-4200-0201-20100604 209
Health Check Monitors

To determine a virtual server’s connectivity status, a health check monitor must be
configured to use when polling.
The health check monitors are displayed on the Monitor page.
Multiple health check monitors can be added on the FortiGate device. To view the
list of available monitors on the FortiGate unit, go to Firewall > Load Balance >
Health Check Monitor.
To view or modify any individual health check monitors in the list, expand the type
of monitor, select the health check monitor and click Edit ( ) or double-click the
entry.

210 01-4200-0201-20100604
New health check monitors can be defined by clicking Create New ( ) on the
Health Check Monitors List page. Complete the parameters of the monitor as
needed.
Name Enter a name for the health check

monitor.
Type Select the type of monitor, either TCP,
HTTP, or PING.
Port Enter the port number of the health
check monitor.
Interval A health check occurs every number of
seconds indicated by the interval.
Timeout If a reply is not received within the
timeout period, it will attempt a health
check again.
Retry Enter the number of retry attempts that
should be made.

01-4200-0201-20100604 211
Monitors
The Load Balance Monitor List displays the status of virtual and real servers and
presents an option to start or stop the servers.

212 01-4200-0201-20100604
DoS Policy List

DoS policies are used to apply DoS sensors to network traffic based on the
FortiGate unit interface the traffic is leaving or entering the network on.
DoS policies are examined in detail in Course 301 - Secure Network Deployment
and IPSec VPN.

01-4200-0201-20100604 213
Sniffer Policy List

Sniffer policies can configure a FortiGate unit interface to operate as a one-arm
IPS appliance by sniffing packets for attacks without actually receiving and
otherwise processing the traffic.
One-arm IPS is examined in further detail in Course 301 - Secure Network


214 01-4200-0201-20100604
Firewall Policies Firewall Suggested Practices
Firewall Suggested Practices

Fortinet suggests the following practices related to maintaining the firewall:
General
The settings for a firewall policy should be as specific as possible. Use subnets or
specific IP addresses for source and destination addresses and use individual
services or service groups.
Use a 32-bit subnet mask when creating a single host address, for example,
255.255.255.255.
Use the external IP of 0.0.0.0 when creating a VIP for a FortiGate unit where
the external interface IP address is dynamically assigned.
Traffic shaping bandwidth management is in kilobytes; multiply by eight to
calculate the kilobits.
Policies
Arrange firewall policies in the policy list from more specific to more general. The
firewall searches for a matching policy starting at the top of the policy list. For
example, a very general policy matches all connection attempts. When creating
exceptions to a general policy, add them to the policy list above the general policy.
If all policies are removed from the firewall there are no policy matches and all
connections are dropped.
NAT
For security purposes, NAT mode is preferred because all the internal or DMZ
networks can have secure private addresses. NAT mode policies use network
address translation to hide the addresses in a more secure zone from users in a
less secure zone.
Do not enable source NAT for inbound traffic unless it is required by an
application. If, for example, NAT is enabled for inbound SMTP traffic, the SMTP
server might act as an open relay.
FortiGate units running FortiOS version 3.0 or greater can use Fortinet Discovery
Protocol (FDP), a UDP protocol, to locate a FortiAnalyzer unit. When a FortiGate
administrator selects Automatic Discovery, the FortiGate unit uses HELO packets
to locate FortiAnalyzer units on the network within the same subnet. If FDP has
been enabled for its interface to that subnet, the FortiAnalyzer unit will respond.
Once the FortiGate unit discovers a FortiAnalyzer unit, the FortiGate unit
automatically enables logging to the FortiAnalyzer and begins sending log data.
Depending on its configuration, the FortiAnalyzer unit may then automatically
register the device and save its data, add the device but ignore its data, or ignore
the device entirely.
The Syslog protocol (UDP port 514) is used by default by the FortiGate unit to
transport log messages to the FortiAnalyzer unit. TCP port 514 (OFTP) is used for
the transfer of the content-archive and the remote viewing of log files and reports.
If logging data is traversing a public network, an IPSec tunnel can be used to
secure the communication between the FortiGate and the FortiAnalyzer devices.
The FortiGate unit can send all log message types, as well as quarantine files, to
a FortiAnalyzer unit for storage. Log files stored on a FortiAnalyzer unit can be
uploaded to an FTP server for archival purposes.

01-4200-0201-20100604 215
Firewall Suggested Practices Firewall Policies
FortiGate devices can support up to three FortiAnalyzer devices and/or syslog

servers for logging. This allows load balancing of log traffic in busy network
environments. (Logging to multiple destinations is configured using the CLI.)

216 01-4200-0201-20100604
Firewall Policies Creating Firewall Policy Objects
Lab 3 Firewall Policies

Objectives
In this lab, firewall policy objects will be created and a new policy will be
configured and tested.
Tasks
In this lab, you will complete the following tasks:
• Exercise 1 Creating Firewall Policy Objects
• Exercise 2 Creating Firewall Policies
• Exercise 3 Testing Firewall Policies
• Exercise 4 Configuring Virtual IP Access
• Exercise 5 Debug Flow
Timing
Exercise 1 Creating Firewall Policy Objects

1 In Web Config, go to Firewall > Address > Address. Click Create New and
configure a new address object for the internal subnet IP using the following
settings:
Address Name all-dept

Type Subnet/IP Range
Subnet/IP Range 192.168.1.0/24
Interface Any
Click OK to save.
2 Go to Firewall > Service > Group. Click Create New to configure a new group
with the services shown below.
To select the services for the web group, click or to move them between
the Available Services and Members lists:
Group Name web

Members DNS, HTTP, HTTPS, PING
Click OK to save the change.

01-4200-0201-20100604 217
Creating Firewall Policies Firewall Policies
3 Go to Firewall > Schedule > Recurring. Click Create New to configure a new
recurring schedule using the following parameters:
Name office_hours
Day Monday to Friday
Start Hour: 08
Minute: 00
Stop Hour: 20
Minute: 00
Click OK.
Note: When using schedules, make sure that the system time is at the correct local
setting. From the CLI type the exec time command or go to System > Dashboard >
Status in Web Config and view the System Information widget.
Exercise 2 Creating Firewall Policies

When creating firewall policies, keep in mind that the FortiGate device is a stateful
firewall, therefore, a firewall policy only needs to be created for the direction of the
originating traffic.
1 Go to Firewall > Policy > Policy, expand the internal Æ wan1 interface list.
Select the default policy and click Edit ( ) (or double-click the entry) to view
the factory settings. Click Cancel to return to the Policy List.
2 Disable this unrestricted policy by unchecking the internal Æ wan1 policy in the
Status column.
Note: It is useful to keep the default internal Æ wan1 policy available for testing
purposes since it will allow all traffic types from any address to any address to pass
through the FortiGate device.
3 Create a new firewall policy that will be used to provide general Internet
access.
Go to Firewall > Policy > Policy. Click Create New and configure the following
settings:
Source Interface/Zone internal
Source Address all-dept
Destination Interface/Zone wan1
Destination Address all
Schedule office_hours
Service web
Action ACCEPT
Log Allowed Traffic Enabled
Enable NAT Enabled
Comments General Internet access
Click OK after entering all the parameters.

218 01-4200-0201-20100604
Firewall Policies Creating Firewall Policies
This new all-dept policy will be displayed in the section view of the Policy List
under internal Æ wan1.

01-4200-0201-20100604 219
4 Create a policy for an IP range used by a specific group of users, in this

scenario, the support department.
On the Policy List, click Create New to create the support department Internet
access policy using the following settings:
Source Interface / Zone internal

Source Address Select [Create New...]
Address Name: support-dept
Type: Subnet/IP Range
Subnet/IP Range: 192.168.1.110-
192.168.1.210
Interface: Any
Destination Interface / Zone wan1
Service web
Action ACCEPT
Enable NAT Enabled
Comments Support Internet access
Click OK.
This new support-dept policy will be displayed in the section view of the Policy
List under internal Æ wan1.

220 01-4200-0201-20100604
5 Select the support-dept policy created in step 4 and click Move ( ) to place
this policy above the all-dept general Internet access policy created in step 3.
In the Move Policy window, click Before and type the Policy ID of the general
Internet policy and click OK.
The re-ordered policy list will be displayed.

01-4200-0201-20100604 221
6 Create a policy allowing Internet access during a specific time period using the
settings below:

Source Address support-dept
Schedule Under Recurring, click [Create
New...]
Name: lunch_time
Day: Mon-Fri
Start Hour:11 Minute:45
Stop Hour:13 Minute:15
Service web
Action ACCEPT
Enable NAT Enabled
Comments Support lunch time Internet access
Click OK.
This new support-dept lunch time policy will be displayed in the section view of
the Policy List under internal Æ wan1.

222 01-4200-0201-20100604
7 Use Move to place the support-dept lunch time policy above the support-dept
office hours policy.
The section view of the firewall Policy List should appear as follows:
8 View the CLI configuration for the firewall policies created above:
show firewall policy
View the CLI configuration for a single firewall policy:
show firewall policy <ID>
Obtain the ID number of the policy from the show firewall policy output
used above.
Important Points For Firewall Policy Configuration

• Policies are organized according to the direction of traffic from the originator of
a request to the receiver of the request. Return traffic is automatically allowed
back through due to the stateful nature of the FortiGate device.
• Policies are matched to traffic in the order they appear in the policy list rather
than by ID number.
• Policies should be listed from most exclusive to most inclusive so that the
proper policies are matched. Matching is based on Source, Destination,
Schedule, and Service settings.

01-4200-0201-20100604 223
Testing Firewall Policies Firewall Policies
Exercise 3 Testing Firewall Policies

1 Open a web browser and browse to a valid web site.
2 Go to System > Dashboard > Status. In the Top Sessions pane, click the bar
on the chart for the student IP address to view the session details. (If this
widget is not visible, click Widget > Top Sessions.)
Locate the IP address for the student computer and HTTP port (TCP/80) and
check the policy ID column. Use the column filters to reduce the number of
session entries displayed to TCP only.
Note: Be mindful of testing the firewall policy schedule outside of the specified hours.
3 Check the traffic log at Log&Report > Log Access > Traffic to see evidence of
the FortiGate action, including the ID of the policy being used.
4 Change the action for the policies to Deny and ensure that Log Violation Traffic
is enabled.
5 Visit another web site. Access should be denied.
6 Return to the traffic log at Log&Report > Log Access > Traffic to see evidence
of the traffic violation.
7 Set the policy actions back to Accept.
8 **IMPORTANT** Before proceeding to the next exercise, go to Firewall >
Policy > Policy and re-enable the unrestricted policy by checking the policy in
the Status column of the firewall Policy List.

224 01-4200-0201-20100604
Firewall Policies Configuring Virtual IP Access
Exercise 4 Configuring Virtual IP Access

1 A virtual IP that uses port forwarding will be created to make the Fortinet web
server appear as if it was on the local subnet and not on a non-standard port.
Go to Firewall > Virtual IP > Virtual IP. Click Create New and configure the
virtual IP mapping as shown below.
Use nslookup to verify the address for www.fortinet.com.
Name special-web
External Interface internal
Type Static NAT
External IP Address 192.168.1.209
Mapped IP Address Enter the IP address of
www.fortinet.com
Port Forwarding Enable
Protocol TCP
External Service Port 8088
Map to Port 80

2 To view the VIP settings through the CLI, enter the following command:
show firewall vip
3 Create a new firewall policy to provide a guest PC access to the web server
with the following settings:

Source Address Name all-dept
Destination Address Name special-web
Service ANY
Action ACCEPT
Enable NAT Enabled
Comment Guest PC access to web server
Note: The Service setting for this policy is ANY. Due to the VIP port mapping, only the
configured ports will be allowed so it is unnecessary to further restrict traffic with the
Service setting.
Click OK.

01-4200-0201-20100604 225
Debug Flow Firewall Policies
4 Position this all-dept policy at the top of the internal Æ wan1 list as it has a
narrower scope compared to the other policies.
Note: This guest PC would need to be further secured by limiting the user
access to only the web browser and removing administrative access and the
ability to run other programs. These additional measures are operating-system
dependent.
5 In a new web browser window, access the following URL:

http://192.168.1.209:8088
If the special-web virtual IP operation is successful, the Fortinet web page
displays.
6 Try to access the following URL using the regular HTTP port of 80:
http://192.168.1.209
There should be no response.
7 To view the source and destination NAT mappings, enter the following CLI
command:
get system session list
Exercise 5 Debug Flow

1 From the CLI, type the following command to clear the session table:
diag sys session clear
If connecting to the CLI using SSH or Telnet, a log in will be required.

226 01-4200-0201-20100604
Firewall Policies Debug Flow
2 Type the CLI commands shown below to configure the debug flow to trace the
route selection and session establishment for an HTTP connection to
www.fortinet.com.
Use nslookup to confirm the address for www.fortinet.com.
Enter the following commands:
diag debug enable
diag debug flow filter addr <IP address of
www.fortinet.com>
diag debug flow show console enable
diag debug flow show function-name enable
diag debug flow trace start 100
3 From a web browser connect to the following URL and observe the debug flow
trace.
http://www.fortinet.com
Depending on the FortiGate model being used, the output displayed may vary
slightly.
SYN packet received:
id=36870 trace_id=1 func=resolve_ip_tuple_fast line=3395
msg="vd-root received a packet(proto=6,
192.168.1.110:1849->208.70.202.225:80) from internal."
SYN sent and a new session is allocated:
id=36870 trace_id=1 func=resolve_ip_tuple line=3522
msg="allocate a new session-00000483"
Lookup for next-hop gateway address:
id=36870 trace_id=1 func=vf_ip4_route_input line=1595
msg="find a route: gw-192.168.3.254 via wan1"
Source NAT, lookup next available port:
id=36870 trace_id=1 func=get_new_addr line=1615 msg="find
SNAT: IP-192.168.3.10, port-44977"
Matched firewall policy. Check to see which policy this session matches:
id=36870 trace_id=1 func=fw_forward_handler line=463
msg="Allowed by Policy-1: SNAT"
Apply source NAT:
id=36870 trace_id=1 func=__ip_session_run_tuple line=1840
msg="SNAT 192.168.1.110->192.168.3.10:44977"
SYN ACK received:
208.70.202.225:80->192.168.3.10:44977) from wan1."

01-4200-0201-20100604 227
Found existing session ID. Identified as the reply direction:

msg="Find an existing session, id-00000483, reply
direction"
Apply destination NAT to inverse source NAT action:
id=36870 trace_id=2 func=__ip_session_run_tuple line=1854
msg="DNAT 192.168.3.10:44977->192.168.1.110:1849"
Lookup for next-hop gateway address for reply traffic:
id=36870 trace_id=2 func=vf_ip4_route_input line=1595
msg="find a route: gw-192.168.1.110 via internal"
ACK received:
192.168.1.110:1849->208.70.202.225:80) from internal."
Match existing session in the original direction:
msg="Find an existing session, id-00000483, original
direction"
Apply source NAT:
id=36870 trace_id=3 func=ip_session_run_all_tuple
line=4378 msg="SNAT 192.168.1.110->192.168.3.10:44977"
Receive data from client:
192.168.1.110:1849->208.70.202.225:80) from internal."
Match existing session in the original direction:
msg="Find an existing session, id-00000483, original
direction"
Apply source NAT:
line=4378 msg="SNAT 192.168.1.110->192.168.3.10:44977"
Receive data from server:
msg="vd-root received a packet(proto=6, 208.70.202.225:80-
>192.168.3.10:44977) from wan1."
Match existing session in reply direction:
msg="Find an existing s ession, id-00000483, reply
direction"

228 01-4200-0201-20100604
Firewall Policies Debug Flow
Apply destination NAT to inverse source NAT action:

line=4390 msg="DNAT 192.168.3.10:44977-
>192.168.1.110:1849"
4 Enter the following command to disable the debug flow trace:
diag debug flow trace stop
5 Disable the special-web policy.

01-4200-0201-20100604 229

230 01-4200-0201-20100604
LESSON 4
Authentication
231
www.fortinet.com
Authentication
Lesson 4 Authentication
The computer network should only be used by those who are authorized to do so,
therefore there must be a measure in place to detect and exclude any
unauthorized access. On a FortiGate unit, access to network resources can be
controlled by defining lists of authorized users, called user groups. To use a
particular resource, the user must belong to one of the user groups that is allowed
access and correctly provide credentials to prove his or her identity if asked to do
so.
The FortiGate unit can be configured to prompt for credentials during the following
operations:
• When a user attempts to access a resource through an interface with a firewall
policy with the Action set to ACCEPT.
• When a user attempts remote access to a private network using an SSL VPN
connection.
• When a remote user attempts remote access to a private network through an
IPSec VPN dialup group.
• When an administrator attempts to log into the Web Config or CLI interface.
When user authentication is enabled, the user is presented with a request for
authentication when trying to access the protected resource. The way in which the
request is presented to the user depends on the method of access to that
resource.

01-4200-0201-20100604 233
Authentication Methods Authentication
Authentication Methods
Depending on the service requiring authentication, different mechanisms can be
configured to prompt the user for credentials.
Local Users
A local user is a user configured on a FortiGate unit. The FortiGate unit stores the
user names and passwords of the users and uses them to authenticate users.
Remote Users
In an enterprise environment, it might be more convenient to use the same system
that provides authentication for local area network access, email, and other
services. Users who access the corporate network from home or while traveling
could use the same user name and password that they use at the office.
If using authentication servers, the servers must be configured before configuring
FortiGate users or user groups that require them.
The FortiGate unit can be configured to work with external authentication servers
in two different ways:
• Add the authentication server to a user group.
Anyone in the server’s database is a member of the user group. This is a
simple way to provide access to the corporate VPN for all employees, for
example. Individual users do not need to be configured on the FortiGate unit.
• Specify the authentication server instead of a password.
The user name must exist on both the FortiGate unit and authentication server.
User names that exist only on the authentication server cannot authenticate on
the FortiGate unit. This method enables access only to selected employees,
for example.
These two uses of an authentication server cannot be combined in the same user
group. If adding the server to the user group, adding individual users with
authentication to that server is redundant. To use external authentication servers,
configure them before configuring users and user groups.
RADIUS
Remote Authentication and Dial-in User Service (RADIUS) servers provide
authentication, authorization, and accounting functions.
Using RADIUS authentication, the FortiGate unit forwards the user’s credentials to
the RADIUS server for authentication. If the RADIUS server can authenticate the
user, the user is successfully authenticated with the FortiGate unit. If the RADIUS
server cannot authenticate the user, the connection is refused by the FortiGate
unit.

234 01-4200-0201-20100604
Authentication Authentication Methods
LDAP
Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to
maintain databases of user names, passwords, email addresses, and other
information. If a user is required to authenticate using an LDAP server, the
FortiGate unit contacts the LDAP server for authentication.
To authenticate with the FortiGate unit, the user enters a user name and
password. The FortiGate unit sends this user name and password to the LDAP
server. If the LDAP server can authenticate the user, the user is successfully
authenticated with the FortiGate unit. If the LDAP server cannot authenticate the
user, the connection is refused by the FortiGate unit.
FortiGate LDAP supports all LDAP servers compliant with LDAP v3. In addition,
FortiGate LDAP supports LDAP over SSL/TLS. FortiGate LDAP support does not
extend to proprietary functionality, such as notification of password expiration, that
is available from some LDAP servers. FortiGate LDAP support does not supply
information to the user about why authentication failed.
Public-Key Infrastructure
Public Key Infrastructure (PKI) authentication utilizes digital certificates for
authentication; no username or password are necessary. For certificate
authentication, customized certificates will be installed on the FortiGate unit and
the end users can also have customized certificates installed on their browsers.
Directory Services
A Directory stores information about network objects, such as users, systems and
services. On networks that use Windows Active Directory (AD) or Novell
eDirectory servers for authentication, FortiGate units can transparently
authenticate users without asking them for their user name and password. The
Fortinet Server Authentication Extensions (FSAE) must be installed on the
network and the FortiGate unit configured to retrieve information from the
supported Directory.
TACACS+
Terminal Access Controller Access-Control System (TACACS+) is a remote
authentication protocol used to communicate with an authentication server.
TACACS+ allows a client to accept a username and password and send a query
to a TACACS+ authentication server. The server host determines whether to
accept or deny the request and sends a response back that allows or denies
network access to the user. The default port for a TACACS+ server is 49.

01-4200-0201-20100604 235
Authenticated Operations Authentication
Authenticated Operations
Firewall Authentication
When a firewall policy is created, the option to require authentication can be
enabled. When authentication is enabled in a firewall policy, network users must
respond to a firewall authentication challenge, and successfully authenticate,
before the FortiGate unit will allow any other traffic matching the firewall policy.
This option requires that the firewall Action setting be ACCEPT or SSL-VPN and
that an identity-based policy be configured for the allowed group.
Protocol Support
When authentication is enabled for a firewall policy, the authentication challenge
is issued for any of the four protocols (depending on the connection protocol):
• HTTP (can also be set to redirect to HTTPS)
• HTTPS
• FTP
• Telnet
The selections made in the Protocol Support list of the Authentication Settings
window control which protocols support the authentication challenge.
Depending on which of these supported protocols are included in the selected

firewall services group and which of those enabled protocols the network user
uses to trigger the authentication challenge, the authentication style will be either
certificate-based or user name and password-based. The administrator can
restrict which of these supported authentication protocols may be used to
authenticate by including only one of them in the firewall service selected in the
authentication rules of the identity-based policy.

236 01-4200-0201-20100604
Authentication Authenticated Operations
For example, if HTTPS certificate-based authentication is required before allowing

SMTP and POP3 traffic, an authentication rule that includes SMTP, POP3 and
HTTPS services must be selected in the firewall policy. Prior to using either POP3
or SMTP, the network user would send traffic using the HTTPS service, which the
FortiGate unit would use to verify the network user’s certificate; upon successful
certificate-based authentication, the network user would then be able to access
his or her email.
For user ID and password authentication, users must provide their user names
and passwords. For certificate authentication (HTTPS or HTTP redirected to
HTTPS only), customized certificates must be installed on the FortiGate unit and
the users can also have customized certificates installed on their browsers.
Otherwise, users will see a warning message and have to accept a default
FortiGate certificate.
In most cases, it is important to ensure that users can use DNS through the
FortiGate unit without authentication. If DNS is not available, users will not be able
to use a domain name when using a supported authentication protocol to trigger
the FortiGate unit’s authentication challenge.
The style of the authentication method varies by the authentication protocol. If
HTTP, FTP or Telnet is selected, user name and password-based authentication
occurs; the FortiGate unit prompts network users to input their firewall user name
and password. If HTTPS is selected, certificate-based authentication (HTTPS or
HTTP redirected to HTTPS only) occurs: customized certificates must be installed
on the FortiGate unit and on the browsers of network users, which the FortiGate
unit matches.
Firewall Authentication on Non-Standard Ports

By default, when a communication session is accepted by an identify-based
firewall policy the user must authenticate with the firewall before being able to
communicate through the FortiGate unit. By default, users can only authenticate
with a communication session that uses the standard FTP, HTTP, HTTPS, or
Telnet TCP ports (21, 80, 443, and 23 respectively).
The following commands are used if firewall users need to authenticate with the
FortiGate unit and if non-standard ports for FTP, HTTP, HTTPS, or Telnet
sessions are being used:
config user setting
config auth-ports
edit <auth_port_table_id_int>
set port <port_integer>
set type { ftp | http | https | telnet }
end
end
end
Where <auth_port_table_id_int> is any integer and <port_integer> is
the non-standard TCP authentication port number.

01-4200-0201-20100604 237
For each protocol, adding non-standard authentication ports does not change the
standard authentication port; use this command to add additional nonstandard
authentication ports. The standard authentication port is still valid and cannot be
changed.
If the FortiGate unit is operating with virtual domains enabled, each VDOM has a
different non-standard authentication port configuration.
This example illustrates firewall authentication on a non-standard port of 8080.
diagnose sys session list
Sample output:
session info: proto=6 proto_state=05 expire=107 timeout=3600
flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
ha_id=0 hakey=46703
policy_dir=0 tunnel=/
user=test group=Firewall_User state=may_dirty authed rem
statistic(bytes/packets/allow_err): org=30202/629/1
reply=1727262/1201/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=6->3/3->6
gwy=192.168.182.88/10.177.0.23
hook=post dir=org act=snat 10.177.0.23:3597-
>192.168.182.88:8080(192.168.182.108:42639)
hook=pre dir=reply act=dnat 192.168.182.88:8080-
>192.168.182.108:42639(10.177.0.23:3597)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 auth_info=1 chk_client_info=0 vd=0
serial=00156a95 tos=ff/ff app=0
dd_type=0 dd_rule_id=0

238 01-4200-0201-20100604
SSL VPN Authentication

Remote users must be authenticated before they can request services and/or
access network resources through an SSL VPN web portal. The authentication
process relies on FortiGate user group definitions, which can optionally use
established authentication mechanisms such as RADIUS, LDAP and TACACS+
to authenticate remote clients.
If password protection will be provided through a RADIUS, LDAP and TACACS+
server, the FortiGate unit must be configured to forward authentication requests to
the appropriate server. In the case of certificate authentication, the required
certificates must be installed.
When a remote client connects to the FortiGate unit, the FortiGate unit
authenticates the user based on user name, password, and authentication
domain. A successful login determines the access rights of remote users
according to user group. The user group settings specify whether the connection
will operate in web-only mode or tunnel mode.
Strong authentication can be used to verify the identities of SSL VPN user group
members. The accounts for individual users and user groups containing those
users have to be created prior to configuring strong authentication, and a firewall
encryption policy has to be created to permit access by that user group.

01-4200-0201-20100604 239
IPSec Authentication
The FortiClient application can establish an IPSec tunnel with a FortiGate unit
configured to act as a dialup server. When the FortiGate unit acts as a dialup
server, it does not identify the client using the phase 1 remote gateway address.
The IPSec tunnel is established if authentication is successful and the IPSec
firewall policy associated with the tunnel permits access.
The options for authentication of an IPSec connection include:
• Permit access only for remote peers or clients who use certificates that are
recognized.
This is available only if the FortiGate unit authenticates using certificates.
When a VPN peer or dialup client is configured to authenticate using digital
certificates, it sends the DN of its certificate to the FortiGate unit. This DN can
be used to allow VPN access for the certificate holder. That is, a FortiGate unit
can be configured to deny connections to all remote peers and dialup clients
except the one having the specified DN.
• Permit access only for remote peers or clients that have certain peer identifier
(local ID) value configured.
This is available with both certificate and preshared key authentication.
Whether certificates or pre-shared keys are used to authenticate the FortiGate
unit, remote peers or clients can be required to have a particular peer ID. This
adds another piece of information that is required to gain access to the VPN.
More than one FortiGate/FortiClient dialup client may connect through the
same VPN tunnel when the dialup clients share a preshared key and assume
the same identifier. A peer ID is not required for a remote peer or client that
uses a pre-shared key and has a static IP address.
• Permit access to remote peers or dialup clients who each have a unique
preshared key.
Each peer or client must have a user account on the FortiGate unit. Access
can be permitted only to remote peers or dialup clients that have pre-shared
keys and/or peer IDs configured in user accounts on the FortiGate unit. If two
VPN peers (or a FortiGate unit and a dialup client) are required to accept
reciprocal connections based on peer IDs, enable the exchange of their
identifiers when defining the phase 1 parameters.
• Permit access to remote peers or dialup clients who each have a unique peer
ID and a unique preshared key.
Each peer or client must have a user account on the FortiGate unit. The client
must have an account on the FortiGate unit and be a member of the dialup
user group. The FortiGate dialup server compares the local ID specified at
each dialup client to the FortiGate user-account user name. The dialup-client
preshared key is compared to a FortiGate user-account password.
Extended Authentication
Extended Authentication (XAuth) increases security by requiring authentication of
the user of the remote dialup client in a separate exchange at the end of phase 1.
XAuth draws on existing FortiGate user group definitions and uses established
authentication mechanisms such as PAP, CHAP, RADIUS and LDAP to
authenticate dialup clients. A FortiGate unit can be configured to function either as
an XAuth server or an XAuth client.

240 01-4200-0201-20100604
A FortiGate unit can act as an XAuth server for dialup clients. When the phase 1
negotiation completes, the FortiGate unit challenges the user for a user name and
password. It then forwards the user’s credentials to an external RADIUS or LDAP
server for verification.
If the FortiGate unit acts as a dialup client, the remote peer, acting as an XAuth
server, might require a user name and password. The FortiGate unit can be
configured as an XAuth client, with its own user name and password, which it
provided when challenged.

01-4200-0201-20100604 241
Administrator Authentication
Administrators can be authenticated using a password stored on the FortiGate
unit, a RADIUS, LDAP, or TACACS+ server, or digital certificates. The RADIUS
server authenticates users and authorizes access to internal network resources
based on the access profile of the user. To authenticate an administrator with an
LDAP or TACACS+ server, the server must be created, included in a user group,
and associated with the administrator with the user group. Users authenticated
with the PKI-based certificate are permitted access to internal network resources
based on the user group they belong to and the associated access profile.
Trusted Hosts
Setting trusted hosts for administrators increases the security of the network by
further restricting administrative access. In addition to knowing the password, an
administrator must connect only through the subnet or subnets specified. The
administrator can even restrict access to a single IP address if defined with only
one trusted host IP address with a netmask of 255.255.255.255.
When trusted hosts are set for all administrators, the FortiGate unit does not
respond to administrative access attempts from any other hosts. This provides the
highest security. If even one administrator is left unrestricted, the unit accepts
administrative access attempts on any interface that has administrative access
enabled, potentially exposing the unit to attempts to gain unauthorized access.
The trusted hosts defined apply both to the web-based manager and to the CLI
when accessed through telnet or SSH. CLI access through the console connector
is not affected. The trusted host addresses all default to 0.0.0.0/0. If one of the
trusted host addresses is set to a non-zero address, the other 0.0.0.0/0 will be
ignored. The only way to use a wildcard entry is to leave the trusted hosts at
0.0.0.0/0. However, this configuration is less secure.

242 01-4200-0201-20100604
Authentication Users
Users
A user is an identity configured on the FortiGate unit or on an external
authentication server. Users can access resources that require authentication
only if they are members of an allowed user group.
An identity can be:
• A local user account with a user name and password stored on the FortiGate
unit
• A local user account with a password stored on an external RADIUS, LDAP, or
TACACS+ server
• A user account with a digital certificate stored on the FortiGate unit
• A RADIUS, LDAP, or TACACS+ server. All user identities stored on the server
will be able to authenticate.
• A user group defined on a Microsoft Active Directory or Novell eDirectory
server
To view the list of users available on the FortiGate unit, go to User > Local >
Local.
To view or modify any individual users in the User List, select them and click Edit

01-4200-0201-20100604 243
Users Authentication
New users can be added by clicking Create New on the User List page. Complete
the parameters of the user as needed.
User Name Assign a name to the user.

Click Disable to preserve the user entry
in the list but prevent them from
authenticating.
Password Enable if the user is to authenticate using
a password stored on the FortiGate unit.
Type the password that will used for user
authentication.
Match user on LDAP server Enable if the user is to authenticate using
a password stored on a remote LDAP
server. When enabled, select the pre-
configured LDAP server from the list.
Match user on RADIUS server Enable if the user is to authenticate using
a password stored on a remote RADIUS
server. When enabled, select the pre-
configured RADIUS server from the list.
Match user on TACACS+ server Enable if the user is to authenticate using
a password stored on a remote
TACACS+ server. When enabled, select
the pre-configured TACACS+ server
from the list.
Note: LDAP, RADIUS and TACASC+ servers can be configured by going to User >
Remote and providing the information required for identifying the server.
In most cases, the FortiGate unit authenticates users by requesting their user
name and password. The FortiGate unit checks local user accounts first. If a
match is not found, the FortiGate unit checks the RADIUS, LDAP and TACACS+
servers that belong to the user group. Authentication succeeds when a matching
user name and password are found.

244 01-4200-0201-20100604
Authentication User Groups
User Groups
User groups have users or authentication servers as members. Firewall policies
and SSL VPNs allow access to user groups, not to individual users. An
administrator will need to determine the number and membership of user groups
appropriate to the authentication requirements of the organization.
The FortiGate unit will check user authentication based on top-to-bottom scan of
user groups listed in identify-based policies. Authentication succeeds when a
matching user name and password are found.
User groups are assigned one of two types:
• Firewall
• Directory Service
To view the list of available user groups on the FortiGate unit, go to User > User
Group > User Group.
Expand each user group type in the list to view the member groups.

01-4200-0201-20100604 245
User Groups Authentication
Firewall User Group

A firewall user group provides access to a firewall policy that requires
authentication and lists the user group as one of the allowed groups. The
FortiGate unit requests the group member’s user name and password when the
user attempts to access the resource that the policy protects.
A firewall user group can also provide access to an IPSec VPN for dialup users. In
this case, the IPSec VPN phase 1 configuration uses the Accept peer ID in dialup
group peer option. The user’s VPN client is configured with the user name as peer
ID and the password as pre-shared key. The user can connect successfully to the
IPSec VPN only if the user name is a member of the allowed user group and the
password matches the one stored on the FortiGate unit.
Expand Firewall in the User Group List to view the member groups.
To view or modify any individual firewall user groups in the list, select them and

246 01-4200-0201-20100604
New firewall user groups can be added by clicking Create New on the list page.
Complete the parameters of the firewall user group as needed.
User Name Assign a name to the firewall user group.

The name will be used to identify the
firewall user group when the
Authentication Rule is created.
Type Click to enable Firewall.
Allow SSL-VPN Access Enable to allow members of the Firewall
group to access an SSL VPN.
When enabled, select the level of
access, either full-access, tunnel-access
or web-access.
Available Users/Groups The list of available users and user
groups is displayed. Select a user or
group and click to move them from
the Available Users/Groups list to the
Members list.
Members The list of members in the group is
displayed. Select a user or user group
and click to remove them from the
Members list and move them back to the
Available Services list.

01-4200-0201-20100604 247
User Groups Authentication
Directory Service User Group

Select this type of group to require Directory Service authentication. The FortiGate
unit can be configured to allow access to members of Directory Service user
groups who have been authenticated on the network. The Fortinet Server
Authentication Extensions (FSAE) must be installed on the network domain
controllers to enable Directory Service authentication.
For a Directory Service user group, the Directory Service server authenticates
users when they log on to the network. The FortiGate unit receives the user’s
name and IP address from the FSAE collector agent.
A Directory Service user group provides access to an identity-based policy that
requires Directory Service type authentication and lists the user group as one of
the allowed groups. The members of the user group are Directory Service users
or groups that are selected from a list that the FortiGate unit receives from the
configured Directory Service server User Group List to view the member groups.
To view or modify any individual Directory Service user groups in the list, select
them and click Edit ( ) or double-click the entry.

248 01-4200-0201-20100604
New Directory Service user groups can be added by clicking Create New on the
list page. Complete the parameters of the Directory Service user group as
needed.
User Name Assign a name to the Directory Service

user group.
The name will be used to identify the
Directory Service user group when the
Authentication Rule is created.
Type Click to enable Directory Service.
Available Users/Groups The list of available users and user group
is displayed. Select a user or group and
click to move them from the Available
Users/Groups list to the Members list.

01-4200-0201-20100604 249
Identity-Based Policies Authentication
Identity-Based Policies
Identity-based policies enforce authentication options for firewall policies with an
Action set to ACCEPT or SSL-VPN.
Identity-based policies are optional for ACCEPT policies, but will be enforced in
SSL-VPN policies.

250 01-4200-0201-20100604
Authentication Identity-Based Policies
Authentication Rules
Authentication Rules define aspects of the authentication being enforced,
including the user groups affected by the policy, services to which the policy will
apply as well as the schedule, threat management, traffic shaping and logging
options.
When identity-based policies are enabled, threat management elements are
defined in the authentication rules.
An Implicit_Deny authentication rule is added by default to the list of rules.
In the Policy window with Identity-Based Policy enabled, click Add to define the
Authentication Rules.

01-4200-0201-20100604 251
Identity-Based Policies Authentication
Including User Groups

Any identity-based policies must reference the groups to require authentication,
such as:
• Firewall user groups defined locally on the FortiGate unit as well as on any
connected LDAP, RADIUS or TACACS+ servers. This option is enabled by
default.
• Any Directory Service groups authenticating using Fortinet Server
Authentication Extensions (FSAE)
• Any Directory Service groups authenticating using NTLM

252 01-4200-0201-20100604
Authentication Monitoring Firewall Authentication
Monitoring Firewall Authentication

A list of users currently authenticated using firewall authentication can be viewed
through the User Monitor. For each authenticated user the list includes:
• The authenticated user’s name
• The user group of the authenticated user
• How long the user has been authenticated
• How long until the user’s session times out
• The authenticated user’s source IP address
• The amount of traffic through the FortiGate unit caused by the user (traffic
volume)
An administrator can sort and filter the information on the authentication monitor
according to any of the columns in the monitor.
Go to User > Monitor > Firewall to display the list of users authenticated by the
FortiGate unit. From the list, all currently authenticated users can be de-
authenticated, or select single users to de-authenticate. To permanently stop a
user from re-authenticating, disable the user account (in User > Local > Local)
and then use the monitor list to immediately end the user’s current session.

01-4200-0201-20100604 253
Creating an Identity-Based Firewall Policy Authentication
Lab 4 Authentication
Objectives
In this lab, a new policy to implement user authorization will be added for after-
hours Internet web access. User disclaimer messages will also be added to the
Internet-bound policies and sessions will be redirected to a specified URL.
Tasks
• Exercise 1 Creating an Identity-Based Firewall Policy
• Exercise 2 Testing the Firewall Policy For Web Traffic
• Exercise 3 Adding User Disclaimers and Redirecting URLs
Timing
Exercise 1 Creating an Identity-Based Firewall Policy

1 In Web Config, go to User > User > User. Click Create New and enter a user
name and password.
Click OK.
2 Go to User > User Group > User Group. Click Create New and create a group
that includes the authorized user with the following settings:
Name auth-user
Type Firewall
Members Select the user created in step 1
from the Available Users Group list
and use the right arrow to move it to
the Members list.

254 01-4200-0201-20100604
Authentication Creating an Identity-Based Firewall Policy
3 Go to Firewall > Policy > Policy and configure a new policy with the following
settings:

Source Address Name all-dept
Destination Address Name all
Schedule always
Service web
Action ACCEPT
Enable NAT Enabled
Enable Identity Based Policy Enabled
Click Add to create an
Authentication Rule.
Move auth-user to the Selected
User Groups List.
Move ANY to the Selected Services
List.
Comment After-hours Internet web access
Click OK.
4 Move this new all-dept policy to the top of the internal Æ wan1 policy list.
5 Enable Authentication Keep-alive for the web traffic firewall policies using the
CLI commands below.
config system global
set auth-keepalive enable
end
Note: Authentication keepalive extends the time of the session when traffic is
present. In this mode it acts as an idle timer rather than a hard timeout.

01-4200-0201-20100604 255
Testing the Firewall Policy For Web Traffic Authentication
Exercise 2 Testing the Firewall Policy For Web Traffic

1 In a new web browser window, attempt to access a new web site.
At the login prompt, enter the username and password of the user created in
Exercise 1.
2 In the Authentication Keepalive window, click the Logout link and attempt to
browse to another web site.
3 When prompted to authenticate, enter an incorrect user name or password.

256 01-4200-0201-20100604
Authentication Adding User Disclaimers and Redirecting URLs
4 In the Web Config, go to Log&Report > Log Access > Event.

Locate event log messages for the firewall policy authentication events. Click
the entry in the list to view the details. Note the log message level used for this
type of event.
5 Clear all authenticated sessions (be careful with this command on a live
system!) with the following CLI command:
diagnose firewall iprope resetauth
6 Re-connect to the web site, only this time enter the correct credentials.
7 From the CLI, view the IP addresses and users which have successfully
authenticated to the FortiGate unit with the following CLI command
diagnose firewall iprope authuser
Exercise 3 Adding User Disclaimers and Redirecting URLs

1 In Web Config go to Firewall > Policy > Policy and edit the authenticating all-
dept policy by modifying the following settings:
Enable Disclaimer and Redirect URL Enable

Redirect URL Enter the URL of a web page to be
redirected to.
Click OK.
2 Clear all authenticated sessions using the CLI command:
3 In a new web browser window, access a web site. When the first user
disclaimer message appears. Click Yes, I agree.
When prompted by the authentication login page, log in as the user created in
Exercise 1.
After logging in, an authentication keep-alive page opens. Click the new
window link. This directs the user to the redirect URL specified in the firewall
policy created in Step 1.

01-4200-0201-20100604 257
Adding User Disclaimers and Redirecting URLs Authentication
4 Go to System > Config > Replacement Message. Expand Authentication and

click Edit to modify the Disclaimer Page. Replace the text the network access
provider with the student name.
Click OK.
5 Clear the authenticated sessions before each test with the following CLI
command:
6 Browse to a web page and note the change to the replacement message.
7 Examine the following CLI commands for the users, user groups, and for one
of the authentication firewall policies:
show user local
show user group
show firewall policy <id>
8 Go to Firewall > Policy > Policy and disable all the internal Æ wan1 policies
except for the default all policy.

258 01-4200-0201-20100604
LESSON 5
SSL VPN
259
www.fortinet.com
SSL VPN FortiGate VPN
Lesson 5 SSL VPN

A Virtual Private Network (VPN) is a way to use a public network, such as the
Internet, to provide remote offices or individual users with secure access to private
networks. For example, a company that has two offices in different cities, each
with its own private network, can use a VPN to create a secure tunnel between
the offices. Similarly, telecommuters can use VPN clients to access private data
resources securely from a remote location.
With the FortiGate unit’s built-in VPN capabilities, small home offices, medium-
sized businesses, enterprises, and service providers can ensure the
confidentiality and integrity of data transmitted over the Internet. The FortiGate
unit provides enhanced authentication, strong encryption, and restricted access to
company network resources and services.
FortiGate VPN
The FortiGate unit supports SSL, and IPSec VPN technologies. Each combines
encryption and VPN gateway functions to create private communication channels
over the Internet which helps to defray physical network costs and enables an
administrator to define and deploy network access and firewall policies using a
single management tool. In addition, they support simple client/user
authentication processes (including X.509 digital certificates).
An organization has the freedom to use either of the VPN technologies, however,
one may be better suited to their requirements.
SSL VPN
SSL VPNs are a good choice for roaming users who depend on a wide variety of
thin-client computers to access enterprise applications and/or company resources
from a remote location. SSL is typically used for secure web transactions. After a
secure HTTP link has been established between the web browser and web
server, application data is transmitted directly between selected client and server
applications through the tunnel.
When the SSL VPN feature is used, all client traffic is encrypted and sent to the
SSL VPN. This includes both traffic intended for the private network and Internet
traffic that is normally sent unencrypted. Split tunneling ensures that only the
traffic for the private network is sent to the SSL VPN gateway. Internet traffic is
sent through the usual unencrypted route. This conserves bandwidth and
alleviates bottlenecks.
SSL supports sign-on to a web portal front-end, from which a number of different
enterprise applications may be accessed. The Fortinet implementation enables a
specific port to be assigned for users to log in to the web portal and to customize
the login page, if desired.
SSL forms a connection between two end points such as a remote client and an
enterprise network. Transactions involving three (or more) parties are not
supported because traffic only passes between client and server applications.

01-4200-0201-20100604 261
FortiGate VPN SSL VPN
To access server-side applications with SSL VPN, the remote user must have a
web browser and if Telnet/VNC/RDP are used, the Sun Java Runtime
Environment (JRE) must be enabled. Tunnel-mode client computers must also
have ActiveX (IE) or Java Platform enabled.
SSL VPNs provide secure access to certain applications. Web-only mode
provides remote users with access to server applications from any thin-client
computer equipped with a web browser. Tunnel-mode gives remote users the
ability to connect to the internal network from laptop computers, as well as airport
kiosks, Internet cafes, and hotels. Access to SSL VPN applications is controlled
through user groups.
IPsec VPN
FortiGate units support Internet Protocol Security (IPSec), a framework for the
secure exchange of packets at the IP layer, to authenticate and encrypt traffic.
FortiGate units implement the Encapsulated Security Payload (ESP) protocol in
tunnel mode. The encrypted packets look like ordinary packets that can be routed
through any IP network. Internet Key Exchange (IKE) is performed automatically
based on pre-shared keys or X.509 digital certificates. As an option, manual keys
can be specified.
IPSec VPNs are a good choice for site-to-site connections where appliance-based
firewalls are used to provide network protection and company-sanctioned client
computers are issued to users. IPSec is well suited to network-based legacy
applications that are not web-based. As a layer 3 technology, IPSec creates a
secure tunnel between two host devices. IP packets are encapsulated by the VPN
client and server software running on the hosts.
The FortiGate IPSec VPN feature is compatible with the VPN client feature of the
FortiClient Host Security application. A FortiGate unit can act as a policy server,
enabling FortiClient users to download and apply VPN settings automatically.
Because FortiGate units support industry standard IPSec VPN technologies, an
IPSec VPN can be configured between a FortiGate unit and most third-party
IPSec VPN devices or clients. IPSec supports multiple connections to the same
VPN tunnel (a number of remote VPN devices effectively become part of the
same network).
Dedicated IPSec VPN software must be installed on all IPSec VPN peers and
clients and the software has to be configured with compatible settings.
IPSec VPNs provide secure network access only. Access to the network
resources on a corporate IPSec VPN can be enabled for specific IPSec peers
and/or clients. The amount of security that can be applied to users is limited.

262 01-4200-0201-20100604
SSL VPN SSL VPN
SSL VPN
Operating Modes
The operating mode of the SSL VPN to be used depends on the number and type
of applications installed on the remote computer. The following modes of SSL
VPN operation are only supported on FortiGate units running in NAT/Route mode:
• Web-only mode
• Tunnel mode
When a remote client connects to the FortiGate unit, the FortiGate unit
authenticates the user based on user name, password, and authentication
domain. A successful login determines the access rights of remote users
according to user group. The user group settings specify whether the connection
will operate in web-only mode or tunnel mode.
Web-Only Mode
Web-only mode is for thin, remote clients equipped with only a web browser.
When the FortiGate unit provides services in web-only mode, a secure web
connection between the remote client and the FortiGate unit is established using
the SSL VPN security in the FortiGate unit and the SSL security in the web
browser. After the connection has been established, the FortiGate unit provides
access to selected services and network resources through a web portal.
Web-only mode provides remote users with a fast and efficient way to access
server applications from any thin client computer equipped with a web browser. It
offers true clientless network access using any web browser that has built-in SSL
encryption and the Sun Java Runtime Environment.
Support for SSL VPN web-only mode is built into the FortiOS operating system.
The feature comprises an SSL daemon, running on the FortiGate unit, and a web
portal which provides users with access to network services and resources
including HTTP/HTTPS, Telnet, FTP, SMB/CIFS, VNC, and RDP.
In web-only mode, the FortiGate unit acts as a secure HTTP/HTTPS gateway and
authenticates remote users as members of a user group. After successful
authentication, the FortiGate unit redirects the web browser to the web portal
home page and the user can access the server applications behind the FortiGate
unit.
Configuring the FortiGate unit involves enabling SSL VPN, setting up an
appropriate policy and selecting web-only mode access in the user group settings.
The user group settings determine which server applications can be accessed.
SSL encryption is used to ensure traffic confidentiality.
The remote client computer must be equipped with the following software:
• Microsoft Windows 2000/XP/2003/Vista/7, Linux, or UNIX operating system
• Internet Explorer, Firefox or any other supported browser
• If Telnet/VNC or RDP are used, a Sun Java Runtime Environment 1.4 (or
later), with Java, JavaScript, and Accept Cookies enabled.
Web browsers offer different SSL security capabilities. The FortiGate unit offers
an SSL version 2 option through the CLI, if required, to support older browsers. In
addition, the FortiGate unit supports a range of cipher suites for negotiating SSL
communications with a variety of web browsers. The web browser must, at a
minimum, support a 64-bit cipher length.

01-4200-0201-20100604 263
SSL VPN SSL VPN
Tunnel Mode
Tunnel mode is used for remote computers that run a variety of client and server
applications. In tunnel mode, a secure SSL connection is established initially for
the FortiGate unit to download SSL VPN client software to the web browser. After
the user installs the SSL VPN client software, they can initiate a VPN tunnel with
the FortiGate unit whenever the SSL connection is open. Where users have
complete administrative rights over their computers and use a variety of
applications, tunnel mode allows remote clients to access the local internal
network as if they were connected to the network directly.
Tunnel mode offers remote users the freedom to connect to the internal network
using the traditional means of web-based access from laptop computers, as well
as from airport kiosks, hotel business centers, and Internet cafés. If the
applications on the client computers used within a user community vary greatly,
deploy a dedicated SSL VPN client to any remote client through the web browser.
The SSL VPN client encrypts all traffic from the remote client computer and sends
it to the FortiGate unit through an SSL VPN tunnel over the HTTPS link between
the web browser and the FortiGate unit. Split tunneling is also available which
ensures that only the traffic for the private network is sent to the SSL VPN
gateway. Internet traffic is sent through the usual unencrypted route. This
conserves bandwidth and alleviates bottlenecks.
In tunnel mode, remote clients connect to the FortiGate unit and the web portal
login page using a web browser. The FortiGate unit acts as a secure
HTTP/HTTPS gateway and authenticates remote users as members of a user
group. After successful authentication, the FortiGate unit redirects the web
browser to the web portal home page. The user can then download the SSL VPN
client (available as an ActiveX, Java or stand alone application) and install it using
controls provided through the web portal.
When the user initiates a VPN connection with the FortiGate unit through the SSL
VPN client, the FortiGate unit establishes a tunnel with the client and assigns the
client a virtual IP address from a range of reserved addresses. The client uses the
assigned IP address as its source address for the duration of the connection. After
the tunnel has been established, the user can access the network behind the
FortiGate unit.
Configuring the FortiGate unit to establish a tunnel with remote clients involves
enabling SSL VPN, setting up an appropriate policy and selecting tunnel-mode
access in the user group settings. The firewall policy and threat management
profiles on the FortiGate unit ensure that inbound traffic is screened and
processed securely.
The remote computer must be equipped with the following software:
• Microsoft Windows 2000/XP/2003/Vista/7, Linux or Macintosh
• Microsoft Internet Explorer with ActiveX enabled or another supported web
browser with Java enabled

264 01-4200-0201-20100604
SSL VPN User Groups
User Groups
User groups provide access to firewall policies that require SSL VPN access.
Local user accounts, or users with accounts in remote LDAP, RADIUS or
TACACS+ servers can be members of a user group. If all accounts in a remote
server are to be added to the user group, add the server itself to the group. The
FortiGate unit requests the user name and password when the user accesses the
SSL VPN web portal. The user group settings include the choice of portals to be
used by user group members.
User groups whose members will have access to the SSL VPN will have Allow
SSL-VPN Access enabled along with the type of portal to be presented to those
users.
To view the list of available user groups available on the FortiGate unit, go to User
> User Group > User Group and expand Firewall.
To view or modify any individual user groups in the User Group List, select the
group and click Edit ( ) or double-click the entry.

01-4200-0201-20100604 265
User Groups SSL VPN
New user groups can be added to the list by clicking Create New on the User
Group List page. Complete the parameters of the user group as needed.
Name Assign a name to the user group.

The name of the user group will be used
to identify the group when the
Authentication Rules are specified in an
SSL VPN policy.
Type Select the type of user group to be
created. In this scenario, enable Firewall.
Allow SSL-VPN Access Enable to allow members of the user
group to access the SSL-VPN.
When enabled, select the portal type that
will be accessible by members of the
user group.
• Tunnel-access will allow access to
Tunnel Mode portals only.
• Web-access will allow access to
Web-Only Mode portals only.
• Full-access will allow access to both
portal modes.
Available Users/Groups The list of available users and user
groups is displayed. Select a user or
group and click to move them from
the Available Users/Groups list to the
Members list.

266 01-4200-0201-20100604
SSL VPN Portals
Portals
A portal is the web page that is displayed when a member of a user group logs
into the SSL VPN.
The FortiGate unit includes the following pre-defined portal types:
• Web-Access
• Tunnel-Access
• Full-Access
The portal displays a collection of widgets which allow access to functionality on
the portal.
Web-Access Portal
The Web-Access portal allows members of a user group to access a Web-Only
Mode SSL VPN.
Click a bookmarked link on the portal page to access a web site. Bookmarks are
hyperlinks to frequently accessed web pages or server applications that can be
used to start any session from the home page. The FortiGate unit forwards the
client requests to servers on the Internet or internal network.

01-4200-0201-20100604 267
Portals SSL VPN
Users can click Add to create new bookmarks or Edit to modify existing
bookmarks.
Name The name entered will be used as the link

on the Web-Access Portal.
Type Identify the type of link for either web
pages or web applications.
Location Identify the destination of the link.
Description Enter a description to provide desciptive
information regarding the bookmarked link.
SSO Define whether single sign-on capabilities
will be Disabled, Automatic or Static.

268 01-4200-0201-20100604
SSL VPN Portals
Tunnel-Access Portal
The Tunnel-Access Portal allows access to a Tunnel-Only Mode SSL VPN.
Click Connect to create the tunnel to the destination IP address identified in the
Tunnel Mode policy.
A link is presented to allow users to download a stand-alone application used to
create the Tunnel Mode link to the destination IP address. The application is
downloaded to the local hard drive and must be manually installed.

01-4200-0201-20100604 269
Portals SSL VPN
Full-Access Portal
The Full-Access Portal combines the functionality of the Web and Tunnel-Access
Portals.

270 01-4200-0201-20100604
SSL VPN Enabling SSL VPN
Enabling SSL VPN

The process of enabling SSL VPNs on the FortiGate unit is similar for both
operating modes.
Go to VPN > SSL > Config to enable SSL VPN connections and set the basic
options needed to support SSL VPN configurations.
Enable SSL-VPN Click to enable SSL VPNs on the FortiGate

unit.
IP Pools If configuring a tunnel mode SSL VPN, IP
Pools must be defined. Click [Edit] to
select an IP address range. A pre-defined
IP address range called
SSLVPN_TUNNEL_ADDR1 can be used,
or a custom addressing range can be
defined through Firewall > Address >
Address.
The IP Pools allows a range of IP
addresses to be reserved for remote SSL
VPN clients. After the FortiGate unit
authenticates a request for a tunnel-mode
connection, the SSL VPN client connects
to the FortiGate unit and is assigned an IP
address from this range. The FortiGate
unit uses the assigned address to
communicate with the SSL VPN client.
Web Mode SSL VPNs do not require IP
Pools to be defined.

01-4200-0201-20100604 271
Enabling SSL VPN SSL VPN
Server Certificate Choose the certificate that will be

presented to the client initiating the SSL
VPN session. By default, the FortiGate unit
will use a self-signed certificate which will
produce security warnings in most
browsing software. If the SSL VPN will be
publicly available, it is good practice to use
a certificate signed by a recognized
certificate authority. Certificates and CRLs
can be imported onto the FortiGate unit
through System > Certificates.
Require Client Certificate Enable if mutual authentication is required
between the client and server. This setting
will require a client certificate to complete
authentication. Before enabling, ensure
that the required certificates have been
installed on the client.
Encryption Key Algorithm Select a level of encryption used for SSL
VPN connections. Keep in mind that if a
higher level of encryption is chosen than
the web browser supports, the client will
not be able to establish a connection
Idle Timeout The value specified controls how long the
connection can remain idle before the
system forces the remote user to log in
again.
Advanced Expand Advanced to define the WINS or
DNS servers that are made available to the
SSL VPN clients. Up to two DNS servers
and WINS servers can be specified.

272 01-4200-0201-20100604
SSL VPN SSL VPN Firewall Policies
SSL VPN Firewall Policies

All SSL VPNs require at least one SSL VPN firewall policy. The firewall policy
specifies the originating IP address of a packet (Source Address) and the
destination address(es) of the intended recipient(s) or network(s) (Destination
Address).
Web-Only Mode Firewall Policies

A firewall policy for Web-Only Mode requires selecting appropriate Source and
Destination Addresses, selecting an Action of SSL VPN and an appropriate
identity-based policy.
• For the Source Address, select the predefined address of ALL.
• For the Destination Address, select the IP address or addresses that remote
clients need to access. The Destination Address may correspond to an entire
private network behind a FortiGate unit, a range of private IP addresses or the
private IP address or a server or host.
Go to Firewall > Policy > Policy to define the attributes of the Web-Only Mode SSL
VPN policy.
Source Interface/Zone Select the source interface for the policy.

Source Address Specify the originating IP address of the
SSL VPN connection.
Destination Interface/Zone Select the destination interface for the
policy.
Destination Address Specify the destination address(es) of the
intended recipient(s) or network(s) for the
SSL VPN connection

01-4200-0201-20100604 273
SSL VPN Firewall Policies SSL VPN
Action Select SSL VPN.

SSL Client Certificate Restrictive Enable if the client certicate accepted must
be of a certain cipher strength. When
enabled, select the cipher strength from
the drop-down list.
Identity Based Policy Identity Based Policy is automatically
enabled when the Action of SSL VPN is
selected. Click Add to define an
Authentication Rule.
Select a User Group with Allow SSL VPN
Access enabled.

274 01-4200-0201-20100604
Authentication Rules
Authentication Rules define the authentication options and other parameters for
users affected by the SSL VPN policy.
User Group Select the user group that requires access

to the SSL VPN and click to move to
the Selected User Groups list.
Service Select the services accessible by allowed
users through the SSL VPN and click
to move the Services to the Selected
Services list.
Schedule Select the schedule the allowed users will
be bound by.
Log Allowed Traffic Click to enable logging of traffic by allowed
users.
UTM Click to enable the UTM elements required
for traffic through the web-only mode VPN.
Select the appropriate profile or sensor
from the list for any enabled UTM
elements.

01-4200-0201-20100604 275
SSL VPN Firewall Policies SSL VPN
Tunnel Mode Firewall Policies

A firewall policy for Tunnel Mode requires selecting an appropriate Source
Interface and Source and Destination Addresses.
• For the Source Interface, SSL VPN Tunnel Mode policies use a virtual
interface, called sslvpn tunnel interface. This interface appears in the firewall
policy interface lists and static route interface lists and allows remote user
access to additional networks.
• For the Source Address, identify the range of IP addresses that can be
connected to the FortiGate unit. A default IP address range called
SSLVPN_TUNNEL_ADDR1 is available, and can be edited if necessary
through Firewall > Address > Address.
• For the Destination Address, select the IP address or addresses that remote
clients need to access. The Destination Address may correspond to an entire
private network behind a FortiGate unit, a range of private IP addresses or the
private IP address or a server or host.
Go to Firewall > Policy > Policy to define the attributes of the Tunnel Mode SSL.

276 01-4200-0201-20100604
Source Interface/Zone Select sslvpn tunnel interface. This

interface is available by default on the
FortiGate unit.
Source Address Corresponds to the range of IP addresses
permitted to setup SSL VPN connections.
Select SSLVPN_TUNNEL_ADDR1. This
address range is available by default on
the FortiGate unit.
Destination Interface/Zone Select the destination interface for the
policy
Destination Address Select the IP addresses that represent the
local network, servers or hosts to which IP
packets may be delivered.
Schedule Select the schedule the allowed users will
be bound by.
Service Select the services accessible by allowed
users through the VPN.
Action For tunnel mode SSL VPN, the Action of
ACCEPT is selected.
Log Allowed Traffic Click to enable logging of traffic by allowed
users.
NAT Click to select If NAT is used.
Enable Identity Based Policy Identity Based Policy can be enabled when
the Action of ACCEPT is selected. Click
Add to define an Authentication Rule.
Select a User Group with Allow SSL VPN
Access enabled.
UTM Click to enable the UTM elements required
for traffic through the tunnel mode VPN.
Select the appropriate profile or sensor
from the list for any enabled UTM
elements.
Traffic Shaping Enable if traffic shaping is required on the
tunnel mode traffic. Select the required
traffic shaper from the list.
Per-IP Traffic Shaping Enable if per-IP traffic shaping is required
on the tunnel mode traffic. Select the
required per-IP traffic shaper from the list
Enable Endpoint NAC Enable is Endpoint Control is applied to
tunnel mode traffic.

01-4200-0201-20100604 277
Connecting to the SSL VPN SSL VPN
Connecting to the SSL VPN

Connect to the FortiGate SSL VPN Portal home page by entering the following
address in the web browser:
https://<FortiGate_IP_address>:10443
Optionally, a different TCP port number can be specified for users to access the
portal login page by modifying the SSLVPN Login Port under System > Admin >
Settings.
If port 443 is being used for another purpose, ensure that this does not conflict
with the port used for administrative connections to the FortiGate unit through
Web Config.
Web Portal Page

The portal page that is displayed after logging in will depend on the type selected
in the user group settings.
Web-Access Portals will present the list of bookmarks that can be clicked to
access web sites.
Tunnel-Access Portals will present the widgets to connect to the tunnel.
Full-Access Portals will present the widgets for both Web-Access and Tunnel-
Access portals.

278 01-4200-0201-20100604
SSL VPN Configuring SSL VPN for Full Access
Lab 5 SSL VPN

Objectives
In this lab, an SSL VPN will configured to allow both web-only mode and tunnel
mode access to public web sites.
Tasks
• Configuring SSL VPN for Full Access
Timing
Exercise 1 Configuring SSL VPN for Full Access

1 Go to VPN > SSL > Config. Configure the following settings to enable the SSL
VPN service:
Enable SSL-VPN Enable

IP Pools Click [Edit] and add
SSLVPN_TUNNEL_ADDR1 to the
Selected list.
Leave all the other settings at default.

Click Apply.
2 Configure authentication for an internal user to access the SSL VPN gateway
service. Go to User > User > User. Click Create New and add a new user with
the User Name of Test SSL and Password of 123456.
Click OK.
3 Create a new user group that includes the new local user. Go to User > User
Group > User Group and click Create New. Configure the following settings:
Name SSLVPN
Type Firewall
Allow SSL-VPN Access Enable and select the full-access
portal from the list.
Available Users/Groups Move the Test SSL user from the
Available Users/Groups list to the
Members list.
Click OK.

01-4200-0201-20100604 279
Configuring SSL VPN for Full Access SSL VPN
4 Create a new firewall policy to allow access to the SSL VPN and authenticate
the user. Go to Firewall > Policy > Policy. Click Create New to configure a
policy with the following settings:
Source Interface internal

Source Address all
Destination Interface wan1
Action SSL-VPN
SSL Client Certificate Restrictive Disabled
Click Add to configure a new identity-based policy with the following settings:
Available User Groups Move SSLVPN from the Available
User Groups list to the Selected
User Groups list.
Service Move ANY from the Available
Services list to the Selected
Services list.
Schedule always
Click OK.
5 Move this SSLVPN policy to the top of the internal Æ wan1 policy list.

280 01-4200-0201-20100604
6 Test the SSL VPN by connecting to the portal by typing the following address
in the web browser:
https://192.168.1.99:10443/
Confirm the first-time Security Alert that is displayed.
Note: By default, the SSL VPN gateway listens to port 10443. In an actual deployment,
use port 443 as this port is typically open on Firewalls allowing easy remote access
using SSL. This can be changed by going to System > Admin > Settings and changing
the Web Admin HTTPS service from 443 to a different port number (for example,
8443). Then, change the SSL VPN login port from 10443 to 443.
7 When prompted, log in as the Test SSL user with the password of 123456.
If the connection fails, check the following:

• The Test SSL user is a member of the SSLVPN user group.
• The SSLVPN user group is associated with the internal Æ wan1 SSL VPN
policy.
• The SSL VPN policy is at the top of the policy list for internal Æ wan1.
If after performing these checks, the connection still fails try re-entering the
password in the local user configuration .
8 On the portal page, click Add to create a new bookmark with the following
details:
Name Fortinet
Type HTTP/HTTPS
Location http://www.fortinet.com
Description Optional
SSO Disabled
Click OK.

01-4200-0201-20100604 281
9 Click the newly created bookmark. A new window displays the selected web
site.
Note the URL of the web site in the web browser address bar:
https://192.168.1.99:10443/proxy/http/www.fortinet.com
The first part of the address, https://192.168.1.99:10443, is the
encrypted link to the FortiGate SSL VPN gateway.
The second part of the address, /proxy/http is the instruction to use the
SSL VPN HTTP proxy.
The final part of the address, /www.fortinet.com, is the destination of the
connection from the HTTP proxy.
In this example, the connection is encrypted up to the SSL VPN gateway. The
connection to the final destination from the HTTP proxy is unencrypted.
10 Examine the PC’s current routing table by typing the following command from
a DOS command prompt:
route print
Note that the current default gateway is 192.168.1.99.
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.99 192.168.1.xxx 10
11 If this is the first time an SSL VPN tunnel is used on the PC, install the Fortinet
SSL VPN Client plug-in for the browser. Click the Click here to download and
install it link that appears in the Tunnel Model widget.
Download the client software to the PC desktop and close the web browser.
12 Run the installation application for the client software from the PC desktop.
13 Reopen the web browser and enter the address of the VPN portal:
https://192.168.1.99:10443/
14 Click the Connect button in the Tunnel Mode widget. When the tunnel is active,
the local interface fortissl will be listed as UP. Return to the routing table
through the DOS prompt and note that the default gateway is now 10.0.0.1,
which is the local tunnel endpoint. Because split tunnelling is not enabled, a
default route is displayed for the tunnel interface
.
Note: Split tunneling is a computer networking concept which allows a VPN
user to access a public network, for example, the Internet, and a local LAN or
WAN at the same time, using the same physical network connection. This
connection service is usually facilitated through a program such as a VPN
client software application.
For example, a user connects to a corporate network using a remote access

VPN software client and a hotel wireless network. The user with split tunneling
enabled is able to connect to file servers, database servers, mail servers, and
other servers on the corporate network through the VPN connection. In
contrast, when the user connects to Internet resources, for example, web sites
and FTP sites, the connection request doesn't go through the VPN link but
rather through the wireless connection and out the gateway provided by the
hotel network.

282 01-4200-0201-20100604
15 Open a new web browser window and attempt to connect to the following web
site:
www.fortiguard.com
Note that the connection fails when tunnel mode is active.
In addition to the SSL VPN policy, additional objects must be created to allow
access from the ssl.root interface which is the source of all SSL VPN tunnel
traffic.
16 To observe the cause of the configuration problem run a packet sniffer
command in the CLI with the following filter and observe the output while trying
to reload the webpage.
diag sniffer packet any "port 80" 4
If not using DNS forwarding on the FortiGate and DNS queries are forwarded
from the PC to external DNS servers, test using the servers IP address. Use
the nslookup command to get the IP address of the server before testing in
this case.
TCP SYN packets should be observed incoming to the ssl.root interface. The
ssl.root interface represents the clients from the SSL VPN tunnel. To allow
these packets, this session must be accepted by creating a policy from the
ssl.root interface to the wan1 interface. We also need to define a route back to
the SSL VPN client for both RPF criteria and new session establishment.
17 Logout of the SSL VPN portal by clicking Logout ( ).
18 Create a static route for the SSL VPN tunnel client IP address. In Web Config,
go to Router > Static > Static Route and click Create New.
Configure the static route with following settings:
Destination IP/Mask 10.0.0.1/24
Device ssl.root
Leave the remaining default settings and click OK.
19 Create a new firewall policy from the sslvpn tunnel interface, this time using a
regular Accept action.
Source Interface sslvpn tunnel interface

Source Address all
Destination Interface wan1
Schedule always
Service ANY
Action ACCEPT
Enable NAT Enabled
Click OK.

01-4200-0201-20100604 283
This new ssl.root Æ wan1 policy will be displayed in the Policy list.
20 Log back into the SSL VPN portal and click Connect to activate the SSL VPN
tunnel.
21 From the DOS prompt, confirm that the default route is now the tunnel
endpoint (10.0.0.1).
22 Connect directly to the following web site through the web browser:
www.fortiguard.com
The connection should be successful.
23 Run the packet sniffer command once again to verify that the traffic from the
ssl.root interface is now permitted.
24 Disable the two SSL policies created in this lab.

284 01-4200-0201-20100604
LESSON 6
FortiGuard Subscription Services
285
www.fortinet.com
FortiGuard Subscription Services FortiGuard Distribution Network
Lesson 6 FortiGuard Subscription

Services
FortiGuard Subscription Services provide continuously updated security solutions
to Fortinet security device users, including antivirus, intrusion prevention, as well
as web and email filtering. Subscription services are delivered through the
FortiGuard Distribution Network. With the FortiGuard Subscription Services
enabled, administrators can ensure that their FortiGate, FortiMail, and FortiClient
installations are performing optimally and are protecting their corporate assets
with the latest security technology.
FortiGuard Distribution Network

The FortiGuard Distribution Network delivers updates to FortiGate, FortiMail, and
FortiClient products from secure, high availability data centers in locations
worldwide. Delivery methods include push, pull, or customized delivery frequency
that can be configured based on the requirements of the organization; set it up
once and updates arrive automatically. This system ensures that devices are
updated to provide high levels of detection for both known and unknown threats.
FortiGuard Subscription Services are continuously updated to provide up-to-date
protection from new and emerging threats before they can harm corporate
resources or infect end-user computing devices.
Worldwide coverage of FortiGuard services is provided by FortiGuard Service

Points. When a FortiGate unit connects to the FortiGuard Distribution Network, it
is connecting to the closest FortiGuard Service Point. Fortinet adds new Service
Points as required. If the Service Point becomes unreachable for any reason, the
FortiGate unit contacts another Service Point and information is available within
seconds. By default, the FortiGate unit communicates with the Service Point using
UDP on port 53.

01-4200-0201-20100604 287
FortiGuard Distribution Network FortiGuard Subscription Services
Alternately, the UDP port used for Service Point communication can be switched
to port 8888 through Web Config. If the default FortiGuard Service Point
hostname must be changed, use the system fortiguard hostname
CLI command. The FortiGuard Service Point hostname can not be changed
through Web Config.
If the FortiGate unit is unable to connect to the FortiGuard Distribution Network,
check the configuration. For example, routes may need to be added to the
FortiGate routing table of the network to allow the FortiGate unit to use HTTPS on
port 443 to connect to the Internet.

288 01-4200-0201-20100604
FortiGuard Subscription Services FortiGuard Distribution Network
Connecting to the FortiGuard Servers

The following steps illustrate the process used by the FortiGate unit to locate and
connect to the FortiGuard servers to submit a query.
service.fortiguard.net FortiGuard Server 1
DNS FortiGuard Server 2
FortiGate
X The FortiGate unit submits a DNS A Record lookup for

service.fortiguard.net.
Y The DNS server returns the IP address for service.fortiguard.net to
the FortiGate unit.
Z The FortiGate unit submits an INIT message, license check and server list
request to the service.fortiguard.net server.
[ The service.fortiguard.net server returns the service status and
server list information to the FortiGate unit.
\ The FortiGate unit submits a query to the FortiGuard Server (for example, in what
category is www.google.com?).
] The FortiGuard Server returns the response to the query (for example,
www.google.com is in the Search Engine category).
^ If no response is obtained from the first server within 2 seconds, the next
FortiGuard Server in the server list is contacted.
_ The next available FortiGuard server returns the response to the query.
The server list is initially ordered by weight. The weight is equal to the time zone
difference between the FortiGate unit and the FortiGuard servers multiplied by 10.
The top servers on the list have the best round-trip time. All other servers are
listed by weight. The server list can be viewed in the CLI using the following
command:
diag debug rating

01-4200-0201-20100604 289
FortiGuard Antivirus Service FortiGuard Subscription Services
FortiGuard Antivirus Service

The FortiGuard Antivirus Service keeps FortiGate, FortiMail and FortiClient
devices fully up-to-date with the latest antivirus defenses against network-based
threats. Updates to the FortiGate and FortiMail devices and FortiClient
installations are fully automated to ensure protection against the latest content
level threats. The FortiGuard Antivirus Service prevents both new and evolving
virus, spyware, and malware threats and vulnerabilities from gaining access to the
network, applications, or data assets. Fortinet collaborates with the world’s
leading threat monitoring organizations to advise and learn of new vulnerability
discoveries.
The following steps illustrate how new threats and vulnerabilities are addressed
through the service:
1 Fortinet engineers identify a new virus threat.
2 An antivirus signature is developed and tested by Fortinet engineers.
3 The antivirus signature database is uploaded to FortiGuard Distribution
Network.
4 The FortiGuard Antivirus Service automatically pushes the update to
FortiGate/FortiClient/FortiMail devices which are dynamically updated.
5 When the cyber attack is launched, the FortiGate/FortiClient/FortiMail units
block the attack.
Signature updates are continually updated through the FortiGuard Antivirus
Service.
Lesson 8 - Antivirus of this course will discuss antivirus filtering in further detail.

290 01-4200-0201-20100604
FortiGuard Subscription Services FortiGuard Intrusion Prevention System Service
FortiGuard Intrusion Prevention System Service

The FortiGuard Intrusion Prevention System (IPS) Service arms FortiGate
customers with the latest defenses against stealthy, malicious, and suspicious
network-level threats. Fortinet works with organizations worldwide to isolate the
latest application and OS vulnerabilities to prevent both new and yet unknown
threats and vulnerabilities from gaining access to network, applications, or data
assets. The FortiGuard IPS Service includes a library of over 4000 IPS signatures
and the latest anomaly inspection, deep packet inspection, full content inspection,
and activity inspection engines. Policies allow full control of all attack detection
methods to provide flexibility to the organization.
The FortiGuard IPS Service also supports behavior-based heuristics adding
valuable recognition capabilities beyond simply matching content against known
signatures.
The 301 - Secured Network Deployment and IPSEc VPN course discusses the
Intrusion Prevention System in further detail.

01-4200-0201-20100604 291
FortiGuard Web Filtering Service FortiGuard Subscription Services
FortiGuard Web Filtering Service

Surfing the Internet has become a critical part of conducting business and often a
requirement for government and educational institutions. However, inappropriate
Internet usage has led to lower productivity, inappropriate use of company
resources, harassment, legal liability, and human resource issues. The FortiGuard
Web Filtering Service is a hosted service designed to provide Web URL filtering
for schools, libraries, government agencies, and enterprise businesses of all
sizes.
The FortiGuard Web Filtering Service delivers updates through the FortiGuard
Distribution Network to regulate web activities to meet different usage polices and
compliance requirements. The FortiGuard Web Filtering Service provides policy-
based access control for over 77 web content categories, over 60 million rated
web sites, and more than two billion web pages.
The FortiGuard Web Filtering Service has been developed to attain CIPA
Compliance with HR4577.
When a user requests access to a web page, the request is sent to the web site
and a rating request is made simultaneously to the FortiGuard Web Filtering
Service. When the rating response is received by the FortiGate unit, it is
compared to the policy rules. If the policy allows the page, the web site response
is passed to the user. Otherwise, a user-definable blocked message is sent to the
user and the event is logged in the content filtering log. If the rating for the web
page is cached in the FortiGate unit, it is immediately compared with the policy for
the user.
Lesson 10 - Web Filtering of this course will discuss web filtering in further detail.

292 01-4200-0201-20100604
FortiGuard Subscription Services FortiGuard Antispam Service
FortiGuard Antispam Service

With the heavy and growing reliance on email for business communications, the
ability to keep email servers running smoothly and spam free is becoming more
critical than ever. If legitimate email becomes falsely classified as spam it can be
equally disastrous for a corporation as critical communications can become
impaired. Unsolicited email (spam) has created tremendous pressure on the
communication infrastructure. Some side effects include wasteful email server
build-out, downtime, unknowing transport of spyware, greyware, intrusions, or
even embedded viruses.
The FortiGuard Antispam Service delivers antispam signature updates for
FortiGate, FortiMail, and FortiClient customers to help reduce the amount of spam
at the network perimeter. To increase detection rates, the FortiGuard Antispam
Service deploys dual scan technology to quickly identify, tag, or block obvious
spam messages.
The FortiGuard Antispam Service uses an IP address black list compiled from
email captured by spam probes located around the world along with other spam
filtering tools. Spam probes are decoy email addresses purposely configured to
attract spam and identify known spam sources to create the antispam IP address
list. A dedicated team of engineers and analysts monitor global spam activities
and analyze latest spam techniques to provide comprehensive protection against
spams.The FortiGuard Antispam Service is automated by Fortinet to provide
constant monitoring and dynamic updates.
Lesson 9 - Email Filtering of this course will discuss email filtering in further detail.

01-4200-0201-20100604 293
FortiGuard Vulnerability Management Service FortiGuard Subscription Services
FortiGuard Vulnerability Management Service

The FortiGuard Vulnerability Management Service provides periodic delivery of
signatures to aid in the detection of vulnerabilitties in an organization's network
due to flaws in software or faulty application configuration. Used in conjunction
with the vulnerability scanning capabilities of the FortiAnalyzer device, the
FortiGuard Vulnerability Management Service can enable the detection, removal
of risks while providing up to date information to mitigate those risks. Core to this
solution is the ever expanding vulnerability database, delivered though the
FortiGuard Distribution Network.
For more information on the FortiGuard Vulnerability Management Service, visit:

http://www.fortiguard.com.

294 01-4200-0201-20100604
FortiGuard Subscription Services FortiGuard Subscription Services Licensing
FortiGuard Subscription Services Licensing

FortiGate units come with a free 30-day trial license for the FortiGuard
Subscriptions Services. To renew the FortiGuard license after the free trial,
contact Fortinet Technical Support.
The License Information pane in System > Dashboard > Status in Web Config
displays the status of the support contract and FortiGuard subscriptions for the
FortiGate device. The FortiGate unit updates the license information status
indicators automatically by connecting to the FortiGuard network.
FortiGuard subscription status indicators are green for OK, grey if the FortiGate
unit cannot connect to the FortiGuard network, and yellow if the license has
expired.

01-4200-0201-20100604 295
Updating Antivirus and IPS Services FortiGuard Subscription Services
Updating Antivirus and IPS Services

FortiGuard update information is displayed in Web Config at System >
Maintenance > FortiGuard.
To receive scheduled updates to the antivirus and IPS definitions, the FortiGate
unit must be able to connect to the FortiGuard Distribution Network using HTTPS
on port 443.
Subscription services that are properly registered and are receiving updates are
identified with a green check mark ( ). Services that are not valid or expired are
identified with a red X ( ).

296 01-4200-0201-20100604
FortiGuard Subscription Services Updating Antivirus and IPS Services
Scheduled Updates
On the System > Maintenance > FortiGuard page, expand AntiVirus and IPS
Options. The Schedule Update options include the ability to check for updates to
the antivirus and IPS definitions at the following times:
• Hourly: Specify the number of hours and minutes between each update
request.
• Daily: Specify the time of day to check for updates.
• Weekly: Specify the day of the week and the time of day to check for updates.
Override Server
If the organization provides updates to the FortiGuard Subscription Services using
their own FortiGuard server (for example, through a FortiManager device) or if a
connection to the FortiGuard Distribution Network can not be made, the Use
override server address option may be used. When enabled, enter the IP address
or domain name the server to be used, for example, the IP address of a
FortiManager configured to provide FortiGuard services.
Push Updates
The FortiGuard Distribution Network can push antivirus and IPS updates to
FortiGate units to provide the fastest possible response to critical situations. The
FortiGate unit must be registered before it can receive push updates.
When a FortiGate unit is configured to allow push updates, it sends a SETUP
message to the FortiGuard Distribution Network. The next time new antivirus or
IPS definitions are released, the FortiGuard Distribution Network notifies all
FortiGate units that are configured for push updates that a new update is
available. Within 60 seconds of receiving a push notification, the FortiGate unit
requests an update from the FortiGuard Distribution Network.
When the network configuration permits, configuring push updates is
recommended in addition to configuring scheduled updates. On average the
FortiGate unit receives new updates sooner through push updates than if the
FortiGate unit receives only scheduled updates.
Enabling push updates is not recommended as the only method for obtaining
updates. The FortiGate unit might not receive the push notification. Also, when the
FortiGate unit receives a push notification it makes only one attempt to connect to
the FortiGuard Distribution Network and download updates.
The SETUP message that the FortiGate unit sends when push updates are
enabled include the IP address of the FortiGate interface to which the FortiGuard
Distribution Network connects. The interface used for push updates is the
interface configured in the default route of the static routing table.
The FortiGate unit sends the SETUP message if the IP address of this interface is
changed manually or if the interface addressing mode has been set to DHCP or
PPPoE and the DHCP or PPPoE server changes the IP address. The FortiGuard
Distribution Network must be able to connect to this IP address for the FortiGate
unit to be able to receive push update messages.
If redundant connections to the Internet are available, the FortiGate unit also
sends the SETUP message when one Internet connection goes down and the
FortiGate unit fails over to the other Internet connection.

01-4200-0201-20100604 297
If the FortiGate device is operating in Transparent mode and the management IP

address is changed, the FortiGate unit also sends the SETUP message to notify
the FortiGuard Distribution Network of the address change.
Push updates might be unavailable if:
• The FortiGate unit has not been registered.
• There is a NAT device installed between the FortiGate unit and the FortiGuard
Distribution Network (see the section Push Updates Through a NAT Device in
this lesson).
• The FortiGate unit connects to the Internet using a proxy server. If the
FortiGate unit must connect to the Internet through a proxy server, use the
config system autoupdate tunneling command to allow the
FortiGate unit to connect or tunnel to the FortiGuard Distribution Network using
the proxy server.
Push Updates Through a NAT Device

If the FortiGuard Distribution Network can only connect to the FortiGate unit
through a NAT device, port forwarding must be configured on the NAT device and
port forwarding information must be added to the push update configuration.
The FortiGate unit can only receive update messages on UDP port 9443.
In the example below, the FortiGate unit is configured to allow push updates. The
override push IP address is configured for 172.16.1.1 using UDP port 12443.
This tells the FortiGuard Server to send updates to that address and port.
Push updates will be sent by the FortiGuard Server to 172.16.1.1 using port
12443 as configured. The NAT device will then map this IP address to
10.10.10.1 port 9443. The update is received by the FortiGate unit.
Internet
FortiGate NAT Device FortiGuard Server
- Allow Push Update - Destination NAT

- Use Override Push IP 172.16.1.1 172.16.1.1 udp port 12443
- Port udp 12443 - Maps to:
10.10.10.1 udp port 9443

298 01-4200-0201-20100604
FortiGuard Subscription Services Updating Antivirus and IPS Services
Manual Updates
The FortiGuard antivirus and IPS definitions can be updated manually at any time
if a connection to the Fortinet Distribution Network is available
Click Update Now in the Antivirus and IPS Options to force a manual update to
the antivirus and IPS definitions.

01-4200-0201-20100604 299
If a connection to the Fortinet Distribution Network is not available from the

FortiGate device, the latest definition files can be downloaded from another
computer and copied to the computer used to connect to Web Config. Click the
[Update] link for either the Antivirus or IPS Definitions.
Click Browse to locate the antivirus or IPS definition files.

300 01-4200-0201-20100604
FortiGuard Subscription Services Web Filtering and Antispam Options
Web Filtering and Antispam Options

FortiGuard Web Filtering and Antispam Options are configured at System >
Maintenance > FortiGuard.
Port Selection
FortiGuard services are reachable over port 53. An alternate port of 8888 can be
used. Click Test Availability to verify that FortiGuard Services are available
through either the default or alternate port.
Caching
Caching is available for web filtering and antispam. Caching is strongly
recommended as it improves performance by reducing FortiGate unit requests to
the FortiGuard server. The cache uses a small percentage of the FortiGate
system memory.

01-4200-0201-20100604 301
Web Filtering and Antispam Options FortiGuard Subscription Services
When the cache is full, the last recently used IP address or URL is deleted.
A Time To Live (TTL) setting controls the number of seconds webfilter and
antispam query results are stored in the cache before contacting the server again.

302 01-4200-0201-20100604
FortiGuard Subscription Services Configuring FortiGuard Subscription Services Using the CLI
Configuring FortiGuard Subscription Services Using the CLI

The CLI can also be used to configure communications with the FortiGuard
Distribution Network for FortiGuard Services.
By default, FortiGate units connect to the FDN using a set of default connection
settings. These settings can be overriden to use IP addresses and port numbers
other than the defaults. For example, a FortiManager unit can be used as a local
FortiGuard Distribution Server; service updates are downloaded to the
FortiManager device, and those updates are redistributed to the FortiGate units.
The following CLI command can be used to view the configuration options for the
FortiGuard Services:
config system fortiguard

01-4200-0201-20100604 303
FortiGuard Center FortiGuard Subscription Services
FortiGuard Center
The FortiGuard Center is a comprehensive on-line resource providing a rich
security knowledge base and technical resources including:
• Spyware, virus, intrusion prevention, web content filtering, and antispam attack
library
• Vulnerability encyclopedia which provides detailed descriptions of popular
operating systems and applications
• Virus, spyware, spam, and dangerous Web URL Submission Service
The Fortinet FortiGuard Center is where to find timely threat and vulnerability
information, as well as other online resources provided by Fortinet's Global Threat
Response Team. The FortiGuard Center is updated around-the-clock as new
information becomes available.
The FortiGuard Center is accessed at the following address:
http://www.FortiGuard.com

304 01-4200-0201-20100604
FortiGuard Subscription Services Enabling FortiGuard Services and Updates
Lab 6 Fortinet Subscription

Services
Objectives
In this exercise, access to the FortiGuard Distribution Network will be configured
and services updated.
Note: This exercise can only be completed if the FortiGate unit has already been
registered on the Fortinet Support web site (https://support.fortinet.com).
Tasks
In this lab, the following task will be completed:
• Exercise 1 Enabling FortiGuard Services and Updates
Timing
Exercise 1 Enabling FortiGuard Services and Updates

1 In Web Config, go to System > Maintenance > FortiGuard to verify the details
of the FortiGuard licensing entitlement for the FortiGate unit.
What is the antivirus definition version, expiry, and last update attempt for the
FortiGate unit?
If only the version field is showing, the FortiGate unit firmware was upgraded
recently and there have been no further update attempts.
Note: In the classroom environment, the FortiGate unit is behind a NAT device. Port
forwarding must be configured on the NAT device, otherwise the Push Update feature
will not work.
2 On the FortiGuard Distribution Network page, expand Antivirus and IPS

Options and enable a scheduled update for every four hours. Click Apply.
3 Return to the AntiVirus and IPS Options and click Update Now to force the
FortiGate unit to obtain the latest antivirus and IPS definitions. This action
sends a request to an FDN server. After 3 to 5 minutes, if properly entitled and
depending on Internet congestion, the FortiGate unit will receive and install
updated definitions.
Wait a few minutes and return to System > Maintenance > FortiGuard and
check for the new updates. Today’s date should appear next to the [Update]
link for both AV and IPS Definitions.
The AV and IPS signature databases can also be updated either individually or
together through the CLI using the following commands:
exec update-av Update AV engine/definitions
exec update-ips Update IPS engine/definitions

01-4200-0201-20100604 305
Enabling FortiGuard Services and Updates FortiGuard Subscription Services
exec update-now Update now
Note: Antivirus and IPS updates can also be set to be pushed automatically to the
FortiGate unit. To allow push updates, expand AntiVirus and IPS Options and enable
Allow Push Update and set the update schedule required, for example, every 4 hours.
Note: The update-now command is only for updating antivirus and IPS definitions only
and not for upgrading the system firmware.
4 View the CLI settings by entering the following commands in the CLI:
get system autoupdate schedule
get system fortiguard
The defined FortiGuard autoupdate interval was set to 4 hours through Web
Config but the CLI shows 4:60. This means that the additional minutes interval
will be randomly picked from 0 to 59 minutes. This helps to spread out the
request load on the FortiGuard server. An exact hour and minute interval can
be set through the CLI as illustrated in this example:
config system autoupdate schedule
set time 4:0
end
Verify the change with:

show system autoupdate schedule
5 On the FortiGuard Distribution Network page, expand Web Filtering and Email
Filtering Options and configure the following FortiGuard service settings:
Web Filter Cache Enabled

Web Filter Cache TTL 1800 seconds (30 minutes)
Antispam Cache enable
Antispam Cache TTL 900 seconds (15 minutes)
Port Selection 53 (default)
Click Apply.
6 Confirm that the FortiGuard Services are reachable by expanding Web
Filtering and Email Filtering Options once again and clicking Test Availability to
establish connectivity between the FortiGate unit and the FDN server.
Note: By default, FortiGuard uses UDP/53, because this port is almost always open for
DNS traffic. If there is another IPS device on the network that is decoding DNS data on
port 53, the FortiGuard request/response may trigger an alert, as the data is encrypted.
Change to UDP/8888 for FortiGuard communication and ensure upstream devices
permit this traffic to pass.

306 01-4200-0201-20100604
FortiGuard Subscription Services Enabling FortiGuard Services and Updates
7 Before proceeding to the next lab, save the changes to the FortiGate
configuration.
Go to System > Dashboard > Status and in the System Information widget
click the Backup link. Save the file to the local hard disk and change the
backup file name to reflect that this backup was created at the end of Lab 7.

01-4200-0201-20100604 307
Enabling FortiGuard Services and Updates FortiGuard Subscription Services

308 01-4200-0201-20100604
LESSON 7
Threat Management
309
www.fortinet.com
Threat Management Content Scanning Techniques
Lesson 7 Threat Management

The FortiGate unit controls communications and protects network content from
vulnerabilities and malicious security threats through the integration of
technologies which are normally found in separate products.
Threat management features on the FortiGate unit include the following:

• Antivirus
• Intrusion prevention
• Web filtering
• Email filtering
• Data leak prevention
• Application control
• VoIP filtering
Content Scanning Techniques

Two prevailing techniques are used by security software vendors to inspect data
in hopes of identifying and blocking malicious content as it enters the
organization. These techniques include:
• Flow-based scanning
• File-based scanning
Flow-Based Scanning
Flow-based scanning is a technique where data is inspected as it enters the
organization at a packet-by-packet level. This technique uses signatures to match
the data being received; if data in the flow matches an exisiting signature, the data
is deemed to be malicious and the transfer is cancelled.
Hackers, aware of the operation of flow-based scanners, will deliberately
compress or archive their malicious files and content to evade these scanners.
Once the file is received by a browser, the file is decompressed for display or
execution.
Course 201-v4.1 Administration, Content Inspection and Basic VPN Access

01-4200-0201-20100604 311
Content Scanning Techniques Threat Management
Flow-based scanners, and their reliance on static signatures are at best guessing
the contents of the file, increasing the likelihood of false positives and potentially
blocking legitimate file traffic. Flow-based scanning vendors may defend the
method by claiming that it is easy to write signatures to match the compressed or
uncompressed files. Some viruses, however, are considered to be polymorphic,
meaning they are programmed to mutate themselves by randomizing the use of
different algorithms and keying information to create multiple permutations of a
virus. This can pose some scalability issues in that the number of signatures
developed by the vendor to catch the original and mutant viruses can increase
significantly. The signature database will in turn grow to the point where system
performance is affected. Flow-based techniques do offer marginal performance
gains, but these gains are often negated by having to match the stream of data
against a large and ever swelling database of virus variants. The perfomance
gains are also weighed against the price of lower detection rates.
Flow-based scanning can be enabled on certain specific FortiGate devices
through the CLI.
File-Based Scanning
The FortiGate device uses an alternate technique where files are reassembled
before application-aware proxy methods are used for file analysis. This approach
allows the FortiGate unit to counteract evasion techniques by unpacking and
decrypting files prior to inspection.
As data is transferred between the hosts, the FortiGate system intercepts the file
fragments as they are delivered to the client who requested the file download.
Once all the fragments have been received, the FortiGate unit reassembles the
complete file for analysis. If the file is found to be compressed, an unpacker is
called upon to expose the true contents of the file. If the file is encrypted, the
FortiGate unit emulates the file execution to decrypt the data to the point where
the contents are exposed and can be accurately analyzed for threats. The final
exposed data is subject to application-specific scanning, designed to best capture
and thwart any threat.
By using emulation routines, the FortiGate unit requires just one signature to
detect any variation of the polymorphic virus. Only the signature of the exposed
file needs to be checked, removing the need to manage a collection of signatures
for each permutation of the virus.
By going the extra length to unpack and decrypt files, the FortiGate method
delivers higher detection and accuracy rates.
Using deep-file analysis and proxy-based application engines, the FortiGate unit
subjects files to multple layers of content, protocol and heuristic analysis allowing
the system to detect even the most sophisticated polymorphic content.
The FortiGate unit’s file-based scanning technique has proven to be very effective
and monthly testing by an independent third-party organization (ICSA) shows a
100% capture rate for active viruses on the Internet, a claim that can not be made
by stream-based vendors. Fortinet’s solution provides protection beyond wild list
viruses to include heuristics analysis and file emulation techniques to dynamically
detect polymorphic virus and new threat variants.

312 01-4200-0201-20100604
Threat Management Threat Management Architectural Components
Threat Management Architectural Components

The architectural components involved in threat management on the FortiGate
unit include the following:
• Proxies
• Application proxies
• SSL proxy
• Web proxy
• SSL VPN proxy
• IPS engine
• Scanunit daemon
• URL filter daemon
• Update daemon
Proxies
Application Proxies
Each protocol that can be inspected has a dedicated transparent proxy in the
FortiOS architecture. This proxy sits between the client and the server
intercepting all connections (requests and responses).
Tasks performed by the application proxies include:
Making Decisions
The proxy, in cooperation with the inspection daemons (antivirus, antispam or
webfiltering) is responsible for making the decision to buffer, pass or block data
passing through the FortiGate based on the policies in place.
Buffering Files
When a client connects to a server and makes a request, it expects to receive
data in response. The proxy for certain protocols will buffer the server's response
before flushing it to the client. While buffering and flushing, the proxy sends no
information to the client and server.
A problem arises if the server response is large, or the proxy to server or proxy to
client connection is slow since the buffering or flushing stage can take a relatively
long time. This delay can be longer than the minimum timeout dictated by the
application protocol. As well, some clients do not follow standards and may close
a connection before the minimum timeout interval has elapsed. The client
therefore closes the connection without receiving a response.
Splicing is a technique that keeps the client from timing out and closing the
connection. This features sends some of the server's response to the client while
buffering it. The final part is withheld from the client while the proxy inspects it. If
the response is clean the final part is sent; if the inspection daemon identifies this
portion as infected the client and server connections are closed after sending any
appropriate error responses or replacement message. Depending on the details
of the application protocol, the client either discards the incomplete response or
accepts the substituted infection notification. Splicing is used for FTP uploads, or
for email protocols such as SMTP, POP and IMAP.

01-4200-0201-20100604 313
Threat Management Architectural Components Threat Management
To avoid timeouts on HTTP and FTP upload a similar technique called client
comforting can be used. Client comforting can be fine tuned by configuring the
following parameters:
• Interval: time in seconds before client comforting starts after the download or
upload has begun. It is also the time between subsequent intervals.
• Amount: number of bytes sent at each interval.
Logging Content, Replacement Messages and File Size Calculations

The proxies are also responsible for logging content, displaying replacement
messages when a specific action has been triggered, calculating the file size and
taking the corresponding action when oversized file limits are put in place.
SSL Proxy
To provide antivirus, antispam and web filtering inspection on SSL encrypted data
streams, an SSL proxy has been introduced. The SSL proxy is used to
encrypt/decrypt data streams before feeding them to the standard application
proxies.
Web Proxy
The FortiGate device can be configured to operate as an explicit web proxy for
HTTP and HTTPS sessions through the use of an internal web proxy.
SSL VPN Proxy

The SSL VPN Proxy provides the ability to establish secure connections between
remote clients and the FortiGate unit through an SSL VPN. When the connection
is established the FortiGate unit provides access to selected services and network
resources through a web portal.
IPS Engine
The IPS engine is responsible for examining traffic and comparing it against
known and customized intrusion signatures. The IPS engine and signature
database on the FortiGate unit are updated automatically through the FortiGuard
Distribution Network.
Scanunit Daemon
The scanunit daemon is responsible for much of the functionality of the threat
management system. The scanunit daemon performs the first level of parsing on
data arriving at the FortiGate unit. The antivirus engine is invoked by the daemon
to perform scanning on the data and communicate the result of the scan back to
the proxies. Based on this result, the proxies will decide which action to take.
The scanunit daemon will decompress or unpack files received by the FortiGate
unit and will examine the files to determine their final uncompressed size. This
information is returned to the proxies to allow it to determine if the file is over the
size limits in place.
The scanunit will also examine data to determine if any banned words have been
used or if any banned ActiveX and Java applets have been used.
If file pattern filtering has been configured on the FortiGate unit, the scanunit
daemon will be responsible for checking if the patterns exist.

314 01-4200-0201-20100604
Threat Management Threat Management Architectural Components
When file quarantine is configured, the scanunit will determine if the file matches
the quarantine requirements.
The file checksum values will be calculated and compared to the values for known
viruses.
The antispam engine is also invoked by the daemon to perform various filtering
techniques depending on the mailing protocol used.
URLFilter Daemon
The URLFilter Daemon will query the FortiGuard service for URL ratings on behalf
of the proxy and will calculate and forward the appropriate action as described in
the protection profile.
Update Daemon
The update daemon will query for, and download, signature and engine updates.
When a virus is detected, the update daemon will report its existence back to the
FortiGuard Service in order to maintain the active and extended virus database
contents.

01-4200-0201-20100604 315
Threat Management Architectural Components Threat Management

316 01-4200-0201-20100604
LESSON 8
Antivirus
317
www.fortinet.com
Antivirus Virus Types
Lesson 8 Antivirus
The antivirus capabilities of the FortiGate unit detect and eliminate viruses,
trojans, worms and spyware, in real-time. The FortiGate unit scans incoming and
outgoing email attachments (SMTP, POP3, IMAP) and all FTP and HTTP traffic,
including web-based email, without degrading web performance. Antivirus
gateways close the vulnerability window by stopping viruses, trojans, spyware and
worms before they enter the network.
Virus Types
A computer virus infects a computer without the permission or knowledge of the
user. While the term virus is used generically to define any infectious software,
threats can vary.
Virus
A true virus is a self-replicating piece of programming code spread through the
network when executable code is passed to another computer by a user on the
infected computer. The user unknowingly sends the data over the network or the
Internet, or carries it on a removable device such as a CD, DVD, or USB drive.
Viruses are usually malicious, and can cause a variety of damage to the infected
computer such as deleting data, reformatting the hard drive or passing control of
the computer to a hacker.
Trojan
An application contains a trojan when it unloads hidden programs, scripts, or any
number of commands without the user's knowledge or consent. Malicious trojans
conceal and install applications on an affected computer. A trojan is not really a
virus, since the code is not self-replicating. Trojans often appear to perform a
desirable function, but in fact, perform undisclosed malicious functions, such as
allowing unauthorized access to the host machine.
Worm
A worm is a self-replicating computer program that exploits network weaknesses
to send copies of itself to other computers on the network without any user
intervention. Unlike a virus, worms do not need to attach themselves to an
existing program. Worms almost always cause at least some harm to the network,
if only by consuming bandwidth, whereas viruses almost always corrupt or modify
files on a targeted computer.
The FortiGate unit uses virus definitions to detect and remove viruses, worms,
trojans, and other threats from content as it passes through the FortiGate unit.

01-4200-0201-20100604 319
Antivirus Elements Antivirus
Antivirus Elements
The antivirus elements work in sequence to provide an efficient method of
scanning incoming files. Some elements have specific functions, while heuristics
is used to cover any new, previously unknown, virus threats. These elements work
together to offer the network unparalleled virus protection. To ensure that the
system is providing the most protection available, all virus definitions and
signatures are up dated regularly through the FortiGuard Subscription Services.
The FortiGate unit performs antivirus processing in the following order:
• File size
• File pattern
• Virus scan
• File type
• Grayware
• Heuristics
The antivirus scan starts from the least resource-intensive element to the most
resource-intensive element. If a file fails any of the elements of the antivirus scan,
no further scans are performed. For example, if the file fakefile.exe, is recognized
as a blocked pattern, the FortiGate unit will send the end user a replacement
message and the file will be deleted or quarantined. The virus scan, grayware and
heuristic scans will not be performed as the file has already been found to be a
threat and has been dealt with; there is no need to use further system resources
on the file at this time.
File Size
The size of a file will be checked against preset thresholds and will be blocked if it
is outside the allowed range. This scan is performed first as further checks against
the file will not be necessary on oversized files, saving system resources for other
processing operations. File size checks are enabled though Protocol Options.
File Pattern
Once the full file is received, the FortiGate unit verifies the file against the file
pattern filter. If the file is a blocked pattern, .exe for example, then it is stopped
and a replacement message is sent to the end user. No other levels of protection
are applied. If the file is not a blocked pattern or type, the next level of protection is
applied. File filters should be configured to block all files that are a potential threat
and to prevent active computer virus attacks.
Virus Scan
If the file is passed by the file pattern filter, a virus scan will be applied to it. The
virus definitions are kept up to date through the FortiGuard Subscription Services.
File Type
In addition to file pattern checking, the FortiGate unit can be configured to analyze
the file and determine its type, regardless of the file name. A list predefined types
is available on the FortiGate unit.

320 01-4200-0201-20100604
Antivirus Antivirus Elements
Grayware
Once past the file pattern filter, file type filter and the virus scan, the incoming file
will be checked for grayware. Grayware programs are unsolicited commercial
software programs that get installed on computers, often without the user’s
consent or knowledge. Grayware programs are generally considered an
annoyance, but these programs can cause system performance problems or be
used for malicious ends.
Heuristics
After an incoming file has passed the grayware scan, it is subjected to a heuristics
scan. The FortiGate heuristic engine performs tests on the file to detect virus-like
behavior or known virus indicators. In this way, heuristic scanning may detect new
viruses, but may also produce some false positive results.

01-4200-0201-20100604 321
File Filters Antivirus
File Filters
File filters are configured to block files that are a potential threat and to prevent
active computer virus attacks.
Files can be blocked by name, extension, or any other pattern. For example,
adding *.exe to the File Pattern List will block any files ending in .exe. File pattern
entries are not case sensitive. In addition to the built-in patterns provided by
default on the FortiGate unit, customized file patterns can be added to the File
Pattern List.
In addition to file pattern checking, the FortiGate unit can analyze a file and
determine its type, regardless of the file name. The list of types available to filter
against is pre-configured on the FortiGate unit.
File Filter Actions

The FortiGate unit can apply one of the following actions towards files that match
a configured pattern or type.
Allow
If the file filter action is set to Allow, a matching file will be allowed to pass and the
next antivirus action will be performed.
Files are compared to enabled file patterns from top to bottom. If a file does not
match any specified patterns, it is passed along to antivirus scanning. In effect,
files are allowed if not explicitly blocked. Using the Allow action, this behavior can
be reversed with all files being blocked unless explicitly passed. Simply enter all
the file patterns to be passed with the Allow attribute. At the end of the list, an all-
inclusive wildcard (*.*) can be added with a Block action. Files that were allowed
continue to antivirus scanning while files not matching any allowed patterns are
blocked by the wildcard at the end.
Block
If the file filter action is set to Block, the file will be stopped and a replacement
message will be sent to the user.
If both File Filter and Virus Scan are enabled, the FortiGate unit will block files that
match the enabled file filters and will not pass the files along to be scanned for
viruses.
When the file is blocked by the file filter, the FortiGate unit writes a message to the
virus log and sends an alert email message if configured to do so.

322 01-4200-0201-20100604
Antivirus File Filters
Defining File Filters

Multiple File Filter Lists can be added on the FortiGate device and the appropriate
list can be selected within individual antivirus profiles.
To view the list of file filters currently available on the FortiGate unit, go to UTM >
Antivirus > File Filter.
To view or modify any individual file filter, click to select the filter from the list and

01-4200-0201-20100604 323
New file filters can be defined by clicking Create New on the File Filter List page
and assigning a name for the filter.
Click OK.
New File Patterns or File Types can be defined.

324 01-4200-0201-20100604
File Pattern Filtering

File patterns can be up to 80 characters long. The maximum number of file
patterns in a list is 5000.
A pre-defined File Pattern List called built-in patterns contains common file
patterns to block. To view these patterns, click to select the built-in pattern list and
click Edit ( ) or double-click the entry. Click the arrow to expand the File Patterns
list.
To enable the blocking of a pattern in this list, click the checkbox for the name of
pattern and click Enable ( ).

01-4200-0201-20100604 325
To create a new file pattern filter, click Create New and define the parameters of
the file pattern filter as needed.
Filter Type Select File Name Pattern.

Pattern Type the pattern to filter against.
Action Select Allow or Block.
Enable Click to enable the filter.

326 01-4200-0201-20100604
File Type Filtering

To filter based on a file type, click Create New and define the parameters of the
filter, selecting a file type from the pre-defined list.
Filter Type Select File Type.

File Type Select the File Type to be filtered from
the list.

01-4200-0201-20100604 327
Only supported file types can be used in the filter. File types available for selection
include:
Archive arj, cab, lzh, rar, tar, zip, bzip, gzip,
bzip2
Batch File bat
Common Console Document msc
Encoded Data uue, mime, base64, binhex
Executable elf, exe
HTML Application hta
HTML File html
Java Application Descriptor jad
Java Compiled Bytecode cod
Javascript File javascript
Microsoft Office msoffice
Packer fsg, upx, petite, aspack
Palm OS Application prc
Symbian Installer System File sis
Windows Help File hlp
activemime activemime
Images jpeg, gif, tiff, png, bmp
Ignored Filetype ignored
Unknown Filetype unknown
The Ignored Filetype is used for traffic that the FortiGate unit typically does not
scan, including streaming audio and video.
The Unknown Filetype is used for any file type that is not listed in the table.

328 01-4200-0201-20100604
Antivirus Virus Databases
Virus Databases
The FortiGate unit uses virus definitions to detect threats as content passes
through the FortiGate unit. The virus definitions on the FortiGate unit are
refreshed every time the FortiGate unit receives an update from the FortiGuard
Server. A valid FortiGuard Subscription Services license is required to receive
antivirus definition updates once the initial one-month trial period has expired.
Three different virus databases can be enabled on the FortiGate unit.
To view the database information, go to UTM > Antivirus > Virus Database.
Regular Virus Database

The Regular Virus Database includes the most commonly seen viruses on the
network. These viruses are referred to as being “in the wild” since FortiGuard
Subscription Services has detected recent activity for the viruses. This database
is usually adequate for virus filtering on most networks.
Extended Virus Database

The Extended Virus Database is used in enhanced security environments since it
contains viruses which are displaying current activity, plus “zoo” viruses which
FortiGuard Subscription Services has not detected any recent activity on, but
have been found in the past.

01-4200-0201-20100604 329
Virus Databases Antivirus
Flow-Based Virus Scanning

Flow-based virus scanning provides an alternative to the file-based scanning
methods traditionally used on the FortiGate unit. With flow-based scanning, files
are scanned for viruses as they are read by the device, improving performance
over file-based virus scanning but with a lower catch rate. Flow-based virus
scanning is available on certain specific device models and is enabled though the
CLI using the following commands:
config antivirus settings
set default-db flow-based

330 01-4200-0201-20100604
Antivirus Virus Databases
Updating the Antivirus Definitions

Usually the antivirus definitions are updated automatically through the FortiGuard
Subscription Services. Go to System > Maintenance > FortiGuard to view the
details of the antivirus definitions currently in use on the FortiGate unit. A valid
FortiGuard Subscription Services license is required to receive antivirus definition
updates once the initial one-month trial period has expired.
The antivirus definitions can also be updated manually by clicking Update Now in
the Antivirus and IPS Options.
See Lesson 6 - FortiGuard Subscription Services for further details on updating
antivirus definitions.

01-4200-0201-20100604 331
Grayware Antivirus
Grayware
The FortiGate unit scans for known grayware executable programs. The list is
refreshed whenever the FortiGate unit receives a virus update package. Grayware
detection is enabled through the Virus Database list.
Grayware Categories
Grayware filtering is applied to a variety of program types. All Grayware
categories are filtered on when Grayware Detection is enabled.
Adware
Adware is usually embedded in freeware programs and causes ads to pop up
whenever the program is opened or used. This advertising content may take many
forms, but is typically in the form of browser pop-up advertisements. Under most
circumstances a user is not aware of the adware component being installed on the
local machine, it may be surreptitiously installed along with a desired piece of
software or as an upgrade for additional functionality in one's web browsing
software. There can be a fine line between Adware and Spyware, as often adware
contains a spyware component.
Browser Helper Objects

Browser Helper Objects (BHO) are designed to be supplementary applications or
plug-ins designed to add additional capabilities to a web browser. However, BHOs
can be used for malicious purposes. BHOs can also be used to capture search
results, install software without user knowledge, display advertisements, change
the default web page, and so forth. An operating BHO can be undetectable to a
user during regular browser use and can control the behavior of Internet Explorer.
Not all BHOs are malicious, but the potential exists to track surfing habits and
gather other information.

332 01-4200-0201-20100604
Antivirus Grayware
Dialers
Dialers can be used to make unwanted calls through a user's modem or Internet
connection. As with most forms of spyware it is typically installed without the
user's knowledge, or educated consent. In the event that a dialer is installed a
user may discover unexpected toll charges on their phone bill as dialers allow
others to use the PC modem to call premium numbers or make long distance
calls.
Downloaders
Downloaders are malicious applications that retrieve files, such as advertising and
dial software from a remote location. Typically the files are for local installation. A
downloader application is under most circumstances stealthily installed without
user consent or knowledge. There are also times when a downloader will be
installed during the installation of a desired program. One of the signs that a
downloader is operating on a host is the detection of a spurious connection
attempt by a personal firewall. Under many circumstances this connection is
initiated by an unrecognized application.
Games
Games are computer programs that are intended for computer users' pastime.
Games are usually joke or nuisance games that could be blocked from network
users.
Hacker Tools
Hacker tools are typically used for security auditing and analysis. They do,
however, have an alternative purpose. Such tools are typically used to subvert
existing network and host security. Hacker tools can also be downloaded to crack
server password files, or overwhelm network servers. Many corporate
environments have policies prohibiting the possession of such software.
Hijackers
These are applications that manipulate the web browser or other settings to
change the user's favorite or bookmarked sites, start pages, or menu options.
Some hijackers have the ability to manipulate DNS settings to reroute DNS
requests to a malicious DNS server.
Jokes
These are applications typically received by email. The intent of joke software is to
cause the user confusion and/or distress. Jokes will often cause undesired visual
effects on the user's display. Some jokes alter the look of the display by changing
color schemes or backgrounds. Others will open a large number of Internet
browser windows, or display inappropriate content on the screen. Jokes have
been reported that analyze the host system seemingly scanning for viruses. Once
finished the joke may inform the user that a selection of randomly selected files
are viruses. Joke programs can include custom cursors and programs that appear
to affect the system.

01-4200-0201-20100604 333
Grayware Antivirus
Keyloggers
Keyloggers are applications that log input to the computer through the keyboard
and/or mouse. Keylogging applications under many circumstances are
downloaded and installed purposefully by a malicious user. These applications
can be used to capture passwords, record instant messaging conversations, send
email and so forth. The keylogger may record the information locally for later
retrieval. Alternatively, some keyloggers will transmit data to a third party in a
remote location. Typically, keylogger applications are operating in an obscured
manner.
Misc
These applications or components are uncategorized due to multiple
functionalities, or otherwise non-malicious behavior. These applications may also
qualify as Grayware.
NMT
These are applications that could be used for malicious purposes. They may
function as applications that alter network settings, disrupt network security, or
possibly cause other forms of network disruption. These applications could also
be used for legitimate purposes or in-house research such as risk management
amplitude tests.
P2P
These are applications that are installed to perform file exchanges. P2P, while a
legitimate protocol, is synonymous with file sharing programs that are used to
swap music, movies, and other files. Some P2Ps are being used as an entry point
for viruses.
Plugins
These are applications that are aimed to add additional programs or features to an
existing application in an attempt to control, record, and send browsing
preferences or other information back to an external destination.
Remote Access Tools

Remote Access Tools (RAT) allow outside users to remotely change and monitor
a computer on a network.
Spyware
Spyware typically refers to the component of an adware that is responsible for
tracking a user's activities. Under most circumstances, the activities the author of
the spyware is interested in, are those performed online. The spyware component
will usually report online activities to a central server, or network. This network can
then compile a profile of the user's activities. Targeted advertising can then be
displayed based on the user's online habits. Under rare circumstances the
spyware can be particularly malicious in that it can report very detailed activities to
a third party. This may include personally identifiable data.

334 01-4200-0201-20100604
Antivirus Grayware
Toolbars
Toolbars are applications installed into a user's Internet browser. Under most
circumstances Toolbars are not hidden from plain view. Toolbars are often
installed to augment the capabilities of Internet browsing software. Toolbars are
offered by many legitimate companies for harmless reasons; often allowing easier
or faster access to content. This may take the form of offering such things as a
search box, or perhaps buttons allowing access to often-visited web sites.
Toolbars can however be used to cause undesired browser behavior. Some
toolbars work with adware. Still others, like BHOs, may re-direct search results, or
send personally identifying data or user browsing habits to a third party.

01-4200-0201-20100604 335
Heuristics Antivirus
Heuristics
After an incoming file has passed the first three antivirus elements, it is subjected
to a heuristics inspection. The FortiGate heuristic engine performs tests on the file
to detect virus-like behavior or known virus indicators. In this way, heuristic
scanning may detect new viruses, but may also produce some false positive
results.

336 01-4200-0201-20100604
Antivirus Quarantine
Quarantine
FortiGate units with a local disk can quarantine blocked and infected files. The
Quarantined File List displays the file name and status information about the file
that has been quarantined. Also, specific files can be submitted and file patterns
added to the AutoSubmit list for automatic uploading to Fortinet for further
analysis.
FortiGate units without a local disk can quarantine blocked and infected files to a
FortiAnalyzer unit. Files stored on the FortiAnalyzer unit can be retrieved for
viewing.
Quarantine Options
Infected, suspicious and blocked files can be quarantined based on their protocol.
Go to UTM > Antivirus > Quarantine to configure the quarantine options.
When quarantining to a local disk, define the attributes for the quarantined files.
Quarantine Infected Files Select the protocols to be filtered for

quarantine files.
Quarantine Suspicious Files Select the protocols to be filtered for
suspicious files.
Quarantine Blocked Files Select the protocols to be filtered for
blocked files.
Quarantine To Select the destination for the
Quarantined Files, either the hard disk
on the FortiGate unit or a FortiAnalyzer
device.
Max Filesize to Quarantine The file quarantine will be limited to the
size defined here. Files beyond this limit
will not be able to be quarantined.

01-4200-0201-20100604 337
Quarantine Antivirus
Disk Age Limit Quarantine files will be kept on the disk

for the time limit defined.
Low Disk Space When disk space becomes limited, older
files can be overwritten or new files can
be dropped.
Enable AutoSubmit Enable to allow the FortiGate unit to
submit suspicious files to FortiGuard
Subscription Services for further
analysis.
When quarantining to a FortiAnalyzer device, only the following attribute needs to

be defined:
Max Filesize to Quarantine The file quarantine will be limited to the

size defined here. Files beyond this limit
will not be able to be quarantined.

338 01-4200-0201-20100604
Quarantined Files List

The Quarantined Files list displays information about each file quarantined as a
result of virus infection or file blocking. The list can be sorted by file name, date,
service, status, duplicate count, or time to live (TTL). The list can also be filtered
to view only Quarantined Files with a specific status or from a specific service. To
view the Quarantined Files list, go to Log&Report > Archive Access > Quarantine.

01-4200-0201-20100604 339
Quarantine Antivirus
Quarantine Virus Senders

Client sending viruses can also be quarantined based on their source IP address
or interface. In the antivirus profile, enable Quarantine Virus Sender (to Banned
User List).

340 01-4200-0201-20100604
Banned User List

The Banned User list displays all quarantined users and can be used by the
administrator to selectively release users from quarantine. Optionally, quarantine
can be configured to expire after a selected time period. Depending on the
quarantine settings, the user’s quarantine might apply only to particular traffic,
such as traffic to the victim of an IPS attack.
To view the Banned User List, go to User > Monitor > Banned User.

01-4200-0201-20100604 341
Antivirus Profiles Antivirus
Antivirus Profiles
Antivirus operations to be applied to network traffic are defined through antivirus
profiles. The antivirus profiles are in turn enabled within firewall policies; any traffic
being examined by the policy will have the antivirus operations applied to it.
The view the list of antivirus profiles on the FortiGate unit, go to UTM > Antivirus >
Profile.
To vew or modify an antivirus profiles in the list and click Edit ( ) or double-click
the entry.

342 01-4200-0201-20100604
Antivirus Antivirus Profiles
New antivirus profiles can be defined by clicking Create New on the Antivurs
Profile List. Define the parameters of the profile.
Name Enter name for the antivirus profile.

Virus Scan Identify the protocols to be scanned for
viruses. Click Logging if virus activity is to
be logged.
File Filter Identify the protocols to be scanned for
file filter matching. The File Filter List to
be used within this antivirus profile is
selected from the Options column. Click
Logging if file filter matching activity is to
be logged.
Quarantine Identify the protocols to be scanned for
quarantine matching.
Quarantine Virus Sender Check to add the sender of a virus to the
Banned User List. The user’s source IP
address or the interface of the incoming
virus can be used as the basis for the
quarantine. The length of time for the
quarantine can be defined as a period of
minutes or indefinitely. Click Logging if
quarantine activity is to be logged.

01-4200-0201-20100604 343
Antivirus Profiles Antivirus
Enabling Antivirus Profiles in Firewall Policies

The antivirus profile used to enable the antivirus elements is identified when a
firewall policy is created. Any traffic passing through the firewall when the policy is
in use will be filtered based on the elements identified in the antivirus profile.
Click to enable UTM filtering in the policy. Click to enable Antivirus filtering and
select the name of the antivirus profile. Click Edit ( ) to modify the attributes of
the antivirus profile directly from the New Policy window.
A Protocol Options list must be selected when Antivirus is enabled.

344 01-4200-0201-20100604
Antivirus Antivirus Suggested Practices
Antivirus Suggested Practices

Oversize Threshold
To optimize memory utilization, consider lowering thresholds on some protocols
(for example, mail protocols and HTTP) leaving a higher threshold on FTP. This is
particularly important if the FortiGate unit is frequently entering conserve mode.
Configure the FortiGate unit to buffer one to 15 percent of available memory to
store oversized files and email. The FortiGate unit then blocks a file or email that
exceeds this limit instead of bypassing antivirus scanning and sending the file or
email directly to the server or receiver. The FortiGate unit sends a replacement
message for an oversized file or email attachment to the HTTP or email proxy
client.
Administrators can block oversized files by selecting block for Oversized
File/Email in the Protocol Options window.
Consider reducing the Oversize Threshold memory settings if the FortiGate unit
shows persistently high memory usage.
File Pattern Checking

Blocking based upon file patterns can improve the overall performance of the
FortiGate unit by avoiding the need to scan the file.
Note: Use of the file filters can adversely affect the ability of individual proxies to
perform early detection of streaming media and bypass buffering of files. If streaming
media needs to be passed, disable file filters to ensure that the streaming media is not
buffered.
Scanning (General)
To optimize performance, avoid scanning files twice. This is of particular
importance with email. Where possible, scan email either as it arrives at the mail
server or is retrieved by the client, rather than on both occasions.
Quarantine
Use quarantine if false positives are anticipated and there is a need to be able to
release files to end users or conduct further antivirus analysis/submission.
Content Archive
Full content archiving can place great demands on storage capacity and on the
network used to transmit the data.
Consider using summary-level content archiving and/or use content archiving
selectively unless transaction archiving is required for auditing purposes.
If full archiving for all traffic is required, make sure that any remote logging device
is located in close proximity to the FortiGate unit using a dedicated network
interface on the FortiGate device.

01-4200-0201-20100604 345
Configuring Global Antivirus Settings Antivirus
Lab 7 Antivirus Scanning

Objectives
In this exercise, global antivirus settings will be explored including:
• Ensuring that antivirus definitions are updated through the FortiGuard
Subscription Services.
• Enabling file pattern blocking.
• Enabling Grayware scanning.
• Setting up file quarantine with the FortiAnalyzer device.
• Enabling antivirus scanning for web proxy server.
• Customizing antivirus replacement messages.
Tasks
• Exercise 1 Configuring Global Antivirus Settings
• Exercise 2 Configuring an Antivirus Profile
• Exercise 3 Testing Antivirus Scanning for HTTP
Timing
Exercise 1 Configuring Global Antivirus Settings

1 Confirm that the FortiGate Antivirus Database versions are up to-date. Go to
the FortiGuard Center web page at the following address:
www.fortiguard.com
Locate and note the current database version shown in the Update Center
pane of the FortiGuard Center web page.
2 From Web Config, go to System > Maintenance > FortiGuard. Locate the AV
Definitions version information for the FortiGate unit.
This information can also be accessed from the License Information widget at
System > Dashboard > Status.
The equivalent CLI commands are:
get system status
diagnose autoupdate versions
3 If required, update the AV definition versions by going to System >
Maintenance > FortiGuard. Expand Antivirus and IPS Options. Click Update
Now.
Note: The update may take several minutes to complete. In the meantime, continue
with the lab.

346 01-4200-0201-20100604
Antivirus Configuring Global Antivirus Settings
The equivalent CLI commands to invoke an FDN check and AV/IPS update are
as follows:
exec update-av
exec update-now
4 To help slow the spread of potentially malicious viruses and unauthorized
program applications from being installed, all *.exe and *.com files will be
blocked from being downloaded from the web, by FTP as well as all email
attachments.
In Web Config, go to UTM > AntiVirus > File Filter. Select the builtin-patterns
list and click Edit ( ) or double click the entry in the list. Expand File Patterns
and select the *.exe and *.com file patterns. Click Enable ( ).
Click OK.
5 Go to UTM > AntiVirus > Virus Database. Enable Grayware Detection to scan
for malicious grayware-type installers.
Click Apply.
6 File quarantine is available if the FortiGate unit model has an internal hard disk
or if a FortiAnalyzer device is available. Go to UTM > AntiVirus > Quarantine
and enable quarantine to Disk. (If using a FortiGate device without a hard disk,
enable quarantine to the online FortiAnalyzer device.)
Configure the quarantine settings as follows:
Quarantine Infected Files enable all protocols

Quarantine Suspicious Files enable all protocols
Quarantine Blocked Files enable all protocols
Max Filesize to Quarantine 50 MB
Disk Age Limit 168 hours (7 days)
Low Disk Space Overwrite oldest file
Click Apply.
7 Replacement messages are substituted for the infected file when the FortiGate
antivirus engine detects a virus. Go to System > Config > Replacement
Message. Expand HTTP. Click Edit ( ) to view the default Virus message and
File block messages for HTTP.
Alternately, display the same Replacement Messages in the CLI with the
following commands:
show system replacemsg http [http-virus/http-block/...]
Note: Some replacement messages are stored in raw HTML code. Make sure that the
correct syntax is used and preserve the existing HTML tags. An external HTML editor
can be used to create the replacement message and then copy and paste the resulting
HTML code into the FortiGate replacement message text windows.

01-4200-0201-20100604 347
Configuring an Antivirus Profile Antivirus
Exercise 2 Configuring an Antivirus Profile

1 Go to UTM > Antivirus > Profile. Click Create New and assign the following
settings to the profile:
Name Standard
Virus Scan Enable all protocols and Logging.
File Filter Enable all protocols and Logging.
Select builtin-patterns from the
Options drop-down list.
Quarantine Enable all protocols.
Click OK.
2 Go to Firewall > Policy > Policy. Modify the default policy to enable UTM.
Enable Antivirus and select the Standard antivirus profile.
A Protocol Options list must be selected when Antivirus is enabled. Select the
the default list.
Click OK.
Exercise 3 Testing Antivirus Scanning for HTTP

1 In a web browser, type the following address:
http://eicar.org
2 On the page presented, click the Anti-Malware Test File link and attempt to
download the eicar.com file.
This file does not contail a real virus but will trigger a virus or grayware
signature and will be stopped by the FortiGate unit.
The HTTP Virus message is shown when the files that are infected or blocked
have been quarantined. In the message that is displayed, there is a link to the
Fortinet Virus Encyclopedia that provides information about the detected virus.
3 Go to Log&Report > Archive Access > Quarantine. The files that have been
quarantined will be listed.
Note: There may be policies in place from previous exercises that could allow the files
to be downloaded. If the above steps do not work, go to the firewall policies and ensure
that all other policies other than the default are disabled.
4 Go to Log&Report > Log Access > Antivirus. Click Disk to view the Antivirus
event messages.

348 01-4200-0201-20100604
LESSON 9
Email Filtering
349
www.fortinet.com
Mail Filtering
Lesson 9 Email Filtering

Email filtering can be configured to manage unsolicited commercial email by
detecting spam email messages and identifying spam transmissions from known
or suspected spam servers.
To judge an email message as spam is quite subjective. Most people easily agree
on some email message as being spam, such as Viagra ads and Nigerian scam
messages. Some may include all advertisements and newsletters as spam,
others may consider newsletters as legitimate email.
FortiGuard uses the industry standard's definition of spam as Unsolicited Bulk
Email (UBE). Unsolicited means that the recipient has not granted verifiable
permission for the message to be sent and the sender has no discernible
relationship with all or some of the recipients. Bulk means the message is sent as
part of a larger collection of messages, all having substantively identical content.
A message is considered spam if it is both unsolicited and bulk. Unsolicited email
can be normal email, such as first contact enquiries, job enquiries, and sales
enquiries. Bulk email can be normal email, such as subscriber newsletters,
customer communications and discussion lists. The message content is generally
irrelevant in determining whether a message is spam though most are commercial
in nature.
Generally, an email message is considered to be spam if:
• The recipient's personal identity and context are irrelevant because the
message is equally applicable to many other potential recipients.
• The recipient has not verifiably granted deliberate, explicit, and still-revocable
permission for it to be sent.
FortiGuard uses spam probes located around the world to attract spam email.
This information is continuously updated to ensure accurate spammer lists and
improves spam detection rates.

01-4200-0201-20100604 351
Email Filtering Actions Mail Filtering
Email Filtering Actions

The FortiGate unit can either tag or discard email that it determines to be spam.
Tagging affixes a custom word or phrase to the subject line or a MIME header and
value into the body of email identified as spam. Any email filter action can be
logged to the event log. Each email filter passes the email to the next filter if no
matches or problems are found.
Tag
To affix the tag to the subject line, the FortiGate unit will convert the entire subject
line, including the tag, to UTF-8 by default. This improves the display for some
email clients that cannot properly display subject lines that use more than one
encoding.
Discard
For SMTP, if virus scanning is enabled, spam email can only be discarded.
Discarding immediately drops the connection. If virus scanning is not enabled
SMTP spam can be either tagged or discarded.

352 01-4200-0201-20100604
Mail Filtering Email Filtering Methods
Email Filtering Methods

The FortiGate unit will filter email based on a variety of methods.
IP Address Check
FortiGuard provides a spam IP address blacklist. Fortinet keeps the FortiGuard IP
blacklist up-to-date as new spam sources are found. The FortiGuard service
extracts the SMTP mail server source address and sends the IP address to a
FortiGuard server to see if this IP address matches the list of known spammers. If
the IP address is found, FortiGuard terminates the session. If FortiGuard does not
find a match, the mail server sends the email to the recipient.
URL Check
FortiGuard Subscription Services provides a spam URL blacklist. Fortinet keeps
the FortiGuard URLs up-to-date as new spam sources are found. The FortiGuard
service checks the body of email messages to extract any URL links. These URL
links are sent to a FortiGuard server to see if any are listed. Spam messages
often contain URL links to advertisements (also called spamvertizing). If a URL
match is found, The Fortigate unit terminates the session. If FortiGuard does not
find a match, the mail server sends the email to the recipient.
Email Checksum Check

FortiGuard Subscription Services provides an email message checksum blacklist.
This filtering method calculates the checksum of an email message and sends
this checksum to the FortiGuard servers to determine if the checksum is on the
blacklist. The FortiGate unit then passes or marks/blocks the email message
according to the server response.
Black/White List
The Black/White list can check incoming IP and email addresses against the
configured spam filter IP and Email Address List (SMTP only). An administrator
can add to and edit IP and email addresses to the list and can configure the action
to take as spam, clear, or reject for each IP address. An IP address can be placed
anywhere in the list. The filter checks each IP address in sequence.
HELO DNS Lookup

An administrator can enable or disable checking the source domain name against
the registered IP address in the Domain Name Server. If the source domain name
does not match the IP address, the email is marked as spam and the action
selected in the email filter profile is taken. The logic of this check is that if a
domain is capable of sending mail it should be capable of receiving mail routed by
DNS records.
Return E-mail DNS Check

An administrator can enable or disable checking the incoming email return
address domain against the registered IP address in the Domain Name Server. If
the return address domain name does not match the IP address, the email is
marked as spam and the action selected in the email filter profile is taken.

01-4200-0201-20100604 353
Email Filtering Methods Mail Filtering
Banned Word
Spam can be controlled by blocking email messages containing specific words or
patterns. If enabled in the email filter profile, the FortiGate unit searches for words
or patterns in email messages. If matches are found, values assigned to the
words are totalled. If a threshold value is exceeded, the message is marked as
spam. If no match is found, the email message is passed along to the next filter.
Perl regular expressions or wildcards can be when adding banned word patterns
to the list.
The language to scan against must be defined as well as whether to search the
email body, subject, or both as well as the action to take for each word.
Multipurpose Internet Mail Extensions (MIME) Headers Check

An administrator can enable or disable checking source Multipurpose Internet Mail
Extensions (MIME) headers against the configured spam filter MIME header list.
MIME header filtering is enabled within each email filter profile.
The FortiGate unit compares the MIME header key-value pair of incoming email to
the list pair in sequence. If a match is found, the corresponding action is taken. If
no match is found, the email is passed on to the next spam filter.
MIME headers are added to email to describe content type and content encoding,
such as the type of text in the email body or the program that generated the email.
MIME headers can be added or edited with the option of using wildcards and
regular expressions. Also, the action for each MIME header must be configured as
spam or clear.
Some examples of MIME headers include:
• X-mailer: outgluck
• X-Distribution: bulk
• Content_Type: text/html
• Content_Type: image/jpg
The first part of the MIME header is called the header key, or just header. The
second part is called the value. Spammers often insert comments into header
values or leave them blank. These malformed headers can fool some spam and
virus filters.
Use the MIME headers list to mark email from certain bulk mail programs or with
certain types of content that are common in spam messages. Mark the email as
spam or clear for each header configured.
DNS Blackhole List and Open Relay Database List

An administrator can enable or disable checking email traffic against configured
DNS Blackhole List (DNSBL) and Open Relay Database List (ORDBL) servers.
Some vendors publish a list of IP addresses that users may want to avoid
because of suspicious spamming activities. Add or remove DNSBL and ORDBL
servers the organization subscribes to from the list and configure the action to
take as spam or reject for email identified as spam from each server.
The FortiGate unit compares the IP address or domain name of the sender to any
database lists configured, in sequence. If a match is found, the corresponding
action is taken. If no match is found, the email is passed on to the next spam filter.

354 01-4200-0201-20100604
Mail Filtering Email Filtering Methods
Some spammers use unsecured third-party SMTP servers to send unsolicited

bulk email. Using DNSBLs and ORDBLs is an effective way to tag or reject spam
as it enters the network. These lists act as domain name servers that match the
domain of incoming email to a list of IP addresses known to send spam or allow
spam to pass through.
There are several free and subscription servers available that provide reliable
access to continually updated DNSBLs and ORDBLs. Please check with the
service being used to confirm the correct domain name for connecting to the
server.
Because the FortiGate unit uses the server domain name to connect to the
DNSBL or ORDBL server, it must be able to look up this name on the DNS server.

01-4200-0201-20100604 355
FortiGuard Email Filters Mail Filtering
FortiGuard Email Filters

Fortinet takes a comprehensive and multi-layer approach and uses a number of
filtering techniques to detect and filter spam. A dedicated service team of
engineers and analysts is committed to respond to and resolve any false positive
report and other issues in 24 hours, monitor and analyze latest spam techniques,
continuously update FortiIP and FortiSig databases, and research and design new
spam filters.
Global Filters
FortiGuard Subscription Services provides databases to be used as global filters.
FortiIP is a sender IP reputation database while FortiSig are spam signature
databases. These global filters are constantly updated and enable the FortiGate,
FortiClient and FortiMail products to detect and filter most prevailing spam in the
Internet.
FortiIP Sender IP Reputation Database

Most spam is presently sent from mis-configured or virus-infected hosts.
FortiGuard maintains a global IP reputation database where the reputation of
each IP is built and maintained based on multiple properties relating to this IP
address gathered from various sources. The properties of an IP address include
its Who-is information, geographical location, its service provider, whether it is an
open relay or hijacked host, etc. One of the key properties used to maintain the
reputation is the email volume from this sender as gathered from the FortiGuard
service network. By comparing a sender's recent email volume with its historical
pattern, FortiGuard updates each IP's reputation in real-time and provides a highly
effective sender IP address filter.
FortiSig1
The FortiSig1spam signature database contains spamvertised URLs. About 90%
of spam has one or more URLs in the message body. These URLs are links to
spammers' web sites promoting their products and services. In phishing spam,
these URLs direct one to a fake bank or other financial institution's web site
preying for private financial information. FortiGuard collects spam samples
through the Fortinet global spam trap network and spam sample submissions
received from customers and partners. The URLs are then extracted from the
spam samples which go through rigorous QA processing before they are injected
into the FortiSig Database. The URLs are then subject to a continuous aging
process where obsolete ones are promptly removed.
FortiSig2
The FortiSig2 spam signature database contains spamvertised email addresses.
This database is similar to the spamvertised URLs. Most spam messages have an
email address in the message body that prompts one to contact the spammers.
By extracting these email addresses from the spam sample, these spamvertised
email addresses provide another powerful global filter to identify and filter spam.

356 01-4200-0201-20100604
Mail Filtering FortiGuard Email Filters
FortiSig3
The FortiSig3 spam signature database contains spam object checksums. Using
a proprietary algorithm, objects in spam are identified and a fuzzy checksum is
calculated from each object. The object can be part of the message body or an
attachment. The checksum is then added into the FortiSig database, providing
another highly effective global filter with virtually no false positives.
FortiRule
This global filter uses dynamically updated heuristic rules to identify spam,
exploiting various attributes in the spam message header, body, mime header,
and attachments. With manually crafted heuristic rules for specific spam attacks,
FortiRule further increases the catch rate with virtually no false positives.
Customized Filters
Various customized spam filters are provided to compliment the email filtering
solution on the FortiGate, FortiClient and FortiMail devices. These customized
filters range from banned word filters, local white and black lists of sender email
address, heuristic rules, to techniques such as Bayesian training available with
FortiMail units.

01-4200-0201-20100604 357
Banned Word Mail Filtering
Banned Word
Spam can be controlled by blocking email messages containing specific words or
patterns. If enabled in the email filter profile, the FortiGate unit searches for words
or patterns in email messages. If matches are found, values assigned to the
words are totalled. If a user-defined threshold value is exceeded, the message is
marked as spam. If no match is found, the email message is passed along to the
next filter. Perl regular expressions or wildcards can be used to add banned word
patterns to the list.
Banned words can be one word or a phrase up to 127 characters long. For a
single word, the FortiGate unit blocks all email containing the word. For a phrase,
the FortiGate unit blocks all email containing the exact phrase. To block any word
in a phrase, use Perl regular expressions.
Defining Banned Word Lists

Multiple Banned Word Lists can be added on the FortiGate device and the
appropriate list can be selected for each email filter profile.
To view the list of banned word filters currently available on the FortiGate unit, go
to UTM > Email Filter > Banned Word.
To view or modify any individual Banned Word List, click to select from the list and

358 01-4200-0201-20100604
Mail Filtering Banned Word
New Banned Word Lists can be defined by clicking Create New and assigning a
name for the list.
Click OK and define the parameters of the banned word as needed.

01-4200-0201-20100604 359
Click Create New to define new banned words to appear in the list.
Pattern Type the banned word pattern to filter

against.
Pattern Type Select a pattern type, either Wildcard or
Regular Expression.
Language Select the language the banned word is
filtered against.
Where Identify which part of the message will be
scanned for the banned word, either the
Body of the message, the Subject line, or
Both.
Score The score value of each banned word
appearing in the message is added, and
if the total is greater than the threshold
value set in the email filter profile, the
message is processed according to the
Spam Action. The score for a pattern is
applied only once even if it appears in
the message multiple times.
Enable Click to enable the banned word list.

360 01-4200-0201-20100604
Edit the Banned Words List at any time to add new words or edit or disable any
entries in the list.

01-4200-0201-20100604 361
Using Perl Regular Expressions

The Email Address List, MIME headers list, and Banned Word List entries can
include wildcards or Perl regular expressions.
Regular Expressions and Wildcard Match Pattern

A wildcard character is a special character that represents one or more other
characters. The most commonly used wildcard characters are the asterisk (*),
which typically represents zero or more characters in a string of characters, and
the question mark (?), which typically represents any one character.
In Perl regular expressions, the period (.) refers to any single character. It is
similar to the question mark (?) in a wildcard match pattern. As a result:
• fortinet.com not only matches fortinet.com but also fortinetacom,
fortinetbcom, fortinetccom, and so on.
To match a special character such as (.) and (*) use the escape character (\). For
example:
• To match fortinet.com, the regular expression should be fortinet\.com
In Perl regular expressions, (*) means match 0 or more times of the character
before it, not 0 or more times of any character. For example:
• forti*.com matches fortiiii.com but does not match fortinet.com
To match any character 0 or more times, use (.*) where (.) means any character
and the (*) means 0 or more times. For example, the wildcard match pattern
forti*.com should therefore be fort.*\.com.
Word Boundary
In Perl regular expressions, the pattern does not have an implicit word boundary.
For example, the regular expression test not only matches the word test but also
any word that contains test such as atest, mytest, testimony, atestb. The
notation \b specifies the word boundary. To match exactly the word test, the
expression should be \btest\b.
Case Sensitivity
Regular expression pattern matching is case sensitive in the web and antispam
filters. To make a word or phrase case insensitive, use the regular expression /i.
For example, /bad language/i will block all instances of bad language regardless
of case.

362 01-4200-0201-20100604
Perl Regular Expression Formats

The following table describes some of the Perl regular expression formats.
Expression Matches
abc “abc” (the exact character sequence, but anywhere in the string)
âbc “abc” at the beginning of the string
abc$ “abc” at the end of the string
a|b Either of “a” and “b”
âbc|abc$ The string “abc” at the beginning or at the end of the string
ab{2,4}c “a” followed by two, three or four “b”s followed by a “c”
ab{2,}c “a” followed by at least two “b”s followed by a “c”
ab*c “a” followed by any number (zero or more) of “b”s followed by a
“c”
ab+c “a” followed by one or more “b”s followed by a “c”
ab?c “a” followed by an optional ” b” followed by a “c”; that is, either
“abc” or ”ac“
a.c “a” followed by any single character (not a new line) followed by
a “c”
a\.c “a.c” exactly
[abc] Any one of “a”, “b” and “c”
[Aa]bc Either of “Abc” and “abc”
[abc]+ Any (nonempty) string of “a”s, “b”s and “c”s (such as a, abba,
acbabcacaa)
[âbc]+ Any (nonempty) string which does not contain any of “a”, “b”, and
“c” (such as “defg”)
\d\d Any two decimal digits, such as 42; same as \d{2}
/i Makes the pattern case insensitive. For example, /bad
language/i blocks any instance of bad language regardless of
case
\w+ A “word”: A nonempty sequence of alphanumeric characters and
lines (underscores), such as foo and 12bar8 and foo_1 low
100\s*mk The strings “100” and “mk” optionally separated by any amount
of white space (spaces, tabs, newlines)
abc\b “abc” when followed by a word boundary (for example, in abc!
but not in abcd)
perl\B “perl” when not followed by a word boundary (for example, in
perlert but not in perl stuff)
\x Tells the regular expression parser to ignore white space that is
neither preceded by a backslash character nor within a character
class. Use this to break up a regular expression into (slightly)
more readable parts
/x Used to add regular expressions within other text. If the first
character in a pattern is forward slash '/', the '/' is treated as the
delimiter. The pattern must contain a second '/'. The pattern
between ‘/’ will be taken as a regular expressions, and anything
after the second ‘/’ will be parsed as a list of regular expression
options ('i', 'x', etc). An error occurs if the second '/' is missing. In
regular expressions, the leading and trailing space is treated as
part of the regular expression

01-4200-0201-20100604 363
Examples
To block any word in a phrase use this format:
/block|any|word/
Spammers often insert other characters between the letters of a word to fool spam
blocking software. To block purposely misspelled words use this format:
/^.*v.*i.*a.*g.*r.*o.*$/i
/cr[eéèêë][\+\-
\*=<>\.\,;!\?%&§@\^°\$£€\{\}()\[\]\|\\_01]dit/i
To block common spam phrases use this format: (These phrases are some
examples of common phrases found in spam messages.)
/try it for free/i
/student loans/i
/you’re already approved/i
/special[\+\-\*=<>\.\,;!\?%&~#§@\^°\$£€\{\}()\[\]\|\\_1]offer/i

364 01-4200-0201-20100604
Mail Filtering IP Address Filtering
IP Address Filtering
The FortiGate unit uses both an IP Address List and an Email Address List to filter
incoming email.
When performing an IP address check, the FortiGate unit compares the IP
address of the message’s sender to the IP Address List in sequence. If a match is
found, the action associated with the IP address is taken. If no match is found, the
message is passed to the next enabled spam filter.
Defining IP Address Lists

Multiple IP Address Lists can be added on the FortiGate device and the
To view the list of IP Address Lists currently available on the FortiGate unit, go to
UTM > Email Filter> IP Address.
To view or modify any individual IP Address List, select the list and click Edit ( )
or double-click the entry.

01-4200-0201-20100604 365
IP Address Filtering Mail Filtering
New IP Address Lists can be defined by clicking Create New on the IP Address
List page and assigning a name for the list.
Click OK and define the parameters of the IP address as needed.

366 01-4200-0201-20100604
Mail Filtering IP Address Filtering
Click Create New to add a new IP address entry to the list.
IP/Netmask Type the IP address and netmask to filter

against.
Action Select the action to be taken when an
email message is received from the IP
address being filtered. The message can
be Marked as Spam, Marked as Clear or
Marked as Rejected.
Enable Click to enable the IP Address List.
IP addresses and netmask can be entered in the following formats:

x.x.x.x, for example, 62.128.69.100
x.x.x.x/x.x.x.x, for example, 62.128.69.100/255.255.255.0
x.x.x.x/x, for example, 62.128.69.100/24

01-4200-0201-20100604 367
IP Address Filtering Mail Filtering
Edit the Banned Words List at any time to add new words or edit or disable any
entries in the list.
IP Trust
If the FortiGate unit sits behind a company’s Mail Transfer Units (MTU), it may be
unnecessary to check email IP addresses because they are internal and trusted.
The only IP addresses that need to be checked are those from outside of the
company. In some cases, external IP addresses may be added to the IP trust
table if it is known that they are not sources of spam. Use the iptrust command
from the CLI to add an entry to a list of trusted IP addresses.

368 01-4200-0201-20100604
Mail Filtering Email Address Filtering
Email Address Filtering

When performing an email check, the FortiGate unit compares the email address
of the message’s sender to the Email Address List in sequence. If a match is
found, the action associated with the email address is taken. If no match is found,
the message is passed to the next enabled antispam filter.
Defining Email Address Filters

Multiple Email Address Lists can be added on the FortiGate device and the
To view the Email Address Lists currently available on the FortiGate unit, go to
UTM > Email Filter> E-mail Address.
To view or modify any individual Email Address List, click to select the list and

01-4200-0201-20100604 369
Email Address Filtering Mail Filtering
New Email Address Lists can be defined by clicking Create New on the Email
Address List page and assigning a name.
Click OK.
Click Create New to add a new email address to the list.

370 01-4200-0201-20100604
Mail Filtering Email Address Filtering
Define the parameters of the email address as needed..
E-mail Address Type the email address to filter against.

Pattern Type Select Wildcard or Regular Expression.
Action Select Mark as Spam or Mark as Clear.
Enable Click to enable the email address filter.

01-4200-0201-20100604 371
Email Address Filtering Mail Filtering
Edit the Email Address List at any time to add new addresses or edit or disable
any entries in the list.

372 01-4200-0201-20100604
Mail Filtering Multipurpose Internet Mail Extensions (MIME) Headers Check
Multipurpose Internet Mail Extensions (MIME) Headers Check

An administrator can enable or disable checking source Multipurpose Internet
Mail Extensions (MIME) headers against the configured spam filter MIME header
list.
The FortiGate unit compares the MIME header key-value pair of incoming email to
the list pair in sequence. If a match is found, the corresponding action is taken. If
no match is found, the email is passed on to the next spam filter.
MIME headers are added to email to describe content type and content encoding,
such as the type of text in the email body or the program that generated the email.
Add to and edit MIME headers, with the option of using wildcards and regular
expressions. Also, configure the action for each MIME header as spam or clear.
Some examples of MIME headers include:
• X-mailer: outgluck
• X-Distribution: bulk
• Content_Type: text/html
• Content_Type: image/jpg
The first part of the MIME header is called the header key, or just header. The
second part is called the value. Spammers often insert comments into header
values or leave them blank. These malformed headers can fool some spam and
virus filters.
Use the MIME headers list to mark email from certain bulk mail programs or with
certain types of content that are common in spam messages. Mark the email as
spam or clear for each header configured.
MIME headers check can only be configured using the config
spamfilter mheader command in the CLI.

01-4200-0201-20100604 373
DNS Blackhole List and Open Relay Database List Mail Filtering
DNS Blackhole List and Open Relay Database List

An administrator can enable or disable checking email traffic against configured
DNS Blackhole List (DNSBL) and Open Relay Database List (ORDBL) servers.
Some vendors publish a list of IP addresses that users may want to avoid
because of suspicious spamming activities. Add or remove DNSBL and ORDBL
servers the organization subscribes to from the list and configure the action to
take as spam or reject for email identified as spam from each server (SMTP only).
The FortiGate unit compares the IP address or domain name of the sender to any
database lists configured, in sequence. If a match is found, the corresponding
action is taken. If no match is found, the email is passed on to the next spam filter.
Some spammers use unsecured third-party SMTP servers to send unsolicited
bulk email. Using DNSBLs and ORDBLs is an effective way to tag or reject spam
as it enters the network. These lists act as domain name servers that match the
domain of incoming email to a list of IP addresses known to send spam or allow
spam to pass through.
There are several free and subscription servers available that provide reliable
access to continually updated DNSBLs and ORDBLs. Please check with the
service being used to confirm the correct domain name for connecting to the
server.
Because the FortiGate unit uses the server domain name to connect to the
DNSBL or ORDBL server, it must be able to look up this name on the DNS server.
DNSBL and ORDBL configuration can only be changed using the config
spamfilter dnsbl command in the CLI.

374 01-4200-0201-20100604
Mail Filtering Email Filter Profiles
Email Filter Profiles

Email filtering operations are defined through email filter profiles. The email filter
profiles are in turn enabled within firewall policies; any traffic being examined by
the policy will have the email filtering operations applied to it.
To view the list of email filter profiles on the FortiGate unit, go to UTM > Email
Filter > Profile.
To vew or modify any email filter profiles in the list, select the item and click Edit

01-4200-0201-20100604 375
Email Filter Profiles Mail Filtering
New email filter profiles can be defined by clicking Create New on the Email Filter
Profile List page. Define the parameters of the profile.
IP Address Check Identify the protocols to be scanned for

FortiGuard IP address checks.
URL Check Identify the protocols to be scanned for
FortiGuard URL checks.
Email Checksum Check Identify the protocols to be scanned for
FortiGuard email checksums.
Spam Submission Identify the protocols from which spam
will be submitted to FortiGuard for
examination.
IP Address BWL Check Identify the protocols to be scanned for
IP addresses as well as the name of the
Black/White list to be used.
HELO DNS Lookup Enable to look up the soruce domain
name for SMTP mail messages.
E-Mail Address BWL Check Identify the protocols to be scanned for
email addresses as well as the name of
the Email Address List to be used.
Return E-Mail DNS Check Enable to check that the domain
specified in the reply to or from address
has an A or MX record.

376 01-4200-0201-20100604
Banned Word Check Identify the protocols to be scanned for

banned words as well as the name of the
Banned Words List to be used.
Spam Action Identify the spam action to be taken on
SMTP messages that match a
configured filter, either Tagged or
Discarded.
Tag Location Identify where the tag will be added to
filtered email messages, either the
Subject or MIME (the message body).
Tag Format Type the tag that will be inserted into the
email message when filtered.

01-4200-0201-20100604 377
Email Filter Profiles Mail Filtering
Email Filtering Logging

Logging for email filtering can be enabled within the email filter profile.

378 01-4200-0201-20100604
Enabling Email Filter Profiles in Firewall Policies

The email filter profile used to enable the email filtering elements is identified
when a firewall policy is created. Any traffic passing through the firewall when the
policy is in use will be filtered based on the elements identified in the email filter
profile.
Click to enable UTM filtering in the policy. Click to enable Email Filter and select
the name of the email filter profile. Click Edit ( ) to modify the attributes of the
email filter profile directly from the New Policy window.
When email filtering is enabled in the policy, a Protocol Options list must be
selected.

01-4200-0201-20100604 379
FortiMail Email Filtering Mail Filtering
FortiMail Email Filtering

The FortiMail unit is an integrated hardware and software solution that provides
powerful logging and reporting, antispam, antivirus, and email archiving
capabilities to incoming and outgoing email traffic. The FortiMail unit has an
enhanced set of features for detecting and blocking spam messages and
malicious attachments.
The FortiMail unit employs additional sophisticated antispam technologies that are
not available through the FortiGate unit. The FortiMail unit is able to operate as a
stand-alone email filtering system, or as the second layer of Fortinet’s multi-
layered email filtering solution, to screen both incoming and outgoing email.
FortiMail email filtering techniques for incoming email include:
• Forged IP scanning
• Graylist scanning
• DNSBL scanning
• Deep header scanning
• SURBL scanning
• Bayesian scanning
• Heuristic scanning
• Image spam scanning
• PDF scanning
• Locally-administered black/white lists
• Banned word scanning
• Dictionary scanning
• Sender reputation
The following table compares some of the differentiating features between a

FortiMail and FortiGate unit:
FortiMail FortiGate
Wildlist Virus Protection Yes Yes
Legacy Virus Protection Yes No
Advanced Spam Filtering Yes Limited
Email Quarantine Yes No
Email Archiving Yes Yes, if using a
FortiAnalyzer unit
Email Routing Yes No

380 01-4200-0201-20100604
LESSON 10
Web Filtering
381
www.fortinet.com
Web Filtering Web Filtering Elements
Lesson 10 Web Filtering

FortiGate Web Filtering processes all web content against known malicious URLs
to block inappropriate material and malicious scripts including Java applets,
cookies, and ActiveX scripts entering the network. Fortinet categorizes more than
40 million domains and billions of web pages to ensure its customers steer clear
of malware on the Internet. FortiGuard Web Filtering works dynamically with
FortiGate systems, providing automated updates with any newly categorized
content in 78 categories. FortiGuard services are also user-customizable to allow
corporate network URL additions to prevent access to additional undesirable sites
including phishing-target websites.
The three main sections of the web filtering function, namely Web Content Filter,
URL Filter, and FortiGuard Web Filter, interact with each other in such a way as to
provide maximum control and protection for Internet users.
Web Filtering Elements

The FortiGate unit performs web filtering processing in the following order:
• URL Filtering (Exempt/Block/Allow)
• FortiGuard Web Filtering
• Web Content Exempt
• Web Content Block
• Script Filter
After these web filtering steps have been completed, antivirus scanning is
performed. A Web Exempt List match will terminate any further checking including
antivirus scanning. An allow match exits the URL Filter List and the other web
filters are processed.

01-4200-0201-20100604 383
URL Filter Web Filtering
URL Filter
Access to specific URLs can be allowed or blocked by adding them to the URL
Filter list. Patterns can be added using text, regular expressions or wildcard
characters, to allow or block URLs. If the FortiGate unit blocks web pages
matching any specified URLs or patterns, a replacement message is displayed in
its place.
Defining URL Filter Lists

Multiple URL Filter Lists can be added on the FortiGate device and an appropriate
filter can be selected within individual web filter profiles. The URL Filter List can
have up to 5000 entries.
To view the list of URL filters currently available on the FortiGate unit, go to UTM >
Web Filter > URL Filter.
To view or modify any individual URL filters, click to select the filter from the list

384 01-4200-0201-20100604
Web Filtering URL Filter
New URL Filter Lists can be defined by clicking Create New on the URL Filter
page and assigning a name for the filter.
Click OK.

01-4200-0201-20100604 385
URL Filter Web Filtering
Click Create New to define the parameters of the URL filter.
URL Type the URL of the web site to be

filtered.
Type Type the pattern to filter against, either
Simple, Regex or Wildcard.
Type the top-level URL or IP address to control access to all pages on that web
site. For example, www.example.com or 192.168.144.155 controls
access to all pages at this web site.
Enter a top-level URL followed by the path and filename to control access to a
single page on a web site. For example, www.example.com/news.html or
192.168.144.155/news.html controls the news page on this web site.
To control access to all pages with a URL that ends with example.com, add
example.com to the filter list. For example, adding example.com controls
access to www.example.com, mail.example.com,
www.finance.example.com, etc.
Access to all URLs that match patterns created can be controlled using text along
with regular expressions or wildcard characters. For example, example.*
matches example.com, example.org, and example.net.
URLs with an action set to Exempt are not scanned for viruses. If users on the
network download files through the FortiGate unit from a trusted website, add the
URL of this website to the URL Filter List with an action set to Exempt so the
FortiGate unit does not apply virus scanning to files downloaded from this URL.

386 01-4200-0201-20100604
Web Filtering URL Filter
FortiGate URL blocking supports standard regular expressions (see Using Perl
Regular Expressions in Lesson 9 - Email Filtering).

01-4200-0201-20100604 387
FortiGuard Web Filter Web Filtering
FortiGuard Web Filter

FortiGuard Web Filtering is a managed web filtering solution that sorts hundreds
of millions of web pages into a wide range of categories administrators can allow,
block, log, or override. The FortiGate unit accesses the nearest FortiGuard Web
Filtering Service Point to first determine the category of a requested web page
and then follows the firewall policy configured for that user or interface.
FortiGuard Web Filtering includes millions of individually rated web sites. Pages
are sorted and rated into 78 categories. Categories may be added to or updated
as the Internet evolves. To make configuration simpler, administrators can also
choose to allow, block, log, or override entire groups of categories. Blocked pages
are replaced with a message indicating that the page is not accessible according
to the Internet usage policy.
FortiGuard Web Filtering ratings are performed by a combination of methods
including text analysis, exploitation of the Web structure, and human raters. Users
can notify the FortiGuard Web Filtering Service if they feel a web page is not
categorized correctly. FortiGuard Web Filtering will rate new sites quickly, as
required.

388 01-4200-0201-20100604
Web Filtering FortiGuard Web Filter
FortiGuard Web Filtering Categories

FortiGuard Web Filtering Categories are based upon the web content viewing
suitability of three major groups of customers: enterprises, schools, and
home/families. They also take into account customer requirements for Internet
management.
The categories are defined to be easily manageable and patterned to industry
standards. Each category contains websites or web pages that have been
assigned based on their dominant web content. A website or web page is
categorized into a specific, likely to be blocked category according to its content.
When a website contains elements in different categories, web pages on the site
are separately categorized.
Categories Groups
Potentially Liable Drug Abuse, Folklore, Hacking, Illegal or Unethical,
Marijuana, Occult, Phishing, Plagiarism, Proxy
Avoidance, Racism and Hate, Violence, Web
Translation, Child Abuse
Controversial Abortion, Adult Materials, Advocacy Organizations,
Alcohol, Extremist Groups, Gambling, Lingerie and
Swimsuit, Nudity and Risque, Pornography, Sex
Education, Sports Hunting and War Games, Tasteless,
Tobacco, Weapons
Potentially Non- Advertising, Brokerage and Trading, Digital Postcards,
Productive Freeware and Software Downloads, Games, Instant
Messaging, Newsgroups and Message Boards, Web
Chat, Web-based Email
Potentially Internet Radio and TV, Internet Telephony, Multimedia
Bandwidth Download, Peer-to-Peer File Sharing, File Sharing and
Consuming Storage
Potential Security Spyware and Malware
Risks
General Interest Arts and Entertainment, Child Education, Culture,
Education, Finance and Banking, General Organizations,
Health and Wellness, Homosexuality, Job Search,
Medicine, News and Media, Personal Vehicles, Personal
Websites and Blogs, Political Organizations, Real
Estate, Reference, Religion, Restaurant and Dining,
Search Engines and Portals, Shopping and Auction,
Society and Lifestyles, Sports, Travel
Business Armed Forces, Business, Government and Legal
Oriented Organizations, Information Technology, Information and
Computer Security, Web-based Application
Others Content Servers, Dynamic Content, Miscellaneous,
Secure Websites, Web Hosting, Domain Parking,
Unrated

01-4200-0201-20100604 389
FortiGuard Web Filtering Categories are defined in a web filter profile. Expand
FortiGuard Web Filtering, and identify the action on specific categories or
classifications..

390 01-4200-0201-20100604
FortiGuard Web Filtering Classes

In addition to categorizing web page content into categories, the FortiGuard Web
Filtering Service further classifies the web pages based on media types or
sources. Similar to categorization, this classification enables customers to further
refine the web access management. Customers will have the capability to block
offensive materials, such as pornographic images, by preventing the finding of
such materials in the first place.
Class Description
Cached Contents Web pages that are stored or cached in a second
website, generally a search engine website.
Image Search Websites providing a search of images or photos, or the
results of image or photo searches.
Audio Search Websites providing a search of audio clips or the results
of audio searches.
Video Search Websites providing a search of video clips or the results
of video searches.
Multimedia Search Websites providing a mixed search of images, photos,
audio, and video materials or the results of such
searches.
Spam URL Websites or web pages whose URLs are found in spam
emails. These web pages often advertise sex sites,
single clubs, and other potentially nuisance or offensive
materials.
Unclassified This class includes all other web pages that do not fall
into one of the above classes, including regular web
searches and others.

01-4200-0201-20100604 391
FortiGuard Web Filtering Overrides

FortiGuard Web Filtering Overrides can be used when access is required to web
sites that would be blocked by FortiGuard web filtering.
On the web filter profile web page, expand FortiGuard Web Filtering Overrides
and click the protocols that web filtering overrides are to be applied to (HTTP or
HTTPS). A protocol must be selected or the options will be inaccessible.

392 01-4200-0201-20100604
Override Scope The scope defines who may use the override rule. Select
one of the following choices from the list:
• User
• User Group
• IP
• Profile
• Ask
Override Type The type defines the level of access to sites where an
override has been applied. Select one of the following
choices from the list:
• Exact Domain
• Categories
• Ask
• Directory
Off-site URLs This option defines whether the override web page will
display the images and other contents from the blocked
offsite URLs.
Allow
Deny
Ask
Override Time Specifies when the override rule will end.
User Group If User Group has been specified in Override Scope,
select the user group in the Available column and move
that group to the Selected column.

01-4200-0201-20100604 393
Web Filtering Overrides Web Filtering
Web Filtering Overrides

Users may require access to web sites that are blocked by a firewall policy. In
these cases, an administrator can allow an override of the block for a specified
period of time.
When a user attempts to access a blocked site, if override is enabled, a link
appears on the block page directing the user to an authentication form. The user
must provide a correct user name and password or the web site remains blocked.
Authentication is based on user groups and can be performed for local, RADIUS,
and LDAP users.
An administrator can give the user the ability to override a web site that would
have been blocked by a firewall policy. When a user attempts to access a blocked
site for which the override option is enabled, the FortiGuard override page will be
displayed.
Administrative Overrides
Administrative overrides are defined by an administrator to allow access to
blocked web sites based on directory, domain name, or category. These overrides
are backed up with the main configuration and managed by the FortiManager
system. Administrative overrides are not cleaned up when they expire and these
override entries can be reused by extending their expiry dates. Administrative
overrides can be created using both the CLI and Web Config
To view the overrides, or to add Override Rules, go to UTM > Web FIlter >
Override.
Select Administrative Overrides from the list and click Edit ( ) or double-click the
entry.

394 01-4200-0201-20100604
Web Filtering Web Filtering Overrides
Override Rules
Override Rules allow access to blocked web sites based on a directory, domain
name, or category.
On the Administrative Overrides page, click Create New to configure the new rule.

01-4200-0201-20100604 395
Directory and Exact Domain Rules

Directory and domain rules allow the URL or domain name of a website to be
used as the basis of the override rule
Type Select Directory or Exact Domain.

URL Type the URL or domain name of the
website.
Scope Select the user or user group who may use
the rule, either User, User Group, IP or
IPv6
User/UserGroup/IP/IPv6 When a Scope of User is selected, enter
the username.
When a Scope of User Group is selected,
choose the user group name from the list.
When a Scope of IP is selected, type the
IP address.
When a Scope of IPv6 is selected, type the
v6 IP address.
Off-site URLs This option defines whether the override
web page will display the images and other
content from blocked offiste URLs.
Select Allow or Block
Date and Time Specify when the override rules will end
using the displayed time options.

396 01-4200-0201-20100604
Category Rules
Category Rules allow an override based on FortiGuard Categories. Select
Categories from the Type drop-down list. Click in the Override column to enable
the Categories and Classifications to be overriden.
Type Select Categories.

Categories Select the appropriate category to be
overriden.
Classifications Select the appropriate classifications to
be overriden.
Scope Select User, User Group, IP or RPv6.

01-4200-0201-20100604 397
User When a Scope of User is selected, enter

the username.
When a Scope of User Group is
selected, choose the user group name
from the list.
When a Scope of IP is selected, type the
IP address.
When a Scope of IPv6 is selected, type
the v6 IP address.
Off-site URLs Select Allow or Block.
Date and Time Specify when the override rules will end
using the displayed time options.

398 01-4200-0201-20100604
Web Filtering Override Page

When an Override Rule match is found, users are presented with the Web Page
Blocked page.
Web Filtering Authentication Page

If the Override Scope is User or User Group, the user must provide a correct user
name and password to access the web page. Authentication is based on user
groups and can be performed for local, RADIUS, and LDAP users.
When required, the following FortiGuard Web Filter Block Override authentication
page is displayed to the user.

01-4200-0201-20100604 399
User Overrides
Entries are added to the user override list when a user authenticates to enable a
user override. User overrides are not backed up as part of the FortiGate unit
configuration, and are purged when they expire. An administrator can view and
delete user overrides.
To view the user overrides select User Overrides and click Edit ( ) or double-
click the entry..

400 01-4200-0201-20100604
Web Filtering Local Ratings
Local Ratings
Local Ratings override the rating or classification applied to a URL by the
FortiGuard Web Filtering Service. This allows an administrator to assign any URL
to a different category, which will appear in reports as Local Category.
To view the local rating configured on the FortiGate device, go to UTM > Web
Filter > Local Ratings.

01-4200-0201-20100604 401
Local Ratings Web Filtering
To assign a URL a different rating, click Create New.
URL Type the URL of the web site that will be

assigned a new local rating.
Category Rating Click the category that the URL will be
reassigned to.
Classifications Alternately, click the classification that
the URL will be reassigned to.

402 01-4200-0201-20100604
Web Filtering Local Categories
Local Categories
Local Categories can be created for applying Local Ratings. Administrator-
created categories will appear in the Local Ratings window, allowing ratings to be
applied.
Go to UTM > Web Filter > Local Categories. Type the name of the Local Category
and click Create New.

01-4200-0201-20100604 403
Local Categories Web Filtering
The new Local Category will be displayed in the New Local Rating window by
expanding the Local Categories item.

404 01-4200-0201-20100604
Web Filtering Web Content Filter
Web Content Filter

Web content can be controlled by blocking specific words or patterns. With a Web
Content Filter enabled in a web filter profile, every requested web page is checked
against the content filter. The score value of each pattern appearing on the page
is added and if the total is greater than the threshold value set in the profile, the
page is blocked. The score for a pattern is applied only once, even if it appears on
the page multiple times.
Perl regular expressions or wildcards can be used to add banned word patterns to
the list.
Defining Web Content Filters Lists

Multiple Web Content Filter Lists can be added on the FortiGate device and the
most appropriate list can be selected within individual web filter profiles. Web
content patterns can be one word or a text string of up to 80 characters long. The
maximum number of patterns in the list is 5000.
To view the Web Content Filter Lists currently available on the FortiGate unit, go
to UTM > Web Filter > Web Content Filter.
To view or modify any individual Web Content Filter Lists, click to select the filter

01-4200-0201-20100604 405
Web Content Filter Web Filtering
New Web Content Filter Lists can be defined by clicking Create New and
assigning a name for the filter.
Click OK.

406 01-4200-0201-20100604
Web Filtering Web Content Filter
Click Create New and define the parameters of the Web Content Filter.
Action Select Block or Exempt.

• If the action is set to Block and the
patterns defined in the Web Content
Filter appears on a web page, the
page will be blocked.
• If the action is set to Exempt, the
page will not be blocked even if the
Web Content Filter would otherwise
block it.
Pattern Type the pattern for the filter.
Pattern Type Select the type of pattern used, either
Wildcard or Regular Expression.
Score Enter the value for the rating score.
Enable Click to enable the Web Content Filter.

01-4200-0201-20100604 407
Web Filter Profiles Web Filtering
Web Filter Profiles

Web filtering operations are defined through web filter profiles. The web filter
profiles are in turn enabled within firewall policies; any traffic being examined by
the policy will have the web filtering operations applied to it.
To view the list of web filter profiles on the FortiGate unit, go to UTM > Web Filter
> Profile.
To vew or modify any web filter profiles in the list, select the profile and click Edit

408 01-4200-0201-20100604
Web Filtering Web Filter Profiles
To create a new web filter profile, click Create New on the Web Filter Profile List
page and define the parameters of the profile.
Name The name entered will be used to identify

the web filter profile when enabling web
filtering within a policy.
Web Content Filter Identify the protocols to be scanned for
web content. Click Logging if Web
Content Filtering activity is to be logged.
The Web Content Filter to be used within
this Web Content Profile is selected from
the Option column.
Web URL Filter Identify the protocols to be scanned for
web URL matching. Click Logging if web
URL filtering activity is to be logged. The
Web URL Filter to be used within this
web filter profile is selected from the
Option column.
Safe Search Select the search engine to be used.

01-4200-0201-20100604 409
FortiGuard Web Filtering Identify the protocols to be scanned for

Fortiguard Web Filtering. Click Logging if
FortiGuard Web Filtering activity is to be
logged.
Click the blue arrow to define the
categories to Allow, Block and Log.
When Allow is enabled, quota values can
be defined for the category
Click in the appropraite column to allow
overrides of categories.
FortiGuard Web Filtering Identify the protocols to be scanned for
Overrides Fortiguard Web Filtering Overrides.

410 01-4200-0201-20100604
Advanced Filtering Settings

Advanced settings are configured in the web filter profile. Expand Advanced Filter
and enable the filtering options for the required protocols and enable logging if
necesary.
ActiveX Filter Enable to block ActiveX applications.

Enable logging if required.
Cookie Filter Enable to block web browser cookies.
Enable logging if required
Java Applet Filter Enable to block Java applications.
Enable logging if required.
Web Resume Download Block Enable to force file downloads to always
begin again from the beginning when
web downloads are interrupted.
Block Invalid URLs Enable to block URLs that are improperly
formed, for example when they contain
unsupported encoding formats.

01-4200-0201-20100604 411
HTTP Post Action Select the post action from the drop-
down list.
Provide Details for Blocked HTTP When enabled for HTTP, the FortiGate
4xx and 5xx Errors unit will replace 4xx and 5xx HTTP errors
with its own internal pages.
Rate Images by URL Blocks images that have been rated by
FortiGuard Subscription Services.
Blocked images are replaced on the
originating web pages with blanks. Rated
image types are GIF, JPEG, PNG, BMP,
and TIFF.
Allow Websites When a Rating When enabled for HTTP or HTTPS, the
Error Occurs FortiGate unit will allow users to access
websites that returned an error when
queried for a rating from FortiGuard
Subscription Services.
Strict Blocking When enabled for HTTP or HTTPS, web
site access is disallowed if any
classification or category matches the
block rating or lists. When disabled, web
site access is allowed if any classification
or category matches the allowed list.
Rate URLs by Domain and IP When enabled for HTTP and HTTPS,
Address this option sends both the URL and the
IP address of the requested site for
checking, providing additional security
against attempts to bypass the
FortiGuard system. However, because
IP rating is not updated as quickly as
URL rating, some false ratings may
occur.
Block HTTP Redirects by Rating When enabled for HTTP and HTTPS,
this option applies the rating of the
original web site to redirections. Many
web sites use HTTP redirects
legitimately; however, in some cases,
redirects may be designed specifically to
circumvent web filtering as the initial web
page could have a different rating than
the destination web page of the redirect.
Daily log of remaining quota Enable to generate a daily log entry with
remaining quota values.

412 01-4200-0201-20100604
Enabling Web Filter Profiles in Firewall Policies

The web filter profile used to enable the web filtering elements is identified when a
firewall policy is created. Any traffic passing through the firewall when the policy is
in use will be filtered based on the elements identified in the web filter profile.
Click to enable UTM filtering in the policy. Click to enable the web filter and select
the name of the web filter profile. Click Edit ( ) to modify the attributes of the web
filter profile directly from the New Policy window.
When Web Filter is enabled, a Protocol Options list must be selected.

01-4200-0201-20100604 413
Configuring Local Web URL and Content Filtering Web Filtering
Lab 8 Web Filtering

Objectives
In this lab, web and content filtering will be configured. The interaction of local
categories and overrides will also be examined.
Tasks
• Exercise 1 Configuring Local Web URL and Content Filtering
• Exercise 2 Testing Web Category Filtering
• Exercise 3 Web Filtering Overrides
Timing
Exercise 1 Configuring Local Web URL and Content Filtering

1 Log in to Web Config as the admin user. To create a new URL filter, go to UTM
> Web Filter > URL Filter.
Click Create New and enter the name URL_List.
Click OK.
2 In the URL_List window, click Create New to define the following attributes for
the URL filter.
URL ^.*$
Type Regex
Action Block
Enable enable
Note: ^.*$ means “at the beginning of the line” (^) match any single character (.)
followed by the same preceding match (*) until the end of the line ($). There are many
references on the web for Regular Expressions or Perl compatible regular expressions,
for example, http://perldoc.perl.org or
http://www.regexlib.com/CheatSheet.aspx.
Click OK.
3 Go to UTM > Web Filter > Profile.
Click Create New and enter the name URL_Profile. Enable HTTP, HTTPS, and
Logging for Web URL Filter. Select the URL filter called URL_List from the
Options list.
Click OK.
4 Go to Firewall > Policy > Policy. Select the default internal Æ wan1 policy and

414 01-4200-0201-20100604
Web Filtering Configuring Local Web URL and Content Filtering
5 Click to enable UTM. Enable Web Filter and select the URL_Profile web filter
profile. When Web Filter is enabled, a Protocol Options list must be selected.
Select the default list and click OK.
6 Open a new web browser window and browse to a random web site. Note that
all web sites are now blocked and that the URL Filter Block Replacement
Message is displayed.
Note: Web browser caching may interfere with web filtering. If the web site is not
blocked, clear the cache in the web browser and try again.
7 Go to System > Config > Replacement Message. Expand HTTP. Edit the URL
block message and add a custom message.
8 Go to UTM > Web Filter > URL Filter. Click to select the URL List filter and
click Edit ( ) or double click the entry.
9 Click Create New and add the following filter:
URL www.fortinet.com
Type Simple
Action Allow
Enable enable

10 In the URL filter list click to select the new www.fortinet.com entry and
click Move To ( ) to place this entry above the global blocking URL entry in
the list.
11 Test access to www.fortinet.com.
12 On the www.fortinet.com web page, pick three words to add to a web
content filter and a phrase in which one of the words occurs.
Note: Ensure that the words selected do not appear as part of the graphics or flash
movies on this web page. For example, chose technology, program, or partner.
Word 1
Word 2
Word 3
Phrase

01-4200-0201-20100604 415
Configuring Local Web URL and Content Filtering Web Filtering
13 Go to UTM > Web Filter > Web Content Filter. Click Create New. Enter the
name Content_Filter and click OK.
On the Content_Filter page, click Create New and add Word 1 to the content
pattern list as follows:
Action Block
Pattern <Word 1>
Pattern Type Wildcard
Language Western
Score 5
Enable enabled
Click OK.
14 Go to UTM > Web Filter > Profile and edit URL_Profile. Enable HTTP and
Logging for Web Content Filter. Select the Content_Filter from the Options list
Set the Threshold to 5.
15 Reload www.fortinet.com to test that this page is blocked and that the
Banned Word Block Replacement Message is displayed.
(If the page appears, clear the cache on the browser and try again.)
16 Go to Log&Report > Log Access > Web Filter. Check the Disk log messages
for the web content block entry.
17 Go to UTM > Web Filter > Web Content Filter. Click to select Content_Filter
and click Edit ( ).
Click to select the Word 1 pattern and click Disable ( ) before continuing.
18 Click Create New to add Word 2 to the web content filter list as follows:
Action Block
Pattern Type Word 2 using the form: /Word/i
Pattern Type Regular Expression
Language Western
Score 5
Enable enabled
The regular expression /word/i is used to accept any combination of upper-

and lowercase letters.
19 Clear the cache in the web browser and reload the www.fortinet.com
web page to test that the page is blocked and the replacement message is
displayed. View the log messages again to locate the entry for the web content
block event.

416 01-4200-0201-20100604
Web Filtering Testing Web Category Filtering
20 Go to UTM > Web Filter > Web Content Filter. Click to select Content_Filter
and click Edit ( ).
Click Create New to add an exempt pattern to the web content filter list as
follows:
Action Exempt
Pattern Type the phrase chosen earlier.
Pattern Type Regular Expression
Language Western
Enable enabled
Click OK.
21 Test the access to www.fortinet.com.
The web page should be displayed because of the exempt phrase.
22 Add Word 3 to the web content filter list with a score of 5 and test.
The page should still pass even if the threshold has been reached since the
exempt phrase is tested first.
Exercise 2 Testing Web Category Filtering

1 Go to UTM > Web Filter > Profile. Click Create New and configure a new web
filter profile called Category_Test.
2 Expand FortiGuard Web Filtering. Click to enable HTTP, HTTPS and Logging
and enable category blocking and logging as follows.
Potentially Liable Block and Log

Controversial Block and Log
Potentially Non-productive Block and Log
Potentially Bandwidth Consuming Block and Log
Potential Security Violating Block and Log
General Interest Block and Log
Business Oriented Block and Log
Others Block and Log
Unrated Block and Log
3 Expand Advanced Filter and enable the settings as follows:

Rate Images by URL enable for HTTP
Strict Blocking enable for HTTP and HTTPS
Rate URLs by Domain and enable for HTTP and HTTPS
IP Address
4 Go to Firewall > Policy > Policy and edit the default internalÆ wan1 policy.
Change the web filter profile to Category_Test.
Click OK.
5 Try to connect to a few different web sites. The FortiGuard Web Filtering Block
Message should be displayed.

01-4200-0201-20100604 417
6 Go to System > Config > Replacement Message to configure a custom

replacement message. Expand FortiGuard Web Filtering and edit the URL
block message.
7 Go to UTM > Web Filter > Local Categories. Enter a new Local Category name
of Local-1 and click Create New.
8 Go to UTM > Web Filter > Local Ratings. Click Create New to create new
entries for some of the web sites visited previously that were blocked.
Enter the URL of a web site. Expand Local Categories in the Category Rating
table and enable the rating for Local-1.
Click OK.
9 Go to UTM > Web Filter > Profile. Edit the Category_Test profile and expand
FortiGuard Web Filtering. Expand Local Categories in the category table. Click
to enable the Local-1 category and set to Allow. Click to enable Log.
10 Try to visit a URL in the local category. Verify that other web sites not found in
the local category are still blocked.
Note: Some parts of an allowed web page may be blocked if off-site URLs are used
that are not in the allowed category.
Exercise 3 Web Filtering Overrides

1 Go to User > User Group > User Group. Click Create New and configure a new
user group with the following settings:
Name web-override
Type Firewall
Members Enter the User Name of the sample
user created in the Authentication
lab.
Click OK.
2 Go to UTM > Web Filter > Profile and edit the Category_Test profile. Expand
FortiGuard Web Filtering and enable Allow Override for all categories.
3 Expand FortiGuard Web Filtering Overrides and enable HTTP and HTTPS.
Set the following:
Override Scope IP
Override Type Exact Domain
Off-site URL Deny
Override Time Constant/15 minutes
User Group web-override
Click OK.
Note: Do not use a web proxy, otherwise the Web Category Override web page will not
work.

418 01-4200-0201-20100604
4 Try to visit a blocked category website. This time the blocked page
replacement message will have an Override link.
Click the Override link to view a Web Filter Block Override. Enter the user
name of and the password of a sample user created in Lab 5 - Authentication.
Note that other fields are grayed out as they are set by the override user
group. After completing the required fields that will grant access to the desired
website, click Continue.
5 Go to UTM > Web Filter > Override. Click to select User Overrides and click
Edit ( ) (or double-click the entry) to view the web filter override list. Note the
Expiry Date column of the dynamically added entries.
6 Go to Log&Report > Log Access > Web Filter.
Locate the log messages related to category blocking. Scroll or page down to
locate the log messages from the URL and content filtering performed earlier
in this lab.
7 Disable the web filter profile in the firewall policy.

01-4200-0201-20100604 419

420 01-4200-0201-20100604
LESSON 11
Data Leak Prevention
421
www.fortinet.com
Data Leak Prevention Monitored Data Types
Lesson 11 Data Leak Prevention

An organization's data requires protection, not only from illegitimate access from
the outside, but also from careless handling by those on the inside. Users might
not be aware of the value of the data they could potentially be disclosing, or how it
could be used by another party who would receive the data.
Organizations process large amounts of information that can often be classified
as sensitive, either from a business or legal point of view. Sensitive information
could include personal information such as health data or credit card information,
or confidential and proprietary information held by the organization such as
product designs, release schedules and other intellectual property. The impact of
sensitive data leaving the organization could be severe, including harm to their
reputation, violation of regulatory requirements and potential legal action.
The FortiGate Data Leak Prevention (DLP) system prevents sensitive data from
leaving the network. An administrator can define sensitive data patterns, and data
matching these patterns will be blocked and/or logged when passing through the
FortiGate unit. The DLP system is configured by creating individual rules,
combining the rules into sensors, and then assigning a sensor to a firewall policy.
Although the primary use of the DLP feature is to stop sensitive data from leaving
the network, it can also be used to prevent unwanted data from entering the
network.
Possible data leak points in the organization could include employee email, blogs,
instant messaging, personal webmail and wiki entries. The risk can increase in
email exchange as the number of participants increases. Participants in the
exchange might not remember that earlier in a conversation thread that sensitive
information was being discussed, or a user could forward or add a participant who
should not have access to sensitive information.
Protecting the organization against the loss of important information through data
leakage will require a solution to perform the following:
• Monitor and audit the possible locations where data may be leaking.
• Restrict the channels through which the leak may be occurring.
• Detect and block any data leaks as they occur.
Monitored Data Types

The FortiGate Unit’s Data Leak Prevention features build on the threat
management capabilities of the proxies and the scanunit. A variety of file types
can be monitored including:
• Text, including HTML and email content
• Plaintext contents of PDF files
• Pre-2007 Microsoft Word files
• Microsoft Office 2007 files
The file option settings within each DLP rule will define whether the rule applies to
files within an archive.

01-4200-0201-20100604 423
Data Leak Prevention Rules Data Leak Prevention
Data Leak Prevention Rules

Rules are the core element of the Data Leak Prevention feature.
Regular Rules
A regular rule contains a single parameter used to define data to be protected.
Rules can define the types of data to look for, for example strings, cookies, or
URLs. Rules also describe where to look for this data for example file types or
transaction types in addition to where the data is originating from, or being
requested.
Multiple regular rules can be added on the FortiGate device, and combined to
create compound rules or added directly to a DLP sensor.
To view the list of DLP regular rules currently available on the FortiGate unit, go to
UTM > Data Leak Prevention > Rule.
There are some built-in DLP regular rules available to help illustrate how rules
could be used to address certain data leak issues using known patterns, for
example credit card numbers.
To view or modify any individual regular rules, click to select the rule from the list

424 01-4200-0201-20100604
Data Leak Prevention Data Leak Prevention Rules
New DLP regular rules can be defined by clicking Create New on the DLP Rules
List page. Assign a name for the rule, select the protocol and define the parameter
by selecting the rule and defining the rule criteria.
A variety of rule types are available for use in regular rules.
Email Rules
Email rules are used to scan SMTP, IMAP and POP3 traffic and contains criteria
common to mail messages.

01-4200-0201-20100604 425
HTTP Rules
HTTP rules contain criteria common to HTTP POST and GET traffic.

426 01-4200-0201-20100604
HTTPS Rules
HTTPS rules contains a single criteria which is always enabled.

01-4200-0201-20100604 427
FTP Rules
FTP rules contain criteria common to FTP PUT and GET traffic.

428 01-4200-0201-20100604
NNTP Rules
NNTP rules contain criteria common to NNTP traffic.

01-4200-0201-20100604 429
Instant Messaging Rules

Instant messaging rules contain criteria common to AIM, ICQ, MSN and Yahoo!
instant messaging traffic.

430 01-4200-0201-20100604
Compound Rules
DLP regular rules can be combined into compound rules that can be included in
sensors. If regular rules are specified directly in a sensor, traffic matching any
single rule will trigger the configured action. If the rules are first combined into a
compound rule and then specified in a sensor, every rule in the compound rule
must match the traffic to trigger the configured action. Compound rules allow an
administrator to group individual rules to specify far more detailed activation
conditions. Each included rule is configured with a single attribute, but every
attribute must be present before the rule is activated.
Individual regular rules in a sensor are linked with an implicit OR condition while
rules within a compound rule are linked with an implicit AND condition.
To view the list of DLP compound rules currently available on the FortiGate unit,
go to UTM > Data Leak Prevention > Compound.
There are some built-in compound rules available to help illustrate how compound
rules could be used to address certain data leak issues.
To view or modify any individual compound rules, click to select the rule from the
list and click Edit ( ) or double-click the entry.

01-4200-0201-20100604 431
New DLP compound rules can be defined by clicking Create New on the DLP
Rules List page. Assign a name for the compound rule, select the protocol and
regular rules to be included.
For each protocol selected, select the individual regular rules to be included in the
compound rule. Click to add an additional regular rule to the compound rule.
Click to remove a regular rule from the compound rule.

432 01-4200-0201-20100604
Rule Processing
When a DLP rule is configured, traffic passes through the proxies as usual. Some
of the rules are matched in the proxies (for example URL, cookie content, CGI
parameters, HTTP header, hostname, server, user, and user group), while others
are matched in the scanunit (for example, body, subject, sender, receiver,
attachment size, attachment text, file text, binary patterns, encrypted, attachment
type and file type).
DLP rules differ from other types of rules on the FortiGate unit in that it is not the
first rule matched which determines the behavior, but instead the proxy and
scanunit work together to match as many of the rules as possible. The order of the
rules is not important, all the rules are combined to determine the resulting action.
Some actions, such as Block will affect the current request, others such as Ban or
Quarantine will affect future requests.
• Traffic coming into the FortiGate unit along the network connection passes
through the proxy. The headers in the data are examined and some DLP rules
may be matched. No action is taken at this point.
• The files associated with that session are sent to the scanunit for scanning and
archiving (if required).
• The results are sent back to the proxy and final action is determined if all the
DLP rules matched.
Rule Priority
If multiple DLP rules are matched, the order of priority for the rules are as follows:
1 If archive is selected, it will always be performed
2 Exempt overrides all other actions
3 Ban and quarantine
Actions in this grouping will be simultaneously applied. The actions are listed in
order from most restrictive to least restrictive:
• Quarantine interface
• Quarantine IP
• Ban IP
• Ban user
• Ban sender
4 Block
5 None

01-4200-0201-20100604 433
Data Leak Prevention Sensors Data Leak Prevention
Data Leak Prevention Sensors

DLP sensors are simply collections of DLP regular and compound rules. Create a
new DLP sensor and configure it to include the regular and compound rules
required to protect the traffic leaving the network.
To view the list of DLP sensors currently available on the FortiGate unit, go to
UTM > Data Leak Prevention > Sensor.
There are some built-in sensors available to help illustrate how sensors could be
used to address certain data leak issues.
To view or modify any individual sensors, click to select the sensor from the list

434 01-4200-0201-20100604
Data Leak Prevention Data Leak Prevention Sensors
New DLP sensors can be defined by clicking Create New on the Sensor List page
and assigning a name for the sensor.
Click OK.

01-4200-0201-20100604 435
Click Create New to define the attributes of the sensor.
Action Select the action to be taken when any

individual regular rule or all the regular
rules in the compound rules are
triggered.
Archive Select the archive level for data
triggering the sensor, including no
archiving, Summary Only or Full.
Severity Select the severity level.
Member Type Select Rule to choose from a list of
regular rules available on the FortiGate
unit, select Compound Rule to choose
from a list of the compound rules.
Expires Certain actions will allow the definition of
an expiry period to define how long users
will be banned or the the time data is
kept in quarantine when these options
are enabled.

436 01-4200-0201-20100604
Data Leak Prevention Sensor Actions

The action to be taken against traffic matching the configured DLP regular rule or
DLP compound rule are defined during the sensor creation process.
None
This prevents the DLP rule from taking any action on network traffic. Other
matching rules in the same sensor and other sensors may still operate on
matching traffic.
Block
This action prevents the traffic matching the rule from being delivered.
Exempt
This action prevents any DLP sensors from taking action on matching traffic. This
action overrides any other action from any matching sensors.
Ban
This action will block all traffic using the protocol that triggered the rule if the user
is authenticated. If the user is not authenticated, all traffic using the protocol that
triggered the rule will be blocked.
Ban Sender
This action will add the sender of matching email/IM messages to the Banned
User list. This action is available only for IM and email protocols.
Quarantine IP address
This action is a more restrictive approach and will block access to the network
from any IP address that sends traffic matching a sensor with this action.
Quarantine Interface
This action will block access to the network from any client on the interface that
sends traffic matching a sensor with this action.

01-4200-0201-20100604 437
Any ban or quarantine actions will place an entry in the Banned User list. If an
entry is listed in the Application Protocol column of the Banned User list, the item
has had a ban action applied. If the protocol is not listed, then a quarantine action
has been applied because it applies to all protocols, not just the ones mentionned.
To view the Banned User list, go to User > Monitor > Banned User.
Note: DLP for instant messaging (IM) requires that application control be enabled since
application detection is performed before handing off to the IM proxy. Due to data
latency issues, only file transfers performed through instant messaging will be subject
to DLP filtering, not the content of the messages exchanged.
The text of IM messages can be archived, however. To indicate that text should also be
archived, be sure to add a DLP rule which specifies transfer size >=0 and then select
the Archive option when applying this rule to the DLP sensor.

438 01-4200-0201-20100604
Enabling Data Leak Prevention in Firewall Policies

The DLP sensor used to define the data leak rules is identified when the firewall
policy is created. Any traffic passing through the firewall when the policy is in use
will be filtered based on the rules identified in the sensor.
Click to enable UTM filtering in the policy and enable DLP Sensor. Select the
name of the sensor to be used from the list. Click Edit ( ) to modify the attributes
of the DLP sensor directly from the New Policy window.

01-4200-0201-20100604 439
Data Leak Prevention Logging

Logging DLP actions is enabled when the sensor is created.
Any DLP-triggered log entries will be displayed in Log&Report > Log Access >
DLP.

440 01-4200-0201-20100604
Data Leak Prevention Data Leak Prevention Suggested Practices
Data Leak Prevention Suggested Practices

Specific rules related to HTTP posts can be created, but if the requirement is to
block all HTTP posts, a better solution is to use application control or the Post
Block option in a protection profile. Use DLP to block posts selectively based on
their content.
In the File Options for a DLP rule, it is preferable to scan the text of a file rather
than the archive if possible.
A complete DLP solution may include other components such as application
control to limit access to some communication channels such as instant
messaging or peer-to-peer communications.

01-4200-0201-20100604 441
Blocking Encrypted Files Data Leak Prevention
Lab 9 Data Leak Prevention

Objectives
In this lab, the DLP features of the FortiGate unit will be tested to block the
transmission of sensitive data outside the network. Users who attempt to send
sensitive data outside the network will be banned from sending further email.
Tasks
• Exercise 1 Blocking Encrypted Files
• Exercise 2 Blocking Leakage of Credit Card Information
• Exercise 3 Blocking Oversize Files by Type
• Exercise 4 DLP Banning and Quarantining
Timing
Estimate time to complete this lab: 40 minutes
Exercise 1 Blocking Encrypted Files

1 Download a copy of the dlp-test-encrypt.zip file from Fortinet Online Campus at
the following location:
Click Class Descriptions, then 201 - FortiGate I tab to access the file. Save the
file a location on the local PC.
2 In the Web Config, go to UTM > Data Leak Prevention > Rule. Create a new
DLP rule called Block_Encrypted_Rule with the following details:
Protocol: HTTP
HTTP POST: enabled
Rule: File is encrypted
Click OK.
3 Go to UTM > Data Leak Prevention > Sensor. Create a new DLP Sensor called
Block_Encrypted. Enable logging and click Create New to define a new rule
with the following details:
Action: Block
Archive: disable
Severity: 1 (Lowest)
Member Type: Rule
Enable Block_Encrypted_Rule.
Click OK.

442 01-4200-0201-20100604
Data Leak Prevention Blocking Leakage of Credit Card Information
4 Edit the default internal Æ wan1 policy. Enable UTM and DLP Sensor. Select
the Block_Encrypted DLP sensor.
When DLP Sensor is enabled, a Protocol Options list must be defined. Select
the default list. Disable any other UTM elements that are enabled from
previous exercises and click OK.
5 Using a web-based file transfer tool (for example, www.yousendit.com or
www.sendspace.com) attempt to send the dlp-test-encrypt.zip file to an
email address.
The DLP block replacement message should be presented.
6 Locate the DLP log entry for this action.
7 Change the extension on the file name to *.txt and attempt to send the file
again. The file should still be blocked.
Exercise 2 Blocking Leakage of Credit Card Information

1 Go to UTM > Data Leak Prevention > Rule and locate the built-in DLP rule
called HTTP-Visa-Mastercard. This rule has been designed to block any HTTP
transfer that contains a Visa or Mastercard number in the message body. Edit
the rule and note the regular expression used to identify the credit card
number.
Enable HTTP GET.
Enable the file option Scan archive contents.
Click OK.
2 Go to UTM > Data Leak Prevention > Sensor and create a new DLP sensor
called Sensitive_Data. Enable logging and create a new rule with the following
details:
Action: Block
Archive: Full
Severity: 1 (Lowest)
Member Type: Rule
Enable HTTP-Visa-Mastercard.
Click OK.
3 Go to Firewall > Policy > Policy and edit the default internal Æ wan1 policy.
Enable DLP sensor and select the Sensitive_Data sensor from the list.
Click OK.
4 Test the ability to download a file called creditcards.xlsx containing credit card
numbers from the Fortinet Online Campus at the following location:
Click Class Descriptions, then 201 - FortiGate I tab to access the file.
The DLP block replacement message should be presented when the file
download is attempted.
5 Locate the full archived entry of the file on the FortiAnalyzer unit.

01-4200-0201-20100604 443
Blocking Oversize Files by Type Data Leak Prevention
Exercise 3 Blocking Oversize Files by Type

An alternate use of DLP is to control bandwidth usage by limiting the size of files
of certain file-types. In this exercise compound rules will be used.
1 Go to UTM > Data Leak Prevention > Rule and create a new DLP rule called
Big_File with the following details:
Protocol: HTTP
HTTP-POST enabled
HTTP-GET enabled
Rule: Transfer Size >= 1000KB
Click OK.
2 Go to UTM > AntiVirus > File Filter and create a new file filter called No_MP3
to block files with a file name pattern of *.mp3.
3 Create a second DLP rule called MP3 with the following details:
Protocol: HTTP
HTTP-POST enabled
HTTP-GET enabled
Rule: File type is found in No_MP3
Click OK.
4 Go to UTM > Data Leak Prevention > Compound and create a compound
called MP3_Compound with the following details:
Protocol: HTTP
HTTP-POST enabled
HTTP-GET enabled
Rules: Big_File
MP3
Click OK.
5 Edit the Sensitive_Data sensor to include the compound rule:
Action: Block
Archive: Full
Severity: 1
Member Type: Compound rule
Enable the MP3_Compound compound rule.
Click OK.
6 Attempt to download the file called big.mp3 from Fortinet Online Campus at the
following location:
Click Class Descriptions, then 201 - FortiGate I tab to access the file.
The DLP block replacement message should be presented when the file
download is attempted.
7 Locate the full archived entry of the file on the FortiAnalyzer unit.

444 01-4200-0201-20100604
Data Leak Prevention DLP Banning and Quarantining
Exercise 4 DLP Banning and Quarantining

1 Edit the DLP sensor called Sensitive_Data and change the action for the
HTTP-VISA-MASTERCARD rule to Ban.
2 Attempt to download the creditcard.xlsx file once again. The user should be
banned.
3 Go to User > Monitor > Banned User and locate the ban entry in the list.
By looking at the user ban list, how can an administrator tell whether the entry
is a ban entry and not a quarantine entry?
4 Click Clear ( ) to remove the ban entry.
5 Modify the Sensitive_Data sensor to change the action for the No_Big_MP3
rule to Quarantine IP address. Set the expiry to 5 minutes.
6 Attempt to download the big.mp3 file once again. The user should be
quarantined.
Check the banned user list once again and the locate the user entry. Note that
the Application Protocol column is empty, indicating that the user is
quarantined.
7 Disable the Sensitive_Data DLP sensor in the default internal Æ wan1 policy.

01-4200-0201-20100604 445
DLP Banning and Quarantining Data Leak Prevention

446 01-4200-0201-20100604
LESSON 12
Application Control
447
www.fortinet.com
Application Control
Lesson 12 Application Control

Application Control is used to detect and take actions on network traffic based on
the applications generating the traffic. Using FortiGate Intrusion Prevention
protocol decoders, Application Control can log and manage the behavior of
application traffic passing through the FortiGate unit.
Since Application Control detects based on protocols, traffic running on non-
standard ports can be easily monitored, for example HTTP traffic passing through
ports other than the default port of 80. Proprietary pattern matching technologies
allow the Application Control feature to detect application traffic even if contained
within other protocols. This allows for the detection of application traffic within
another protocol, for example in the case of HTTP tunneling.
Application control can regulate the behavior of applications with a fine level of
granularity, including:
• Performing actions such as blocking, passing, traffic shaping and adding user
controls.
• Blocking certain commands, for example, blocking the PUT command for FTP.
• Blocking file transfers for instant messaging.
• Inspecting files for malicious content within instant messaging protocols.
• Archiving content for instant messaging.
Reporting can be configured to log and display traffic based on ports, protocols or
applications configured by the user.

01-4200-0201-20100604 449
Application Types Application Control
Application Types
Application Control on the FortiGate unit supports over 100 applications, grouped
into 18 categories.
Application Category Description Examples
Instant Messaging Includes IM (Instant Messaging) software and online AIM, Google.Talk, MSN, Yahoo
chatting applications.
Peer-to-Peer Includes P2P (Peer to Peer) applications and associated BitTorrent, Edonkey, Gnutella,
P2P protocols, which can establish a P2P network to Kazaa, Skype
provide fast data sharing.
Voice over IP Includes voice communication software using VoIP H.245, MGCP, Net2phone,
technologies (e.g. SIP, H.323, etc.), which can deliver Netmeeting, SIP.TCP
voice over network.
File Transfer Includes file transfer applications and associated FTP, HTTP.Audio, HTTP.EXE,
protocols, which enable two or more people to exchange RapidShare, YouSendIt
files over the network.
Video/Audio Includes streaming video/audio applications and iTunes, Peercast, PPStream,
Streaming associated protocols, which can provide online Quicktime, RealPlayer
video/audio.
Internet Proxy Includes proxy software and websites, which can make Ghostsurf, Hamachi,
indirect network connections to other networks and HTTP.Tunnel, Tor.Web.Proxy,
bypass the firewall policy. Ultrasurf
Remote Access Includes remote management software and associated Gotomypc, MS.RDP.Request,
Connection protocols, which can be used to log in and operate PCAnywhere, Teamviewer,
remote machines. VNC.Request
Games Includes network and Internet games. AIM.Game, KnightOnline,

Second.Life, WorldofWarcraft
Web Browser Toolbar Includes third-party toolbars adding functionality and Alexa.Toolbar, AOL.Toolbar,
ease-of-use options to web browsers. Mcafee.SiteAdvisor, MSN.Toolbar,
Yahoo.Toolbar
Database Includes database applications. DB2, MSSQL, MySQL, Oracle,
Postgres, Sybase
Web-based Mail Includes email services intended to be primarily accessed Gmail, Hotmail, Yahoo.Webmail
through web browsers.
Web Includes web sites and browser-based applications. Amazon, Ebay, Facebook,
Google. Myspace, Wikipedia
Protocol Command Includes specific commands of some protocols. FTP.Command, HTTP.Method,
IMAP.Command,
POP3.Command,
SMTP.Command
Internet Protocol Includes protocols used for communicating data across a ICMP, IGMP, IPv6, L2TP, RDP,
network. RSVP
Network Services Includes application layer protocols over TCP or UDP. LDAP, MSRPC, RADIUS, SSH,
SSL, Telnet
Enterprise Includes enterprise applications used in the daily work of entric.CRM, IBM.Lotus.Notes,
Applications a company. Salesforce, Webex.Weboffice
System Update Includes self-upgrade function of a particular software or Adobe.Update,
system, which could be automatic or scheduled. Apple.MacOS.Update,
McAfee.Update, Microsoft.Update,
TrendMicro.Update
Network Backup Includes backup software and network backup Big.Brother, CA.MQ.Backup,
applications. IBM.Tivoli.Storage.Manager,
Rsync

450 01-4200-0201-20100604
Application Control Application Types
To view the entire list of applications that can be managed through FortiGate
Application Control, go to UTM > Application Control > Application List.
Columns can be filtered to help limit the display of applications in the list. Click
Filter ( ) for a specific column and edit the filters as needed.

01-4200-0201-20100604 451
Application Control Lists Application Control
Application Control Lists

The Application Control Lists define the applications that will be subject to
inspection as well as settings for each of the applications. For each application,
the administrator can specify whether to pass or block the applicaton traffic and
enable logging of the application traffic.
Depending on the application, specific commands normally allowed by the
application can be blocked.
Defining Application Control Lists

Multiple Application Control Lists can be added on the FortiGate device and the
appropriate list can be selected within a firewall policy.
To view the Application Control Lists currently available on the FortiGate unit, go
to UTM > Application Control > Application Control List.
To view or modify any individual Application Control Lists, click to select the list

452 01-4200-0201-20100604
Application Control Application Control Lists
New Application Control Lists can be created by clicking Create New on the
Application Control List page and assigning a name for the list.
Click OK.

01-4200-0201-20100604 453
Click Create New to define a new application entry in the list.
Category Select the Application Category from the

list.
Application Based on the category selected, a list of
Applications will be displayed. Select the
required Application from the list.
Action Select Block or Pass for the Application
selected.
Options Click to enable Session TTL and indicate
the time value.
Click to enable Logging of activity for this
application entry if requried.
Click to enable Packet Log for this
application entry if required.
Note: Depending on the Application and Action selected, different parameters may
become available for configuration. For example, when certain applications are set with
an Action of Pass, traffic shaping parameters may become available for configuration.

454 01-4200-0201-20100604
Application Control Application Control Lists
Enabling Application Control in a Firewall Policy

The Application Control List used to enable the Application Control elements is
identified when a firewall policy is created. Any traffic passing through the firewall
when the policy is in use will be filtered based upon the elements identified in the
Application Control List.
Click to enable UTM filtering in the policy. Click to enable Application Control and
select the name of the Application Control List, or select [Create New...] to define
a new list. Click Edit ( ) to modify the attributes of the Application Control List
directly from the New Profile window.

01-4200-0201-20100604 455
Application Control Logging

Logging Application Control actions is enabled when the Application Control List is
defined.
Any Application Control-triggered log entries will be displayed in Log&Report >

Log Access > Application Control.

456 01-4200-0201-20100604
Application Control Creating an Application Control List
Lab 10 Application Control

Objectives
In this lab, access to specific applications will be blocked using the Application
Control features on the FortiGate unit.
Tasks
• Exercise 1 Creating an Application Control List
• Exercise 2 Testing Application Control
Timing
Exercise 1 Creating an Application Control List

1 In Web Config, go to UTM > Application Control > Application Control List.
Create a new Application Control List called App_Control_Lab.
Click OK.
2 Create new application entries in the App_Control_Lab list as follows:
Category: media
Application: YouTube.Download
Action: Pass
Logging: Enabled
Category: web
Application: Myspace
Action: Block
Logging: Enabled
3 Go to Firewall > Policy > Policy and edit the default policy. Enable UTM, and
Application Control. Select the App_Control_Lab control list. Click OK.
Exercise 2 Testing Application Control

1 In a web browser, attempt to play a video on youtube.com.
2 Go to Log&Report > Log Access > Application Control and locate the log entry
for this action.
3 In a web browser, go to myspace.com.
4 Locate the log entry for this action in the Application Control log. Double-click
the entry to view the details of the log entry.

01-4200-0201-20100604 457
Testing Application Control Application Control
5 Edit the App_Control_Lab Application Control List and set the action for
youtube.com to Block.
6 In a web browser, attempt to play a video on youtube.com once again.
7 Locate the log entry for this action in the Application Control log. Double-click
the entry to view the details of the log entry.

458 01-4200-0201-20100604
LESSON 13
Endpoint Control
459
www.fortinet.com
Endpoint Control Endpoint Network Access Control
Lesson 13 Endpoint Control

The FortiGate unit can monitor client computers on the network to ensure their
compliance to corporate standards for installed software. The device can detect
software running on the client computer, including FortiClient and display the
status for administrators.
Endpoint Network Access Control

Endpoint Network Access Control (NAC) can be enabled in the firewall policy to
enforce compliance of client software running on the host computer. This feature
can also be used to enforce the use of FortiClient or other antivirus applications
on the host computer.
Application Sensors
Application sensors describe the applications to be allowed, denied or monitored
through FortiGate Endpoint NAC.
Applications available for use within the sensors are predefined on the FortiGate
device. To view the list of predefined application available on the FortiGate
device, go to Endpoint > NAC > Application Database.
Each application is assigned to one of 37 categories. Columns can be filtered to

help limit the display of applications in the list. Click Filter ( ) for a specific
column and edit the filters as needed.

01-4200-0201-20100604 461
Endpoint Network Access Control Endpoint Control
Defining Application Sensors

An application sensor defines the application to be detected and the action to be
taken. Actions can include allowing the application, denying the application or
monitoring the application through the logs.
Multiple application sensors can be added on the FortiGate device and the
appropriate sensor can be selected when creating the Endpoint NAC profile.
To view the list of available application sensors, go to Endpoint > NAC >
Application Sensor.
There are some built-in sensors available to help illustrate how sensors could be
used to control application use on client computers.
To view or modify any application sensor in the list, select the sensor and click

462 01-4200-0201-20100604
New application sensors can be defined by clicking Create New ( ) on the

Application Sensor List page or by selecting [Create New...] from the Application
Detection List drop-down list on the New Endpoint NAC Profile page. Assign a
name for the list.
Click OK and define the parameters of the application sensor.

01-4200-0201-20100604 463
Name The name assigned to the application

sensor will be used to identify the sensor
on the Endpoint NAC Profile page.
Other Applications Select how any applications not specified
in the application sensor will be handled,
either Allow, Deny or Monitor.
Multiple application entries can be added to the sensor by clicking Create New
( ) on the Application Entry List page and defining the parameters and status of
the application as well as the action to be taken.
Category Select the Category for the application

entry. Categories are assigned by
Fortinet and can be viewed in the
Application Database.
Vendor Select the Vendor for the application
entry. Vendors are assigned by Fortinet
and can be viewed in the Application
Database.
Application Select the Application for the application
entry. Applications can be viewed in the
Application Database.
Status Select the state for the selected
application, including Installed, Running,
Not Installed or Not Running.
Action Select the action to be taken when the
selected application, in the selected state
is detected, either Allow, Deny or
Monitor.
To view or modify any application entries, select the entry and click Edit ( ) or
double-click the entry.

464 01-4200-0201-20100604
FortiClient Compliance
The use of FortiClient Endpoint Security can be enforced on network through
Endpoint NAC. This will ensure that clients have both the most recent version of
the FortiClient software and the most up-to-date antivirus signatures.
The FortiGate unit retrieves FortiClient software and antivirus updates from
FortiGuard servers. If the FortiGate unit contains a hard disk drive, these files are
cached to more efficiently serve downloads to multiple end points.
Go to Endpoint > NAC > FortiClient to see the software and antivirus signature
versions that the Endpoint NAC will enforce.

01-4200-0201-20100604 465
Endpoint NAC Profiles

Endpoint NAC operations are defined through endpoint NAC profiles. The
endpoint NAC profiles are in turn enabled within firewall policies; any traffic being
examined by the policy will have the endpoint NAC operations applied to it.
Some predefined endpoint NAC profiles are available on the FortiGate device.
The view the details or modify the attributes of the pre-defined profiles, go to
Endpoint > NAC > Profile. Click to select the profile in the list and click Edit ( ) or

466 01-4200-0201-20100604
To create a new endpoint NAC profile, click Create New and define the
parameters of the profile.
Name The name assigned to the endpoint NAC

profile will be used to identify the profile
Endpoint NAC Checks for Select the action to be taken on hosts
FortiClient without FortiClient installed or enabled.
Hosts can be notified to install FortiClient
or they can be quarantined.
Additonal Host Checks Hosts running FortiClient can also be
quarantined if any of the additional
checks fail, including antivirus scanning
is not enabled, antivirus definitions are
not up to date, or the firewall is not
enabled. The host can also be
quarantined if the application sensor
check is successful. The sensor used is
selected from the list.

01-4200-0201-20100604 467
Enabling Endpoint NAC in Firewall Policies

The endpoint NAC profile used to enable the endpoint NAC elements is identified
when a firewall policy is created. Any traffic passing through the firewall when the
policy is in use will be filtered based on the elements identified in the endpoint
NAC profile.
Click to enable Endpoint NAC. Select an appropriate endpoint NAC profile from
the list. Click Edit ( ) to modify the attributes of the endpoint NAC profile directly
from the New Policy window.

468 01-4200-0201-20100604
Endpoint Control Vulnerability Scanning
Vulnerability Scanning
A vulnerability scan can help determine whether an organization’s client
computers are vulnerable to attack. Scans are perfomed against configured hosts
and information is summarized for review by an administrator.
The FortiGuard Vulnerability Management Service provides a database of
common vulnerabilties for which to scan. This database is kept up to date through
a subscription service to ensure that new vulnerabilities are added to the
database as they are discovered, allowing hosts to be scanned for the most
current security risks.
Assets
Before the FortiGate unit can scan for vulnerabilties, an administrator must
identify the client computers to be included in the scan. The client computers can
be identified using a specific IP address or a range of IP addresses. The FortiGate
unit can search an IP range to automatically discover assets to be added to the
scan.
To view the list of assets to be scanned for vulnerabilties, go to Endpoint >
Network Vulnerability Scan > Asset.
To view or modify any assets in the list, select the asset and click Edit ( ) or

01-4200-0201-20100604 469
Vulnerability Scanning Endpoint Control
Asset Discovery
Client computers can be added to the Asset List by using the Asset Discovery
mechanism. Once added to the Asset List, client computer can be scanned
regularly based on the schedule settings.
New assets can be defined by clicking Create New ( ) on the Asset List page.
To discover a specific host computer, click Asset Discover Only. Select Host from
the Type list and identify the IP address of the client computer.
To discover hosts within a range of IP addresses, select Range from the type list
and identify a range of IP addresses to search.

470 01-4200-0201-20100604
Endpoint Control Vulnerability Scanning
Vulnerability Scan
Any host computer displayed in the Asset List can be scanned regularly based on
the schedule settings that have been defined.
Assets can also be scanned without adding them to the Asset List. To scan a
client computer withought adding it to the Asset List, go to Endpoint > Vulnerability
Scan > Asset.
Clicking Create New ( ) on the Asset List page and identify a host or a range of
IP addresses and click Vulnerbaility Scan. If authentication is used on the client
computer, the administrator username and password must be defined.

01-4200-0201-20100604 471
Vulnerability Scanning Endpoint Control
Manual or scheduled scans can be performed on any client computers on the

Asset List for which Enable Scan is enabled.
Go to Endpoint > Network Vulnerability Scan > Scan to define the scan options.
Scan Mode Select the type of scan to be performed,

Quick, Standard or Full.
Schedule Select whether scans are to be triggered
manually or based on a schedule. When
Schedule is selected, the timing settings
are displayed.

472 01-4200-0201-20100604
Endpoint Control Monitoring Endpoints
Monitoring Endpoints
Administrators can monitor the compliance of client computes through the
endpoint monitor. Compliant or non-compliant client computers, or both, can be
displayed on the monitor list.
To view the endpoint monitor, go to Endpoint > Monitor > Endpoint Monitor.
Select the type of client to be displayed from the View list. Columns can be filtered
to help limit the display of clients in the list. Click Filter ( ) for a specific column
and edit the filters as needed.

01-4200-0201-20100604 473
Monitoring Endpoints Endpoint Control

474 01-4200-0201-20100604
www.fortinet.com

201 v4-1 Final

Uploaded by

Copyright:

Available Formats

201 v4-1 Final

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

201 v4-1 Final

Uploaded by

Copyright:

Available Formats

FortiGate Multi-Threat Security Systems I

Administration, Content Inspection and SSL VPN

Lesson 1 - Overview and System Setup ................................ 7

Course 201-v4.1 Administration, Content Inspection and SSL VPN

FortiGate Unit Components.......................................................................... 21

Lesson 2 - Logging and Alerts ............................................. 81

Course 201-v4.1 Administration, Content Inspection and SSL VPN

Log Types .................................................................................................... 88

Lesson 3 - Firewall Policies ................................................ 125

Course 201-v4.1 Administration, Content Inspection and SSL VPN

Firewall Policy Elements............................................................................. 131

Lesson 4 - Authentication .................................................. 233

Course 201-v4.1 Administration, Content Inspection and SSL VPN

Lesson 5 - SSL VPN ............................................................ 261

Lesson 6 - FortiGuard Subscription Services .................. 287

Course 201-v4.1 Administration, Content Inspection and SSL VPN

Configuring FortiGuard Subscription Services Using the CLI..................... 303

Lesson 7 - Threat Management .......................................... 311

Lesson 8 - Antivirus ............................................................ 319

Course 201-v4.1 Administration, Content Inspection and SSL VPN

Antivirus Profiles ........................................................................................ 342

Lesson 9 - Email Filtering ................................................... 351

Lesson 10 - Web Filtering ................................................... 383

Course 201-v4.1 Administration, Content Inspection and SSL VPN

Web Filtering Overrides.............................................................................. 394

Lesson 11 - Data Leak Prevention ..................................... 423

Lesson 12 - Application Control ........................................ 449

Course 201-v4.1 Administration, Content Inspection and SSL VPN

Lesson 13 - Endpoint Control ............................................ 461

Course 201-v4.1 Administration, Content Inspection and SSL VPN

Course 201-v4.1 Administration, Content Inspection and SSL VPN

Who Should Attend

Course 201-v4.1 Administration, Content Inspection and SSL VPN

Self-Paced Training Course

Course Evaluation (for Self-Paced Training Students)

Course 201-v4.1 Administration, Content Inspection and SSL VPN

Lesson 1 Overview and System

Most standalone network security offerings generally consist of single-purpose

Unified Threat Management

Course 201-v4.1 Administration, Content Inspection and SSL VPN

The Fortinet Solution

FortiGate Network Security Product Portfolio

Course 201-v4.1 Administration, Content Inspection and SSL VPN

PWRACC STA IPM

PWRACC STA IPM

FortiGate 5000 series

Esc Enter POWER

FSM FSM CONSOLE

Redundant power supply

FortiGate 1000 series

High port density

1/2 3/4 5/6 7/8 9/10 USB CONSOLE ASM

25 26 WAN1 WAN2 USB CONSOL

ALARM HA STATUS POWER HDD1 HDD2

ALARM HA STA TUS POWER

POWERSTATUS HA ALARM WAN 1 WAN 2 DMZ 2 4 6

POWERSTATUS HA ALARM WIFI WAN 1 WAN 2 DMZ 2 4 6

High availability, VLAN support

POWERSTATUS HA ALARM WAN1 WAN2 DMZ 2 4 6

POWERSTATUS HA ALARM Wifi WAN1 WAN2 DMZ 2 4 6