
The FortiGate Cookbook

Essential Recipes for Success with your FortiGate

15 May 2013

Copyright© 2013 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard® are registered
trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All
other product or company names may be trademarks of their respective owners. Performance metrics
contained herein were attained in internal lab tests under ideal conditions, and performance may vary.
Network variables, different network environments and other conditions may affect performance results.
Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties,
whether express or implied, except to the extent Fortinet enters a binding written contract, signed by
Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will
perform according to the performance metrics herein. For absolute clarity, any such warranty will be
limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims
in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this
publication without notice, and the most current version of the publication shall be applicable.

Visit these links for more information and documentation for your Fortinet products:

Fortinet Knowledge Base - http://kb.fortinet.com


Technical Documentation - http://docs.fortinet.com
Training Services - http://campus.training.fortinet.com
Technical Support - http://support.fortinet.com

You can report errors or omissions in this or any Fortinet technical document to techdoc@fortinet.com.

Contents
Introduction 5

Installing and Setup 7

Setting up a limited access administrator account 9


Setting up and troubleshooting FortiGuard services 13
Logging FortiGate system events to gather network traffic information 17
Using SNMP to monitor the FortiGate unit 21
Using FortiCloud to view log data and reports 27
Using two ISPs for redundant Internet connections with distributed sessions 31
Protect a web server on the DMZ network 35
Adding a second FortiGate unit to improve reliability 39
Setting up an explicit proxy for users on a private network 45
Using port pairing to simplify transparent mode 49
Adding packet capture to help troubleshooting 55

Wireless Networking 58

Providing remote users access to the internet and corporate network using FortiAP 59
Setting up a FortiGate and FortiAP to provide wired and wireless Internet access 65
Setting up guest wifi users with a captive portal 71

Security Policies and Firewall Objects 78

Controlling when BYOD users can access the Internet 79


Using AirPrint with iOS and OS X and a FortiGate unit 83
Using AirPlay with iOS, AppleTV, FortiAP and a FortiGate unit 93
Using port forwarding on a FortiGate unit 101

UTM Profiles 106

Visualizing and controlling the applications on your network using application control 107
Configuring web filter overrides and local ratings 113
Protecting a web server from vulnerabilities and DoS attacks using IPS 119

Blocking email/web traffic or files containing sensitive information 125
Monitoring your network for undesirable behavior using client reputation 131
Inspecting content on the network using flow-based UTM instead of proxy-based UTM 135
Blocking large files from entering the network 141
Blocking access to specific web sites 145
Blocking HTTPS traffic with web filtering 149

SSL and IPsec VPN 153

Protecting traffic between company headquarters and branch offices using IPsec VPN 155
Providing remote users with access to a corporate network and Internet using SSL VPN 161
Securing remote access to the office network using FortiClient IPsec VPN 169
Securing remote access to the office network for an iOS device over IPsec VPN 175
Redundant OSPF routing between two remote networks over IPsec VPN 183

Authentication 198

Providing single sign-on on a Windows AD network by adding a FortiGate 199

Introduction
This FortiGate Cookbook provides administrators who are new to FortiGate appliances with
examples of how to implement many basic and advanced FortiGate configurations. FortiGate
products offer administrators a wealth of features and functions for securing their networks, but
to cover the entire scope of configuration possibilities would easily surpass this book. Fortunately,
much more information can be obtained in the FortiOS Handbook. The latest version is available
from the Fortinet Technical Documentation website at http://docs.fortinet.com.

This cookbook contains a series of “recipes” that describe how to solve a problem. Each recipe
begins with a description of the configuration requirements, followed by a step-by-step solution, and
concludes with results that show what should occur to verify the steps were completed successfully.

This FortiGate Cookbook was written for FortiOS 5.0 patch 2 (FortiOS 5.0.2).

A PDF copy of this document is available from the FortiGate Technical Documentation website at
http://docs.fortinet.com/cookbook.html. You can also find earlier editions of the FortiGate
Cookbook, which contain additional recipes and troubleshooting tips, and video presentations of
some of the content in this book.

You can send comments about this document and ideas for new recipes to techdoc@fortinet.com.
New recipes may be published on the FortiGate Cookbook website and added to future versions.

Web-based Manager
Also called the Web Interface or Web UI, the FortiGate web-based manager is an advanced point
and click, drag and drop interface that provides quick access to most FortiGate configuration
settings and includes visual monitoring and management tools.

Using the web-based manager you can add a security policy to monitor application activity on a
network, view the results of this application monitoring policy, and then create additional policies or
change the existing policy to block or limit the traffic produced by some applications.
The web-based manager also provides a wide range of monitoring and reporting tools that provide
detailed information about traffic and events occurring on the FortiGate unit.

You access the web-based manager using HTTP or a secure HTTPS connection from any web
browser. By default you can access the web-based manager by connecting to the FortiGate interface
usually attached to a protected network. Configuration changes made from the web-based manager
take effect immediately, without resetting the unit or interrupting service.

FortiExplorer
FortiExplorer provides a user-friendly and accessible tool that you can use to configure a FortiGate
unit over a standard USB connection. You can install FortiExplorer software on a PC running Windows
or Mac OS X and use a USB connection between the PC and your FortiGate unit. Use FortiExplorer
to register your FortiGate unit, check for and perform FortiOS firmware updates, use the FortiExplorer
configuration wizard to quickly set up the FortiGate unit and connect to the
web-based manager or CLI.

Registering your Fortinet product
Before you begin configuring and customizing features, take a moment to register your Fortinet product
at the Fortinet Technical Support web site, https://support.fortinet.com. Many Fortinet customer
services, such as firmware updates, technical support, and FortiGuard Antivirus and other FortiGuard
services, require product registration.

For more information

Documentation
The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the most up-to-date
versions of Fortinet publications.

Fortinet Knowledge Base
The Fortinet Knowledge Base provides additional Fortinet technical documentation, such as
troubleshooting and how-to articles, examples, FAQs, technical notes, a glossary, and more. Visit the
Fortinet Knowledge Base at http://kb.fortinet.com.

Training
Fortinet Training Services provides a variety of training programs world-wide that orient you to your new
equipment, and provides certifications to verify your knowledge level. For more on training services, visit
the Fortinet Training Services web site at http://campus.training.fortinet.com.

Installing and Setup
Most people purchase a FortiGate unit with the intention of creating a secure connection between a
protected private network and the Internet. In most cases they also want the FortiGate unit to hide
the IP addresses of the private network from the Internet. This chapter describes how to set up a
number of common configurations with the FortiGate unit.

In addition, this chapter describes a common transparent mode FortiGate installation in which a
FortiGate unit provides security services to a network without requiring any changes to the network.

Setting up a limited access administrator account

This example adds a new FortiGate administrator login that uses an administrator
profile that has limited access only to firewall features, and read-only access to
administrator information. It also shows how to identify the administrators using the
admin administrator account.

1. Create a new administrative profile
2. Add a new administrator and assign the profile
3. Results

[Network diagram: Internet - wan1 (172.20.120.22) - FortiGate - LAN (192.168.1.99/24) - Internal Network]
Step One: Create a new administrative profile

Go to System > Admin > Admin Profile.

Create a new administrator profile that allows the administrator with this profile to view and edit firewall objects and security policies and only view administrator information.

Step Two: Add a new administrator and assign a profile

Go to System > Admin > Administrators.

Create a new administrator with the Firewall_Admin_Access profile, to enable full access to all FortiOS features.

The admin profile controls what features of the FortiGate configuration the administrator can see and configure from the web-based manager and CLI. You can add multiple profiles and assign users and administrators different profiles, depending on what they are tasked to do with the FortiGate unit.

Results

Log in to the FortiGate unit using the user name Terry_White.

As this administrator, you can view and edit any element of the FortiGate unit pertaining to the firewall objects and security policies. You can also view the other administrator information. Note that any menu items for other features do not appear.

Go to Log & Report > Event Log > System.

Verify that the login activity occurred.

Select the entry for more information on the administrator login.

Go to System > Dashboard > Status, and view the System Information widget.

The Current Administrator row indicates the current administrators and the number of administrators logged in.

Select Details for the Current Administrator to view all administrators logged in.

Setting up and troubleshooting FortiGuard services

If you have purchased FortiGuard services and registered your FortiGate unit,
the FortiGate unit should automatically connect to the FortiGuard Distribution
Network (FDN) and display license information about your FortiGuard services.

In this example, you will verify whether the FortiGate unit is communicating with
the FDN by checking the License Information dashboard widget. The FortiGate
unit automatically connects with the FortiGuard network to verify the FortiGuard
Services status for the FortiGate unit.

[Network diagram: Internet (FortiGuard) - wan1 - FortiGate - port 1 - Internal Network]

Verifying the connection

Any subscribed services should have a green check mark, indicating that connections are successful.

A grey X indicates that the FortiGate unit cannot connect to the FortiGuard network, or that the FortiGate unit is not registered.

A red X indicates that the FortiGate unit was able to connect but that a subscription has expired, or has not been activated.

You can also view the FortiGuard connection status by going to System > Config > FortiGuard.

Troubleshooting connection issues

Use these steps to troubleshoot FortiGuard services should connection issues arise.

• Verify that you have registered your FortiGate unit, purchased FortiGuard services, and that the services have not expired. You can verify the support status for your FortiGate unit at the Fortinet Support website (https://support.fortinet.com/).

• Verify that the FortiGate unit can communicate with the Internet. The FortiGate unit should be able to communicate with the FortiGuard network if it can communicate with the Internet.

• Go to Router > Monitor > Routing Monitor and verify that a default route is available and configured correctly.

• Go to System > Network > DNS and make sure the primary and secondary DNS servers are correct. The FortiGate unit connects to the FortiGuard network using a domain name, not a numerical IP address. If the FortiGate interface connected to the Internet gets its IP address using DHCP, you should make sure Override internal DNS is selected so that the FortiGate unit gets its DNS server IP addresses from the ISP using DHCP.

• Verify that the FortiGate unit can connect to the DNS servers using the execute ping command to ping them.

• You can also attempt a traceroute from the FortiGate CLI to an external network using a domain name for a location, for example, enter the command:

execute traceroute www.fortiguard.com

• If the command cannot find the numeric IP address of www.fortiguard.com, then the FortiGate unit cannot connect to the configured DNS servers.

• Make sure that at least one security policy includes antivirus. If no security policies include antivirus, the antivirus database may not be updated.

• Verify that the FortiGate unit can communicate with the FortiGuard network. Go to System > Config > FortiGuard > Antivirus and IPS Options, where you can select Update now to force an immediate update of the antivirus and IPS databases. After a few minutes, you can verify if the updates were successful.

• Test the availability of web filtering and email filtering lookups from System > Config > FortiGuard > Web Filtering and Email Filtering options by selecting Test Availability. If the test is not successful, try changing the port that is used for web filtering and email filtering lookups. The FortiGate unit uses port 53 or 8888 to communicate with the FortiGuard network and some ISPs may block one of these ports.

• Determine if there is anything upstream that might be blocking FortiGuard traffic, either on the network or on the ISP’s network. Many firewalls block all ports by default, and often ISPs block low-numbered ports (such as 53). FortiGuard uses port 53 by default, so if it is being blocked, you need to either open the port or change the port used by the FortiGate unit.

• Change the FortiGuard source port. It is possible that the ports used to contact the FortiGuard network are being changed before reaching FortiGuard, or on the return trip, before reaching your FortiGate unit. A possible solution for this is to use a fixed port at the NAT firewall to ensure the port number remains the same.

• FortiGate units contact the FortiGuard Network by sending UDP packets with typical source ports of 1027 or 1031, and destination ports of 53 or 8888. The FDN reply packets would then have a destination port of 1027 or 1031.

• If your ISP blocks UDP packets in this port range, the FortiGate unit cannot receive the FDN reply packets. You can select a different source port range for the FortiGate unit to use. If your ISP blocks the lower range of UDP ports (around 1024), you can configure your FortiGate unit to use higher-numbered ports such as 2048-20000, using the following CLI command:

config system global
set ip-src-port-range 2048-20000
end

Trial and error may be required to select the best source port range. You can also contact your ISP to determine the best range to use.

• Display the FortiGuard server list. The diagnose debug rating CLI command shows the list of FortiGuard servers that the FortiGate unit can connect to. The command should show more than one server.

Logging FortiGate system events to gather network
traffic information
This example shows how to enable logging to capture the details of network traffic
processed by the FortiGate unit.

1. Configure logging and event logging
2. Enable logging in the security policy
3. Results

[Network diagram: Internet - wan1 (172.20.120.123) - FortiGate - port 1 (192.168.1.99) - Internal Network]
Step One: Configure logging and event logging

Go to Log & Report > Log Config > Log Setting.

Enable and configure logging.

Note that logging to disk is only available on FortiGate units with a hard disk or flash drive.

Logging to disk is enabled in the CLI using the config log disk setting commands.

Step Two: Enable logging in the security policy

Go to Policy > Policy > Policy.

For any security policy, in the Logging Options section, select Log all Sessions.

Results

To see information about network traffic processed by the FortiGate unit, go to Log & Report > Traffic Log > Forward Traffic.

Select an entry for more information.

Using SNMP to monitor the FortiGate unit

Simple Network Management Protocol (SNMP) enables you to monitor hardware on your network. You configure the hardware, such as the FortiGate SNMP agent, to report system information and send traps (alarms or event messages) to SNMP managers. An SNMP manager, or host, is typically a computer running an application that reads the traps from the agent and sends out SNMP queries to the SNMP agents.

In this example, you configure the SNMP agent and FortiGate interface to send SNMP traps to the SNMP server for review.

1. Configure the SNMP agent and community
2. Enable SNMP on a FortiGate interface
3. Download the MIB files and configure the SNMP manager
4. Results

[Network diagram: Internet - wan1 (172.20.120.123) - FortiGate - port 1 (192.168.1.99) - Internal Network with SNMP Manager at 192.168.1.114]
Step One: Configure the SNMP agent and community
Go to System > Config > SNMP.

Configure the agent.

Under the SNMP version, create a new community.

You need to add a host IP address where the SNMP manager is installed, 192.168.1.114/32, and select the port to receive SNMP requests and send SNMP traps.

You can also set the IP address/Netmask to 0.0.0.0/0.0.0.0 and the Interface to ANY so that any SNMP manager at any network connected to the FortiGate unit can use this SNMP community and receive traps from the FortiGate unit.

Step Two: Enable SNMP on a FortiGate interface
Go to System > Network > Interface.

Enable SNMP on port 1.

Step Three: Download the MIB files and configure the SNMP manager

Go to System > Config > SNMP to download the FortiGate SNMP MIB.

There are two MIB files for FortiGate units: the Fortinet MIB, and the FortiGate MIB. The Fortinet MIB contains traps, fields and information that is common to all Fortinet products. The FortiGate MIB contains traps, fields and information that is specific to FortiGate units.

Configure the SNMP manager at 192.168.1.114 to receive traps from the FortiGate unit.

Results
This example uses the SolarWinds SNMP trap viewer.

In SolarWinds Toolset Launch Pad, go to SNMP > MIB Viewer and select Launch.

Select Select Device and enter the IP address of the FortiGate unit and the community string.

Open the SNMP Trap Receiver and select Launch.

Perform an action to trigger a trap, for example, change the IP address of the DMZ interface in the FortiGate.

Verify that the SNMP manager receives the trap.

View the UTM log by going to Log & Report > Event Log > System.
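What the SNMP manager actually receives in Step Four, and the two checks that correspond to the community settings made in Step One, as an added example that is not part of the cookbook or Fortinet's code: the block encodes an SNMPv2c trap with a minimal BER codec, decodes it back, and accepts it only when the community string matches and the sender's address falls inside one of the configured host entries (192.168.1.114/32 in the recipe, or 0.0.0.0/0 for any address). The community "public", the sysName varbind, the sender addresses and the choice of the standard linkDown trap OID are constructed for this example; which trap a FortiGate raises for an interface change is not something the example claims.

```python
import ipaddress

# Added example, not Fortinet's code: a minimal BER codec for SNMPv2c traps plus
# the manager-side acceptance check. Community, OIDs and addresses are constructed.

def ber_len(n):
    """BER length: short form below 128, otherwise 0x80|k followed by k length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def enc_int(value, tag=0x02):
    """INTEGER (0x02) or TimeTicks (0x43): two's complement, minimal length."""
    return tlv(tag, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))

def enc_oid(oid):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, remaining arcs base-128."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def encode_trap(community, uptime_ticks, trap_oid, extra=()):
    """SNMPv2c message: version 1, community, SNMPv2-Trap-PDU (tag 0xA7) whose first two
    varbinds must be sysUpTime.0 and snmpTrapOID.0; `extra` adds (oid, string) pairs."""
    varbinds = [
        tlv(0x30, enc_oid("1.3.6.1.2.1.1.3.0") + enc_int(uptime_ticks, 0x43)),
        tlv(0x30, enc_oid("1.3.6.1.6.3.1.1.4.1.0") + enc_oid(trap_oid)),
    ] + [tlv(0x30, enc_oid(o) + tlv(0x04, v.encode())) for o, v in extra]
    pdu = enc_int(1) + enc_int(0) + enc_int(0) + tlv(0x30, b"".join(varbinds))
    return tlv(0x30, enc_int(1) + tlv(0x04, community.encode()) + tlv(0xA7, pdu))

def read_tlv(buf, pos):
    """Return (tag, payload, position after the element)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def dec_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for c in raw[1:]:
        value = (value << 7) | (c & 0x7F)
        if not c & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_trap(msg):
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(body, 0)
    _, community, pos = read_tlv(body, pos)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    if pdu_tag != 0xA7:
        raise ValueError("not an SNMPv2c trap PDU")
    _, req_id, pos = read_tlv(pdu, 0)
    _, _, pos = read_tlv(pdu, pos)  # error-status, always 0 in a trap
    _, _, pos = read_tlv(pdu, pos)  # error-index
    _, vbl, _ = read_tlv(pdu, pos)
    varbinds, pos = {}, 0
    while pos < len(vbl):
        _, vb, pos = read_tlv(vbl, pos)
        _, oid, at = read_tlv(vb, 0)
        vtag, val, _ = read_tlv(vb, at)
        if vtag == 0x06:
            value = dec_oid(val)
        elif vtag == 0x04:
            value = val.decode(errors="replace")
        else:
            value = int.from_bytes(val, "big", signed=(vtag == 0x02))
        varbinds[dec_oid(oid)] = value
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community.decode(errors="replace"),
            "request_id": int.from_bytes(req_id, "big", signed=True),
            "varbinds": varbinds}

def accept_trap(msg, sender_ip, community, allowed_hosts):
    """Accept only with the right community and a sender inside one of the host entries;
    the recipe's 192.168.1.114/32 admits one manager, 0.0.0.0/0 admits any address."""
    trap = decode_trap(msg)
    if trap["community"] != community:
        return False, "community mismatch"
    sender = ipaddress.ip_address(sender_ip)
    if not any(sender in ipaddress.ip_network(h, strict=False) for h in allowed_hosts):
        return False, "sender %s not in host list" % sender_ip
    return True, trap["varbinds"].get("1.3.6.1.6.3.1.1.4.1.0")

# Constructed trap: standard linkDown (1.3.6.1.6.3.1.1.5.3) plus a sysName.0 varbind.
SAMPLE_TRAP = encode_trap("public", 123456, "1.3.6.1.6.3.1.1.5.3",
                          extra=[("1.3.6.1.2.1.1.5.0", "FortiGate-Primary")])

if __name__ == "__main__":
    print(decode_trap(SAMPLE_TRAP))
    print(accept_trap(SAMPLE_TRAP, "192.168.1.99", "public", ["192.168.1.99/32"]))
```

The community string is the only credential SNMPv1/v2c has and it travels in clear text, which is why the host entry matters: with 0.0.0.0/0 any station that learns the string can use the community, while a /32 entry limits it to the one manager the recipe configures.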

Using FortiCloud to view log data and reports

FortiCloud is an online hosted security management and log retention service. It provides a centralized reporting, traffic analysis, configuration and log retention tool without the need for additional hardware and software.

This example describes setting up and accessing log and reports in FortiCloud.

1. Activate FortiCloud
2. Configure logging and event logging
3. Enable logging in the security policy
4. Results

[Network diagram: FortiCloud and Internet - wan1 (172.20.120.123) - FortiGate - port 1 (192.168.1.99) - Internal Network]
Step One: Activate FortiCloud
Go to System > Dashboard > Status.

On the License Information widget, in the FortiCloud section, select Activate.

Once the account is created, you can launch the FortiCloud portal from the License Information widget.

Step Two: Configure logging

Go to Log & Report > Log Config > Log Setting.

Enable and configure logging to FortiCloud.

Step Three: Enable logging in the security policy

Go to Policy > Policy > Policy.

For any security policy, in the Logging Options section, select Log all Sessions.

Results

Go to System > Dashboard > Status.

On the License Information widget, in the FortiCloud section, select Launch Portal.

From the portal, you can see the log data and reports.

Using two ISPs for redundant Internet connections with
distributed sessions
This example describes how to improve the reliability of a network’s connection
to the Internet by using two Internet connections. It also includes configuration of
equal cost multi-path load balancing to make efficient use of these two Internet
connections by distributing sessions to both, without allowing either one to become
overloaded.

1. Configure connections to the two ISPs
2. Add security policies
3. Configure fail over detection and spillover load balancing
4. Results

[Network diagram: Internet - ISP 1 to wan1 and ISP 2 to wan2 - FortiGate - LAN - Internal Network]
Step One: Configure connections to the two ISPs

Go to System > Network > Interface.

Step Two: Add security policies

Go to Policy > Policy > Policy.

Create a security policy for the primary interface connecting to their ISPs and the internal network.

Create a security policy for each interface connecting to their ISPs and the internal network.

Step Three: Configure fail over detection and spillover load balancing
Go to Router > Static > Settings.

Create two new Dead Gateway Detection entries.

Set the Ping Interval and Failover Threshold to a smaller value for a more immediate reaction to a connection going down.

Go to Router > Static > Settings and set the ECMP Load Balancing Method to Spillover.

The Spillover Threshold value is calculated in kbps (kilobits per second). However, the bandwidth on interfaces is calculated in kBps (kilobytes per second).

For the wan1 interface, Spillover Threshold = 100 kbps = 100000 bps

100000 bps = 102400 bps = 102400/8 Bps = 12800 Bps

Results
Go to Log & Report > Traffic Log > Forward Traffic to see network traffic from different source IP addresses flowing through both wan1 and wan2.

Disconnect the wan1 port on the FortiGate unit to see that all traffic automatically flows through the wan2 port until wan1 is available again.
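A small model of the two mechanisms Step Three configures, as an added example that is not part of the cookbook or Fortinet's code: dead gateway detection (a gateway is declared dead after Failover Threshold consecutive lost pings sent every Ping Interval seconds, so the product of the two is the worst-case reaction time) and spillover selection (new sessions stay on wan1 until its load, measured in bytes per second, reaches the threshold converted from kbps with the same arithmetic the recipe shows, 100 kbps to 12800 Bps, then move to wan2). The interface loads, the ping results and the rule that falls back to the least-loaded live interface when every interface is over its threshold are assumptions of this model, not documented FortiOS behaviour.

```python
# Added example, not Fortinet's code: a model of dead gateway detection and
# ECMP spillover as configured in this recipe. Loads and ping results are constructed.

def threshold_in_Bps(kbps):
    """Spillover Threshold is entered in kbps but compared against interface load in Bps;
    the conversion follows the recipe's arithmetic: 100 kbps -> 102400 bps -> 12800 Bps."""
    return kbps * 1024 // 8

class DeadGatewayDetector:
    """A gateway is marked down after `failover_threshold` consecutive lost pings,
    one ping every `ping_interval` seconds; any reply resets the count."""

    def __init__(self, ping_interval, failover_threshold):
        self.ping_interval = ping_interval
        self.failover_threshold = failover_threshold
        self.misses = {}

    def record(self, iface, reply_received):
        self.misses[iface] = 0 if reply_received else self.misses.get(iface, 0) + 1

    def is_up(self, iface):
        return self.misses.get(iface, 0) < self.failover_threshold

    def worst_case_detection_seconds(self):
        """Seconds from the first lost ping until the gateway is declared dead;
        smaller Ping Interval and Failover Threshold values react sooner."""
        return self.ping_interval * self.failover_threshold

def pick_interface(loads_Bps, thresholds_kbps, detector, order=("wan1", "wan2")):
    """Spillover: new sessions use the first live interface that is still under its
    threshold. If every live interface is over threshold, the least loaded one is
    used (an assumption of this model). Returns None when no gateway is alive."""
    live = [iface for iface in order if detector.is_up(iface)]
    if not live:
        return None
    for iface in live:
        if loads_Bps.get(iface, 0) < threshold_in_Bps(thresholds_kbps[iface]):
            return iface
    return min(live, key=lambda iface: loads_Bps.get(iface, 0))

if __name__ == "__main__":
    detector = DeadGatewayDetection = DeadGatewayDetector(ping_interval=5, failover_threshold=5)
    thresholds = {"wan1": 100, "wan2": 100}
    print("detection time:", detector.worst_case_detection_seconds(), "s")
    print("wan1 lightly loaded:", pick_interface({"wan1": 5000, "wan2": 0}, thresholds, detector))
    print("wan1 at threshold: ", pick_interface({"wan1": 12800, "wan2": 0}, thresholds, detector))
    for _ in range(5):
        detector.record("wan1", False)  # wan1 cable pulled: five lost pings in a row
    print("wan1 dead:         ", pick_interface({"wan1": 0, "wan2": 0}, thresholds, detector))
```

The Results section's cable-pull test corresponds to the last call: once wan1 has missed Failover Threshold pings every session is placed on wan2, and a single successful ping on wan1 clears the miss count so sessions spill back.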

Protect a web server on the DMZ network

In this example, a web server is on the DMZ network. An internal-to-DMZ security
policy allows internal users to access the web server using its internal IP address
(10.10.10.22). A WAN-to-DMZ security policy hides the internal address, allowing
external users to access the web server with a public IP address (172.20.120.22).

1. Configure the FortiGate unit DMZ interface
2. Add virtual IPs
3. Create security policies
4. Results

[Network diagram: Internet - wan1 (172.20.120.22) - FortiGate - DMZ interface to the DMZ Network with the Web Server (10.10.10.22), and LAN to the Internal Network]
Step One: Configure the FortiGate unit DMZ interface
Go to System > Network > Interface.

Edit the DMZ interface settings.

Your FortiGate unit may have an interface named DMZ. Using the DMZ interface is recommended but not required.

Step Two: Add virtual IPs

Go to Firewall Objects > Virtual IP > Virtual IP.

Create two virtual IPs; one for HTTP access and one for HTTPS access.

Each virtual IP will have the same address mapping from the public-facing interface to the DMZ interface. The difference is the port for each traffic type (port 80 for HTTP and port 443 for HTTPS).

Step Three: Create security policies

Go to Policy > Policy > Policy.

Create a security policy to allow HTTP and HTTPS traffic from the Internet to the DMZ interface and web server.

Create a security policy to allow HTTP and HTTPS traffic from the internal network to the DMZ interface and web server.

Adding this policy reduces traffic on the wan1 interface by allowing traffic to pass directly from the Internal interface to the DMZ interface, rather than from the Internal interface, to the wan1 interface, then back in through the wan1 interface to the DMZ interface.

Results

External users can access the web server on the DMZ network from the Internet using http://172.20.120.22 and https://172.20.120.22.

Internal users can access the web server using http://10.10.10.22 and https://10.10.10.22.

Go to Policy > Monitor > Policy Monitor.

Use the policy monitor to verify that traffic from the Internet and from the internal network is allowed to access the web server. This verifies that the policies are configured correctly.

Go to Log & Report > Traffic Log > Forward Traffic.

The traffic log should show sessions from the internal network and from the Internet accessing the web server on the DMZ network.

Adding a second FortiGate unit to improve reliability

This example adds a second FortiGate unit to a currently installed FortiGate unit to
provide redundancy in the event one FortiGate unit fails. This example also steps
through upgrading the HA cluster to a new firmware version.

1. Add and connect the second FortiGate and configure HA
2. Test the failover functionality
3. Upgrade the firmware for the HA cluster

[Network diagram: Internet - Switch - wan1 of each FortiGate - two FortiGate units joined by dual HA links - Internal interface of each FortiGate - Switch - Internal Network]
Step One: Add and connect the second FortiGate and configure HA

Go to System > Dashboard > Status.

Change the host name of the primary FortiGate unit.

Go to System > Config > HA.

Configure the HA settings for the primary FortiGate unit.

Go to System > Dashboard > Status.

Change the host name of the backup FortiGate unit.

Go to System > Config > HA.

Configure the HA settings for the backup FortiGate unit.

Ensure that the Group Name and Password are the same as on the primary FortiGate unit.

Go to System > Config > HA to view the cluster information.

Select View HA Statistics for more information on the cluster.

Go to System > Dashboard > Status to see the cluster information.

Step Two: Test the failover functionality
Unplug the ethernet cable from the wan1 interface of the primary FortiGate unit. Traffic will divert to the backup FortiGate unit.

Use the ping command to view the results.

Shut down the primary FortiGate unit, and see that traffic fails over to the backup FortiGate unit using a ping command.

Step Three: Upgrading the firmware for the HA cluster
When a new version of the FortiOS firmware becomes available, upgrade the firmware on the primary FortiGate unit, and the backup FortiGate unit will upgrade automatically.

Go to System > Dashboard > Status to upgrade the firmware.

The firmware will load on the primary FortiGate unit, and then on the backup unit.

Go to Log & Report > Event Log > System.

Go to System > Dashboard > Status.

Both FortiGate units have the new firmware installed.

Setting up an explicit proxy for users on a private
network
This example sets up the explicit web proxy to accommodate faster web browsing.
Internal users will connect to an explicit web proxy using port 8080 rather than
surfing the Internet directly using port 80.

1. Enable explicit web proxy on the internal interface
2. Configure the explicit web proxy for HTTP/HTTPS traffic
3. Add a security policy for proxy traffic
4. Results

[Network diagram: Internet - port 3 - FortiGate (explicit web proxy) - port 4 - Internal Network]
Step One: Enable explicit web proxy on the internal interface

Go to System > Network > Interface and enable web proxy on port 4.

You may need to enable Explicit Proxy and WAN Opt. & Cache on the System Information widget before you proceed.

Go to System > Dashboard > Status and select Enable for these options.

Step Two: Configure the explicit web proxy for HTTP/HTTPS traffic

Go to System > Network > Explicit Proxy and enable the http/https explicit web proxy.

Make sure to set the Default Firewall Policy Action to Deny.

Later you will create a security policy for webproxy traffic with web cache enabled.

Step Three: Add a security policy for proxy traffic

Go to Policy > Policy > Policy.

Create a security policy for webproxy traffic, and enable web cache.

Results

Configure web browsers on the private network to connect using a proxy server. The IP address of the HTTP proxy server is 10.10.1.99 (the IP address of the FortiGate internal interface) and the port is 8080 (the default explicit web proxy port).

Web browsers configured to use the proxy server are able to connect to the Internet.

Go to Policy > Policy > Policy to see the ID of the policy (3) allowing webproxy traffic. Web proxy traffic is not counted by firewall policy.

Using port pairing to simplify transparent mode

This example simplifies configuring a FortiGate unit operating in transparent mode
by using port pairing. When you create a port pair, all traffic accepted by one of the
ports of the pair can only exit out the other port. You add security policies to control
the traffic that can pass between these two ports and to apply UTM protection to the
traffic.

1. Switch the FortiGate unit to transparent mode and add a static route
2. Create an internal and wan 1 port pair
3. Create firewall addresses
4. Create a security policy
5. Results

[Network diagram: Internet - Router (192.168.1.99/24) - wan 1 - FortiGate (management IP 192.168.1.100) - Internal - Internal Network (192.168.1.[110-150]) and protected web server (192.168.1.200)]
Step One: Switch the FortiGate unit to transparent mode and add a static route
Go to System > Dashboard > Status.

In the System Information widget, select Change beside the Operation mode.

Log into the FortiGate unit using the management IP 192.168.1.100.

Go to System > Network > Routing Table and set a static route.

Step Two: Create an internal and wan 1 port pair

Go to System > Network > Interface.

Create an internal/wan 1 pair.

Step Three: Create firewall addresses

Go to Firewall Objects > Address > Address.

Create addresses for the web server and an address range for internal users.

Step Four: Create security policies

Go to Policy > Policy > Policy.

Create a security policy that allows internal users to access the web server using HTTP and HTTPS.

Go to Policy > Policy > Policy.

Create a security policy that allows connections from the web server to the internal users’ network and to the internet using any service.

Results

Connect to the web server from the internal network and surf the Internet from the server itself.

Go to Log & Report > Traffic Log > Forward Traffic to verify that there is traffic from the internal to wan 1 interface.

Select an entry for details.

Go to Policy > Monitor > Policy Monitor to see the active sessions.

Adding packet capture to help troubleshooting

Packet capture is a means of logging traffic and its details to troubleshoot any
issues you may have with traffic flow or connectivity. This example shows the
basics of setting up packet capture on the FortiGate unit and analyzing the results.

1. Create a packet capture filter
2. Start the packet capture
3. Stop the packet capture
4. Results

[Network diagram: Internet - wan1 (172.20.120.23) - FortiGate - Internal (192.168.1.99/24) - Internal network]
Step One: Create a packet capture filter

Go to System > Network > Packet Capture and create a new filter.

For this example, the FortiGate unit will capture 100 HTTP packets on the internal interface from/to host 192.168.1.200.

• Host(s) can be a single IP or multiple IPs separated by commas, an IP range or a subnet.

• Port(s) can be a single port or multiple ports separated by commas, or a range.

• Protocol can be a single protocol or multiple protocols separated by commas, or a range. Use 6 for TCP, 17 for UDP, 1 for ICMP.

Step Two: Start the packet capture

Select Start to begin the packet capture,


and from an internal computer or device
set to IP address 192.168.1.200, surf the
Internet to generate traffic.

56
Step Three: Stop the packet capture

Once the maximum packets to save


is reached (in this example 100), the
capturing progress is stopped and allows
you to download the saved pcap file.

You can also stop the capturing at any


time before the maximum is reached.

Results

Open the pcap file with a pcap file viewer


such as tcpdump or Wireshark.

Depending on the kind of traffic you need


to capture, you may adjust the settings in
the filter to meet your needs.

Go to Log & Report > Event Log >


System to verify that the packet capture
file was successfully downloaded.

57
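The capture filter above (TCP port 80 to or from host 192.168.1.200, stop at 100 packets) applied offline to a downloaded pcap, as an added example in Python rather than FortiGate code. The libpcap reader, the sample capture it parses and the peer address 203.0.113.10 are all constructed here.

```python
"""Offline pcap reader applying the recipe's capture filter:
TCP port 80 to/from host 192.168.1.200, stop after 100 packets.
Added example, not FortiGate code. The capture below is constructed."""
import socket
import struct

PEER = "203.0.113.10"   # constructed web server address (TEST-NET-3)


def ipv4_header(src, dst, payload_len, proto=6):
    """20-byte IPv4 header; checksum left zero, which offline parsing ignores."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def tcp_header(sport, dport, flags=0x18):
    """20-byte TCP header without options; flags default to PSH+ACK."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, flags, 65535, 0, 0)


def frame(src, dst, sport, dport, payload=b""):
    """Ethernet II frame (constructed MACs) carrying IPv4/TCP."""
    eth = bytes.fromhex("00090f000001" "001122334455" "0800")
    l4 = tcp_header(sport, dport) + payload
    return eth + ipv4_header(src, dst, len(l4)) + l4


def build_pcap(frames):
    """libpcap file: global header (magic, v2.4, LINKTYPE_ETHERNET) + records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


def parse_pcap(data):
    """Yield (src, sport, dst, dport, proto, payload) for each IPv4 packet."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack_from(endian + "IIII", data, off)[2]
        pkt = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ihl = (pkt[14] & 0x0F) * 4
        proto = pkt[23]
        src, dst = socket.inet_ntoa(pkt[26:30]), socket.inet_ntoa(pkt[30:34])
        l4 = pkt[14 + ihl:]
        if proto in (6, 17) and len(l4) >= 4:
            sport, dport = struct.unpack_from("!HH", l4, 0)
            hdr = (l4[12] >> 4) * 4 if proto == 6 else 8
            yield src, sport, dst, dport, proto, l4[hdr:]
        else:
            yield src, None, dst, None, proto, l4


def matches_filter(rec, host, port, proto):
    """FortiGate-style filter: host and port match in either direction."""
    src, sport, dst, dport, p, _ = rec
    return p == proto and host in (src, dst) and port in (sport, dport)


def http_packets(data, host="192.168.1.200", port=80, limit=100):
    """Apply the recipe's filter and stop at the packet-count limit."""
    hits = []
    for rec in parse_pcap(data):
        if matches_filter(rec, host, port, 6):
            hits.append(rec)
            if len(hits) >= limit:
                break
    return hits


# Constructed capture: one HTTP exchange, one other host, one HTTPS packet.
SAMPLE_PCAP = build_pcap([
    frame("192.168.1.200", PEER, 51000, 80, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    frame(PEER, "192.168.1.200", 80, 51000, b"HTTP/1.1 200 OK\r\n\r\n"),
    frame("192.168.1.201", PEER, 51001, 80, b"GET /a HTTP/1.1\r\n\r\n"),
    frame("192.168.1.200", PEER, 51002, 443),
])

if __name__ == "__main__":
    for src, sport, dst, dport, _, payload in http_packets(SAMPLE_PCAP):
        print(f"{src}:{sport} -> {dst}:{dport} {payload[:20]!r}")
```

Only the two packets of the HTTP exchange survive the filter; the other host and the HTTPS packet are dropped just as the FortiGate filter would drop them.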
Wireless Networking
FortiOS WiFi networking provides a wide range of capabilities for integrating wireless networks into
your organization’s network architecture. Each WiFi network, or SSID, is represented by a virtual
network interface to which you apply security policies, UTM features, traffic shaping, and so on, in
the same way as for physical wired networks.

You can create multiple WiFi networks to serve different groups of users. For example, you might
have one network for your employees and another for guests or customers. Also, with the increase
in use of Bring Your Own Device (BYOD) equipment such as smartphones, tablets and other mobile
devices that use WiFi technology, wireless networks are becoming busier than ever and have to be
monitored and accommodated accordingly.

A network that requires only one WiFi access point is easily created with a FortiWiFi unit operating as
a single thick Access Point (AP). A thick AP such as a FortiWiFi unit contains the WiFi radio facility
as well as access control and authentication functionality.

A thin AP, such as a FortiAP unit contains only the radio facility and a microcontroller that receives
commands and exchanges data with a WiFi controller. If you already have a FortiGate unit, adding
a FortiAP unit as a thin AP managed by the FortiGate unit operating as a WiFi controller is a cost
effective solution for adding WiFi to your network.

The FortiOS WiFi controller feature is available on both FortiGate and FortiWiFi units. A FortiWiFi
unit’s WiFi controller also controls the unit’s internal (Local WiFi) radio facility, treating it much like a
built-in thin AP. Whenever multiple APs are required, a single FortiGate or FortiWiFi unit controlling
multiple FortiAP units is best. A network of multiple thick APs would be more expensive and more
complex to manage.

Providing remote users access to the internet and corporate network using FortiAP

In this example, users in a remote location such as a hotel use FortiAP to securely connect to a corporate network and browse the Internet from behind the corporate firewall.

1. Configure the corporate SSID and security policies
2. Configure the FortiGate unit to connect and configure FortiAP
3. Authorize the remote FortiAP connection
4. Results

[Network diagram: FortiAP serving the WLAN_1 wireless network, Internet, FortiGate WLAN 1 and Internal interfaces, Internal Network]

Step One: Configure the FortiGate for remote user connections

Go to WiFi Controller > WiFi Network > SSID and create a new SSID for the FortiAP.

Configure the WiFi Settings and DHCP Server so wireless users can connect directly to the FortiAP.

Go to Firewall Objects > Address > Address.

Create addresses for the remote users and the corporate network.

Go to Policy > Policy > Policy and create two security policies.

Create a policy for remote wireless users to access the Internet.

Create a policy for remote wireless users to access the corporate network.

Step Two: Configure FortiAP to connect to the corporate FortiGate unit

In the System Information tab, enter the AC IP Address of the public facing interface of the FortiGate unit.

The remote user will plug an Ethernet cable into the FortiAP and into the network connection to the Internet at the hotel. FortiAP searches for the FortiGate interface you configure here.

Step Three: Configure the FortiGate unit to connect, and configure FortiAP

Go to WiFi Controller > Managed Devices > Managed FortiAP.

Right-click the FortiAP in the list and select Authorize.

With the FortiAP authorized with the FortiGate unit, you can use the FortiGate to configure the wireless settings for the FortiAP remotely.

Results

The remote user connects the FortiAP to the network connection at the hotel. They then connect to the RemoteWiFi wireless network. They will be able to access the corporate network and surf the Internet securely.

Go to WiFi Controller > Monitor > Client Monitor to see remote wireless users connected to the FortiAP unit.

When the remote wireless user connects to the corporate network, traffic appears in the log messages.

Go to Log & Report > Traffic Log > Forward Traffic.

Selecting an entry for the WLAN_1 interface and internal destination interface shows traffic using RDP to connect to the corporate network.

Selecting an entry for the WLAN_1 interface and wan1 destination interface shows internet traffic.
Setting up a FortiGate and FortiAP to provide wired and wireless Internet access

This example sets up FortiAP to connect to the Internet using the FortiGate unit. Wireless and wired users will be on the same subnet and thus can share network resources.

1. Configure the FortiGate WAN 1 and LAN ports
2. Create an internal address range and security policy
3. Set up a wireless network with the FortiAP
4. Results

[Network diagram: Internet, FortiGate WAN 1 (172.20.120.226) and LAN (192.168.1.99/24) interfaces, FortiAP wireless network and Internal network on the LAN]

Step One: Configure the FortiGate WAN 1 and LAN ports

Go to System > Network > Interface.

Configure the WAN 1 interface to use DHCP.

Configure the LAN interface to use a static IP with a DHCP server enabled.

Step Two: Create an internal address range and security policy

Go to Firewall Objects > Address > Address.

Create a new address range for the internal network users.

Go to Policy > Policy > Policy.

Create a security policy allowing users on the wired network to access the Internet.

Step Three: Set up a wireless network with the FortiAP

Connect the FortiAP to the LAN interface.

Go to WiFi Controller > Managed Access Points > Managed FortiAP and authorize the FortiAP.

Go to WiFi Controller > WiFi Network > SSID and create a new SSID.

Ensure the Traffic Mode is set to Local bridge with FortiAP’s Interface.

Go to WiFi Controller > WiFi Network > Custom AP Profile.

Select Create New and select My_SSID for Radio 1 and Radio 2.

Go to WiFi Controller > Managed Access Points > Managed FortiAP.

Edit the FortiAP in the Wireless Settings and select MyProfile for the AP Profile.

Results

Have the wifi users connect to My_SSID and they should be able to surf the Internet. The wireless devices will be in the same subnet as the internal wired network.

Go to WiFi Controller > Monitor > Client Monitor to see wifi users and their IP addresses.

Go to Log & Report > Traffic Log > Forward Traffic and verify that wifi users are accessing the Internet with the same security policy as the wired network users.
Setting up guest wifi users with a captive portal

In this example, a FortiGate unit provides your office with wired networking, but guest users use laptops and mobile devices. These devices need secure WiFi access to both the office network and the Internet. Guest users use web applications and authenticate through a portal using a web browser. The receptionist for the company is provided a limited access admin account to distribute temporary password access to the wireless network.

1. Authorize the FortiAP over the DMZ interface
2. Add wifi guest users
3. Create an SSID using a captive portal
4. Add firewall addresses
5. Add security policies
6. Add a limited administrative role for the receptionist
7. Results

[Network diagram: Internet, FortiGate WAN 1 (172.20.120.23), Internal network (192.168.1.99/24), FortiAP on the DMZ interface (10.10.80.99/24), Wireless network (10.10.10.1/24)]

Step One: Authorize the FortiAP over the DMZ interface

Go to System > Network > Interface.

Set the DMZ interface to be dedicated to FortiAP connections.

Connect the FortiAP to the DMZ interface and go to WiFi Controller > Managed Access Points > Managed FortiAP to authorize the FortiAP.

Step Two: Add wifi guest users

Go to User & Device > User > User Group.

Create a guest wifi user group.

Step Three: Create an SSID using a captive portal

Go to WiFi Controller > WiFi Network > SSID.

Create a new SSID using a captive portal.

Step Four: Add firewall addresses

Go to Firewall Objects > Address > Address.

Create addresses for the internal wired network and the guest wifi users.

Step Five: Add security policies

Go to Policy > Policy > Policy.

Create a security policy allowing wifi guest users to access the internal network.

Create a security policy allowing wifi guest users to access the Internet.

Step Six: Add a limited administrative role for the receptionist

Go to System > Admin > Admin Profile.

Create a limited admin profile allowing the receptionist to create new guest users.

Go to System > Admin > Administrators.

Create a new admin account for the receptionist using the new limited profile.

Results

When a guest requires access to the wireless network, the company receptionist logs into the FortiGate unit with their account. The receptionist creates guest user names on the FortiGate unit.

Once logged in, they go to User & Device > User > Guest Management and create a new user ID.

The FortiGate unit generates a password for the user. This password is only valid for four hours.

Once this information is provided to the guest user, they can log in through the captive portal on the authentication page.

To verify that the guest user logged in successfully, go to WiFi Controller > Monitor > Client Monitor.

Once authenticated, guest users can surf the Internet and can also access resources in the internal wired network.

Go to Policy > Monitor > Policy Monitor and verify the active sessions.

Select one of the bars for more information.
Security Policies and Firewall Objects
FortiGate units are used to control access between the Internet and a network, typically allowing
users on the network to connect to the Internet while protecting the network from unwanted access
from the Internet. The FortiGate unit has to know what access should be allowed and what should
be blocked. This is what security policies are for: controlling all network traffic attempting to pass
through a FortiGate unit. No traffic can pass through a FortiGate unit unless specifically allowed to
by a security policy. With a security policy, you can control address translation, control the addresses
and services used by the traffic, and apply features such as UTM, authentication, and VPNs. Most of
the examples in this cookbook at some point involve the creation of security policies to allow traffic
and then apply a feature to it. This chapter focuses more on firewall features and how to configure
policies to apply them.

It is simple to set up a FortiGate unit to allow users on a network to access the Internet while
blocking traffic from the Internet from accessing the protected network. All that is required is a single
security policy that allows traffic from the Internal network to connect to the Internet. As long as you
do not add a security policy to allow traffic from the Internet onto your internal network, your network
is protected. The same security policy that allows you to connect to the Internet also allows servers
you contact to respond to you. In effect, a single policy allows two-way traffic, but the incoming
traffic is only allowed in response to requests sent by you.

Firewall objects are those elements within the security policy that further dictate how and when
network traffic is routed and controlled. This includes addresses, services, and schedules that are
used in security policies to control the traffic accepted or blocked by a security policy. Addresses are
matched with the source and destination address of packets received by the FortiGate unit.

The examples in this chapter use a number of these elements and policies to build a secure network.

Controlling when BYOD users can access the Internet

This example uses FortiOS device identity and security policy scheduling to limit Internet use by Bring Your Own Device (BYOD) users during company time.

1. Add BYODs to the FortiGate unit
2. Add schedules for time allowed for use of a BYOD
3. Add a device identity security policy
4. Results

[Network diagram: Internet, FortiWiFi wan 1, wifi and Internal interfaces, wireless mobile devices on wifi, internal network on Internal]

Step One: Add BYODs to the FortiGate unit

Go to User & Device > Device > Device Definition.

Alternatively, go to System > Network > Interface, and for the wireless interface, select Detect and Identify Devices.

Devices not yet added may appear in the list. Double-click on the entry and enter an Alias to add it.

The BYOD information may not initially fill in on the table until the user connects with their device. Select Refresh if needed.

Step Two: Add schedules for time allowed for use of a BYOD

Go to Firewall Objects > Schedule > Recurring.

The schedule, when included with a security policy, will allow users to access the Internet with their personal wireless devices over lunch time hours.

This schedule can also be used in other security policies as well as this application.

Step Three: Add a device identity security policy

Go to Policy > Policy > Policy and create a Device Identity policy.

Create a new authentication rule that includes the wireless devices and the new schedule.

Results

Go to Log & Report > Traffic Log > Forward Traffic. When a mobile user connects during the lunch break, they can surf the Internet, as shown in the logs.

When the end of the scheduled time is reached, further surfing cannot continue. This does not appear in the logs, as only allowed traffic is logged.

Evidence that the schedule and policy are working appears when attempting to connect to a web site, and possibly a few questions from the BYOD users.
Using AirPrint with iOS and OS X and a FortiGate unit

This example sets up AirPrint services for use with an iOS device and OS X computers using Bonjour and multicast security policies.

1. Configure the FortiAP and SSIDs
2. Add addresses for the wireless networks and printer
3. Add service objects for printing
4. Add multicast security policies
5. Add inter-subnet security policies
6. Results

[Network diagram: iPad 10.10.10.3 connected to SSID 1 (WLAN 1, 10.10.10.1/24); AirPrint printer 20.20.20.2 connected to SSID 2 (WLAN 2, 20.20.20.1/24); FortiAP on the DMZ interface (10.10.100.1/24); FortiGate LAN (192.168.1.99/24) to the Internal network with the OS X computers]

Step One: Configure the FortiAP and SSIDs

Go to System > Network > Interface.

Set the DMZ interface as dedicated for the FortiAP unit.

Connect the FortiAP to the DMZ interface.

Go to WiFi Controller > Managed Access Points > Managed FortiAP and authorize the FortiAP.

Once authorized, it will appear in the authorized list.

Go to WiFi Controller > WiFi Network > SSID.

Create an SSID for the network for wireless users.

Create an SSID for the network for the AirPrint printer.

Step Two: Add addresses for the wireless networks and printer

Go to Firewall Objects > Address > Address.

Create addresses for SSID 1, SSID 2 and the AirPrint printer.

Create an address for the internal network with the OS X computers.

Step Three: Add service objects for printing

Go to Firewall Objects > Service > Service.

Create a new service for Internet Printing Protocol (IPP) for iOS devices.

Create a new service for PDL Data Stream for OS X computers.

Step Four: Add multicast security policies

Go to Policy > Policy > Multicast Policy.

Create two policies to allow multicast traffic from WLAN 1 and WLAN 2 for iOS devices.

Create two policies to allow multicast traffic from the LAN and WLAN 2 for OS X computers.

Step Five: Add inter-subnet security policies

Go to Policy > Policy > Policy.

Create a policy allowing the IPP service from WLAN1 to WLAN2.

Create a policy allowing printing from an OS X computer to the AirPrint printer.

Results

Print a document from an iOS device.

Go to Log & Report > Traffic Log > Multicast Traffic to see the printing traffic passing through the FortiGate unit.

Select an entry to see more information.

Go to Log & Report > Traffic Log > Forward Traffic and verify the entry with the IPP service.

Print a document from an OS X computer.

Go to Log & Report > Traffic Log > Multicast Traffic to see the printing traffic passing through the FortiGate unit.

Select an entry to see more information.

Go to Log & Report > Traffic Log > Forward Traffic and filter the destination interface for WLAN 2 traffic.

Select an entry to see more information.
Using AirPlay with iOS, Apple TV, FortiAP and a FortiGate unit

This example sets up AirPlay services for use with an iOS device using Bonjour and multicast security policies.

Apple TV can also be connected to the Internet wirelessly. From any iOS device connected to the same SSID as the Apple TV, AirPlay will function with no configuration required on the FortiGate unit.

1. Configure the FortiAP and SSIDs
2. Add addresses for the wireless network
3. Add service objects for multicasting
4. Add multicast security policies
5. Add inter-subnet security policies
6. Results

[Network diagram: iPad 10.10.10.3 connected to SSID1 (WLAN 1, 10.10.10.1/24); FortiAP on the DMZ interface (10.10.100.1/24); FortiGate LAN (192.168.1.99/24) to the Internal network with the OS X computers and the Apple TV]

Step One: Configure the FortiAP and SSIDs

Go to System > Network > Interface.

Set the DMZ interface as dedicated for the FortiAP unit.

Connect the FortiAP to the DMZ interface.

Go to WiFi Controller > Managed Access Points > Managed FortiAP and authorize the FortiAP.

Once authorized, it will appear in the authorized list.

Go to WiFi Controller > WiFi Network > SSID.

Create an SSID for the network for wireless users.

Step Two: Add addresses for the wireless network

Go to Firewall Objects > Address > Address.

Create addresses for SSID 1.

Step Three: Add two service objects for AirPlay

Go to Firewall Objects > Service > Service.

Step Four: Add multicast security policies

Go to Policy > Policy > Multicast Policy.

Create a policy to allow multicast traffic from the LAN and WLAN 1 for AppleTV to iOS devices.

Go to Policy > Policy > Multicast Policy.

Create a policy to allow multicast traffic from WLAN 1 and the LAN for iOS devices to AppleTV.

Step Five: Add inter-subnet security policies

Go to Policy > Policy > Policy.

Create a policy allowing traffic from the Apple TV to the iOS device.

Create a policy allowing traffic from the iOS device to the Apple TV.

Results

Use AirPlay from the iPad to stream video to the Apple TV.

Go to Log & Report > Traffic Log > Multicast Traffic to see the multicast traffic between the WLAN 1 and LAN interfaces.

Select an entry for more information.

Go to Log & Report > Traffic Log > Forward Traffic and filter on policy IDs 6 and 7, which allow the AirPlay traffic.

Select an entry for more information.
Using port forwarding on a FortiGate unit

This example illustrates how to allow incoming connections from the Internet to a server on the internal network so that the server can access a service that requires open ports. The service requires opening TCP ports in the range 7882 to 7999, as well as opening UDP ports 2119 and 2995. This involves creating multiple VIPs that map sessions from the wan 1 IP address to the server IP address.

1. Create three virtual IPs
2. Add the virtual IPs to a group
3. Create a security policy to allow inbound traffic to the server
4. Results

[Network diagram: Internet, FortiGate WAN 1 (172.20.120.226) and LAN (192.168.1.99/24) interfaces, Server 192.168.1.200; open TCP ports 7882-7999 and UDP ports 2119 and 2995 for traffic from the Internet to the Server]

Step One: Create three virtual IPs

Go to Firewall Objects > Virtual IP > Virtual IP.

Add a virtual IP for the TCP port range 7882 to 7999.

Add a virtual IP for UDP port 2119.

Add a virtual IP for UDP port 2995.

Step Two: Add the virtual IPs to a group

Go to Firewall Objects > Virtual IP > VIP Group.

Create a VIP group that includes all three virtual IPs.

Step Three: Create a security policy to allow inbound traffic to the server

Go to Policy > Policy > Policy.

Create a security policy allowing inbound connections to the server from the Internet.

Results

Go to Policy > Monitor > Policy Monitor to see the active sessions.

Select the blue bar for more information.

Go to Log & Report > Traffic Log > Forward Traffic to see the logged activity.

Select an entry for more information.
UTM Profiles
UTM profiles, including antivirus, web filtering, application control, intrusion protection (IPS), email
filtering, and data leak prevention (DLP), apply core UTM security functions to traffic accepted by
security policies. The FortiGate unit includes default UTM profiles for all of these security features.
You can apply UTM features to traffic accepted by a security policy by selecting the default profiles
for the UTM features that you want to apply.

The default profiles are designed to provide basic protection. You can modify the default profiles,
and group them, for your needs or create new ones. Creating multiple profiles means you can apply
different levels of protection to different traffic types according to the security policies that accept the
traffic.

Endpoint control profiles are created to ensure that workstation computers, also known as
endpoints, on your network meet the network’s security requirements; otherwise, they are not
permitted access. Enhanced by Fortinet’s FortiClient Endpoint Security software, FortiGate endpoint
control can block or control access through the FortiGate unit for workstation computers depending
on the security functions enabled on the computers and the applications running on them. After
creating endpoint control profiles, you can add endpoint security profiles to security policies.

The final UTM profile feature, vulnerability scanning, is independent of security policies. By using
vulnerability scanning, you can scan computers on your network for multiple vulnerabilities, and take
action to remove those vulnerabilities.

Visualizing and controlling the applications on your network using application control

This example sets up application monitors in security policies to determine which applications are contributing to high bandwidth usage on the network or distracting employees, and then blocks access to those applications.

1. Add an application control sensor
2. Add a security policy to use the application control sensor
3. Review the data from the application control monitor
4. Block high bandwidth applications
5. Add a security policy to use the block application control sensor
6. Results

[Network diagram: Internet, FortiGate WAN 1 and Internal interfaces, Internal Network]

Step One: Add an application control sensor

Go to UTM Security Profiles > Application Control > Application Sensor.

Select the plus icon in the upper right corner of the window to create a new sensor list for monitoring application traffic.

Select Create New to add a new application filter. Ensure you set the Action to Monitor.

At this stage in the process, you want to watch the application traffic to determine where problems, if any, are occurring.

Step Two: Add a security policy to use the application control sensor

Go to Policy > Policy > Policy.

Edit the security policy allowing internal users to access the Internet and apply the application control sensor in the UTM Security Profiles section.

Step Three: Review the data from the application control monitor

Go to UTM > Monitor > Application Monitor.

Select each blue bar to see further details on the usage statistics.

Go to Log & Report > Traffic Log > Forward Traffic.

You can see the sensor is working and picking up on various application traffic.

Step Four: Block high-bandwidth applications

Go to UTM Security Profiles > Application Control > Application Sensor.

Select the plus icon in the upper right corner of the window to create a new sensor list for blocking application traffic.

Select Create New to add a new application filter.

Select the options for streaming media, instant messaging clients, social media and peer-to-peer file sharing.

Ensure you set the Action to Block.

Step Five: Add a security policy to use the block application control sensor

Go to Policy > Policy > Policy.

Edit the security policy allowing internal users to access the Internet and apply the block application control sensor in the UTM Security Profiles section.

Results

Go to Log & Report > Traffic Log > Forward Traffic.

You can see the sensor is working and blocking the selected application traffic.

Select an entry to see more details.
Configuring web filter overrides and local ratings

This example sets up web site overrides for blocked sites. It adds web filter profiles that prohibit viewing a web site until the user authenticates an override. Once authenticated, they will still only have a limited amount of time to visit the site.

1. Configure users and user groups
2. Configure rating overrides and web filter profiles
3. Edit the security policy to include the web filter UTM profile
4. Results

[Network diagram: Internet and FortiGuard, FortiGate WAN 1 and LAN interfaces, Internal Network]

Step One: Configure users and user groups

Go to User & Device > User > User Definition.

Add users. These users will be allowed to override the web filter blocking.

Go to User & Device > User > User Group and add the users to a group.

Step Two: Configure rating overrides and web filter profiles

Go to UTM Security Profiles > Web Filter > Rating Overrides.

Select Lookup Rating to see the FortiGuard rating for a URL.

Select Custom Categories and Create New and add the new category name for the URL.

Go to UTM Security Profiles > Web Filter > Profile.

Create a web filter profile to allow the Web News, Streaming Media and Download categories.

Create a new profile to block the new Web News category, as well as the Streaming Media and Download categories.

Select the blue arrow to expand the Advanced Filter section.

Enable Allow Blocked Override and assign it to the Overrided_URLs profile.

Step Three: Edit the security policy to include the web filter UTM profile

Go to Policy > Policy > Policy.

Edit the policy allowing outbound traffic from the internal network and add the web filter profile.

Results

In a web browser, go to cnn.com. The FortiGate unit blocks the web site with an override option.

Select Override. You are prompted to authenticate to view the page.

Once successfully authenticated, you are guaranteed access for 15 minutes from your IP address only. This access will be for all allowed categories according to the Overrided_URLs web filter profile.

Go to Log & Report > Traffic Log > Forward Traffic and filter the destination to the IP address of cnn.com (157.166.255.19).

Select an entry for more information.
Protecting a web server from vulnerabilities and DoS attacks using IPS

This example uses IPS to protect a web server by placing the web server on the internal network with a virtual IP, and creating a security policy that allows web access from the Internet to the server. IPS is added to the policy to protect the server from attacks.

1. Configure IPS to detect and protect against common attacks
2. Add a security profile that includes the IPS UTM profile
3. Add a DoS security policy using IPS
4. Results

[Network diagram: Attacks from the Internet arrive at FortiGate WAN 1 (172.20.120.24); LAN 192.168.1.99/24; Web server on the Internal network; VIP: 172.20.120.24 --> 192.168.1.200]

Step One: Configure IPS to detect and protect against common attacks

Go to UTM Security Profiles > Intrusion Protection > IPS Sensor.

Create a new sensor.

Select Create New and add a new IPS filter.

Step Two: Add a security profile that includes the IPS UTM profile

Go to Policy > Policy > Policy.

Edit the security policy allowing traffic to the web server from the Internet and add the new IPS sensor.

Step Three: Add a DoS security policy using IPS

Go to Policy > Policy > DoS Policy.

Create a new policy. The Incoming Interface is the one connected to the Internet.

Results

Perform a tcp_syn_flood DoS attack against the web server IP address. The TCP SYN sessions should be blocked when the threshold of 20 is reached.

Note: Ensure you have the proper IP address of your web server. Otherwise you may unwillingly be causing a DoS attack on another server!

Go to Log & Report > UTM Security Log > Intrusion Protection.

Select an entry for more information.
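What the tcp_syn_flood anomaly above counts, illustrated offline as an added Python example (not FortiOS code): SYN-only packets per destination inside a one-second window, with the destination flagged once the count passes the recipe's threshold of 20. The packet records, source addresses and helper names are constructed for the example.

```python
"""Offline illustration of what the tcp_syn_flood anomaly counts:
SYN-only TCP packets per destination inside a one-second window, flagged
once the count exceeds the threshold (20 in this recipe).
Added example, not FortiOS code. All packet records are constructed."""
from collections import defaultdict, deque

SYN, ACK = 0x02, 0x10
WEB_SERVER = "192.168.1.200"   # the VIP's internal address in the recipe


def is_new_syn(flags):
    """A connection attempt is SYN without ACK; SYN/ACK replies do not count."""
    return bool(flags & SYN) and not flags & ACK


def syn_flood_alerts(packets, threshold=20, window=1.0):
    """packets: iterable of (ts, src, dst, tcp_flags) sorted by ts.

    Returns {dst: alert} for each destination whose SYN count inside the
    sliding window exceeded the threshold, recording when it first did,
    the rate at that moment and how many SYNs arrived while over threshold
    (the ones a DoS policy set to Block would have dropped)."""
    recent = defaultdict(deque)  # dst -> timestamps of SYNs in window
    alerts = {}
    for ts, _src, dst, flags in packets:
        if not is_new_syn(flags):
            continue
        q = recent[dst]
        while q and ts - q[0] >= window:
            q.popleft()          # expire SYNs older than the window
        q.append(ts)
        if len(q) > threshold:
            a = alerts.setdefault(dst, {"anomaly": "tcp_syn_flood",
                                        "first_seen": ts, "rate": len(q),
                                        "dropped": 0})
            a["dropped"] += 1
    return alerts


def constructed_traffic():
    """One legitimate handshake, a 30-SYN burst in 0.3 s, then a quiet SYN."""
    pkts = [(0.00, "192.168.1.50", WEB_SERVER, SYN),
            (0.01, WEB_SERVER, "192.168.1.50", SYN | ACK),
            (0.02, "192.168.1.50", WEB_SERVER, ACK)]
    for i in range(30):   # sources are constructed TEST-NET-2 addresses
        pkts.append((1.0 + i * 0.01, f"198.51.100.{i % 5 + 1}", WEB_SERVER, SYN))
    pkts.append((5.0, "192.168.1.51", WEB_SERVER, SYN))
    return sorted(pkts)


if __name__ == "__main__":
    for dst, alert in syn_flood_alerts(constructed_traffic()).items():
        print(dst, alert)
```

The legitimate handshake and the late SYN never cross the threshold; only the burst does, and the alert shows the 21st SYN as the first one over the line with ten more dropped behind it.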
Blocking email/web traffic or files containing sensitive
information
This example sets up data leak prevention (DLP) for the network by analyzing data
using sensors for credit card numbers, watermarked files and file pattern matching.
With these filters, the FortiGate unit will scan outgoing data for potential sensitive
data breaches.

1. Create a DLP file matching pattern filter


2. Setup a DLP sensor with sensor criteria
3. Create an address range for the internal network
4. Add a security profile that includes the DLP sensor
5. Results

Diagram: Internal network - LAN - FortiGate - WAN 1 - Internet; the data leak is stopped at the FortiGate unit.

Step One: Create a DLP file matching pattern filter

To create a file matching pattern, you need to create a DLP file filter.

Go to UTM Security Profiles > Data Leak Prevention > File Filter.

Create a new file filter table and add the file filter.

Step Two: Set up a DLP sensor with sensor criteria

Go to UTM Security Profiles > Data Leak Prevention > Sensor.

Create a new sensor. To this sensor you will add the filters the FortiGate unit uses to scan outgoing data.

Select Create New to add a filter to look for the file patterns.

Select Create New to add a filter to look for credit card number patterns.

Select Create New to add a filter to look for a corporate identifier, or watermark, in outgoing files.

Step Three: Create an address range for the internal network

Go to Firewall Objects > Address > Address.

Create an address range for the internal network. The FortiGate unit will scan any traffic from this range for data loss.

Step Four: Add a security profile that includes the DLP sensor

Go to Policy > Policy > Policy.

Create a security policy and enable the DLP sensor using the filters created.

Results

Upload a file containing a credit card number to a server on the Internet, such as a local FTP server or web server. The FortiGate unit will block the file and prevent it from leaving the internal network.

Go to Log & Report > Traffic Log > Forward Traffic and locate the blocked log entry.

Upload a watermarked file to a server on the Internet, such as a local FTP server or web server. The FortiGate unit will block the file and prevent it from leaving the internal network.

Go to Log & Report > Traffic Log > Forward Traffic and locate the blocked log entry.

Upload an exe file to a server on the Internet, such as a local FTP server or web server. The FortiGate unit will block the file and prevent it from leaving the internal network.

Go to Log & Report > Traffic Log > Forward Traffic and locate the blocked log entry.
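The three sensor filters in this recipe (file pattern, credit card number, watermark) and the scanned address range from Step Three, modelled as an added Python example; this is illustrative code, not FortiGate code, and the watermark string, file names and card numbers are constructed for the example.

```python
"""Model of the DLP sensor in this recipe (added example, not FortiGate code).

Three filters are approximated: a file-pattern filter, a credit card
number filter (digit pattern plus Luhn checksum, so a random run of digits
is not flagged) and a watermark filter that looks for a corporate
identifier string. Only traffic from the configured internal address range
is scanned. Every sample value below is constructed for the example.
"""
import fnmatch
import ipaddress
import re
from dataclasses import dataclass

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return digit strings that look like card numbers and pass Luhn."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


@dataclass(frozen=True)
class Upload:
    name: str      # file name as sent to the external server
    content: str   # file body (text for the example)
    src: str       # internal host that sent it


@dataclass(frozen=True)
class DlpSensor:
    file_patterns: tuple   # e.g. ("*.exe",)
    watermark: str         # corporate identifier (constructed value)
    scanned_range: str     # address range from Step Three

    def verdict(self, up: Upload) -> str:
        """Return 'allow' or 'block:<filter>' for one outgoing file."""
        if ipaddress.ip_address(up.src) not in ipaddress.ip_network(self.scanned_range):
            return "allow"                  # outside the scanned range
        for pat in self.file_patterns:
            if fnmatch.fnmatch(up.name.lower(), pat.lower()):
                return "block:file-pattern"
        if find_card_numbers(up.content):
            return "block:credit-card"
        if self.watermark in up.content:
            return "block:watermark"
        return "allow"


SENSOR = DlpSensor(file_patterns=("*.exe",),
                   watermark="ACME-CONFIDENTIAL-7F3A",   # constructed
                   scanned_range="192.168.1.0/24")

# Constructed uploads mirroring the three tests in the Results section,
# plus a Luhn-invalid number and a host outside the scanned range.
UPLOADS = [
    Upload("invoice.txt", "Card: 4111 1111 1111 1111 exp 12/14", "192.168.1.20"),
    Upload("invoice.txt", "Card: 4111 1111 1111 1112 exp 12/14", "192.168.1.20"),
    Upload("plan.doc", "Q3 roadmap\nACME-CONFIDENTIAL-7F3A\n", "192.168.1.21"),
    Upload("setup.exe", "MZ...", "192.168.1.22"),
    Upload("setup.exe", "MZ...", "10.0.0.5"),
]


def scan_all(sensor: DlpSensor, uploads) -> list:
    """Apply the sensor to each upload; returns [(name, verdict), ...]."""
    return [(u.name, sensor.verdict(u)) for u in uploads]


if __name__ == "__main__":
    for name, verdict in scan_all(SENSOR, UPLOADS):
        print(f"{name:12s} {verdict}")
```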
Monitoring your network for undesirable behavior using client reputation

Client reputation enables you to monitor traffic from internal sources based on UTM profiles and risk ratings. Client reputation tracks client behavior and reports on the activities you determine are risky or otherwise noteworthy. This example enables client reputation on web filtering to monitor traffic from various sources to web sites.

1. Add client reputation to the network
2. Create a security policy
3. Results

Diagram: Internal Network - Internal interface - FortiGate - WAN 1 - Internet

Step One: Add client reputation on the network

Go to User & Device > Client Reputation > Reputation Definition.

Enable Client Reputation Tracking by selecting the Off button to turn the feature on.

To configure the profile, decide how risky or dangerous each type of behavior is to your network and rate it accordingly. The higher you rate a type of behavior, the more visible clients engaging in that behavior become in the client reputation monitor, and the more easily you can detect it.

Step Two: Create a security policy

Go to Policy > Policy > Policy. In the UTM Security Profiles section, enable the web filter profile. You can use the default profiles for data gathering purposes.

Results

Allow traffic to pass through the FortiGate unit for a day. Then go to User & Device > Client Reputation > Reputation Score to view the results.

Each user by device that met the threshold set appears in the chart. With this information, you can see where potential problems may occur or where potential security breaches are imminent.

Select the blue bar for a device to see more information.

Client reputation only highlights risky activity. It does not include tools to stop the behavior. Rather, client reputation is a tool that exposes risky behavior. When you uncover risky behavior that you are concerned about, you can take additional action to stop it. That action could include adding more restrictive security policies to block the activity or increasing UTM protection. You can also take other measures outside your FortiGate unit to stop the activity.
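How the ratings from Step One turn a day's logged activity into a ranked score per device, as an added example (not FortiOS code): each behavior type carries an administrator-chosen rating, a device's score is the sum over its events, and only devices at or above the threshold are shown. The log lines use a FortiGate-like key=value layout, but the field names, ratings and traffic are constructed for the example.

```python
"""Client reputation scoring as described in this recipe (added example,
not FortiGate code).

Each risky behaviour type gets an administrator-chosen rating; a device's
score is the sum of the ratings of the events it caused over the
observation window, and only devices at or above a threshold are listed.
The log lines and rating values are constructed; the key=value layout
mimics FortiGate traffic logs but the field set is an assumption.
"""
import re
from collections import defaultdict

# Constructed log lines (FortiGate-style key=value; field set is assumed).
LOG_LINES = """\
date=2013-05-14 time=09:10:01 srcip=192.168.1.20 user="twhite" action=passthrough catdesc="Gambling"
date=2013-05-14 time=09:12:44 srcip=192.168.1.20 user="twhite" action=blocked catdesc="Malicious Websites"
date=2013-05-14 time=09:13:02 srcip=192.168.1.20 user="twhite" action=blocked catdesc="Malicious Websites"
date=2013-05-14 time=10:02:10 srcip=192.168.1.31 user="jdoe" action=passthrough catdesc="Business"
date=2013-05-14 time=10:05:55 srcip=192.168.1.31 user="jdoe" action=passthrough catdesc="Gambling"
date=2013-05-14 time=11:30:09 srcip=192.168.1.45 user="asmith" action=passthrough catdesc="Business"
"""

# Ratings an administrator might assign in Reputation Definition
# (constructed values). Higher = more visible in the score chart.
RATINGS = {
    "Malicious Websites": 10,
    "Gambling": 5,
    "Business": 0,
}

# key=value pairs; quoted values may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line: str) -> dict:
    """Split a key=value log line; quoted values keep their inner text."""
    fields = {}
    for key, val in FIELD_RE.findall(line):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        fields[key] = val
    return fields


def score_clients(lines: str, ratings: dict, threshold: int) -> list:
    """Return [(device_ip, user, score), ...] sorted by descending score,
    keeping only devices whose score reaches the threshold."""
    scores = defaultdict(int)
    users = {}
    for line in lines.splitlines():
        f = parse_line(line)
        if "srcip" not in f:
            continue                                # not a traffic record
        scores[f["srcip"]] += ratings.get(f.get("catdesc", ""), 0)
        users[f["srcip"]] = f.get("user", "")
    ranked = [(ip, users[ip], s) for ip, s in scores.items() if s >= threshold]
    ranked.sort(key=lambda t: (-t[2], t[0]))
    return ranked


if __name__ == "__main__":
    for ip, user, score in score_clients(LOG_LINES, RATINGS, threshold=5):
        print(f"{ip:15s} {user:8s} {score}")
```

Lowering the Gambling rating to 0 drops the second device below the threshold, which is the "higher rating, more visible" effect the recipe describes.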
Inspecting content on the network using flow-based UTM instead of proxy-based UTM

Flow-based scans examine files as they pass through, while proxy-based scans require that files are cached as they come in and examined once completely cached. Caching files takes more memory and system resources. UTM features using flow-based scans will continue to protect network traffic without interruption.

Flow-based scanning is an ideal solution to ease the memory requirements of some UTM scans.

1. Enable flow-based antivirus
2. Enable flow-based web filtering
3. Add a firewall policy to include the new UTM security profiles
4. Results

Diagram: Internal Network - Internal interface - FortiGate (web filter, antivirus) - WAN 1 - Internet; viruses are stopped at the FortiGate unit.

Step One: Enable flow-based antivirus

Go to UTM Security Profiles > Antivirus > Profile.

Select the plus icon in the upper right corner and add a new AV profile.

Step Two: Enable flow-based web filtering

Go to UTM Security Profiles > Web Filter > Profile.

Select the plus icon in the upper right corner and add a new profile to block search engines and portals.

Step Three: Add a firewall policy to include the new UTM security profiles

Go to Policy > Policy > Policy.

Edit the policy allowing users to access the Internet and apply the flow-based profiles.

Results

To test the AV scanning, from a PC in the internal network, go to http://www.eicar.org and try to download a test file.

The browser will time out and display a message similar to what is shown here from Google Chrome.

Go to Log & Report > Traffic Log > Forward Traffic to see that the UTM profile is activated when attempting to download the file.

To test the web filtering, from a PC in the internal network, go to google.com.

The FortiGate unit displays a block message.

Go to UTM Security Profiles > Monitor > Web Monitor.

Select the blue bar in the chart to see further details by user.
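The trade-off in the introduction above (proxy-based scanning caches the whole file; flow-based scanning inspects data as it passes) as an added Python example, not FortiOS code. It also shows the edge case a flow-based scanner must handle: a signature split across two chunks. The signature, chunk size and file contents are constructed, with no real malware data.

```python
"""Flow-based versus proxy-based scanning (added example, not FortiOS code).

The proxy-style scanner caches the whole file before matching, so its
memory use grows with file size. The flow-style scanner matches chunk by
chunk and carries only a short tail between chunks, so a signature that
straddles a chunk boundary is still found. A naive chunk-only scanner is
included to show what is missed without that tail. Signature and file
contents are constructed; no real malware data is used.
"""

SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"   # stands in for an AV signature
CHUNK = 1024                                 # bytes delivered per chunk (assumed)


def split_chunks(data: bytes, size: int = CHUNK) -> list:
    """Cut a byte string into consecutive chunks of at most `size` bytes."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def proxy_scan(chunks) -> tuple:
    """Cache everything, then scan. Returns (found, peak_bytes_buffered)."""
    buf = b"".join(chunks)
    return SIGNATURE in buf, len(buf)


def naive_flow_scan(chunks) -> tuple:
    """Scan each chunk on its own. Misses matches that cross a boundary."""
    peak = 0
    for chunk in chunks:
        peak = max(peak, len(chunk))
        if SIGNATURE in chunk:
            return True, peak
    return False, peak


def flow_scan(chunks) -> tuple:
    """Scan as data passes, carrying len(SIGNATURE)-1 bytes between chunks
    so a match split across two chunks is still detected."""
    keep = len(SIGNATURE) - 1
    carry = b""
    peak = 0
    for chunk in chunks:
        window = carry + chunk
        peak = max(peak, len(window))
        if SIGNATURE in window:
            return True, peak
        carry = window[-keep:] if keep else b""
    return False, peak


# Constructed 64 KiB download with the signature starting at offset 1018,
# i.e. 6 bytes before the end of the first 1 KiB chunk.
INFECTED = b"A" * 1018 + SIGNATURE + b"B" * (65536 - 1018 - len(SIGNATURE))
CLEAN = b"C" * 65536


def compare(data: bytes) -> dict:
    """Run all three scanners over the same chunked stream."""
    chunks = split_chunks(data)
    return {
        "proxy": proxy_scan(chunks),
        "naive_flow": naive_flow_scan(chunks),
        "flow": flow_scan(chunks),
    }


if __name__ == "__main__":
    for label, data in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, compare(data))
```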
Blocking large files from entering the network

If a file is too large to be properly scanned by the FortiGate unit, you need to make sure it still does not enter the network. This example configures data leak prevention (DLP) options to block large files from entering the network.

1. Set up a DLP sensor with a file matching pattern filter
2. Add a security profile that includes the DLP sensor
3. Results

Diagram: Internal network - LAN - FortiGate - WAN 1 - Internet; viruses/spyware are stopped at the FortiGate unit.

Step One: Set up a DLP sensor with a file matching pattern filter

Go to UTM Security Profiles > Data Leak Prevention > Sensor.

Create a new sensor. To this sensor you will add the filters the FortiGate unit uses to check incoming files.

Select Create New to add a filter to look for a file size threshold.

Step Two: Add a security profile that includes the DLP sensor

Go to Policy > Policy > Policy.

Create a security policy and enable the DLP sensor using the filters created.

Results

Any attempt to download a file larger than 10 MB is blocked.

The FortiGate unit displays a replacement message explaining why the attempt failed.

Go to Log & Report > Traffic Log > Forward Traffic.

Select an entry to see information on the blocked file.
Blocking access to specific web sites

This example sets up the FortiGate unit to block users from viewing specific web sites using web filtering.

1. Create a new web filter block list
2. Add the block list to a web filter profile
3. Add a security profile that includes the web filter UTM profile
4. Results

Diagram: Internal network - LAN - FortiGate - WAN 1 - Internet; the blocked site is not reachable.

Step One: Create a new web filter block list

Go to UTM Security Profiles > Web Filter > URL Filter.

Create a new filter list for blocked URLs.

Select Create New to enter a list of URLs you want to prevent users from accessing.

Using the asterisk (*) as a wildcard in the URL ensures that any sub-domain of the site is also blocked.

Step Two: Add the block list to a web filter profile

Go to UTM Security Profiles > Web Filter > Profile.

Create a new profile and expand the Advanced Filter. Select the new block list in the Web URL Filter.

Step Three: Add a security profile that includes the web filter UTM profile

Go to Policy > Policy > Policy.

Edit the policy allowing outbound traffic from the internal network to include UTM security profiles and select the new profile.

Results

In a web browser, attempt to visit fortinet.com and docs.fortinet.com. In both cases, the FortiGate unit displays a message.

Go to Log & Report > Traffic Log > Forward Traffic.

Select an entry for more information.
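How a wildcard block-list entry matches host names, as an added example (not FortiOS code; the entry types and matching rules are a simplification of the real URL filter). It reproduces the Results above, where both fortinet.com and docs.fortinet.com are blocked, and also shows the over-blocking that a leading asterisk with no dot produces, which is the check a practitioner should run before deploying a wildcard entry.

```python
"""Block-list matching for the URL filter recipe (added example, not
FortiOS code). An entry is an exact host name or a wildcard pattern in
which '*' matches any run of characters. Matching is done on the host
part of the URL only; this is a deliberate simplification of FortiOS
URL filter semantics.
"""
import re
from urllib.parse import urlsplit


def compile_entry(entry: str):
    """Turn a block-list entry into an anchored regex over the host name."""
    parts = entry.lower().split("*")
    pattern = ".*".join(re.escape(p) for p in parts)
    return re.compile(r"\A" + pattern + r"\Z")


class UrlFilter:
    def __init__(self, entries):
        self.rules = [(e, compile_entry(e)) for e in entries]

    @staticmethod
    def host_of(url: str) -> str:
        """Extract the lower-cased host name; bare host names are accepted."""
        if "://" not in url:
            url = "http://" + url
        return (urlsplit(url).hostname or "").lower()

    def match(self, url: str):
        """Return the block-list entry that matches the URL, or None."""
        host = self.host_of(url)
        for entry, rx in self.rules:
            if rx.match(host):
                return entry
        return None


# A single broad wildcard, as a first attempt at "block fortinet.com and
# all of its sub-domains".
BROAD = UrlFilter(["*fortinet.com"])

# The same intent expressed as an exact entry plus a dotted wildcard,
# which does not spill over onto unrelated hosts.
TIGHT = UrlFilter(["fortinet.com", "*.fortinet.com"])

# Constructed test URLs; the third and fourth are unrelated hosts.
URLS = [
    "http://fortinet.com/",
    "https://docs.fortinet.com/fortigate",
    "http://notfortinet.com/",
    "http://fortinet.com.example/",
]


def decisions(flt: UrlFilter, urls) -> dict:
    """Map each URL to the entry that blocks it (None = allowed)."""
    return {u: flt.match(u) for u in urls}


if __name__ == "__main__":
    for name, flt in (("broad", BROAD), ("tight", TIGHT)):
        print(name)
        for url, hit in decisions(flt, URLS).items():
            print(f"  {url:40s} {'blocked by ' + hit if hit else 'allowed'}")
```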
Blocking HTTPS traffic with web filtering

Some websites are accessible using both the http and https protocols, such as YouTube and Facebook. This example steps through how to block https access to these websites using either proxy-based or flow-based web filtering profiles. You will need to have your FortiGate licensed for FortiGuard services.

1. Verify FortiGuard services are enabled
2. Create a web filter profile
3. Create an SSL inspection profile
4. Create a security profile with the web filter and SSL profiles
5. Results

Diagram: Internal Network - Internal interface - FortiGate - WAN 1 - Internet (HTTPS to YouTube and Facebook; FortiGuard)

Step One: Verify FortiGuard services are enabled

Go to System > Dashboard > Status.

In the Licence Information widget, verify that the FortiGate unit is connected to the FortiGuard servers. A green check mark should appear next to the services you are subscribed to.

Step Two: Create a web filter profile

Go to UTM Security Profiles > Web Filter > Profile. Select the plus icon in the upper-right corner to create a new profile.

Ensure the inspection mode is set to Proxy. You can also set the Inspection Mode to Flow-based or DNS.

Step Three: Create an SSL inspection profile

Go to Policy > Policy > SSL/SSH Inspection.

Select the plus icon in the upper-right corner to create a new profile and enable only the HTTPS option.

Step Four: Create a security profile

Go to Policy > Policy > Policy.

Create a new security policy that uses the new SSL/SSH inspection profile and the HTTPS web filter profile.

Results

In a web browser, go to https://youtube.com. The web page is blocked and a FortiGate replacement message is put up in its place.

Go to System > Admin > Settings.

Enable UTM Monitoring in the Display Options on GUI area.

Go to UTM Security Profiles > Monitor > Web Monitor.

If you chose DNS block or redirect, the browser will time out when you visit https://youtube.com, and no replacement message is displayed.
SSL and IPsec VPN

SSL is an easy to use, application-level, network-independent method of ensuring private communication over the Internet. Commonly used to protect the privacy of online shopping payments, customers' web browsers can almost transparently switch to using SSL for secure communication without customers being required to do any SSL-related configuration or have any extra SSL-related software.

The FortiGate SSL VPN configuration requires an SSL VPN web portal for users to log into, a user authentication configuration to allow SSL VPN users to log in, and the creation of SSL VPN security policies that control the source and destination access of SSL VPN users. SSL VPN security policies can also apply UTM and other security features to all SSL VPN traffic.

IPsec VPN is a common method for enabling private, secure communication over the Internet. IPsec supports a client-server architecture similar to that of SSL VPN. However, to support a client-server architecture, IPsec clients must install and configure an IPsec VPN client (such as Fortinet's FortiClient Endpoint Security) on their PCs or mobile devices.

IPsec VPN supports more configuration options than SSL VPN. A common application of IPsec VPN is a gateway-to-gateway configuration that allows users to transparently communicate between remote networks over the Internet. When a user on one network starts a communication session with a server on the other network, a security policy configured for IPsec VPN intercepts the communication session and uses an associated IPsec configuration both to encrypt the session for privacy and to transparently route the session over the Internet to the remote network. At the remote network the encrypted communication session is intercepted and decrypted by the IPsec gateway, and the unencrypted traffic is forwarded to the server.

Many variations of the gateway-to-gateway configuration are available depending on the requirements.

All communication over IPsec VPNs is controlled by security policies. Security policies allow for full access control and can be used to apply UTM and other features to IPsec VPN traffic. Fortinet IPsec VPNs employ industry standard features to ensure the best security and interoperability with industry standard VPN solutions provided by other vendors.
Protecting traffic between company headquarters and branch offices using IPsec VPN

This example uses a gateway-to-gateway IPsec VPN, and assumes that both offices have connections to the Internet with static IP addresses. This configuration uses a policy-based IPsec VPN.

1. Configure the HQ IPsec VPN Phase 1 and Phase 2 settings
2. Add HQ addresses for the local and remote LAN on the HQ FortiGate unit
3. Create an HQ IPsec security policy
4. Configure the Branch IPsec VPN Phase 1 and Phase 2 settings
5. Add Branch addresses for the local and remote LAN on the Branch FortiGate unit
6. Create a Branch IPsec security policy
7. Results

Diagram: Internal Network (HQ) - port1 192.168.1.99/24 - HQ FortiGate - wan1 172.20.120.123 - Internet (IPsec tunnel) - port3 172.20.120.141 - Branch FortiGate - port4 10.10.1.99/24 - Internal Network (Branch)

Step One: Configure the HQ IPsec VPN Phase 1 and Phase 2 settings

Go to VPN > IPsec > Auto Key (IKE).

Select Create New Phase 1.

Go to VPN > IPsec > Auto Key (IKE).

Select Create New Phase 2.

Step Two: Add HQ addresses for the local and remote LAN on the HQ FortiGate unit

Go to Firewall Objects > Address > Address.

Create a local address and a remote LAN address.

Step Three: Create an HQ IPsec security policy

Go to Policy > Policy > Policy.

When complete, make sure it is at the top of the policy list by clicking on the policy sequence number and dragging the row to the top of the policy table.

Step Four: Configure the Branch IPsec VPN Phase 1 and Phase 2 settings

Go to VPN > IPsec > Auto Key (IKE).

Select Create New Phase 1.

Go to VPN > IPsec > Auto Key (IKE).

Select Create New Phase 2.

Step Five: Add Branch addresses for the local and remote LAN on the Branch FortiGate unit

Go to Firewall Objects > Address > Address.

Create a local address and a remote LAN address.

Step Six: Create a Branch IPsec security policy

Go to Policy > Policy > Policy.

When complete, make sure it is at the top of the policy list by clicking on the policy sequence number and dragging the row to the top of the policy table.

Results

Go to VPN > Monitor > IPsec Monitor to verify the status of the VPN tunnel. It should be up.

A user on either of the office networks should be able to connect to any address on the other office network transparently.

For example, from a PC on the Branch office network with IP address 10.10.1.100 you should be able to ping a device on the Headquarters network with the IP address 192.168.1.114, and vice versa.

From the Headquarters FortiGate unit, go to Log & Report > Traffic Log > Forward Traffic.

From the Branch FortiGate unit, go to Log & Report > Traffic Log > Forward Traffic.
Providing remote users with access to a corporate network and Internet using SSL VPN

This example sets up remote users to connect to the corporate network using SSL VPN, and to use the FortiGate UTM for surfing the Internet. During the connecting phase, the FortiGate unit will also verify that the remote user's antivirus software is installed and current.

1. Create an SSL VPN tunnel for remote users
2. Create user definitions and add them to a group
3. Add an address for the local network
4. Add security profiles for access to the Internet and internal network
5. Set the FortiGate unit to verify users have current antivirus software
6. Results

Diagram: Remote SSL VPN user (browsing) - Internet - WAN 1 172.20.120.123 (sslroot) - FortiGate - Port 1 192.168.1.99/24 - Internal Network (Windows Server 192.168.1.114)

Step One: Create an SSL VPN tunnel for remote users

Go to VPN > SSL > Portal.

Edit the full-access portal.

The full-access portal allows the use of tunnel mode and/or web mode. In this scenario we are using both modes.

Enable Split Tunneling is left disabled so that all Internet traffic goes through the FortiGate unit and is subject to the corporate UTM profiles.

Select Create New in the Include Bookmarks area to add a bookmark for a remote desktop link/connection.

Step Two: Create user definitions and add them to a group

Go to User & Device > User > User Definition.

Add a remote user.

Go to User & Device > User > User Group.

Add the user to a user group for SSL VPN connections.

Step Three: Add an address for the local network

Go to Firewall Objects > Address > Address.

Add the address for the local network.

Step Four: Add security profiles for access to the Internet and internal network

Go to Policy > Policy > Policy.

Add a security policy allowing access to the internal network.

Add a security policy allowing access to the Internet.

For this policy, the Incoming Interface is the sslvpn tunnel interface and the Outgoing Interface is wan1. This way, remote SSL VPN users access the Internet through the FortiGate unit.

Step Five: Set the FortiGate unit to verify users have current antivirus software

Go to System > Status > Dashboard.

In the CLI Console widget, enter the commands on the right to enable the host check for compliant antivirus software on the remote user's computer.

Results

Log into the portal as twhite.

The FortiGate unit performs the host check.

After the check is complete, the portal appears.

Select the bookmark Remote Desktop link to begin an RDP session.

Go to VPN > Monitor > SSL-VPN to verify the list of SSL users. The Web Application description indicates that the user is using web mode.

Go to Log & Report > Traffic Log > Forward Traffic and view the details for the SSL entry.

In the Tunnel Mode widget, select Connect to enable the tunnel.

Select the bookmark Remote Desktop link to begin an RDP session.

Go to VPN > Monitor > SSL-VPN to verify the list of SSL users.

The Tunnel description indicates that the user is using tunnel mode.

Go to Log & Report > Traffic Log > Forward Traffic and view the details for the SSL entry.

Go to Log & Report > Traffic Log > Forward Traffic.

Internet access occurs simultaneously through the FortiGate unit.

Select an entry to see more information.
Securing remote access to the office network using FortiClient IPsec VPN

This example sets up a remote user and user group to provide protected access to the corporate network. The remote users use the FortiClient Endpoint Protection software to connect to the VPN tunnel. This example sets up the user to access the internal network as well as the Internet through the FortiGate unit, to provide a secure surfing experience using the FortiGate UTM features.

1. Create a new FortiClient user and add to a user group
2. Create an IPsec FortiClient VPN tunnel
3. Add addresses for the local LAN and remote FortiClient users
4. Create security policies for access to the internal network and Internet
5. Results

Diagram: Internal Network - port 1 192.168.1.99/24 - FortiGate - wan 1 172.20.120.123 - Internet (IPsec) - Remote user (FortiClient)

Step One: Create a new FortiClient user and add to a user group

Go to User & Device > User > User Definition.

Create a new user.

Go to User & Device > User > User Group.

Create a user group for FortiClient users and add user twhite.

Step Two: Create an IPsec FortiClient VPN tunnel

Go to VPN > IPsec > Auto Key (IKE).

Select Create FortiClient VPN.

Step Three: Add addresses for the local LAN and remote FortiClient users

Go to Firewall Objects > Address > Address.

Step Four: Create security policies for access to the internal network and Internet

Go to Policy > Policy > Policy.

Create a security policy allowing remote FortiClient users to access the internal network.

Go to Policy > Policy > Policy.

Create a security policy allowing remote FortiClient users to access the Internet securely through the FortiGate unit.

Results

Launch FortiClient, go to Remote Access and add a new connection.

Connect using the user name twhite.

On the FortiGate unit, go to VPN > Monitor > IPsec Monitor to see the status of the tunnel.

Verify the IP address assigned to the remote user by the FortiGate unit, which is 10.10.1.100.

All hosts in the internal network should be accessible using the FortiClient VPN. To test this, ping an internal server set to IP 192.168.1.114 and log on to it using RDP.

Go to Log & Report > Traffic Log > Forward Traffic and filter by the policy ID controlling the FortiClient VPN traffic.
Securing remote access to the office network for an iOS device over IPsec VPN

This example sets up a remote user and user group to provide protected access to the corporate network. The remote users use their iPad to connect to the VPN tunnel. This example sets up the user to access the internal network as well as the Internet through the FortiGate unit, to provide a secure surfing experience using the FortiGate UTM features. This example uses an iPad 2 running iOS 6.1.2. Menu options may vary for different iOS versions and devices.

1. Create a new user and add to a user group
2. Add addresses for the local LAN and remote users
3. Configure the IPsec VPN Phase 1 and Phase 2 settings
4. Create security policies for access to the internal network and Internet
5. Results

Diagram: Internal Network - Port 1 192.168.1.99/24 - FortiGate - wan 1 172.20.120.123 - Internet (IPsec) - Remote user (iPad)

Step One: Create a new user and add to a user group

Go to User & Device > User > User Definition.

Create a new user.

Go to User & Device > User > User Group.

Create a user group for iOS users and add user twhite.

Step Two: Add addresses for the local LAN and remote users

Go to Firewall Objects > Address > Address.

Go to Firewall Objects > Address > Address.

Step Three: Configure the IPsec VPN Phase 1 and Phase 2 settings

Go to VPN > IPSec > Auto Key (IKE).

Select Create Phase 1.

For the Mode, select Main.

In the Advanced section, select Enable IPsec Interface Mode and select 2 for the DH Group.

Enable XAUTH and select the user group ios_group.

Go to VPN > IPSec > Auto Key (IKE).

Select Create Phase 2.

In the Advanced section, select 2 for the DH Group.

Once you complete the tunnel configuration, go to System > Dashboard > Status and enter the commands here in the CLI widget.

Step Four: Create security policies for access to the internal network and Internet

Go to Policy > Policy > Policy.

Create a security policy allowing remote iOS users to access the internal network.

Go to Policy > Policy > Policy.

Create a security policy allowing remote iOS users to access the Internet securely through the FortiGate unit.

Results

On the iPad, go to Settings > General > VPN and select Add VPN Configuration.

On the FortiGate unit, go to VPN > Monitor > IPsec Monitor and see the status of the tunnel.

Hosts on the internal network will be accessible from the iPad.

Go to Log & Report > Traffic Log > Forward Traffic to see the traffic.

Select an entry to view more information.

Remote iOS users can also access the Internet securely via the FortiGate unit.

Go to Log & Report > Traffic Log > Forward Traffic to see the traffic.

Select an entry to view more information.
Redundant OSPF routing between two remote networks over IPsec VPN

This example sets up secure communication between two remote networks using redundant OSPF routes.

1. Create redundant IPsec tunnels on FortiGate 1
2. Create IP addresses for the IPsec interfaces on FortiGate 1
3. Configure OSPF on FortiGate 1
4. Configure firewall addresses on FortiGate 1
5. Configure security policies on FortiGate 1
6. Create redundant IPsec tunnels on FortiGate 2
7. Create IP addresses for the IPsec interfaces on FortiGate 2
8. Configure OSPF on FortiGate 2
9. Configure firewall addresses on FortiGate 2
10. Configure security policies on FortiGate 2
11. Results

Diagram: Internal Network (HQ) 10.20.1.1/24 - FortiGate 1 (WAN 1 172.20.120.24, WAN 2 172.20.120.23) - Internet, two IPsec tunnels running OSPF - FortiGate 2 (WAN 1 172.20.120.123, WAN 2 172.20.120.127) - 10.21.1.1/24 Internal Network (Branch)

Step One: Create redundant IPsec tunnels on FortiGate 1

Go to VPN > IPsec > Auto Key (IKE).

Select Create Phase 1 and create the primary tunnel.

Select Advanced and select Enable IPsec Interface Mode.

Select Create Phase 2.

Go to VPN > IPsec > Auto Key (IKE).

Select Create Phase 1 and create the secondary tunnel.

Select Advanced and select Enable IPsec Interface Mode.

Select Create Phase 2.

Step Two: Create IP addresses for the IPsec interfaces on FortiGate 1

Go to System > Network > Interface.

Select the arrow for wan1 to expand the list. Edit the primary tunnel interface.

Select the arrow for wan2 to expand the list. Edit the secondary tunnel interface.

Step Three: Configure OSPF on FortiGate 1

Go to Router > Dynamic > OSPF.

Enter the Router ID for FortiGate 1.

Select Create New in the Area section.

Add the backbone area of 0.0.0.0.

Select Create New in the Networks section.

Create the networks and select Area 0.0.0.0 for each one.

Select Create New in the Interfaces section.

Create the primary and secondary tunnel interfaces. Set a Cost of 10 for the primary interface and 100 for the secondary interface.

Step Four: Configure firewall addresses on FortiGate 1

Go to Firewall Objects > Address > Address.

Edit the subnets behind FortiGate 1 and FortiGate 2.

Edit the primary and secondary interfaces of FortiGate 2.

Step Five: Configure security policies on FortiGate 1

Go to Policy > Policy > Policy.

Create security policies for each primary and secondary interface to the FortiGate 2 primary and secondary interfaces.

Step Six: Create redundant IPsec tunnels on FortiGate 2

Go to VPN > IPsec > Auto Key (IKE).

Select Create Phase 1 and create the primary tunnel.

Select Advanced and select Enable IPsec Interface Mode.

Select Create Phase 2.

Go to VPN > IPsec > Auto Key (IKE).

Select Create Phase 1 and create the secondary tunnel.

Select Advanced and select Enable IPsec Interface Mode.

Select Create Phase 2.

Step Seven: Create IP addresses for the IPsec interfaces on FortiGate 2

Go to System > Network > Interface.

Select the arrow for wan1 to expand the list. Edit the primary tunnel interface.

Select the arrow for wan2 to expand the list. Edit the secondary tunnel interface.

Step Eight: Configure OSPF on FortiGate 2

Go to Router > Dynamic > OSPF.

Enter the Router ID for FortiGate 2.

Select Create New in the Area section.

Add the backbone area of 0.0.0.0.

Select Create New in the Networks section.

Create the networks and select Area 0.0.0.0 for each one.

Select Create New in the Interfaces section.

Create the primary and secondary tunnel interfaces. Set a Cost of 10 for the primary interface and 100 for the secondary interface.

Step Nine: Configure firewall addresses on FortiGate 2

Go to Firewall Objects > Address > Address.

Edit the subnets behind FortiGate 1 and FortiGate 2.

Edit the primary and secondary interfaces of FortiGate 1.

Step Ten: Configure security policies on FortiGate 2

Go to Policy > Policy > Policy.

Create security policies for each primary and secondary interface to the FortiGate 1 primary and secondary interfaces.

Results

Verify the primary and secondary IPsec VPN tunnel status on FortiGate 1 and FortiGate 2.

Tunnels on both FortiGates should be UP.

Go to VPN > Monitor > IPsec Monitor to verify the status.

Verify the routing table on FortiGate 1 and FortiGate 2. The primary OSPF route (the one with cost = 10) appears on both FortiGates.

Go to Router > Monitor > Routing Monitor. Type OSPF for the Type and select Apply Filter to verify the OSPF route.

Verify that traffic flows via the primary tunnel.

From a PC1 set to IP 10.20.1.100 behind FortiGate 1, run a tracert to a PC2 set to IP address 10.21.1.100 behind FortiGate 2, and vice versa.

From PC1, you should see that the traffic goes through 10.1.1.2, which is the primary tunnel interface IP set on FortiGate 2.

From PC2, you should see that the traffic goes through 10.1.1.1, which is the primary tunnel interface IP set on FortiGate 1.

The VPN network between the two OSPF networks uses the primary VPN connection. Disconnect the wan1 interface and confirm that the secondary tunnel is used automatically to maintain a secure connection.

Verify the IPsec VPN tunnel status on FortiGate 1 and FortiGate 2. Both FortiGates should show that the primary tunnel is DOWN and the secondary tunnel is UP.

Go to VPN > Monitor > IPsec Monitor to verify the status.

Verify the routing table on FortiGate 1 and FortiGate 2.

The secondary OSPF route (the one with cost = 100) appears on both FortiGate units.

Go to Router > Monitor > Routing Monitor. Type OSPF for the Type and select Apply Filter to verify the OSPF route.

Verify that traffic flows via the secondary tunnel.

From a PC1 set to IP 10.20.1.100 behind FortiGate 1, run a tracert to a PC2 set to IP 10.21.1.100 behind FortiGate 2, and vice versa. From PC1, you should see that the traffic goes through 10.2.1.2, which is the secondary tunnel interface IP set on FortiGate 2.

From PC2, you should see that the traffic goes through 10.2.1.1, which is the secondary tunnel interface IP set on FortiGate 1.
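The cost-based route selection behind the Results above, as an added example (not FortiOS code): a Dijkstra computation over the two tunnels with the costs from Steps Three and Eight, repeated after wan1 is withdrawn. The node names, the link list and a cost of 1 for each internal LAN interface are assumptions; the tunnel and LAN addresses are the recipe's own.

```python
"""OSPF-style path selection for the redundant tunnels in this recipe
(added example, not FortiOS code).

Links carry the costs from Steps Three and Eight: 10 for the primary
tunnel and 100 for the secondary. Dijkstra's algorithm picks the
lowest-cost path, so the primary tunnel carries traffic while it is up;
withdrawing it (wan1 disconnected) makes the secondary take over.
Node names and the LAN interface cost of 1 are assumptions.
"""
import heapq

# (node_a, node_b, cost, next_hop_seen_from_a, next_hop_seen_from_b)
LINKS = [
    ("FG1", "FG2", 10, "10.1.1.2", "10.1.1.1"),        # primary tunnel (wan1)
    ("FG1", "FG2", 100, "10.2.1.2", "10.2.1.1"),       # secondary tunnel (wan2)
    ("FG1", "10.20.1.0/24", 1, "direct", "direct"),    # HQ LAN (cost assumed)
    ("FG2", "10.21.1.0/24", 1, "direct", "direct"),    # Branch LAN (cost assumed)
]


def build_graph(links) -> dict:
    """Adjacency list: node -> [(neighbour, cost, next_hop_from_node)]."""
    g = {}
    for a, b, cost, hop_ab, hop_ba in links:
        g.setdefault(a, []).append((b, cost, hop_ab))
        g.setdefault(b, []).append((a, cost, hop_ba))
    return g


def shortest_paths(links, source: str) -> dict:
    """Dijkstra from `source`. Returns {dest: (total_cost, first_hop)}."""
    g = build_graph(links)
    best = {source: (0, "")}
    heap = [(0, source, "")]
    while heap:
        cost, node, first_hop = heapq.heappop(heap)
        if cost > best[node][0]:
            continue                                # stale heap entry
        for nbr, link_cost, hop in g.get(node, []):
            new_cost = cost + link_cost
            # the first hop is fixed by the link leaving the source
            nbr_first = hop if first_hop == "" else first_hop
            if nbr not in best or new_cost < best[nbr][0]:
                best[nbr] = (new_cost, nbr_first)
                heapq.heappush(heap, (new_cost, nbr, nbr_first))
    return best


def route_to(links, source: str, dest: str):
    """(cost, next_hop) for `dest` as seen from `source`, or None."""
    return shortest_paths(links, source).get(dest)


def without_tunnel(links, hop_prefix: str) -> list:
    """Simulate a tunnel interface going down by dropping the link whose
    next-hop addresses lie on that tunnel subnet (e.g. '10.1.1.')."""
    return [l for l in links if not l[3].startswith(hop_prefix)]


if __name__ == "__main__":
    print("primary up:   FG1 -> Branch LAN", route_to(LINKS, "FG1", "10.21.1.0/24"))
    failed = without_tunnel(LINKS, "10.1.1.")
    print("wan1 down:    FG1 -> Branch LAN", route_to(failed, "FG1", "10.21.1.0/24"))
    print("wan1 down:    FG2 -> HQ LAN    ", route_to(failed, "FG2", "10.20.1.0/24"))
```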
Authentication

Authentication is the act of confirming the identity of a person or other entity. In the context of a private computer network, the identities of users or host computers must be established to ensure that only authorized parties can access the network. The FortiGate unit enables controlled network access and applies authentication to users of security policies and VPN clients.

Identifying users and other computers (authentication) is a key part of network security. This chapter describes some basic configurations.
Providing single sign-on on a Windows AD network by adding a FortiGate

This example uses the Fortinet Single Sign-On (FSSO) Collector Agent to integrate a FortiGate unit into the Windows AD domain.

1. Install the FSSO Collector Agent
2. Configure the Single Sign-on Agent
3. Configure the FortiGate unit to connect to the FSSO agent
4. Add an FSSO user group
5. Add an address for the internal network
6. Add a security profile that includes an authentication rule
7. Results

Diagram: Internet - WAN 1 172.20.120.123 - FortiGate - Port 1 192.168.1.99/24 - Internal Network (Windows AD 192.168.1.114)

Step One: Install the FSSO Collector Agent

Run the setup for the Fortinet SSO Collector Agent. After logging in, configure the agent settings.

Add the Collector Agent address information.

Select the domains to monitor, and any users whose activity you do not wish to monitor.

Set the working mode and complete the installation.

Step Two: Configure the Single Sign-on Agent

If required, select Require authenticated connection from FortiGate, and add a password.

You will also enter this password when configuring the FSSO on the FortiGate unit.

Step Three: Configure the FortiGate unit to connect to the FSSO agent

On the FortiGate unit, go to User & Device > Authentication > Single Sign-On.

Enter the password you set on the Collector Agent in the previous step.

Step Four: Add an FSSO user group

On the FortiGate unit, go to User & Device > User > User Group.

Step Five: Add an address for the internal network

Go to Firewall Objects > Address > Address.

Step Six: Add a security profile that includes an authentication rule

Go to Policy > Policy > Policy.

Add an accept user identity security policy and add the new FSSO group.

Results

Go to Log & Report > Traffic Log > Forward Traffic.

As users log into the Windows AD system, the FortiGate collects their connection information.

Select an entry for more information.