Fortinet FortiGate Series, FortiGate-50 Series, FortiGate-5000 Series, FortiGate-5001SX, FortiGate-5001A Administration Manual

FortiGate

™

Version 4.0 MR1

Administration Guide

Preliminary version: This version of the FortiGate Administration Guide includes fixes to a number of bugs reported about the 24 August 2009 version of this guide. We expect to correct more errors and omissions and release multiple versions between now and October 2009. See the most recent FortiOS 4.0 MR1 release notes for up-to-date information about new 4.0 MR1 features. Contact techdoc@fortinet.com if you have any questions or comments about this preliminary version of the FortiOS 4.0 MR1 FortiGate Administration Guide.

Visit http://support.fortinet.com to register your FortiGate product. By registering you can

receive product updates, technical support, and FortiGuard services.

FortiGate Administration Guide

Version 4.0 MR1 3 September 2009 01-410-89802-20090903

© Copyright 2009 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks

Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate®, FortiGate Unified Threat Management System, FortiGuard®, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet®, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Introduction ............................................................................................ 23

Fortinet products .......................................................................................................... 23

About this document .................................................................................................... 24

Registering your Fortinet product............................................................................... 26

Customer service and technical support.................................................................... 26

Training .......................................................................................................................... 27

Documentation ............................................................................................................. 27

Fortinet Tools and Documentation CD ..................................................................... 27

Fortinet Knowledge Base.......................................................................................... 27

Comments on Fortinet technical documentation ..................................................... 27

Scope ............................................................................................................................. 27

Conventions .................................................................................................................. 28

IP addresses............................................................................................................. 28

Notes, Tips and Cautions ......................................................................................... 28

Typographical conventions....................................................................................... 29

Command syntax conventions.................................................................................. 29

What’s new in FortiOS Version 4.0 MR1 .............................................. 33

New SIP ALG configuration options ........................................................................... 34

Opening and closing SIP register and non-register pinholes.................................... 34

Support for RFC 2543-compliant branch commands ............................................... 34

Easy FortiCare and FortiGuard services registration and renewal.......................... 35

Endpoint control enhancements ................................................................................. 35

Per-VDOM replacement messages.............................................................................. 35

Content archiving is now DLP archive........................................................................ 36

Topology viewer is now a custom web-based manager page.................................. 36

Usage page shows application, policy, and DLP archive usage .............................. 37

Alert Message Console enhancements ...................................................................... 37

WCCP widget................................................................................................................. 37

SSL VPN enhancements............................................................................................... 38

Single Sign-On.......................................................................................................... 38

IP address ranges are now defined as firewall addresses ....................................... 39

OS Check changes................................................................................................... 40

Client check changes................................................................................................ 40

Virtual Desktop enhancements................................................................................. 41

Virtual Desktop Application Control .......................................................................... 42

Two-factor authentication ............................................................................................ 43

Force UTF-8 login..................................................................................................... 44

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 3

http://docs.fortinet.com/ • Feedback

Contents

FortiGate wireless controller ....................................................................................... 44

Interface status detection for gateway load balancing ............................................. 44

Enhanced ECMP route failover and load balancing .................................................. 44

SCEP extensions........................................................................................................... 44

Dynamic routing for IPv6 traffic................................................................................... 47

Additions to router bgp command............................................................................. 47

router access-list6..................................................................................................... 51

router ospf6............................................................................................................... 52

router prefix-list6....................................................................................................... 56

router ripng ............................................................................................................... 58

get router info6 {bgp | ospf | protocols | rip} .............................................................. 62

IPv6 DNS ........................................................................................................................ 63

IPv6 transparent mode ................................................................................................. 63

IPv6 administrative access .......................................................................................... 63

Network interface changes for IPv6.......................................................................... 64

Administrator settings ............................................................................................... 65

UTM features support IPv6 traffic................................................................................ 66

HTTP basic authentication in firewall policies ........................................................... 66

VDOM dashboard .......................................................................................................... 66

IPsec protocol improvements...................................................................................... 67

Support for IKE v2 .................................................................................................... 67

Support for DH-2048 (Group 14) .............................................................................. 67

Support for SHA256.................................................................................................. 68

Auto-configuration of IPsec VPNs............................................................................... 69

IPsec Phase 1 CLI configuration for IKE Configuration Method ............................... 69

IPsec Phase 2 configuration for IKE Configuration Method...................................... 71

Integral basic DNS server............................................................................................. 72

Creating local DNS entries ....................................................................................... 72

Enabling DNS on an interface .................................................................................. 73

Per-VDOM DNS configuration...................................................................................... 74

Password policy............................................................................................................ 75

Use LDAP groups in firewall and SSL-VPN authentication ...................................... 76

Traffic shaping enhancements .................................................................................... 77

Shared traffic shaping............................................................................................... 77

Per-IP traffic shaping ................................................................................................ 77

Accounting and quota enforcement.......................................................................... 78

Logging enhancements................................................................................................ 79

Support for per-VDOM FortiAnalyzer units or syslog devices .................................. 79

SQL log format for Executive Summary reports ....................................................... 81

Antivirus changes ......................................................................................................... 82

FortiGate Version 4.0 MR1 Administration Guide

4 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

Contents

Reliable syslog .............................................................................................................. 83

Web filtering combined block/exempt list .................................................................. 83

Web filtering by content header .................................................................................. 85

Safe search .................................................................................................................... 86

Data Leak Prevention supports international character sets ................................... 86

SNMPv3 enhancements................................................................................................ 87

Support for snmpEngineID ....................................................................................... 87

Authentication and privacy........................................................................................ 87

Schedule groups........................................................................................................... 88

Web-based manager.............................................................................. 89

Common web-based manager tasks........................................................................... 90

Connecting to the web-based manager.................................................................... 90

Changing your FortiGate administrator password .................................................... 91

Changing the web-based manager language........................................................... 91

Changing administrative access to your FortiGate unit ............................................ 92

Changing the web-based manager idle timeout ....................................................... 92

Connecting to the FortiGate CLI from the web-based manager ............................... 93

Button bar features ....................................................................................................... 93

Contacting Customer Support..................................................................................... 93

Backing up your FortiGate configuration ................................................................... 94

Using FortiGate Online Help ........................................................................................ 94

Searching the online help ......................................................................................... 96

Logging out ................................................................................................................... 97

Web-based manager pages.......................................................................................... 97

Using the web-based manager menu....................................................................... 98

Using web-based manager lists................................................................................ 99

Adding filters to web-based manager lists ................................................................ 99

Using page controls on web-based manager lists .................................................. 102

Using column settings to control the columns displayed ........................................ 103

Using filters with column settings............................................................................ 104

Web-based manager icons......................................................................................... 105

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 5

http://docs.fortinet.com/ • Feedback

Contents

System Status ...................................................................................... 107

Viewing the system dashboard ................................................................................. 107

VDOM and global dashboards................................................................................ 108

Viewing the system dashboard............................................................................... 108

System Information................................................................................................. 109

License Information ................................................................................................ 110

Unit Operation......................................................................................................... 113

System Resources.................................................................................................. 114

Alert Message Console........................................................................................... 115

Log and Archive Statistics ...................................................................................... 117

CLI Console............................................................................................................ 119

Top Sessions.......................................................................................................... 120

Viewing the current sessions list............................................................................. 122

Top Viruses............................................................................................................. 124

Top Attacks............................................................................................................. 124

Traffic History.......................................................................................................... 124

Changing system information ................................................................................... 125

Configuring system time ......................................................................................... 125

Changing the FortiGate unit host name.................................................................. 126

Changing the FortiGate firmware .............................................................................. 126

Upgrading to a new firmware version ..................................................................... 127

Reverting to a previous firmware version ............................................................... 128

Viewing operational history ....................................................................................... 129

Manually updating FortiGuard definitions................................................................ 129

Viewing Log and Archive Statistics .......................................................................... 130

Viewing DLP Archive information on the Statistics widget...................................... 130

Viewing the Attack Log ........................................................................................... 132

Configuring AMC modules......................................................................................... 133

Auto-bypass and recovery for AMC bridge module.......................................... 134

Enabling or disabling bypass mode for AMC bridge modules ................................ 135

Viewing application, policy, and DLP archive usage data ...................................... 137

Top Application Usage............................................................................................ 137

Top Policy Usage.................................................................................................... 139

DLP Archive Usage ................................................................................................ 141

Using the topology viewer ......................................................................................... 142

Adding a subnet object ........................................................................................... 145

Customizing the topology diagram ......................................................................... 146

Managing firmware versions............................................................... 147

Backing up your configuration .................................................................................. 148

Backing up your configuration through the web-based manager ........................... 148

Backing up your configuration through the CLI....................................................... 148

Backing up your configuration to a USB key .......................................................... 149

FortiGate Version 4.0 MR1 Administration Guide

6 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

Contents

Testing firmware before upgrading........................................................................... 150

Upgrading your FortiGate unit................................................................................... 151

Upgrading to FortiOS 4.0 through the web-based manager................................... 151

Upgrading to FortiOS 4.0 through the CLI.............................................................. 152

Verifying the upgrade.............................................................................................. 153

Reverting to a previous firmware image................................................................... 154

Downgrading to a previous firmware through the web-based manager ................. 154

Verifying the downgrade......................................................................................... 155

Downgrading to a previous firmware through the CLI ............................................ 155

Restoring your configuration..................................................................................... 157

Restoring your configuration settings in the web-based manager.......................... 157

Restoring your configuration settings in the CLI ..................................................... 157

Using virtual domains.......................................................................... 159

Virtual domains ........................................................................................................... 159

Benefits of VDOMs ................................................................................................. 159

VDOM configuration settings.................................................................................. 160

Global configuration settings .................................................................................. 163

Enabling VDOMs ......................................................................................................... 164

Configuring VDOMs and global settings .................................................................. 165

VDOM licenses ....................................................................................................... 165

Creating a new VDOM............................................................................................ 166

Working with VDOMs and global settings............................................................... 167

Adding interfaces to a VDOM ................................................................................. 168

Inter-VDOM links .................................................................................................... 169

Assigning an interface to a VDOM.......................................................................... 170

Assigning an administrator to a VDOM................................................................... 171

Changing the management VDOM......................................................................... 172

Configuring VDOM resource limits ........................................................................... 172

Setting VDOM global resource limits...................................................................... 173

Configuring resource usage for individual VDOMs................................................. 174

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 7

http://docs.fortinet.com/ • Feedback

Contents

System Network ................................................................................... 177

Configuring interfaces................................................................................................ 177

Switch Mode ........................................................................................................... 180

Interface settings .................................................................................................... 181

Creating a VLAN subinterface ................................................................................ 185

Creating a loopback interface................................................................................. 185

Creating an 802.3ad aggregate interface ............................................................... 186

Creating a redundant interface ............................................................................... 187

Configuring DHCP on an interface ......................................................................... 188

Configuring an interface for PPPoE........................................................................ 190

Configuring Dynamic DNS on an interface ............................................................. 191

Configuring a virtual IPSec interface ...................................................................... 191

Configuring administrative access to an interface .................................................. 192

Interface status detection for gateway load balancing............................................ 193

Interface MTU packet size...................................................................................... 195

Secondary IP Addresses ........................................................................................ 196

Adding a software switch interface ......................................................................... 197

Configuring zones....................................................................................................... 198

Configuring the modem interface.............................................................................. 199

Configuring modem settings................................................................................... 199

Redundant mode configuration............................................................................... 201

Standalone mode configuration.............................................................................. 202

Adding firewall policies for modem connections ..................................................... 203

Connecting and disconnecting the modem............................................................. 203

Checking modem status ......................................................................................... 204

Configuring Networking Options............................................................................... 204

DNS Servers........................................................................................................... 205

Configuring FortiGate DNS services......................................................................... 205

About split DNS ...................................................................................................... 206

Configuring FortiGate DNS services....................................................................... 206

Configuring the FortiGate DNS database ............................................................... 208

Configuring the explicit web proxy ........................................................................... 210

Configuring WCCP...................................................................................................... 212

Routing table (Transparent Mode)............................................................................. 213

Transparent mode route settings............................................................................ 214

System Wireless................................................................................... 215

FortiWiFi wireless interfaces ..................................................................................... 215

Channel assignments ................................................................................................. 216

IEEE 802.11a channel numbers............................................................................. 216

IEEE 802.11b channel numbers............................................................................. 216

IEEE 802.11g channel numbers............................................................................. 217

FortiGate Version 4.0 MR1 Administration Guide

8 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

Contents

Wireless settings......................................................................................................... 218

Adding a wireless interface..................................................................................... 219

Wireless MAC Filter .................................................................................................... 221

Managing the MAC Filter list................................................................................... 222

Wireless Monitor ......................................................................................................... 223

Rogue AP detection .................................................................................................... 224

Viewing wireless access points .............................................................................. 224

System DHCP ....................................................................................... 227

FortiGate DHCP servers and relays .......................................................................... 227

Configuring DHCP services ....................................................................................... 228

Configuring an interface as a DHCP relay agent.................................................... 229

Configuring a DHCP server .................................................................................... 229

Viewing address leases.............................................................................................. 231

Reserving IP addresses for specific clients ............................................................ 231

System Config...................................................................................... 233

HA ................................................................................................................................. 233

HA options .............................................................................................................. 233

Cluster members list............................................................................................... 236

Viewing HA statistics .............................................................................................. 238

Changing subordinate unit host name and device priority...................................... 239

Disconnecting a cluster unit from a cluster ............................................................. 240

SNMP............................................................................................................................ 241

Configuring SNMP.................................................................................................. 242

Configuring an SNMP community........................................................................... 242

Fortinet MIBs .......................................................................................................... 244

Fortinet and FortiGate traps.................................................................................... 245

Fortinet and FortiGate MIB fields............................................................................ 248

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 9

http://docs.fortinet.com/ • Feedback

Contents

Replacement messages ............................................................................................. 250

VDOM and global replacement messages ............................................................. 251

Viewing the replacement messages list.................................................................. 251

Changing replacement messages .......................................................................... 252

Mail replacement messages................................................................................... 254

HTTP replacement messages ................................................................................ 254

FTP replacement messages................................................................................... 255

NNTP replacement messages................................................................................ 256

Alert Mail replacement messages........................................................................... 256

Spam replacement messages ................................................................................ 257

Administration replacement message..................................................................... 257

Authentication replacement messages................................................................... 258

FortiGuard Web Filtering replacement messages .................................................. 259

IM and P2P replacement messages....................................................................... 260

Endpoint NAC replacement message..................................................................... 261

NAC quarantine replacement messages ................................................................ 261

Traffic quota control replacement messages.......................................................... 262

SSL VPN replacement message ............................................................................ 262

Replacement message tags ................................................................................... 262

Operation mode and VDOM management access ................................................... 263

Changing operation mode ...................................................................................... 263

Management access............................................................................................... 264

System Admin ...................................................................................... 267

Administrators............................................................................................................. 267

Viewing the administrators list ................................................................................ 269

Configuring an administrator account..................................................................... 270

Changing an administrator account password........................................................ 272

Configuring regular (password) authentication for administrators .......................... 272

Configuring remote authentication for administrators ............................................. 272

Configuring PKI certificate authentication for administrators .................................. 278

Admin profiles ............................................................................................................. 280

Viewing the admin profiles list ................................................................................ 283

Configuring an admin profile................................................................................... 284

Central Management................................................................................................... 285

Settings ........................................................................................................................ 286

Monitoring administrators.......................................................................................... 289

FortiGate IPv6 support ............................................................................................... 289

Customizable web-based manager ........................................................................... 290

FortiGate Version 4.0 MR1 Administration Guide

10 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

Contents

System Certificates.............................................................................. 301

Local Certificates ....................................................................................................... 302

Generating a certificate request.............................................................................. 303

Downloading and submitting a certificate request .................................................. 304

Importing a signed server certificate....................................................................... 305

Importing an exported server certificate and private key ........................................ 305

Importing separate server certificate and private key files...................................... 306

Remote Certificates .................................................................................................... 306

Importing Remote (OCSP) certificates ................................................................... 307

CA Certificates ............................................................................................................ 307

Importing CA certificates......................................................................................... 308

CRL............................................................................................................................... 309

Importing a certificate revocation list ...................................................................... 309

System Maintenance............................................................................ 311

About the Maintenance menu .................................................................................... 311

Backing up and restoring........................................................................................... 312

Basic backup and restore options........................................................................... 313

Upgrading and downgrading firmware.................................................................... 316

Upgrading and downgrading firmware through FortiGuard .................................... 317

Configuring advanced options ................................................................................ 318

Managing configuration revisions............................................................................. 319

Using script files ......................................................................................................... 320

Creating script files ................................................................................................. 321

Uploading script files............................................................................................... 321

Configuring FortiGuard Services .............................................................................. 322

FortiGuard Distribution Network ............................................................................. 322

FortiGuard services ................................................................................................ 322

Configuring the FortiGate unit for FDN and FortiGuard subscription services ....... 323

Troubleshooting FDN connectivity ........................................................................... 328

Updating antivirus and attack definitions................................................................. 328

Enabling push updates............................................................................................... 330

Enabling push updates when a FortiGate unit IP address changes....................... 330

Enabling push updates through a NAT device ....................................................... 331

Adding VDOM Licenses.............................................................................................. 333

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 11

http://docs.fortinet.com/ • Feedback

Contents

Router Static ........................................................................................ 335

Routing concepts ....................................................................................................... 335

How the routing table is built .................................................................................. 336

How routing decisions are made ........................................................................... 336

Multipath routing and determining the best route ................................................... 336

Route priority ......................................................................................................... 337

Blackhole Route...................................................................................................... 337

Static Route ................................................................................................................ 338

Working with static routes ...................................................................................... 338

Default route and default gateway ......................................................................... 340

Adding a static route to the routing table ............................................................... 343

ECMP route failover and load balancing .................................................................. 344

Configuring spill-over or usage-based ECMP......................................................... 346

Configuring weighted static route load balancing ................................................... 348

Policy Route ............................................................................................................... 351

Adding a policy route .............................................................................................. 352

Moving a policy route.............................................................................................. 354

Router Dynamic.................................................................................... 357

RIP ................................................................................................................................ 357

Viewing and editing basic RIP settings................................................................... 358

Selecting advanced RIP options............................................................................. 360

Configuring a RIP-enabled interface....................................................................... 361

OSPF ............................................................................................................................ 362

Defining an OSPF AS—Overview .......................................................................... 363

Configuring basic OSPF settings............................................................................ 364

Selecting advanced OSPF options......................................................................... 366

Defining OSPF areas.............................................................................................. 367

Specifying OSPF networks ..................................................................................... 368

Selecting operating parameters for an OSPF interface .......................................... 369

BGP .............................................................................................................................. 370

Viewing and editing BGP settings........................................................................... 371

Multicast....................................................................................................................... 372

Viewing and editing multicast settings.................................................................... 373

Overriding the multicast settings on an interface.................................................... 374

Multicast destination NAT ....................................................................................... 374

Bi-directional Forwarding Detection (BFD) .............................................................. 375

Configuring BFD ..................................................................................................... 375

FortiGate Version 4.0 MR1 Administration Guide

12 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

Contents

Customizable routing widgets ................................................................................... 377

Access List.............................................................................................................. 377

Distribute List.......................................................................................................... 378

Key Chain ............................................................................................................... 378

Offset List................................................................................................................ 379

Prefix List................................................................................................................ 380

Route Map .............................................................................................................. 380

Router Monitor ..................................................................................... 383

Viewing routing information ...................................................................................... 383

Searching the FortiGate routing table....................................................................... 385

Firewall Policy ...................................................................................... 387

How list order affects policy matching ..................................................................... 387

Moving a policy to a different position in the policy list ........................................... 388

Enabling and disabling policies............................................................................... 389

Multicast policies ........................................................................................................ 389

Viewing the firewall policy list ................................................................................... 390

Configuring firewall policies ...................................................................................... 391

Adding authentication to firewall policies ................................................................ 396

Identity-based firewall policy options (non-SSL-VPN) ............................................ 397

IPSec firewall policy options ................................................................................... 399

Configuring SSL VPN identity-based firewall policies............................................. 400

Using DoS policies to detect and prevent attacks................................................... 404

Viewing the DoS policy list...................................................................................... 404

Configuring DoS policies ........................................................................................ 406

Using one-arm sniffer policies to detect network attacks ...................................... 406

Viewing the sniffer policy list................................................................................... 407

Configuring sniffer policies...................................................................................... 409

How FortiOS selects unused NAT ports ................................................................... 410

Global pool.............................................................................................................. 411

Global per-protocol pool ......................................................................................... 411

Per NAT IP pool...................................................................................................... 411

Per NAT IP, destination IP, port, and protocol pool ................................................ 412

Firewall policy examples ............................................................................................ 414

Scenario one: SOHO-sized business ..................................................................... 414

Scenario two: enterprise-sized business ................................................................ 417

Firewall Address .................................................................................. 421

About firewall addresses............................................................................................ 421

Viewing the firewall address list................................................................................ 422

Configuring addresses ............................................................................................... 423

Viewing the address group list .................................................................................. 424

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 13

http://docs.fortinet.com/ • Feedback

Contents

Configuring address groups...................................................................................... 424

Firewall Service.................................................................................... 427

Viewing the predefined service list ........................................................................... 427

Viewing the custom service list................................................................................. 432

Configuring custom services..................................................................................... 433

Viewing the service group list ................................................................................... 435

Configuring service groups ....................................................................................... 435

Firewall Schedule................................................................................. 437

Viewing the recurring schedule list........................................................................... 437

Configuring recurring schedules .............................................................................. 438

Viewing the one-time schedule list ........................................................................... 438

Configuring one-time schedules ............................................................................... 439

Configuring schedule groups .................................................................................... 439

Traffic Shaping..................................................................................... 441

Guaranteed bandwidth and maximum bandwidth ................................................... 441

Traffic priority.............................................................................................................. 442

Traffic shaping considerations.................................................................................. 442

Configuring shared traffic shapers ........................................................................... 443

Configuring Per IP traffic shaping............................................................................. 444

Accounting and quota enforcement.......................................................................... 445

Firewall Virtual IP ................................................................................. 447

How virtual IPs map connections through FortiGate units..................................... 447

Inbound connections............................................................................................... 447

Outbound connections............................................................................................ 450

VIP requirements.................................................................................................... 451

Viewing the virtual IP list............................................................................................ 451

Configuring virtual IPs................................................................................................ 452

Adding a static NAT virtual IP for a single IP address ............................................ 454

Adding a static NAT virtual IP for an IP address range .......................................... 455

Adding static NAT port forwarding for a single IP address and a single port.......... 457

Adding static NAT port forwarding for an IP address range and a port range........ 459

Adding dynamic virtual IPs ..................................................................................... 460

Adding a virtual IP with port translation only........................................................... 461

Virtual IP Groups......................................................................................................... 462

Viewing the VIP group list.......................................................................................... 462

Configuring VIP groups.............................................................................................. 462

FortiGate Version 4.0 MR1 Administration Guide

14 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

Contents

IP pools ........................................................................................................................ 463

IP pools and dynamic NAT ..................................................................................... 464

IP Pools for firewall policies that use fixed ports..................................................... 464

Source IP address and IP pool address matching.................................................. 464

Viewing the IP pool list ............................................................................................... 465

Configuring IP Pools................................................................................................... 465

Double NAT: combining IP pool with virtual IP........................................................ 466

Adding NAT firewall policies in transparent mode .................................................. 468

Firewall Load Balance ......................................................................... 471

How load balancer works ........................................................................................... 471

Configuring virtual servers ........................................................................................ 472

Configuring real servers............................................................................................. 475

Configuring health check monitors........................................................................... 476

Monitoring the servers ............................................................................................... 478

Firewall Protection Profile................................................................... 479

What is a protection profile?...................................................................................... 479

Adding a protection profile to a firewall policy ........................................................ 480

Default protection profiles ......................................................................................... 480

Viewing the protection profile list ............................................................................. 481

SSL content scanning and inspection ...................................................................... 481

Supported FortiGate models................................................................................... 482

Setting up certificates to avoid client warnings ....................................................... 482

Configuring SSL content scanning and inspection ................................................. 484

Configuring a protection profile ................................................................................ 486

Protocol recognition options ................................................................................... 487

Anti-Virus options.................................................................................................... 489

IPS options ............................................................................................................. 492

Web Filtering options.............................................................................................. 493

FortiGuard Web Filtering options............................................................................ 495

Email Filtering options ............................................................................................ 498

Data Leak Prevention Sensor options .................................................................... 501

Application Control options..................................................................................... 502

Logging options ...................................................................................................... 503

SIP support........................................................................................... 505

VoIP and SIP ................................................................................................................ 505

The FortiGate unit and VoIP security ........................................................................ 507

SIP NAT.................................................................................................................. 507

How SIP support works .............................................................................................. 509

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 15

http://docs.fortinet.com/ • Feedback

Contents

Configuring SIP ........................................................................................................... 510

Enabling SIP support and setting rate limiting from the web-based manager ........ 510

Enabling SIP support from the CLI ......................................................................... 511

Enabling SIP logging .............................................................................................. 512

Enabling advanced SIP features in an application list ............................................ 512

AntiVirus ............................................................................................... 517

Order of operations..................................................................................................... 517

Antivirus tasks ............................................................................................................ 518

FortiGuard antivirus ................................................................................................ 519

Antivirus settings and controls ................................................................................. 519

File Filter ...................................................................................................................... 521

Built-in patterns and supported file types................................................................ 521

Viewing the file filter list catalog.............................................................................. 522

Creating a new file filter list..................................................................................... 522

Viewing the file filter list .......................................................................................... 523

Configuring the file filter list..................................................................................... 523

File Quarantine ............................................................................................................ 524

Viewing the AutoSubmit list .................................................................................... 525

Configuring the AutoSubmit list .............................................................................. 525

Configuring quarantine options............................................................................... 525

Selecting the virus database...................................................................................... 527

Antivirus CLI configuration........................................................................................ 528

Intrusion Protection............................................................................. 531

About intrusion protection......................................................................................... 531

Intrusion Protection settings and controls............................................................... 532

When to use Intrusion Protection............................................................................ 532

Signatures.................................................................................................................... 532

Viewing the predefined signature list...................................................................... 533

Using display filters................................................................................................. 534

Custom signatures...................................................................................................... 535

Viewing the custom signature list ........................................................................... 535

Creating custom signatures.................................................................................... 535

Protocol decoders....................................................................................................... 536

Viewing the protocol decoder list............................................................................ 536

Upgrading the IPS protocol decoder list ................................................................. 537

FortiGate Version 4.0 MR1 Administration Guide

16 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

Contents

IPS sensors.................................................................................................................. 537

Viewing the IPS sensor list ..................................................................................... 537

Adding an IPS sensor............................................................................................. 538

Configuring IPS sensors ......................................................................................... 538

Configuring filters.................................................................................................... 540

Configuring pre-defined and custom overrides....................................................... 541

Packet logging ........................................................................................................ 543

DoS sensors ................................................................................................................ 545

Viewing the DoS sensor list .................................................................................... 546

Configuring DoS sensors........................................................................................ 546

Understanding the anomalies................................................................................. 547

Intrusion protection CLI configuration ..................................................................... 548

Web Filter.............................................................................................. 549

Order of web filtering.................................................................................................. 549

How web filtering works ............................................................................................. 550

Web filter controls....................................................................................................... 550

Web content filter........................................................................................................ 552

Viewing the web content filter list catalog ............................................................... 553

Creating a new web content filter list ...................................................................... 553

Viewing the web content filter list............................................................................ 553

Configuring the web content filter list...................................................................... 554

URL filter ...................................................................................................................... 555

Viewing the URL filter list catalog ........................................................................... 556

Creating a new URL filter list .................................................................................. 556

Viewing the URL filter list........................................................................................ 556

Configuring the URL filter list .................................................................................. 557

URL formats............................................................................................................ 558

Moving URLs in the URL filter list ........................................................................... 559

FortiGuard - Web Filter ............................................................................................... 559

Configuring FortiGuard Web Filtering..................................................................... 560

Viewing the override list.......................................................................................... 560

Configuring administrative override rules ............................................................... 561

Creating local categories ........................................................................................ 563

Viewing the local ratings list.................................................................................... 563

Configuring local ratings ......................................................................................... 564

Category block CLI configuration ............................................................................. 565

FortiGuard Web Filtering reports .............................................................................. 565

Email filtering ....................................................................................... 567

FortiGuard Email Filtering (also called the FortiGuard Antispam Service)........... 567

Order of email filtering ............................................................................................ 567

Email filter controls ................................................................................................. 568

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 17

http://docs.fortinet.com/ • Feedback

Contents

Banned word ............................................................................................................... 570

Viewing the banned word list catalog ..................................................................... 570

Creating a new banned word list ............................................................................ 571

Viewing the email filtering banned word list............................................................ 571

Adding words to the banned word list..................................................................... 572

IP address and email address black/white lists ....................................................... 573

Viewing the Email Filter IP address list catalog ...................................................... 573

Creating a new IP address list ................................................................................ 573

Viewing the IP address list...................................................................................... 574

Adding an IP address ............................................................................................. 575

Viewing the Email Filter email address list catalog................................................. 575

Creating a new email address list........................................................................... 576

Viewing the email address list ................................................................................ 576

Configuring the email address list........................................................................... 577

Advanced Email Filter configuration......................................................................... 577

config spamfilter mheader ...................................................................................... 577

config spamfilter dnsbl............................................................................................ 578

Using wildcards and Perl regular expressions ........................................................ 578

Perl regular expression formats.............................................................................. 579

Example regular expressions ................................................................................. 580

Data Leak Prevention........................................................................... 583

DLP Sensors................................................................................................................ 583

Viewing the DLP sensor list .................................................................................... 583

Adding and configuring a DLP sensor .................................................................... 584

Adding or editing a rule or compound rule in a DLP sensor ................................... 585

DLP archiving .............................................................................................................. 588

Configuring DLP archiving ...................................................................................... 589

Configuring spam email message archiving........................................................... 593

Viewing DLP archives............................................................................................. 594

DLP Rules .................................................................................................................... 594

Viewing the DLP rule list......................................................................................... 594

Adding or configuring DLP rules ............................................................................. 596

DLP Compound Rules ................................................................................................ 599

Viewing the DLP compound rule list....................................................................... 599

Adding and configuring DLP compound rules ........................................................ 600

Application Control.............................................................................. 603

What is application control? ...................................................................................... 603

FortiGuard application control database.................................................................. 603

Viewing the application control black/white lists .................................................... 604

Creating a new application control black/white list................................................. 605

Configuring an application control black/white list................................................. 605

FortiGate Version 4.0 MR1 Administration Guide

18 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

Contents

Adding or configuring an application control black/white list entry...................... 606

Application control statistics..................................................................................... 608

IPSec VPN............................................................................................. 611

Overview of IPSec VPN configuration....................................................................... 611

Policy-based versus route-based VPNs ................................................................... 612

Auto Key ...................................................................................................................... 613

Creating a new phase 1 configuration .................................................................... 614

Defining phase 1 advanced settings....................................................................... 616

Creating a new phase 2 configuration .................................................................... 619

Defining phase 2 advanced settings....................................................................... 619

Manual Key .................................................................................................................. 622

Creating a new manual key configuration .............................................................. 622

Internet browsing configuration ................................................................................ 624

Concentrator ............................................................................................................... 625

Defining concentrator options................................................................................. 625

Monitoring VPNs ......................................................................................................... 626

PPTP VPN ............................................................................................. 629

PPTP configuration using FortiGate web-based manager...................................... 629

PPTP configuration using CLI commands ............................................................... 631

SSL VPN................................................................................................ 633

ssl.root ......................................................................................................................... 634

Configuring SSL VPN ................................................................................................. 634

SSL VPN web portal.................................................................................................... 635

Default web portal configurations ........................................................................... 636

Configuring web portal settings .............................................................................. 638

Configuring the virtual desktop ............................................................................... 638

Configuring security control .................................................................................... 639

Configuring web portal layout ................................................................................. 640

Session Information widget..................................................................................... 641

Bookmarks widget .................................................................................................. 641

Connection Tool widget .......................................................................................... 644

Tunnel Mode widget ............................................................................................... 645

Virtual Desktop Application Control ......................................................................... 647

Host Check list ............................................................................................................ 648

SSL VPN monitor list .................................................................................................. 649

User ....................................................................................................... 651

Getting started - User authentication........................................................................ 651

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 19

http://docs.fortinet.com/ • Feedback

Contents

Local user accounts ................................................................................................... 652

Configuring Local user accounts ............................................................................ 652

Remote ......................................................................................................................... 655

RADIUS ........................................................................................................................ 655

Configuring a RADIUS server................................................................................. 656

LDAP ............................................................................................................................ 657

Configuring an LDAP server ................................................................................... 658

TACACS+ ..................................................................................................................... 661

Configuring TACACS+ servers............................................................................... 661

Directory Service......................................................................................................... 662

Configuring a Directory Service server ................................................................... 663

PKI ............................................................................................................................... 664

Configuring peer users and peer groups ................................................................ 665

User Group .................................................................................................................. 666

Firewall user groups ............................................................................................... 667

Directory Service user groups ................................................................................ 668

SSL VPN user groups............................................................................................. 668

Viewing the User group list..................................................................................... 669

Configuring a user group ........................................................................................ 669

Configuring FortiGuard Web filtering override options............................................ 672

Dynamically assigning VPN client IP addresses from a user group ............... 673

Options......................................................................................................................... 675

Monitor ......................................................................................................................... 676

Firewall user monitor list......................................................................................... 676

IM user monitor list ................................................................................................. 677

NAC quarantine and the Banned User list................................................................ 678

NAC quarantine and DLP ....................................................................................... 678

NAC quarantine and DLP replacement messages ................................................. 679

Configuring NAC quarantine................................................................................... 679

The Banned User list .............................................................................................. 680

WAN optimization and web caching .................................................. 683

Configuring WAN optimization .................................................................................. 683

Moving a rule to a different position in the rule list.................................................. 685

Configuring a WAN optimization rule ....................................................................... 685

About WAN optimization addresses ....................................................................... 687

Configuring WAN optimization peers ....................................................................... 688

Configuring authentication groups ........................................................................... 689

WAN optimization monitoring.................................................................................... 690

Changing web cache settings.................................................................................... 692

FortiGate Version 4.0 MR1 Administration Guide

20 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

Contents

Endpoint NAC....................................................................................... 695

Configuring Endpoint NAC overview ........................................................................ 695

Configuring FortiClient installer download and version enforcement .................. 696

Configuring application detection lists..................................................................... 697

Viewing the application list...................................................................................... 699

Configuring Endpoint NAC profiles .......................................................................... 699

Monitoring endpoints ................................................................................................. 700

Wireless Controller .............................................................................. 703

Configuration overview .............................................................................................. 703

Enabling the wireless controller................................................................................ 703

Configuring FortiWiFi units as managed access points ......................................... 704

Configuring a virtual wireless access point ............................................................. 704

Configuring a physical access point......................................................................... 705

Configuring DHCP for your wireless LAN ................................................................ 707

Configuring firewall policies for the wireless LAN .................................................. 707

Monitoring wireless clients ........................................................................................ 707

Monitoring rogue APs................................................................................................. 707

Log&Report .......................................................................................... 709

Configuring how a FortiGate unit stores logs.......................................................... 710

Remote logging to a FortiAnalyzer unit................................................................... 710

Remote logging to the FortiGuard Analysis and Management Service .................. 712

Remote logging to a Syslog server......................................................................... 713

Local logging to memory......................................................................................... 714

Local logging to disk ............................................................................................... 714

Configuring Alert Email .............................................................................................. 715

Configuring Event logging ......................................................................................... 717

Data Leak Prevention log ....................................................................................... 718

Application Control log............................................................................................ 718

Antivirus log ............................................................................................................ 719

Web filter log........................................................................................................... 719

Spam filter log......................................................................................................... 719

Attack log (IPS)....................................................................................................... 720

Accessing and viewing log messages...................................................................... 720

Accessing logs stored in memory........................................................................... 721

Accessing logs stored on the hard disk .................................................................. 722

Accessing logs stored on the FortiAnalyzer unit..................................................... 722

Accessing logs stored on the FortiGuard Analysis and Management Service ....... 723

Customizing the display of log messages............................................................... 723

Column settings...................................................................................................... 724

Filtering log messages............................................................................................ 725

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 21

http://docs.fortinet.com/ • Feedback

Contents

Viewing DLP Archives ................................................................................................ 725

Viewing the File Quarantine list................................................................................. 726

Configuring FortiAnalyzer report schedules............................................................ 727

Viewing Executive Summary reports from SQL logs .............................................. 730

Viewing FortiAnalyzer reports ................................................................................... 730

Printing your FortiAnalyzer report ........................................................................... 731

Viewing basic traffic reports ...................................................................................... 731

Log severity levels ...................................................................................................... 733

Log types ..................................................................................................................... 734

Traffic log................................................................................................................ 734

Example configuration: logging all FortiGate traffic ............................................... 735

Index...................................................................................................... 737

FortiGate Version 4.0 MR1 Administration Guide

22 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

Introduction Fortinet products

Introduction

Ranging from the FortiGate®-50 series for small businesses to the FortiGate-5000 series for large enterprises, service providers and carriers, the FortiGate line combines the FortiOS™ security operating system with FortiASIC™ processors and other hardware to provide a high-performance array of security and networking functions including:

• firewall, VPN, and traffic shaping

• Intrusion Prevention system (IPS)

• antivirus/antispyware/antimalware

• web filtering

• antispam

• application control (for example, IM and P2P)

• VoIP support (H.323, SIP, and SCCP)

• Layer 2/3 routing

• multiple redundant WAN interface options FortiGate appliances provide cost-effective, comprehensive protection against network,

content, and application-level threats, including complex attacks favored by cybercriminals, without degrading network availability and uptime. FortiGate platforms include sophisticated networking features, such as high availability (active/active, active/passive) for maximum network uptime, and virtual domain capabilities to separate various networks requiring different security policies.

This chapter contains the following sections:

• Fortinet products

• About this document

• Registering your Fortinet product

• Customer service and technical support

• Training

• Documentation

• Scope

• Conventions

Fortinet products

Fortinet's portfolio of security gateways and complementary products offers a powerful blend of ASIC-accelerated performance, integrated multi-threat protection, and constantly updated, in-depth threat intelligence. This unique combination delivers network, content, and application security for enterprises of all sizes, managed service providers, and telecommunications carriers, while providing a flexible, scalable path for expansion. For more information on the Fortinet product family, go to www.fortinet.com/products.

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 23

http://docs.fortinet.com/ • Feedback

About this document Introduction

About this document

This FortiGate Version 4.0 MR1 Administration Guide provides detailed information for system administrators about FortiGate™ web-based manager and FortiOS options and how to use them. This guide also contains some information about the FortiGate CLI.

This section of the guide contains a brief explanation of the structure of the guide, and gives an overview of each chapter.

The administration guide describes web-based manager functions in the same order as the web-based manager (or GUI) menu. The document begins with several chapters that provide an overview to help you start using the product: the FortiGate web-based manager, System Status, Managing Firmware, and Using virtual domains. Following these chapters, each item in the System, Router, Firewall, UTM, and VPN menus gets a separate chapter. Then User, WAN optimization, Endpoint NAC, and Log&Report are all described in single chapters. The document concludes with a detailed index.

VDOM and Global icons appear in this administration guide to indicate that a chapter or section is part of either the VDOM or Global configuration. VDOM and Global configuration settings apply only to a FortiGate unit operating with virtual domains enabled. No distinction is made between these configuration settings when virtual domains are not enabled.

The most recent version of this document is available from the FortiGate page of the

Fortinet Technical Documentation web site. The information in this document is also

available in a slightly different form as FortiGate web-based manager online help. You can also find more information about FortiOS from the same FortiGate page, as well

as from the Fortinet Knowledge Base. This administration guide contains the following chapters:

• What’s new in FortiOS Version 4.0 MR1 lists and describes some of the new features

and changes in FortiOS Version 4.0 MR1.

• Web-based manager introduces the features of the FortiGate web-based manager,

and explains how to connect to it. It also includes information about how to use the web-based manager online help.

• System Status describes the System Status page, the dashboard of your FortiGate

unit. At a glance you can view the current system status of the FortiGate unit including serial number, uptime, FortiGuard license information, system resource usage, alert messages and network statistics. You can also access the CLI from this page. This section also describes status changes that you can make, including changing the unit firmware, host name, and system time. Finally this section describes the topology viewer that is available on all FortiGate models except those with model numbers 50 and 60.

• Managing firmware versions describes upgrading and managing firmware versions.

You should review this section before upgrading your FortiGate firmware because it contains important information about how to properly back up your current configuration settings and what to do if the upgrade is unsuccessful.

• Using virtual domains describes how to use virtual domains to operate your FortiGate

unit as multiple virtual FortiGate units, which effectively provides multiple separate firewall and routing services to multiple networks.

• System Network explains how to configure physical and virtual interfaces and DNS

settings on the FortiGate unit.

• System Wireless describes how to configure the Wireless LAN interface on a

FortiWiFi-60 unit.

FortiGate Version 4.0 MR1 Administration Guide

24 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

Introduction About this document

• System DHCP explains how to configure a FortiGate interface as a DHCP server or

DHCP relay agent.

• System Config contains procedures for configuring HA and virtual clustering,

configuring SNMP and replacement messages, and changing the operation mode.

• System Admin guides you through adding and editing administrator accounts, defining

admin profiles for administrators, configuring central management using the FortiGuard Management Service or FortiManager, defining general administrative settings such as language, timeouts, and web administration ports.

• System Certificates explains how to manage X.509 security certificates used by

various FortiGate features such as IPSec VPN and administrator authentication.

• System Maintenance details how to back up and restore the system configuration

using a management computer or a USB disk, use revision control, enable FortiGuard services and FortiGuard Distribution Network (FDN) updates, and enter a license key to increase the maximum number of virtual domains.

• Router Static explains how to define static routes and create route policies. A static

route causes packets to be forwarded to a destination other than the factory configured default gateway.

• Router Dynamic explains how to configure dynamic protocols to route traffic through

large or complex networks.

• Router Monitor explains how to interpret the Routing Monitor list. The list displays the

entries in the FortiGate routing table.

• Firewall Policy describes how to add firewall policies to control connections and traffic

between FortiGate interfaces, zones, and VLAN subinterfaces. Also describes how to add DoS policies to apply DoS sensors to network traffic and how to add sniffer policies to operate the FortiGate unit as an IDS appliance by sniffing packets for attacks without actually receiving and otherwise processing the packets

• Firewall Address describes how to configure addresses and address groups for firewall

policies.

• Firewall Service describes available services and how to configure service groups for

firewall policies.

• Firewall Schedule describes how to configure one-time and recurring schedules for

firewall policies.

• Traffic Shaping how to create traffic shaping instances and add them to firewall

policies.

• Firewall Virtual IP describes how to configure and use virtual IP addresses and IP

pools.

• Firewall Load Balance describes how to use FortiGuard load balancing to intercept

incoming traffic and balance it across available servers.

• Firewall Protection Profile describes how to configure protection profiles for firewall

policies.

• SIP support includes some high-level information about VoIP and SIP and describes

how FortiOS SIP support works and how to configure the key SIP features.

• AntiVirus explains how to enable antivirus options when you create a firewall protection

profile.

• Intrusion Protection explains how to configure IPS options when a firewall protection

profile is created.

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 25

http://docs.fortinet.com/ • Feedback

Registering your Fortinet product Introduction

• Web Filter explains how to configure web filter options when a firewall protection profile

is created.

• Email filtering explains how to configure email filter options when a firewall protection

profile is created.

• Data Leak Prevention explains how use FortiGate data leak prevention to prevent

sensitive data from leaving your network.

• Application Control describes how to configure the application control options

associated with firewall protection profiles.

• IPSec VPN provides information about the tunnel-mode and route-based (interface

mode) Internet Protocol Security (IPSec) VPN options available through the webbased manager.

• PPTP VPN explains how to use the web-based manager to specify a range of IP

addresses for PPTP clients.

• SSL VPN provides information about basic SSL VPN settings.

• User describes how to control access to network resources through user

authentication.

• WAN optimization and web caching describes how to use FortiGate units to improve

performance and security of traffic passing between locations on your wide area network (WAN) or over the Internet by applying WAN optimization and web caching.

• Endpoint NAC describes how to use FortiGate endpoint NAC to enforce the use of

FortiClient End Point Security (Enterprise Edition) in your network.

• Wireless Controller describes how to configure a FortiGate unit to act as a wireless

network controller, managing the wireless Access Point (AP) functionality of FortiWiFi units

• Log&Report describes how to enable logging, view log files, and view the basic reports

available through the web-based manager.

Registering your Fortinet product

Before you begin, take a moment to register your Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com.

Many Fortinet customer services, such as firmware updates, technical support, and FortiGuard Antivirus and other FortiGuard services, require product registration.

For more information, see the Fortinet Knowledge Center article Registration Frequently

Asked Questions.

Customer service and technical support

Fortinet Technical Support provides services designed to make sure that your Fortinet products install quickly, configure easily, and operate reliably in your network.

To learn about the technical support services that Fortinet provides, visit the Fortinet Technical Support web site at https://support.fortinet.com.

You can dramatically improve the time that it takes to resolve your technical support ticket by providing your configuration file, a network diagram, and other specific information. For a list of required information, see the Fortinet Knowledge Center article What does

Fortinet Technical Support require in order to best assist the customer?

FortiGate Version 4.0 MR1 Administration Guide

26 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

Introduction Training

Training

Fortinet Training Services provides classes that orient you quickly to your new equipment, and certifications to verify your knowledge level. Fortinet provides a variety of training programs to serve the needs of our customers and partners world-wide.

To learn about the training services that Fortinet provides, visit the Fortinet Training Services web site at http://campus.training.fortinet.com, or email them at

training@fortinet.com.

Documentation

The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the most up-to-date versions of Fortinet publications, as well as additional technical documentation such as technical notes.

In addition to the Fortinet Technical Documentation web site, you can find Fortinet technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet Knowledge Center.

Fortinet Tools and Documentation CD

Scope

Many Fortinet publications are available on the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current at shipping time. For current versions of Fortinet documentation, visit the Fortinet Technical Documentation web site, http://docs.fortinet.com.

Fortinet Knowledge Base

The Fortinet Knowledge Center provides additional Fortinet technical documentation, such as troubleshooting and how-to-articles, examples, FAQs, technical notes, a glossary, and more. Visit the Fortinet Knowledge Center at http://kb.fortinet.com.

Comments on Fortinet technical documentation

Please send information about any errors or omissions in this or any Fortinet technical document to techdoc@fortinet.com.

This document assumes you have already successfully installed a FortiGate unit by following the instructions in the appropriate FortiGate Installation Guide.

At this stage:

• You have administrative access to the web-based manager and/or CLI.

• The FortiGate unit is integrated into your network.

• The operation mode has been configured.

• The system time, DNS settings, administrator password, and network interfaces have

been configured.

• Firmware, FortiGuard Antivirus and FortiGuard Antispam updates are completed. Once that basic installation is complete, you can use this document. This document

explains how to use the web-based manager to:

• maintain the FortiGate unit, including backups

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 27

http://docs.fortinet.com/ • Feedback

Conventions Introduction

• reconfigure basic items that were configured during installation

• configure advanced features This document does not cover all commands for the command line interface (CLI). For

information on the CLI, see the FortiGate CLI Reference. This document is intended for administrators, not end users.

Conventions

Fortinet technical documentation uses the conventions described below.

IP addresses

To avoid publication of public IP addresses that belong to Fortinet or any other organization, the IP addresses used in Fortinet technical documentation are fictional and follow the documentation guidelines specific to Fortinet. The addresses used are from the private IP address ranges defined in RFC 1918: Address Allocation for Private Internets, available at http://ietf.org/rfc/rfc1918.txt?number-1918.

Notes, Tips and Cautions

Fortinet technical documentation uses the following guidance and styles for notes, tips and cautions.

Tip: Highlights useful additional information, often tailored to your workplace activity.

Note: Also presents useful information, but usually focused on an alternative, optional

method, such as a shortcut, to perform a step.

Caution: Warns you about commands or procedures that could have unexpected or undesirable results including loss of data or damage to equipment.

FortiGate Version 4.0 MR1 Administration Guide

28 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

Introduction Conventions

Typographical conventions

Fortinet documentation uses the following typographical conventions:

Table 1: Typographical conventions in Fortinet technical documentation

Convention Example Button, menu, text box,

field, or check box label CLI input* config system dns

CLI output FGT-602803030703 # get system settings

Emphasis HTTP connections are not secure and can be intercepted by

File content <HTML><HEAD><TITLE>Firewall

Hyperlink Visit the Fortinet Technical Support web site,

Keyboard entry Type a name for the remote VPN peer or client, such as

Navigation Go to VPN > IPSEC > Auto Key (IKE). Publication For details, see the

From Minimum log level, select Notification.

set primary <address_ipv4>

end

comments : (null) opmode : nat

a third party.

Authentication</TITLE></HEAD> <BODY><H4>You must authenticate to use this service.</H4>

https://support.fortinet.com.

Central_Office_1.

FortiGate Administration Guide.

* For conventions used to represent command syntax, see “Command syntax conventions” on

page 29.

Command syntax conventions

The command line interface (CLI) requires that you use valid syntax, and conform to expected input constraints. It will reject invalid commands.

Brackets, braces, and pipes are used to denote valid permutations of the syntax. Constraint notations, such as <address_ipv4>, indicate which data types or string patterns are acceptable value input.

Table 2: Command syntax notation

Convention Description Square brackets [] A non-required word or series of words. For example:

[verbose {1 | 2 | 3}]

indicates that you may either omit or type both the verbose word and its accompanying option, such as:

verbose 3

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 29

http://docs.fortinet.com/ • Feedback

Conventions Introduction

Table 2: Command syntax notation

Angle brackets <> A word constrained by data type.

To define acceptable input, the angled brackets contain a descriptive name followed by an underscore ( _ ) and suffix that indicates the valid data type. For example:

<retries_int>

indicates that you should enter a number of retries, such as 5. Data types include:

• <xxx_name>: A name referring to another part of the configuration, such as policy_A.

• <xxx_index>: An index number referring to another part of the configuration, such as 0 for the first static route.

• <xxx_pattern>: A regular expression or word with wild cards that matches possible variations, such as *@example.com to match all email addresses ending in @example.com.

• <xxx_fqdn>: A fully qualified domain name (FQDN), such as mail.example.com.

• <xxx_email>: An email address, such as admin@mail.example.com.

• <xxx_url>: A uniform resource locator (URL) and its associated protocol and host name prefix, which together form a uniform resource identifier (URI), such as http://www.fortinet./com/.

• <xxx_ipv4>: An IPv4 address, such as 192.168.1.99.

• <xxx_v4mask>: A dotted decimal IPv4 netmask, such as

255.255.255.0.

• <xxx_ipv4mask>: A dotted decimal IPv4 address and netmask separated by a space, such as

192.168.1.99 255.255.255.0.

• <xxx_ipv4/mask>: A dotted decimal IPv4 address and CIDRnotation netmask separated by a slash, such as such as

192.168.1.99/24.

• <xxx_ipv6>: A colon( : )-delimited hexadecimal IPv6 address, such as 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.

• <xxx_v6mask>: An IPv6 netmask, such as /96.

• <xxx_ipv6mask>: An IPv6 address and netmask separated by a space.

• <xxx_str>: A string of characters that is not another data type, such as P@ssw0rd. Strings containing spaces or special characters must be surrounded in quotes or use escape sequences.

<xxx_int>: An integer number that is not another data type,

• such as 15 for the number of minutes.

Curly braces {} A word or series of words that is constrained to a set of options

delimited by either vertical bars or spaces. You must enter at least one of the options, unless the set of options is

surrounded by square brackets [ ].

FortiGate Version 4.0 MR1 Administration Guide

30 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

Introduction Conventions

Table 2: Command syntax notation

Options delimited by vertical bars |

Options delimited by spaces

Mutually exclusive options. For example:

{enable | disable}

indicates that you must enter either enable or disable, but must not enter both.

Non-mutually exclusive options. For example:

{http https ping snmp ssh telnet}

indicates that you may enter all or a subset of those options, in any order, in a space-delimited list, such as:

ping https ssh

Note: To change the options, you must re-type the entire list. For example, to add snmp to the previous example, you would type:

ping https snmp ssh

If the option adds to or subtracts from the existing list of options, instead of replacing it, or if the list is comma-delimited, the exception will be noted.

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 31

http://docs.fortinet.com/ • Feedback

Conventions Introduction

FortiGate Version 4.0 MR1 Administration Guide

32 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

What’s new in FortiOS Version 4.0 MR1

This section lists and describes some of the new features and changes in FortiOS Version

4.0 MR1.

Note: This document is a work in progress. Some sections may be inaccurate or incomplete.

• New SIP ALG configuration options

• Easy FortiCare and FortiGuard services registration and renewal

• Endpoint control enhancements

• Per-VDOM replacement messages

• Content archiving is now DLP archive

• Topology viewer is now a custom web-based manager page

• Usage page shows application, policy, and DLP archive usage

• Alert Message Console enhancements

• WCCP widget

• SSL VPN enhancements

• Two-factor authentication

• FortiGate wireless controller

• Interface status detection for gateway load balancing

• Enhanced ECMP route failover and load balancing

• SCEP extensions

• Dynamic routing for IPv6 traffic

• IPv6 DNS

• IPv6 transparent mode

• IPv6 administrative access

• UTM features support IPv6 traffic

• HTTP basic authentication in firewall policies

• VDOM dashboard

• IPsec protocol improvements

• Auto-configuration of IPsec VPNs

• Integral basic DNS server

• Per-VDOM DNS configuration

• Password policy

• Use LDAP groups in firewall and SSL-VPN authentication

• Traffic shaping enhancements

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 33

http://docs.fortinet.com/ • Feedback

New SIP ALG configuration options What’s new in FortiOS Version 4.0 MR1

• Logging enhancements

• Antivirus changes

• Reliable syslog

• Web filtering combined block/exempt list

• Web filtering by content header

• Safe search

• Data Leak Prevention supports international character sets

• SNMPv3 enhancements

• Schedule groups

New SIP ALG configuration options

The following SIP application level gateway (ALG) configuration options for have been added to FortiOS 4.0 MR1. You can configure these options from the CLI using the following command:

config application list

edit <list_name>

config entries

edit 1

set category voip set application SIP set open-register-pinhole {disable | enable} set open-contact-pinhole {disable | enable} set rfc2543-branch {disable | enable}

end

Opening and closing SIP register and non-register pinholes

You can use open-register-pinhole and open-contact-pinhole to control whether the FortiGate unit opens register and non-register pinholes. Non-register pinholes are usually opened for SIP invite requests.

For more information, see “Opening and closing SIP register and non-register pinholes”

on page 515.

Support for RFC 2543-compliant branch commands

The rfc2543-branch CLI keyword of the config application list command has been added to support RFC 2543-complaint SIP calls involving branch commands that are missing or that are valid for RFC 2543 but invalid for RFC 3261.

For more information, see “Support for RFC 2543-compliant branch commands” on

page 516.

FortiGate Version 4.0 MR1 Administration Guide

34 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

What’s new in FortiOS Version 4.0 MR1 Easy FortiCare and FortiGuard services registration and renewal

Easy FortiCare and FortiGuard services registration and renewal

FortiOS Version 4.0 MR1 firmware helps you to register your FortiGate unit for FortiGuard and FortiCare services. When a new FortiGate unit is powered on, it automatically searches for FortiGuard services. If the unit is configured for central management, it will look for FortiGuard services on its FortiManager system. The FortiGate unit sends its serial number to FortiGuard services, which then determines whether the FortiGate unit is registered and has a valid contract for either a FortiGuard subscription or FortiCare support services.

For more information, see “License Information” on page 110.

Endpoint control enhancements

Endpoint Control is now called Endpoint NAC (Network Access Control), which better describes its role in controlling endpoint access to the network.

The configuration for required FortiClient software version is now in Endpoint NAC > Config. Configuration options are the same as in the previous release.

FortiOS 4.0 provided only software detection on endpoints. FortiOS 4.0 MR1 can allow or block endpoints based on detected software. The Software Detection List is now called an Application Detection List and you can create multiple lists.

FortiGuard services provides all application signatures. You create your application detection list entries by selecting applications from lists of categories, vendors, and application names. Go to Endpoint NAC > Application Detection > Detection List. to create detection lists. To view application information from FortiGuard services, go to Endpoint NAC > Application Detection > Predefined.

Endpoint check options are no longer configured in the firewall policy. These options and the application detection list are now selected in an Endpoint NAC profile. In the firewall policy, you simply enable Endpoint NAC and select the Endpoint NAC profile to apply.

For more information, see “Endpoint NAC” on page 695.

Per-VDOM replacement messages

FortiOS 4.0 MR1 enables you to define replacement messages in each VDOM. In previous releases, replacement messages were defined only at the global level. By default, the VDOM uses the global replacement messages. You can modify any message for your VDOM as needed, overriding the global message.

When defining replacement messages, you can optionally reset the message to its original value. At the global level, you can reset the message to the factory default. At the VDOM level, you can reset the message to the current global value.

In the web-based manager, each VDOM has a replacement messages configuration page at System > Config > Replacement Messages, as exists at the global level. Modify the messages as needed.

For more information, see “Replacement messages” on page 250.

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 35

http://docs.fortinet.com/ • Feedback

Content archiving is now DLP archive What’s new in FortiOS Version 4.0 MR1

Content archiving is now DLP archive

In FortiOS 4.0 MR1 the content archiving feature has been renamed DLP archive. Just like content archiving, administrators use DLP archiving to collect and view historical logs that have been archived to a FortiAnalyzer unit or FortiGuard Analysis server. DLP archiving is available for FortiAnalyzer when you add a FortiAnalyzer unit to the FortiGate configuration. A FortiGuard Analysis server becomes available when you subscribe to the FortiGuard Analysis and Management Service.

For more information, see “Configuring DLP archiving” on page 589.

Topology viewer is now a custom web-based manager page

The Topology page is no longer part of the default web-based manager configuration. To access this feature, create a custom menu layout in your administrative profile and add the Topology page. It is in the Additional content category.

FortiGate Version 4.0 MR1 Administration Guide

36 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

What’s new in FortiOS Version 4.0 MR1 Usage page shows application, policy, and DLP archive usage

Usage page shows application, policy, and DLP archive usage

In FortiOS 4.0 MR1, you can view statistics about application traffic passing through your FortiGate unit.

The Usage widget has three modules:

• Top Application Usage

• Top Policy Usage

• DLP Archive Usage By default, the Usage widget displays on the System > Status > Usage page for both

global and VDOM administrators. You can also add the Usage widget to custom webbased manager pages.

For more information, see “Viewing application, policy, and DLP archive usage data” on

page 137.

Alert Message Console enhancements

In FortiOS 4.0 MR1, the Alert Message Console provides more types of alerts, is more configurable, and enables you to acknowledge messages one at a time.

To view the Alert Message Console, go to System > Status. For more information, see “Alert Message Console” on page 115.

WCCP widget

Using the FortiOS 4.0 customizeable GUI feature you can add a WCCP widget to the web-based manager and use this widget to add WCCP entries to the FortiGate configuration.

For more information, see “Configuring WCCP” on page 212.

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 37

http://docs.fortinet.com/ • Feedback

SSL VPN enhancements What’s new in FortiOS Version 4.0 MR1

SSL VPN enhancements

Single Sign-On

With this new feature, a web bookmark can include login credentials so that the SSL VPN automatically logs the user into the web site. This means that the user logs into the SSL VPN and then does not have to enter any more credentials to visit preconfigured web sites. When the administrator configures bookmarks, the web site credentials must be the same as the user’s SSL VPN credentials. Users configuring their own bookmarks can specify alternative credentials for the web site.

To configure Single Sign-On bookmarks - web-based manager 1 Go to VPN > SSL > Portal and select the Edit icon for the portal. 2 Select the Edit icon in the Bookmarks widget title bar.

If the Bookmarks widget is missing, select Bookmarks from the Add Widget list.

3 In the Bookmarks widget, select Add. 4 Enter the following information:

Figure 1: Configuring an SSO bookmark

Name Enter a name for the bookmark. Type The type must be HTTP/HTTPS for an SSO bookmark. Location Enter the bookmark location (URL without “http://” or “https://”). Description Optionally, enter a description of the web site. SSO Disabled — This is not an SSO bookmark.

Automatic — Use user’s SSL VPN credentials for login.

Static — Fill in the login credentials as defined below. Field Name Enter a required login page field name, “User Name” for example. Value Enter the value to enter in the field identified by Field Name.

If you are an administrator configuring a bookmark for users:

• enter %usrname% to represent the user’s SSL VPN user name

• enter %passwd% to represent the user’s SSL VPN password

Add Enter another Field Name / Value pair, for the password, for example.

A new set of Field Name / Value fields is added. Fill them in.

5 Select OK. 6 Select Done.

FortiGate Version 4.0 MR1 Administration Guide

38 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

What’s new in FortiOS Version 4.0 MR1 SSL VPN enhancements

IP address ranges are now defined as firewall addresses

Several IP address ranges for tunnel mode SSL VPNs are defined in FortiOS 4.0 MR1 using firewall addresses and you can specify multiple ranges:

Tunnel IP ranges

In the tunnel widget configuration, the start-ip and end-ip keywords have been removed. Instead, you specify one or more firewall addresses using the new ip-pools keyword, like this:

config vpn ssl web portal

edit <portal_name>

config widget

edit <widget_id>

set name <name_str> set type tunnel set ip-pools ip_pool1 ip_pool2

end

You define ip_pool1 and ip_pool2 using the config firewall address command. Only range and subnet address types are allowed.

Split tunnel IP ranges

Use the new split-tunneling-routing-address keyword to specify one or more ranges of IP addresses that are reached through the SSL VPN, like this:

config vpn ssl web portal

edit <portal_name>

config widget

edit <widget_id>

set name <name_str> set type tunnel set split-tunneling enable set split-tunneling-routing-address ip_pool1 ip_pool2

end

You define ip-pool1 and ip_pool2 using the config firewall address command. Only range and subnet address types are allowed.

Tunnel mode client address ranges

In the SSL VPN settings, the tunnel-startip and tunnel-endip keywords have been removed. Instead, use the new tunnel-ip-pools keyword to define the one or more ranges of IP addresses reserved for remote clients:

config vpn ssl settings

set tunnel-ip-pools ip_pool1 ip_pool2

end

You define ip_pool1 and ip_pool2 using the config firewall address command. Only range and subnet address types are allowed.

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 39

http://docs.fortinet.com/ • Feedback

SSL VPN enhancements What’s new in FortiOS Version 4.0 MR1

OS Check changes

The client operating system checks are now configurable only in the CLI, but the supported operating systems now include Windows Vista.

config vpn ssl web portal

edit <portal_name>

set os-check enable config os-check-list {windows-2000 | windows-xp |

windows-vista} set action {allow | check-up-to-date | deny} set latest-patch-level {disable | 0 - 255} set tolerance {tolerance_num}

end

Client check changes

The client check, which ensures that clients have antivirus or firewall software installed, is now called Host Check. You no longer specify whether to check for FortiClient Endpoint Security or third-party software. If the client computer is running any antivirus or firewall software that the Windows Security Center recognizes, it will pass the Host Check. You can also add applications to the FortiGate unit’s list of acceptable host check software.

To configure host check - web-based manager 1 Go to VPN > SSL > Portal. 2 Select the Edit icon for the web portal. 3 Select the Settings button.

4 Select the Security Control tab. 5 From the Host Check list, select one of the following options:

• None — no host check

• AV — antivirus software required

• FW — firewall software required

• AV-FW — antivirus and firewall software required

• Custom — check for software defined in VPN > SSL > Host Check

6 Enter the Interval, in seconds, between host checks. Or, enter 0 to disable repeated

host checks.

7 Select OK.

To configure host check - CLI

config vpn ssl web portal

edit <portal_name>

set host-check {none | av | fw | av-fw | custom} set host-check-interval <seconds>

end

FortiGate Version 4.0 MR1 Administration Guide

40 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

What’s new in FortiOS Version 4.0 MR1 SSL VPN enhancements

Variable Description Default

<portal_name> Enter the portal name. No default.

host-check {none | av | fw | av-fw | custom}

host-check-interval <seconds>

Select the type of host check.

none — no host check av — antivirus software required fw — firewall software required av-fw — antivirus and firewall software required custom — check for software defined in config

vpn ssl web host-check-software

Enter period between host checks, in seconds. Range 120 to 259 200. Enter 0 to disable repeated

host checks.

none

Virtual Desktop enhancements

In FortiOS 4.0 MR1, the virtual desktop is more configurable and can interact with removable media, network shares, and printers.

To configure Virtual Desktop - web-based manager 1 Go to VPN > SSL > Portal. 2 Select the Edit icon for the web portal. 3 Select the Settings button.

4 Select the Virtual Desktop tab. 5 Enter the following information and select OK.

Figure 2: Configuring Virtual Desktop

Enable Virtual Desktop Enable the virtual desktop and the following settings. If this is

Allow switching between virtual desktop and regular desktop

Allow clipboard contents to be shared with regular desktop

Allow use of removable media

Allow network share access Enable to allow the user to copy files between the virtual

not enabled, user has browser access on the regular desktop. By default, the regular desktop is not accessible while the

virtual desktop is active. With this option enabled, user can switch between them.

Enable to allow cut-and-paste operations between the virtual desktop and the regular desktop.

Enable to allow the user to copy files between the virtual desktop and removable media such as USB drives.

desktop and network drives.

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 41

http://docs.fortinet.com/ • Feedback

SSL VPN enhancements What’s new in FortiOS Version 4.0 MR1

Allow printing Enable to allow the user to use printers from the virtual

Quit the virtual desktop and logout session when browser is closed

Application Control List Optionally, select an application control list. This controls which

desktop. By default, the virtual desktop remains in effect even if the user

closes the browser. Enable to automatically close the virtual desktop and logout if the user closes the browser.

applications the user can run on the virtual desktop. See

“Virtual Desktop Application Control”.

To configure virtual desktop - CLI

conf vpn ssl web portal

edit "portal-name"

set virtual-desktop {enable | disable} set virtual-desktop-desktop-switch {enable | disable} set virtual-desktop-clipboard-share {enable | disable} set virtual-desktop-removable-media-access

{enable | disable}

set virtual-desktop-network-share-access {enable | disable} set virtual-desktop-printing {enable | disable} set virutal-desktop-logout-when-browser-close

{enable | disable}

set virtual-desktop-app-list <applist_name>

end

All options are disabled by default, except virtual-desktop-desktop-switch.

Virtual Desktop Application Control

You can control which applications users can run on their virtual desktop. To do this, you create a list of either allowed or blocked applications which you then select when you configure the virtual desktop.

To create an application control list - web-based manager 1 Go to VPN > SSL > Virtual Desktop Application Control.

2 Select Create New. 3 Enter a Name for the list. 4 Select either Allow the applications on this list and block all others or Block the

applications on this list and allow all others.

5 Select Add. 6 In the Application Signatures window, enter the Name of the application and its

MD5 Signature. There are utilities you can use to calculate the MD5 signature of the executable file.

You can enter multiple signatures to support multiple versions of the application.

7 Select OK. 8 Repeat steps 5 through 7 to add additional applications to the list. 9 Select OK.

To create an application control list - CLI

config vpn ssl web virtual-desktop-app-list

edit <applist_name>

set action {allow | block}

FortiGate Version 4.0 MR1 Administration Guide

42 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

What’s new in FortiOS Version 4.0 MR1 Two-factor authentication

config apps

edit <appname_str>

set md5s <md5_str>

end

Variable Description Default

<applist_name> Enter a name for the application control list. No default.

action {allow | block}

<appname_str> Enter a name for the application. No default. md5s <md5_str> Enter one or more MD5 checksums, separated by

allow — Allow only the applications on this list block — Block these applications, allow all others

spaces.

allow

No default.

Two-factor authentication

In FortiOS 4.0 MR1, PKI users can be required to authenticate by password in addition to their certificate authentication, for both administrative and SSL VPN access. This provides additional security to meet ICSA 4.0 requirements.

To enable two-factor authentication for a PKI user - web-based manager 1 Go to User > PKI. 2 Select the Edit icon for the user.

3 Expand Two-factor authentication. 4 Select Require two-factor authentication and enter the Password for this user. 5 Select OK. 6 Repeat steps 2 through 5 for each user who must use two-factor authentication.

To enable two-factor authentication for a PKI user - CLI

config user peer

edit <peer1_name>

set two-factor enable

set password <password_str> next edit <peer2_name> ... end

To require two-factor authentication in an SSL VPN

conf vpn ssl settings

set force-two-factor-auth enable

end

If this option is enabled, only users with two-factor authentication can log in to the SSL VPN.

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 43

http://docs.fortinet.com/ • Feedback

FortiGate wireless controller What’s new in FortiOS Version 4.0 MR1

Force UTF-8 login

To facilitate authentication with some LDAP servers, the login credentials must use UTF-8 encoding. Enable this as follows:

config vpn ssl settings

set force-utf8-login enable

end

FortiGate wireless controller

Most FortiGate units, but not FortiWiFi models, can act as a wireless network controller, managing the wireless Access Point (AP) functionality of FortiWiFi units. All units must be running the most FortiOS 4.0 MR1 firmware.

For more information, see “Wireless Controller” on page 703.

Interface status detection for gateway load balancing

FortiOS 4.0 MR1 interface status detection now includes enabling up to three different protocols to confirm that an interface can connect to the IP address of a server. Usually the server is the next-hop router that leads to an external network or the Internet.

For more information, see “Interface status detection for gateway load balancing” on

page 193.

Enhanced ECMP route failover and load balancing

Previous versions of FortiOS provided source IP-based load balancing for ECMP routes. FortiOS 4.0 MR1 includes three configuration options for ECMP route failover and load balancing:

Source based (also called source IP based)

Weighted (also called weight-based)

Spill-over (also called usage-based)

The FortiGate unit load balances sessions among ECMP routes based on the source IP address of the sessions to be load balanced. This is the default load balancing method. No configuration changes are required to support source IP load balancing.

The FortiGate unit load balances sessions among ECMP routes based on weights added to ECMP routes. More traffic is directed to routes with higher weights.

The FortiGate unit distributes sessions among ECMP routes based on how busy the FortiGate interfaces added to the routes are.

After selecting spill-over you add route Spillover Thresholds to interfaces added to ECMP routes. The FortiGate unit sends all ECMP-routed sessions to the lowest numbered interface until the bandwidth being processed by this interface reaches its spillover threshold. The FortiGate unit then spills additional sessions over to the next lowest numbered interface.

The Spillover Thresholds range is 0-2097000 KBps.

For more information, see “ECMP route failover and load balancing” on page 344.

SCEP extensions

FortiOS 4.0 MR1 supports automatic update of system certificates. When a certificate is about to expire, the FortiGate unit uses SCEP to request and download a new certificate. This applies to both Local and CA certificates. You can also configure periodic updating of a Certificate Revocation List (CRL).

FortiGate Version 4.0 MR1 Administration Guide

44 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

What’s new in FortiOS Version 4.0 MR1 SCEP extensions

Certificate auto-update is configured in the CLI:

To configure auto-update of a local certificate

config vpn certificate local

edit <certificate_name>

set scep-url <URL_str>

set scep-password <password_str>

set auto-regenerate-days <days_int>

set auto-regenerate-days-warning <days_int> end

end

Variable Description Default

<certificate_name> The name of the local certificate. No default. scep-url <URL_str> Enter the URL of the SCEP server. No default.

scep-password <password_str>

auto-regeneratedays <days_int>

auto-regeneratedays-warning <days_int>

Enter the password for the SCEP server. No default.

Enter how many days before expiry the FortiGate unit requests an updated local certificate. Enter 0 for no auto-update.

Enter how many days before local certificate expiry the FortiGate generates a warning message. Enter 0 for no warning.

To configure auto-update of a CA certificate

config vpn certificate ca

edit <certificate_name>

set scep-url <URL_str>

set auto-update-days <days_int>

set auto-update-days-warning <days_int> end

end

Variable Description Default

<certificate_name> The name of the CA certificate. No default. scep-url <URL_str> Enter the URL of the SCEP server. No default.

auto-update-days <days_int>

auto-update-dayswarning <days_int>

Enter how many days before expiry the FortiGate unit requests an updated CA certificate. Enter 0 for no auto-update.

Enter how many days before CA certificate expiry the FortiGate generates a warning message. Enter 0 for no warning.

To configure CRL auto-update

config vpn certificate crl edit <crl_name>

set scep-url <URL_str>

set update-interval <seconds>

end end

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 45

http://docs.fortinet.com/ • Feedback

SCEP extensions What’s new in FortiOS Version 4.0 MR1

Variable Description Default

<crl_name> The name of the certificate revocation list. No default. scep-url <URL_str> Enter the URL of the SCEP server. No default.

update-interval <seconds>

Enter how frequently, in seconds, the FortiGate unit checks for an updated CRL. Enter 0 to update the CRL only when it expires.

FortiGate Version 4.0 MR1 Administration Guide

46 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

What’s new in FortiOS Version 4.0 MR1 Dynamic routing for IPv6 traffic

Dynamic routing for IPv6 traffic

FortiOS Version 4.0 MR1 adds support for IPv6 dynamic routing using RIPng, BGP, or OSPF protocols.

IPv6 dynamic routing is configurable only in the CLI. The following IPv6-related commands were added:

• router access-list6

• router ospf6

• router prefix-list6

• router ripng

• get router info6 {bgp | ospf | protocols | rip} IPv6-related keywords were added to the router bgp command.

Additions to router bgp command

The following syntax descriptions are for the new keywords added to support IPv6.

config router bgp

config aggregate-address6

edit <aggr_addr_id>

set as-set {enable | disable} set prefix6 <address_ipv6mask> set summary-only {enable | disable}

end config neighbor

edit

<neighbor_address>

set allowas-in6 <max_num_AS_integer> set allowas-in-enable6 {enable | disable} set attribute-unchanged6 [as-path] [med] [next-hop] set capability-default-originate6 {enable | disable} set capability-graceful-restart6 {enable | disable} set capability-orf6 {both | none | receive | send} set default-originate-routemap6 set distribute-list-in6 <access-list-name_str> set distribute-list-out6 <access-list-name_str> set filter-list-in6 <aspath-list-name_str> set filter-list-out6 <aspath-list-name_str> set maximum-prefix6 <prefix_integer> set maximum-prefix-threshold6 <percentage_integer> set maximum-prefix-warning-only6 {enable | disable} set next-hop-self6 {enable | disable} set prefix-list-in6 <prefix-list-name_str> set prefix-list-out6 <prefix-list-name_str> set remove-private-as6 {enable | disable} set route-map-in6 <routemap-name_str> set route-map-out6 <routemap-name_str> set route-reflector-client6 {enable | disable} set route-server-client6 {enable | disable} set send-community6 {both | disable | extended | standard} set soft-reconfiguration6 {enable | disable} set unsuppress-map6 <route-map-name_str>

end

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 47

http://docs.fortinet.com/ • Feedback

Dynamic routing for IPv6 traffic What’s new in FortiOS Version 4.0 MR1

config network6

edit <network_id>

set backdoor {enable | disable} set prefix6 <address_ipv6mask> set route-map <routemap-name_str>

end

config redistribute6

Variable Description Default

config aggregate-address6 Variables edit <aggr_addr_id> Enter an ID number for the entry. The number

as-set {enable | disable} Enable or disable the generation of an

prefix6 <address_ipv6mask> Set an aggregate prefix. ::/0

summary-only {enable | disable}

config neighbor Additional Variables

activate6 {enable | disable}

allowas-in6 <max_num_AS_integer>

allowas-in-enable6 {enable | disable}

attribute-unchanged6 [as-path] [med] [next-hop]

capability-defaultoriginate6 {enable | disable}

capability-gracefulrestart6 {enable | disable}

must be an integer.

unordered list of AS numbers to include in the path information. When as-set is enabled, a

set-atomic-aggregate value does not

have to be specified.

Enable or disable the advertising of aggregate routes only (the advertising of specific routes is suppressed).

Enable or disable the address family for the BGP neighbor.

This keyword is available when allowas-in-enable6 is set to enable.

Set the maximum number of occurrences your AS number is allowed in.

Enable or disable the readvertising of all prefixes containing duplicate AS numbers. Set the amount of time that must expire before readvertising through the allowas-in keyword.

Propagate unchanged BGP attributes to the IPv6 BGP neighbor.

• To advertise unchanged AS_PATH attributes, select as-path.

• To advertise unchanged MULTI_EXIT_DISC attributes, select med.

• To advertise the IP address of the next-hop router interface (even when the address has not changed), select next-hop.

• An empty set is a supported value.

Enable or disable the advertising of the default route to IPv6 BGP neighbors.

Enable or disable the advertising of gracefulrestart capability to IPv6 BGP neighbors.

No default.

disable

enable

unset

disable

Empty set.

disable

FortiGate Version 4.0 MR1 Administration Guide

48 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

What’s new in FortiOS Version 4.0 MR1 Dynamic routing for IPv6 traffic

Variable Description Default

capability-orf6 {both | none | receive | send}

default-originateroutemap6

distribute-list-in6 <access-list-name_str>

distribute-list-out6 <access-list-name_str>

filter-list-in6 <aspath-list-name_str>

filter-list-out6 <aspath-list-name_str>

maximum-prefix6 <prefix_integer>

maximum-prefix-threshold6 <percentage_integer>

maximum-prefix-warningonly6 {enable | disable}

next-hop-self6 {enable | disable}

Enable or disable the advertising of Outbound Routing Filter (ORF) prefix-list capability to the BGP neighbor.

• To enable send and receive capability, select both.

• To enable receive capability, select receive.

• To enable send capability, select send.

• To disable the advertising of ORF prefix-list capability, select none.

Limit route updates from the IPv6 BGP neighbor based on the Network Layer Reachability Information (NLRI) defined in the specified access list. You must create the access list before it can be selected here. See “router

access-list6” on page 51.

Limit route updates to the IPv6 BGP neighbor based on the NLRI defined in the specified access list. You must create the access list before it can be selected here. See “router

access-list6” on page 51.

Limit inbound IPv6 BGP routes according to the specified AS-path list. You must create the ASpath list before it can be selected here. See config router aspath-list.

Limit outbound IPv6 BGP routes according to the specified AS-path list. You must create the AS-path list before it can be selected here. See config router aspath-list.

Set the maximum number of NLRI prefixes to accept from the IPv6 BGP neighbor. When the maximum is reached, the FortiGate unit disconnects the BGP neighbor. The range is from 1 to 4 294 967 295.

Changing this value on the FortiGate unit does not disconnect the BGP neighbor. However, if the neighbor goes down because it reaches the maximum number of prefixes and you increase the maximum-prefix value afterward, the neighbor will be reset.

This keyword is available when maximum- prefix6 is set.

Specify the threshold (as a percentage) that must be exceeded before a warning message about the maximum number of NLRI prefixes is displayed. The range is from 1 to 100.

This keyword is available when maximum-prefix6 is set.

Enable or disable the display of a warning when the maximum-prefix-threshold6 has been reached.

Enable or disable advertising of the FortiGate unit’s IP address (instead of the neighbor’s IP address) in the NEXT_HOP information that is sent to IBGP peers.

none

Null

unset

disable

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 49

http://docs.fortinet.com/ • Feedback

Dynamic routing for IPv6 traffic What’s new in FortiOS Version 4.0 MR1

Variable Description Default

prefix-list-in6 <prefix-list-name_str>

prefix-list-out6 <prefix-list-name_str>

remove-private-as6 {enable | disable}

route-map-in6 <routemap-name_str>

route-map-out6 <routemap-name_str>

route-reflector-client6 {enable | disable}

route-server-client6 {enable | disable}

send-community6 {both | disable | extended | standard}

soft-reconfiguration6 {enable | disable}

unsuppress-map6 <route-map-name_str>

config network6 Variables edit <network_id> Enter an ID number for the entry. The number

Limit route updates from an IPv6 BGP neighbor based on the Network Layer Reachability Information (NLRI) in the specified prefix list. The prefix list defines the NLRI prefix and length advertised in a route. You must create the prefix list before it can be selected here. See “router

prefix-list6” on page 56.

Limit route updates to an IPv6 BGP neighbor based on the NLRI in the specified prefix list. The prefix list defines the NLRI prefix and length advertised in a route. You must create the prefix list before it can be selected here. See “router

prefix-list6” on page 56.

Remove the private AS numbers from outbound updates to the IPv6 BGP neighbor.

Limit route updates or change the attributes of route updates from the IPv6 BGP neighbor according to the specified route map. You must create the route-map before it can be selected here.

Limit route updates or change the attributes of route updates to the IPv6 BGP neighbor according to the specified route map. You must create the route-map before it can be selected here.

This keyword is available when remote-as is identical to the FortiGate unit AS number.

Enable or disable the operation of the FortiGate unit as a route reflector and identify the BGP neighbor as a route-reflector client.

Inbound routes for route reflectors can change the next-hop, local-preference, med, and as-path attributes of IBGP routes for local route selection, while outbound IBGP routes do not take into effect these attributes.

Enable or disable the recognition of the IPv6 BGP neighbor as route-server client.

Enable or disable the sending of the COMMUNITY attribute to the IPv6 BGP neighbor.

• To advertise extended and standard capabilities, select both.

• To advertise extended capabilities, select extended.

• To advertise standard capabilities, select standard.

• To disable the advertising of the COMMUNITY attribute, select disable.

Enable or disable the FortiGate unit to store unmodified updates from the IPv6 BGP neighbor to support inbound softreconfiguration.

Specify the name of the route-map to selectively unsuppress suppressed IPv6 routes. You must create the route-map before it can be selected here.

must be an integer.

Null

disable

Null

disable

both

disable

Null

No default.

FortiGate Version 4.0 MR1 Administration Guide

50 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

What’s new in FortiOS Version 4.0 MR1 Dynamic routing for IPv6 traffic

Variable Description Default

backdoor {enable | disable}

prefix6 <address_ipv6mask> Enter the IP address and netmask that identifies

route-map <routemap-name_str>

config redistribute6 Variables are the same as for config redistribute

Enable or disable the route as a backdoor, which causes an administrative distance of 200 to be assigned to the route. Backdoor routes are not advertised to EBGP peers.

the BGP network to advertise. Specify the name of the route-map that will be

used to modify the attributes of the route before it is advertised. You must create the route-map before it can be selected here.

disable

::/0

Null

router access-list6

Use this command to add, edit, or delete access lists for IPv6 traffic. Access lists are filters used by FortiGate unit routing processes. For an access list to take effect, it must be called by a FortiGate unit routing process (for example, a process that supports RIPng or OSPF).

Syntax

config router access-list6

edit <access_list_name>

set comments <string> config rule

edit <access_list_id>

set action {deny | permit} set exact-match {enable | disable} set prefix6 { <prefix_ipv6mask> | any }

end

Note: The action and prefix keywords are required. The exact-match keyword is optional.

Variable Description Default

edit <access_list_name>

comments <string> Enter a descriptive comment. The max length is

config rule Variables

edit <access_list_id>

action {deny | permit} Set the action to take for this prefix. permit

exact-match {enable | disable}

prefix6 { <prefix_ipv6mask> | any }

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 51

http://docs.fortinet.com/ • Feedback

Enter a name for the access list. An access list and a prefix list cannot have the same name.

127 characters.

Enter an entry number for the rule. The number must be an integer.

By default, access list rules are matched on the prefix or any more specific prefix. Enable exact- match to match only the configured prefix.

Enter the prefix for this access list rule, either:

• Type the IP address and netmask.

•Type any to match any prefix.

No default.

disable

any

Dynamic routing for IPv6 traffic What’s new in FortiOS Version 4.0 MR1

router ospf6

Use this command to configure OSPF routing for IPv6 traffic.

Syntax

router ospf6

set abr-type {cisco | ibm | standard} set auto-cost-ref-bandwidth <mbps_integer> set default-metric <metric_integer> set passive-interface <name_str> set router-id <address_ipv4> set spf-timers <delay_integer> <hold_integer>

config area

edit <area_address_ipv4>

set default-cost <cost_integer> set stub-type {no-summary | summary} set type {regular | stub}

end

config ospf6-interface

edit <ospf_interface_name>

set area-id <ip4_addr> set cost <cost_integer> set dead-interval <seconds_integer> set hello-interval <seconds_integer> set interface <name_str> set priority <priority_integer> set retransmit-interval <seconds_integer> set status {enable | disable} set transmit-delay <seconds_integer>

end end

config redistribute {bgp | connected | rip | static}

set metric <metric_integer>

set metric-type {1 | 2}

set routemap <name_str>

set status {enable | disable} end

end

Variable Description Default

abr-type {cisco | ibm | standard}

auto-cost-ref-bandwidth <mbps_integer>

default-metric <metric_integer>

52 01-410-89802-20090903

Specify the behavior of a FortiGate unit acting as an OSPF area border router (ABR) when it has multiple attached areas and has no backbone connection. Selecting the ABR type compatible with the routers on your network can reduce or eliminate the need for configuring and maintaining virtual links. For more information, see RFC 3509.

Enter the Mbits per second for the reference bandwidth. Values can range from 1 to 65535.

Specify the default metric that OSPF should use for redistributed routes. The valid range for metric_integer is 1 to

16777214.

FortiGate Version 4.0 MR1 Administration Guide

http://docs.fortinet.com/ • Feedback

standard

1000

What’s new in FortiOS Version 4.0 MR1 Dynamic routing for IPv6 traffic

Variable Description Default

passive-interface <name_str> OSPF routing information is not sent or

router-id <address_ipv4> Set the router ID. The router ID is a unique

spf-timers <hold_integer>

<delay_integer>

received through the specified interface.

number, in IP address dotted decimal format, that is used to identify an OSPF router to other OSPF routers within an area. The router ID should not be changed while OSPF is running.

A router ID of 0.0.0.0 is not allowed. Change the default shortest path first

(SPF) calculation delay time and frequency.

The delay_integer is the time, in seconds, between when OSPF receives information that will require an SPF calculation and when it starts an SPF calculation. The valid range for delay_integer is 0 to 4294967295.

The hold_integer is the minimum time, in seconds, between consecutive SPF calculations. The valid range for hold_integer is 0 to 4294967295.

OSPF updates routes more quickly if the SPF timers are set low; however, this uses more CPU. A setting of 0 for spf-timers can quickly use up all available CPU.

No default.

0.0.0.0

5 10

config area

Use this subcommand to set OSPF area related parameters. Routers in an OSPF autonomous system (AS) or routing domain are organized into logical groupings called areas. Areas are linked together by area border routers (ABRs). There must be a backbone area that all areas can connect to. You can use a virtual link to connect areas that do not have a physical connection to the backbone. Routers within an OSPF area maintain link state databases for their own areas.

You can use the config range subcommand to summarize routes at an area boundary. If the network numbers in an area are contiguous, the ABR advertises a summary route that includes all the networks within the area that are within the specified range. See

“config range Variables” on page 54.

You can configure a virtual link using the config virtual-link subcommand to connect an area to the backbone when the area has no direct connection to the backbone (see “config virtual-link Variables” on page 54). A virtual link allows traffic from the area to transit a directly connected area to reach the backbone. The transit area cannot be a stub area. Virtual links can only be set up between two ABRs.

Variable Description Default

edit <area_address_ipv4> Type the IP address of the area. An address of

default-cost <cost_integer>

0.0.0.0 indicates the backbone area. Enter the metric to use for the summary default

route in a stub area or not so stubby area (NSSA). A lower default cost indicates a more preferred route.

The valid range for cost_integer is 1 to

16777214.

No default.

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 53

http://docs.fortinet.com/ • Feedback

Dynamic routing for IPv6 traffic What’s new in FortiOS Version 4.0 MR1

Variable Description Default

stub-type {no-summary | summary}

type {regular | stub}

config range Variables

edit <range_id> Enter an ID number for the range. The number

advertise {enable | disable}

prefix6 <address_ipv6mask>

config virtual-link Variables

edit <vlink_name> Enter a name for the virtual link. No default.

dead-interval <seconds_integer>

hello-interval <seconds_integer>

peer <address_ipv4> The router id of the remote ABR.

retransmit-interval <seconds_integer>

transmit-delay <seconds_integer>

Enter no-summary to prevent an ABR sending summary LSAs into a stub area. Enter summary to allow an ABR to send summary LSAs into a stub area.

Set the area type:

• Select regular for a normal OSPF area.

• Select stub for a stub area.

must be an integer in the 0 to 4 294 967 295 range.

Enable or disable advertising the specified range.

Specify the range of addresses to summarize. ::/0

The time, in seconds, to wait for a hello packet before declaring a router down. The value of the dead-interval should be four times the value of the hello-interval.

Both ends of the virtual link must use the same value for dead-interval.

The valid range for seconds_integer is 1 to

65535. The time, in seconds, between hello packets.

Both ends of the virtual link must use the same value for hello-interval.

The valid range for seconds_integer is 1 to

65535.

0.0.0.0 is not allowed. The time, in seconds, to wait before sending a

LSA retransmission. The value for the retransmit interval must be greater than the expected round-trip delay for a packet. The valid range for seconds_integer is 1 to 65535.

The estimated time, in seconds, required to send a link state update packet on this virtual link.

OSPF increments the age of the LSAs in the update packet to account for transmission and propagation delays on the virtual link.

Increase the value for transmit-delay on low speed links.

The valid range for seconds_integer is 1 to

65535.

summary

regular

No default.

enable

0.0.0.0

FortiGate Version 4.0 MR1 Administration Guide

54 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

What’s new in FortiOS Version 4.0 MR1 Dynamic routing for IPv6 traffic

config ospf6-interface

Use this subcommand to change interface related OSPF settings.

Note: The interface keyword is required. All other keywords are optional.

Variable Description Default

edit <ospf_interface_name>

area-id <ip4_addr> Enter the area ID in A.B.C.D IPv4 format. 0.0.0.0 cost <cost_integer> Specify the cost (metric) of the link. The cost is used

dead-interval <seconds_integer>

hello-interval <seconds_integer>

interface <name_str> Enter the name of the interface to associate with this

priority <priority_integer>

retransmit-interval <seconds_integer>

status {enable | disable}

transmit-delay <seconds_integer>

Enter a descriptive name for this OSPF interface configuration. To apply this configuration to a FortiGate unit interface, set the interface

<name_str> attribute.

for shortest path first calculations. Range 1 to 65 535. Use 0 for auto-cost.

The time, in seconds, to wait for a hello packet before declaring a router down. The value of the dead-

interval should be four times the value of the hello-interval.

All routers on the network must use the same value for dead-interval.

The valid range for seconds_integer is 1 to 65535. The time, in seconds, between hello packets.

All routers on the network must use the same value for hello-interval.

The valid range for seconds_integer is 1 to 65535.

OSPF configuration. The interface might be a virtual IPSec or GRE interface.

Set the router priority for this interface. Router priority is used during the election of a

designated router (DR) and backup designated router (BDR).

An interface with router priority set to 0 can not be elected DR or BDR. The interface with the highest router priority wins the election. If there is a tie for router priority, router ID is used.

Point-to-point networks do not elect a DR or BDR; therefore, this setting has no effect on a point-to-point network.

The valid range for priority_integer is 0 to 255. The time, in seconds, to wait before sending a LSA

retransmission. The value for the retransmit interval must be greater than the expected round-trip delay for a packet. The valid range for seconds_integer is 1 to 65535.

Enable or disable OSPF on this interface. enable

The estimated time, in seconds, required to send a link state update packet on this interface.

OSPF increments the age of the LSAs in the update packet to account for transmission and propagation delays on the interface.

Increase the value for transmit-delay on low speed links.

The valid range for seconds_integer

is 1 to 65535.

No default.

Null

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 55

http://docs.fortinet.com/ • Feedback

Dynamic routing for IPv6 traffic What’s new in FortiOS Version 4.0 MR1

config redistribute

Use this subcommand to redistribute routes learned from BGP, RIP, static routes, or a direct connection to the destination network.

The OSPF redistribution table contains four static entries. You cannot add entries to the table. The entries are defined as follows:

• bgp—Redistribute routes learned from BGP.

• connected—Redistribute routes learned from a direct connection to the destination network.

• static—Redistribute the static routes defined in the FortiGate unit routing table.

• rip—Redistribute routes learned from RIP.

When you enter the subcommand, end the command with one of the four static entry names (that is, config redistribute {bgp | connected | rip | static}).

Note: All keywords are optional.

Variable Description Default

metric <metric_integer> Enter the metric to be used for the redistributed

routes. The metric_integer range is from 1 to

16777214.

metric-type {1 | 2} Specify the external link type to be used for the

redistributed routes.

routemap <name_str> Enter the name of the route map to use for the

redistributed routes.

status {enable | disable} Enable or disable redistributing routes. disable

Null.

router prefix-list6

Use this command to add, edit, or delete prefix lists for IPv6 traffic. A prefix list is an enhanced version of an access list that allows you to control the length of the prefix netmask.

Syntax

config router prefix-list6

edit <prefix_list_name>

end

set comments <string> config rule

edit <prefix_rule_id>

set action {deny | permit} set ge <length_integer> set le <length_integer> set prefix6 {<address_ipv6mask> | any}

end

Note: The action and prefix keywords are required. All other keywords are optional.

FortiGate Version 4.0 MR1 Administration Guide

56 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

What’s new in FortiOS Version 4.0 MR1 Dynamic routing for IPv6 traffic

Variable Description Default

edit <prefix_list_name> Enter a name for the prefix list. A prefix list and

config rule Variables

edit <prefix_rule_id> Enter an entry number for the rule. The number

action {deny | permit} Set the action to take for this prefix. permit comments <string> Enter a description of this access list entry. The

ge <length_integer> Match prefix lengths that are greater than or

le <length_integer> Match prefix lengths that are less than or equal

prefix6 {<address_ipv6mask> | any}

an access list cannot have the same name.

must be an integer.

description can be up to 127 characters long.

equal to this number. The setting for ge should be less than the setting for le. The setting for

ge should be greater than the netmask set for prefix. length_integer can be any

number from 0 to 128.

to this number. The setting for le should be greater than the setting for ge. length_integer can be any number from 0 to 128.

Enter the prefix (IP address and netmask) for this prefix list rule or enter any to match any prefix. The length of the netmask should be less than the setting for ge. If prefix is set to any, ge and le should not be set.

No default.

Null

::/0

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 57

http://docs.fortinet.com/ • Feedback

Dynamic routing for IPv6 traffic What’s new in FortiOS Version 4.0 MR1

router ripng

Use this command to configure the “next generation” Routing Information Protocol (RIPng) on the FortiGate unit. RIPng is a distance-vector routing protocol intended for small, relatively homogeneous, IPv6 networks. RIPng uses hop count as its routing metric. Each network is usually counted as one hop. The network diameter is limited to 15 hops.

Syntax

config router ripng

set default-information-originate {enable | disable} set default-metric <metric_integer> set garbage-timer <timer_integer> set passive-interface <name_str> set timeout-timer <timer_integer> set update-timer <timer_integer>

config aggregate-address

edit <entry-id>

set prefix6 <aggregate_prefix>

end

config distribute-list

edit <distribute_list_id>

set direction {in | out} set interface <name_str> set listname <listname_str> set status {enable | disable}

end

config interface

edit <interface_name>

set split-horizon {poisoned | regular} set split-horizon-status {enable | disable}

end

config neighbor

edit <neighbor_id>

set ip6 <address_ipv6>

end

config offset-list

edit <offset_list_id>

set access-list6 <name_str> set direction {in | out} set interface <name_str> set offset <metric_integer> set status {enable | disable}

end

config redistribute {connected | static | ospf | bgp}

set metric <metric_integer> set routemap <name_str> set status {enable | disable}

end

Note: All keywords are optional.

FortiGate Version 4.0 MR1 Administration Guide

58 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

What’s new in FortiOS Version 4.0 MR1 Dynamic routing for IPv6 traffic

Variable Description Default

default-information-originate {enable | disable}

default-metric <metric_integer>

garbage-timer <timer_integer> The time in seconds that must elapse after

passive-interface <name_str> Block RIPng broadcasts on the specified

timeout-timer <timer_integer> The time interval in seconds after which a

update-timer <timer_integer> The time interval in seconds between RIP

Enter enable to advertise a default static route into RIPng.

For non-default routes in the static routing table and directly connected networks the default metric is the metric that the FortiGate unit advertises to adjacent routers. This metric is added to the metrics of learned routes. The default metric can be a number from 1 to 16.

the timeout interval for a route expires, before RIPng deletes the route. If RIPng receives an update for the route after the timeout timer expires but before the garbage timer expires then the entry is switched back to reachable.

RIP timer defaults are effective in most configurations. All routers and access servers in the network should have the same RIP timer settings.

The update timer interval can not be larger than the garbage timer interval.

Range 5 to 2 147 483 647 seconds.

interface. You can use “config neighbor” on

page 61 and the passive interface

command to allow RIPng to send unicast updates to the specified neighbor while blocking broadcast updates on the specified interface.

route is declared unreachable. The route is removed from the routing table. RIP holds the route until the garbage timer expires and then deletes the route. If RIP receives an update for the route before the timeout timer expires, then the timeout-timer is restarted. If RIP receives an update for the route after the timeout timer expires but before the garbage timer expires then the entry is switched back to reachable. The value of the timeout timer should be at least three times the value of the update timer.

RIP timer defaults are effective in most configurations. All routers and access servers in the network should have the same RIP timer settings.

The update timer interval can not be larger than the timeout timer interval.

Range 5 to 2 147 483 647 seconds.

updates. RIP timer defaults are effective in most

configurations. All routers and access servers in the network should have the same RIP timer settings.

The update timer interval can not be larger than timeout or garbage timer intervals.

Range 5 to 2 147 483 647 seconds.

disable

120

No default.

180

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 59

http://docs.fortinet.com/ • Feedback

Dynamic routing for IPv6 traffic What’s new in FortiOS Version 4.0 MR1

config aggregate-address

Use this subcommand to configure aggregate address prefixes.

Variable Description Default

edit <entry-id> Enter an entry number for the aggregate address list.

prefix6 <aggregate_prefix>

Enter the prefix for the aggregate address. ::/0

config distribute-list

Use this subcommand to filter incoming or outgoing updates using an access list or a prefix list. If you do not specify an interface, the filter will be applied to all interfaces. You must configure the access list or prefix list that you want the distribution list to use before you configure the distribution list. For more information on configuring access lists and prefix lists, see “router access-list6” on page 51 and “router prefix-list6” on page 56.

Note: The direction and listname keywords are required. All other keywords are optional.

Variable Description Default

edit <distribute_list_id>

direction {in | out} Set the direction for the filter. Enter in to filter incoming

interface <name_str> Enter the name of the interface to apply this distribution

listname <listname_str>

status {enable | disable}

Enter an entry number for the distribution list. The number must be an integer.

packets. Enter out to filter outgoing packets.

list to. If you do not specify an interface, this distribution list will be used for all interfaces.

Enter the name of the access list or prefix list to use for this distribution list.

Enable or disable this distribution list. disable

No default.

out

Null.

config interface

Use this subcommand to configure and enable split horizon. A split horizon occurs when a router advertises a route it learns over the same interface it

learned it on. In this case the router that gave the learned route to the last router now has two entries to get to another location. However, if the primary route fails that router tries the second route to find itself as part of the route and an infinite loop is created. A poisoned split horizon will still advertise the route on the interface it received it on, but it will mark the route as unreachable. Any unreachable routes are automatically removed from the routing table. This is also called split horizon with poison reverse.

Note: All keywords are optional.

FortiGate Version 4.0 MR1 Administration Guide

60 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

What’s new in FortiOS Version 4.0 MR1 Dynamic routing for IPv6 traffic

Variable Description Default

edit <interface_name> Type the name of the FortiGate unit interface that is

split-horizon {poisoned | regular}

split-horizon-status {enable | disable}

linked to the RIP network. The interface might be a virtual IPSec or GRE interface.

Configure RIP to use either regular or poisoned split horizon on this interface.

Select regular to prevent RIP from sending updates for a route back out on the interface from which it received that route.

Select poisoned to send updates with routes learned on an interface back out the same interface but mark those routes as unreachable.

Enable or disable split horizon for this interface. Split horizon is enabled by default.

Disable split horizon only if there is no possibility of creating a counting to infinity loop when network topology changes.

No default.

poisoned

enable

config neighbor

Use this subcommand to enable RIPng to send unicast routing updates to the router at the specified address. You can use the neighbor subcommand and “passive-interface

<name_str>” on page 59 to allow RIPng to send unicast updates to the specified neighbor

while blocking broadcast updates on the specified interface. You can configure multiple neighbors.

Note: All keywords are required.

Variable Description Default

edit <neighbor_id> Enter an entry number for the RIPng neighbor. The

number must be an integer.

interface <name> The interface that connects to the neighbor. No default. ip6 <address_ipv6> Enter the IP address of the neighboring router to which

to send unicast updates.

config offset-list

Use this subcommand to add the specified offset to the metric (hop count) of a route from the offset list.

Note: The access-list6, direction, and offset keywords are required. All other keywords are optional.

Variable Description Default

edit <offset_list_id> Enter an entry number for the offset list. The

number must be an integer.

access-list6 <name_str> Enter the name of the access list to use for this

offset list. The access list is used to determine which routes to add the metric to.

direction {in | out} Enter in to apply the offset to the metrics of

incoming routes. Enter out to apply the offset to the metrics of outgoing routes.

interface <name_str> Enter the name of the interface to match for this

offset list.

No default.

Null.

out

Null.

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 61

http://docs.fortinet.com/ • Feedback

Dynamic routing for IPv6 traffic What’s new in FortiOS Version 4.0 MR1

Variable Description Default

offset <metric_integer> Enter the offset number to add to the metric. The

metric is the hop count. The metric_integer range is from 1 to 16, with 16 being unreachable.

status {enable | disable} Enable or disable this offset list. disable

config redistribute

Use this subcommand to redistribute routes learned from OSPF, BGP, static routes, or a direct connection to the destination network.

The RIPng redistribution table contains four static entries. You cannot add entries to the table. The entries are defined as follows:

• bgp — Redistribute routes learned from BGP.

• connected — Redistribute routes learned from a direct connection to the destination network.

• ospf — Redistribute routes learned from OSPF.

• static — Redistribute the static routes defined in the FortiGate unit routing table.

When you enter the subcommand, end the command with one of the four static entry names (that is, config redistribute {bgp | connected | ospf | static}).

Note: All keywords are optional.

Variable Description Default

metric <metric_integer> Enter the metric value to be used for the

redistributed routes. The metric_integer range is from 0 to 16.

routemap <name_str> Enter the name of the route map to use for the

redistributed routes.

status {enable | disable} Enable or disable redistributing routes. disable

get router info6 {bgp | ospf | protocols | rip}

Use these commands to display information about the IPv6 dynamic routing protocols. The get router info6 protocols command returns information about all of the protocols.

Syntax

get router info6 bgp get router info6 ospf get router info6 protocols get router info6 rip

Null.

FortiGate Version 4.0 MR1 Administration Guide

62 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

What’s new in FortiOS Version 4.0 MR1 IPv6 DNS

IPv6 DNS

In FortiOS Version 4.0 MR1, you can configure DNS server addresses for IPv6 traffic. This is available only in the CLI. There are new keywords for the config system dns command, as follows:

Syntax

config system dns

set ip6-primary <ipv6_addr> set ip6-secondary <ipv6_addr>

end

Variable Description Default

ip6-primary <ipv6_addr>

ip6-secondary <ipv6_addr>

These new keywords also apply to the new config system vdom-dns command. See

“Per-VDOM DNS configuration” on page 74.

Enter the IP address of the primary DNS server for IPv6 traffic.

Enter the IP address of the secondary DNS server for IPv6 traffic.

No default.

Example

config system dns

set ip6-primary 2002::1 set ip6-secondary 2002::2

end

IPv6 transparent mode

FortiOS 4.0 MR1 supports IPv6 traffic in Transparent mode.

IPv6 administrative access

You can configure remote administration over an IPv6 network. This is possible because of changes to network interface and administrator configurations. To see IPv6 options in the we-based manager, you must enable IPv6 Support on GUI in System > Admin >

Settings.

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 63

http://docs.fortinet.com/ • Feedback

IPv6 administrative access What’s new in FortiOS Version 4.0 MR1

Network interface changes for IPv6

In the web-based manager, the network interface configuration (go to System > Network > Interface) provides new fields for the IPv6 address and IPv6 Administrative Access.

Figure 3: Interface configuration with IPv6 Administrative Access options

By default, no administrative access is enabled for IPv6. In previous FortiOS releases, only ping access was available for IPv6.

In the CLI, the config system interface command has new options for the ip6-allowaccess keyword in the config ipv6 subcommand, as follows:

Syntax

config system interface

edit <interface_name>

config ipv6

set ip6-allowaccess <access_types>

end

Variable Description Default

ip6-allowaccess <access_types>

Enter the types of management access permitted on this IPv6 interface.

Valid types are: http https ping snmp ssh telnet. Separate each type with a space.

To add or remove an option from the list, retype the complete list as required.

Null.

FortiGate Version 4.0 MR1 Administration Guide

64 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

What’s new in FortiOS Version 4.0 MR1 IPv6 administrative access

Administrator settings

You can configure trusted host settings for administrators who connect over an IPv6 network. The Administrator settings (go to System > Admin > Administrators) provides new fields for the IPv6 trusted host IP addresses.

Figure 4: IPv6 trusted host settings

The equivalent settings in the CLI are as follows:

Syntax

config system admin

edit "admin"

set ip6-trusthost1 2002::2/64 set ip6-trusthost2 ::/0 set ip6-trusthost3 ::/0

end

Variable Description Default

ip6-trusthost1 <ip6addr> ip6-trusthost2 <ip6addr> ip6-trusthost3 <ip6addr>

Enter up to three trusted IPv6 address from which administrative access is permitted.

Example

config system admin

edit "admin"

set ip6-trusthost1 2002::2/64 set ip6-trusthost2 ::/0 set ip6-trusthost3 ::/0

end

No default.

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 65

http://docs.fortinet.com/ • Feedback

UTM features support IPv6 traffic What’s new in FortiOS Version 4.0 MR1

UTM features support IPv6 traffic

FortiOS Version 4.0 MR1 can perform antivirus scanning on IPv6 traffic. As with IPv4 traffic, in the firewall policy you select a protection profile that includes AV scanning.

URL Filtering using FortiGuard ratings, local ratings or local categories is supported for IPv6 traffic. Rating by IP address is not supported.

Note: IPS for IPv6 traffic is supported using DoS policy in both Transparent and NAT/Route mode (same as 4.0).

HTTP basic authentication in firewall policies

HTTP basic authentication uses an authentication dialog box that is built into the browser instead of an HTML form. This type of authentication is useful for mobile devices that cannot work with HTML forms.

You can enable HTTP basic authentication at the VDOM level using a new option in the user settings.

config user setting

set auth-http-basic {disable | enable}

end

VDOM dashboard

In previous versions of FortiOS, only administrators with the super_admin profile could view the dashboard. In FortiOS Version 4.0 MR1, VDOM administrators see their own VDOM-specific dashboard when they log in or go to System > Status. The super_admin can view only the global dashboard.

Figure 5: VDOM dashboard

FortiGate Version 4.0 MR1 Administration Guide

66 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

What’s new in FortiOS Version 4.0 MR1 IPsec protocol improvements

All dashboard widgets are available for use in the VDOM dashboard except for License Information, Alert Message Console, Top Viruses, and Top Attacks. The available widgets differ from their global equivalents as follows:

Table 3: Differences between global and VDOM dashboard widgets

Widget Differences with global widget

System information Cannot enable/disable Virtual Domains.

No listing of current administrators.

CLI Console User is logged into the current VDOM and cannot access global

Unit Operation Unit reboot and shutdown are not available.

Top Sessions Shows only sessions for this VDOM. Traffic History Can select only interfaces or VLANs belonging to this VDOM.

configurations.

Cannot configure management service or FortiAnalyzer unit. No information about network ports.

IPsec protocol improvements

FortiOS 4.0 MR1 will support IKEv2. Previous versions of FortiOS supported only IKEv1.

Support for IKE v2

FortiOS 4.0 MR1 supports IKEv2 (RFC 4306) for route-based VPNs only. Most IKEv1 configurations also work using IKEv2, except that:

• Extensible Authentication Protocol (XAUTH) is not available.

• Except for dialup server configurations, “selector narrowing” is not supported.

• IKEv2 has no equivalent of aggressive mode. It cannot match the gateway by ID.

Also, FortiGate HA does not provide stateful failover for IKEv2. VPNs must reconnect. In the web-based manager, the IKE Version selection is visible in Phase 1 advanced

settings when Enable IPsec Interface Mode is enabled. In the CLI, you select the IKE version as follows:

config vpn ipsec phase1-interface

edit <gateway_name>

set ike-version {1 | 2}

end

The ike-version keyword is not available if mode is aggressive. When ike-version is 2, the mode, mode-cfg, and xauthtype keywords are not available.

Support for DH-2048 (Group 14)

In Phase 1 and Phase 2 auto-key IPsec VPN configurations, Diffie-Hellman Group 14 is available. This provides a key strength of 2048 bits. In previous releases of FortiOS, group 14 was available only in FIPS-CC mode.

In the web-based manager, you go to VPN > IPsec > Auto Key to create Phase 1 or Phase 2 configurations. For both Phase 1 and Phase 2, the Diffie-Hellman groups selection is part of the Advanced settings.

In the CLI, the dhgrp keyword now accepts the value 14 when you edit a VPN configuration in any of the following commands:

config vpn ipsec phase1 config vpn ipsec phase1-interface

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 67

http://docs.fortinet.com/ • Feedback

IPsec protocol improvements What’s new in FortiOS Version 4.0 MR1

config vpn ipsec phase2 config vpn ipsec phase2-interface

Support for SHA256

In FortiOS 4.0 MR1, you can use the SHA256 authentication digest, which is more secure than the SHA1 and MD5 algorithms. The SHA256 option is available in the web-based manager locations:

• P1 Proposal, Authentication in VPN > IPsec > Auto Key (IKE) > Create Phase 1

• P2 Proposal, Authentication in VPN > IPsec > Auto Key (IKE) > Create Phase 2

• Authentication Algorithm, in VPN > IPsec > Manual Key > Create New

The equivalent settings in the CLI are:

• config vpn ipsec phase1 or config vpn ipsec phase1-interface

edit <gateway_name>

set proposal <encryption_combination>

You can set the authentication portion of <encryption_combination> to SHA256, for example 3des-sha256.

• config vpn ipsec phase2 or config vpn ipsec phase2-interface

edit <tunnel_name>

set proposal <encryption_combination>

You can set the authentication portion of <encryption_combination> to SHA256, for example 3des-sha256.

• config vpn ipsec manualkey

edit <tunnel_name>

set authentication <authentication_algorithm>

You can set <authentication_algorithm> to sha256.

• config vpn ipsec manualkey-interface

edit <tunnel_name>

set auth-alg <authentication_algorithm>

You can set <authentication_algorithm> to sha256.

FortiGate Version 4.0 MR1 Administration Guide

68 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

What’s new in FortiOS Version 4.0 MR1 Auto-configuration of IPsec VPNs

Auto-configuration of IPsec VPNs

FortiOS Version 4.0 MR1 supports automatic configuration of IPsec VPNs using the proposed IKE Configuration Method described in draft-dukes-ike-mode-cfg-02. Several network equipment vendors support IKE Configuration Method, which is an alternative to DHCP over IPSec.

Dialup VPN clients connect to a FortiGate unit that acts as a VPN server, providing the client the necessary configuration information to establish a VPN tunnel. The configuration information typically includes a virtual IP address, netmask, and DNS server address.

IKE Configuration Method is available only for VPNs that are interface-based, also known as route-based. A FortiGate unit can function as either an IKE Configuration Method server or client.

IPsec Phase 1 CLI configuration for IKE Configuration Method

The mode-cfg keyword enables IKE Configuration Method. The type keyword, although unchanged from previous releases, determines whether you are creating a server or a client. Setting type to dynamic creates a server configuration, otherwise the configuration is a client.

The following syntax lists only the keywords that pertain to IKE Configuration Method. All of these keywords can be used to configure a server. Required keywords are interface,

proposal, either ip4-start-ip, ip4-end-ip and ipv4-netmask or ip6-start-ip, ip6-end-ip and ip6-prefix, depending on the value of mode-cfg-ip-version.

To configure a client, the required keywords are interface, remote-gw, and proposal.

Syntax

config vpn ipsec phase1-interface

edit <gateway_name>

set add-route {enable | disable} set assign-ip {enable | disable} set assign-ip-from {range | usrgrp} set assign-ip-type {ip | subnet} set banner <string> set domain <string> set mode-cfg {enable | disable} set mode-cfg-ip-version {4|6} set ipv4-dns-server1 set ipv4-dns-server2 set ipv4-dns-server3 set ipv6-dns-server1 set ipv6-dns-server2 set ipv6-dns-server3 set ipv4-end-ip <ip4addr> set ipv6-end-ip <ip6addr> set ipv4-netmask <ip4mask> set ipv4-start-ip <ip4addr> set ipv6-start-ip <ip6addr> set ipv6-prefix <ip6prefix> set ipv4-wins-server1 set ipv4-wins-server2

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 69

http://docs.fortinet.com/ • Feedback

Auto-configuration of IPsec VPNs What’s new in FortiOS Version 4.0 MR1

set unity-support {enable | disable} config ipv4-exclude-range

edit <entry_id>

set start-ip <ipaddr> set end-ip <ipaddr>

end

config ipv6-exclude-range

edit <entry_id>

set start-ip <ipaddr> set end-ip <ipaddr>

end

Variable Description Default

add-route {enable | disable}

assign-ip {enable | disable}

assign-ip-from {range | usrgrp}

assign-ip-type {ip | subnet}

banner <string> Specify a message to send to IKE Configuration

domain <string> Specify a domain name to send to IKE Configuration

mode-cfg {enable | disable}

mode-cfg-ip-version {4|6}

Enable to add a route to the client’s peer destination selector. Disable if you use dynamic routing over the tunnel.

For a client, enable to request an IP address from the server. For a server, enable to assign an IP address to a dialup client. This is available if mode-cfg (IKE Configuration Method) is enabled.

Select source of IP address assigned to an IKE Configuration Method client.

range — Assign an IP address from the range defined in ipv4-start-ip and ipv4-end-ip (ipv6-start-ip and ipv4-end-ip for IPv6 clients).

usrgrp — Assign the address defined in the RADIUS Framed-IP-Address for the user. This is available when the VPN is configured to authenticate clients with XAuth. xauthtype must be auto, pap, or chap.

This is available if mode-cfg (IKE Configuration Method) is enabled.

Select the type of IP address assigned to an IKE Configuration Method client:

ip — assign a single IP address to the client, as configured in assign-ip-from.

subnet — assign an IP address to each end of the VPN tunnel, as configured in assign-ip-from. This type of IP address assignment facilitates the use of dynamic routing through the tunnel.

This is available if mode-cfg (IKE Configuration Method) is enabled.

Method clients. Some clients display this message to users. This is available if mode-cfg (IKE Configuration Method) is enabled.

Method clients. This is available if mode-cfg (IKE Configuration Method) is enabled.

Enable IKE Configuration Method so that compatible clients can configure themselves with settings that the FortiGate unit provides. This is available if type is dynamic.

Select whether an IKE Configuration Method client receives an IPv4 or IPv6 IP address. This is available if mode-cfg and assign-ip are enabled.

enable

range

Null

disable

FortiGate Version 4.0 MR1 Administration Guide

70 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

What’s new in FortiOS Version 4.0 MR1 Auto-configuration of IPsec VPNs

Variable Description Default

ipv4-dns-server1 ipv6-dns-server1 ipv4-dns-server2 ipv6-dns-server2 ipv4-dns-server3 ipv6-dns-server3

ipv4-end-ip <ip4addr> ipv6-end-ip <ip6addr>

ipv4-netmask <ip4mask>

ipv4-split-include <address_name>

ipv4-start-ip <ip4addr> ipv6-start-ip <ip6addr>

ipv4-wins-server1 ipv4-wins-server2

ipv6-prefix <ip6prefix>

unity-support {enable | disable}

config ipv4-exclude-range and start-ip <ipaddr> Enter the start of the exclude range. No default. end-ip <ipaddr> Enter the end of the exclude range. No default.

Enter DNS server addresses to provide to IKE Configuration Method clients. If the value is

0.0.0.0, no DNS server address is provided. Either the IPv4 or IPv6 version of these keywords is

available, depending on mode-cfg-ip-version.

Set end of IP address range to assign to IKE Configuration Method clients. This is available when

mode-cfg is enabled, type is dynamic, and assign-ip-from is range.

Either the IPv4 or IPv6 version of this keyword is available, depending on mode-cfg-ip-version.

Set the netmask value to pass to IKE Configuration Method clients.

Select the address or address group that the client can reach through the VPN. This information is sent to the client as part of IKE Configuration Method.

Set start of IP address range to assign to IKE Configuration Method clients. This is available when

mode-cfg is enabled, type is dynamic, and assign-ip-from is range.

Either the IPv4 or IPv6 version of this keyword is available, depending on mode-cfg-ip-version.

Enter WINS server addresses to provide to IKE Configuration Method clients. If the value is

0.0.0.0, no WINS server address is provided. Specify the size, in bits, of the network portion of the

subnet address for IPv6 IKE Configuration Method clients. Range is 0 to 128.

This is available when mode-cfg-ip-version is 6 and assign-ip-type is subnet.

Enable support for Cisco Unity IKE Configuration Method extensions in either a server or a client.

config ipv6-exclude-range Variables

0.0.0.0 ::

No default.

Null.

No default.

0.0.0.0

enable

IPsec Phase 2 configuration for IKE Configuration Method

There are several changes to the phase2-interface configuration when IKE Configuration Method is configured in the corresponding phase1-interface configuration.

The dhcp-ipsec keyword is not available if the corresponding phase1-interface has mode-cfg enabled. IKE Configuration Method is an alternative to DHCP over IPsec.

The keywords beginning with “src-” and “dst-” are not available if the corresponding phase1-interface configuration has mode-cfg enabled and type is set to static or ddns. This is the configuration for an IKE Configuration Method client, which receives information about destination subnets from the server and thus must not specify any traffic selectors itself.

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 71

http://docs.fortinet.com/ • Feedback

Integral basic DNS server What’s new in FortiOS Version 4.0 MR1

Integral basic DNS server

FortiOS Version 4.0 MR1 provides DNS service that you can make available on your networks. It can resolve local domain names and optionally recurse to the DNS server configured for the FortiGate unit.

Creating local DNS entries

In the web-based manager, go to System > Network > DNS Database to configure local DNS entries. This is a per-VDOM configuration.

You must first create the DNS zone. Select Create New and enter the following information:

DNS Zone Enter the DNS zone name. Domain Name Enter the DNS domain name TTL (seconds) Range 0 to 2 147 483 647.

Add DNS entries to zones as follows:

1 Go to System > Network > DNS Database. 2 Select the Edit icon for an existing DNS zone. 3 Select Create New. 4 In the New DNS Entry dialog box, enter the following information and select OK.

Type Select the type of entry:

Address (A), IPv6 Address (AAAA), Name Server (NS), Canonical Name (CNAME), or Mail Exchange (Mx).

Hostname Enter the host name. IP Address Enter the host’s IP address (IPv4).

Available if Type is Address (A).

IPv6 Address Enter the host’s IP address (IPv6).

Available if Type is IPv6 Address (AAAA).

Canonical Name Enter the host’s fully qualified domain name.

Available if Type is Canonical Name (CNAME).

Preference Enter the MX preference value. Range 0 to 65 535.

Available if Type is Mail Exchange (Mx).

TTL (seconds) Enter the TTL value. Enter 0 to use the Zone TTL value.

To add local DNS entries using the CLI, use the following new command.

Syntax

conf system dns-database

edit <zone-string>

set domain <domain> set ttl <int>

config dns-entry

edit <entry-id>

set canonical-name <canonical_name_string> set hostname <hostname_string> set ip <ip_address> set ipv6 <ipv6_address>

FortiGate Version 4.0 MR1 Administration Guide

72 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

What’s new in FortiOS Version 4.0 MR1 Integral basic DNS server

set preference <preference_value> set status {enable | disable} set ttl <entry_ttl_value> set type {A|AAAA|MX|NS|CNAME}

end

Variable Description Default

edit <zone-string> Enter the DNS zone name. This is significant

set domain <domain> Set the domain name here -- when matching

set ttl <int> Set the packet time-to-live in seconds. Range

config dns-entry Variables

edit <entry-id>

canonical-name <canonical_name_string>

hostname <hostname_string>

ip <ip_address> Enter the IP address (IPv4) of the host. This is

ipv6 <ipv6_address> Enter the IP address (IPv6) of the host. This is

preference <preference_value>

status {enable | disable}

ttl <entry_ttl_value> Optionally, override the zone time-to-live value.

type {A|AAAA|MX|NS|CNAME}

only on the FortiGate unit itself.

lookup, use this zone name to match DNS queries

0 to 2 147 483 647.

Enter the canonical name of the host. This is available if type is CNAME.

Enter the name of the host. Null

available if type is A.

available if type is AAAA. Enter the preference level. 0 is the highest

preference. This is available if type is MX.

Enable the DNS entry. enable

Range 0 to 2 147 483 647 seconds.

Set to 0 to use zone ttl value. A — IPv4 host

AAAA — IPv6 host CNAME — alias MX — mail server NS — name server

No default.

86400

Null

0.0.0.0

Enabling DNS on an interface

In earlier versions of FortiOS, relay of DNS queries could be configured on models numbered 100 or lower for the Internal or DMZ interfaces. In FortiOS Version 4.0 MR1, DNS relay can be configured on any FortiGate model for any network interface.

In the web-based manager, configure DNS relay as follows.

1 Go to System > Network > Interface. 2 Select the Edit icon for the interface that you want to configure. 3 Select DNS Query and then choose one of the following options:

•

recursive — Look up domain name in local database. If the entry is not found, relay

the request to the DNS server configured for the FortiGate unit.

•

non-recursive — Look up domain name in local database. Do not relay the request

to the DNS server configured for the FortiGate unit.

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 73

http://docs.fortinet.com/ • Feedback

Per-VDOM DNS configuration What’s new in FortiOS Version 4.0 MR1

4 Select Apply or OK. To configure DNS relay using the CLI, use the new dns-query keyword in the network

interface configuration, as follows.

conf system interface

edit <interface_name>

set dns-query {recursive | non-recursive | disable}

end

Variable Description Default

edit <interface_name> Enter the name of the interface to configure. No default.

dns-query {recursive | non-recursive | disable}

disable — Disable DNS. non-recursive — Look up domain name

in local database. Do not relay the request to the DNS server configured for the FortiGate unit.

recursive — Look up domain name in local database. If the entry is not found, relay the request to the DNS server configured for the FortiGate unit.

disable

On models 100 and lower, the Internal interface defaults to recursive.

Per-VDOM DNS configuration

In FortiOS 4.0 MR1, you can optionally define separate DNS servers for each nonmanagement VDOM. The management VDOM always uses the global DNS servers.

You configure the global DNS servers using the CLI command config system dns. The VDOM-level configuration is similar:

config vdom

edit <vdom_name>

config system vdom-dns

set vdom-dns {enable | disable} set primary <dns_ipv4> set secondary <dns_ip4> set ip6-primary <dns_ip6> set ip6-secondary <dns_ip6>

end

Variable Description Default

vdom-dns {enable | disable}

primary <dns_ipv4> Enter the primary IPv4 DNS server IP address. 0.0.0.0 secondary <dns_ip4> Enter the secondary IPv4 DNS IP server address. 0.0.0.0

ip6-primary <dns_ip6>

ip6-secondary <dns_ip6>

Enable to define DNS servers for this VDOM. Disable to use global DNS servers.

Enter the primary IPv6 DNS server IP address. :: Enter the secondary IPv6 DNS IP server address. ::

disable

FortiGate Version 4.0 MR1 Administration Guide

74 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

What’s new in FortiOS Version 4.0 MR1 Password policy

Password policy

Optionally, you can set a password policy to require more secure passwords than the FortiGate defaults. The password policy can apply to administrators or IPsec VPN preshared keys. You can

• require the use of special characters in the password

• require periodic password changes

• set a minimum amount of change in the new password (available in CLI only)

To set a password policy - web-based manger 1 Go to System > Admin > Settings. 2 In the Password Policy section, configure the following:

Enable Select to enable the password policy. Minimum Length Set the minimum acceptable length for passwords. Must contain Select any of the following special character types to require in a

Apply Password Policy to

Admin Password Expires after n days

password. Each selected type must occur at least once in the password.

Upper Case Letters — A, B, C, ... Z Lower Case Letters — a, b, c, ... z Numerical digits — 0, 1, 2, 3, 4, 5, 6, 7 8, 9 Non-alphanumeric letters — punctuation marks, @,#, %, etc.

Select where to apply the password policy: Admin Password — Apply to administrator passwords. If any

password does not conform to the policy, require that administrator to change the password at the next login.

IPSEC Preshared Key — Apply to preshared keys for IPSec VPNs. The policy applies only to new preshared keys. You are not required to change existing preshared keys.

Require administrators to change password after a specified number of days. Specify 0 if you do not want to require periodic password changes.

3 Configure other administration settings as needed. 4 Select Apply.

To set a password policy - CLI

config system password-policy

set status {enable | disable} set apply-to [admin-password ipsec-preshared-key] set change-4-characters {enable | disable} set expire <days> set minimum-length <chars>

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 75

http://docs.fortinet.com/ • Feedback

Use LDAP groups in firewall and SSL-VPN authentication What’s new in FortiOS Version 4.0 MR1

set must-contain [lower-case-letter upper-case-letter

non-alphanumeric number]

end

Variable Description Default

apply-to [admin-password ipsec-preshared-key]

change-4-characters {enable | disable}

expire <days> Set time to expiry in days. Enter 0 for no

minimum-length <chars> Set the minimum length of password in

must-contain [lower-case-letter upper-case-letter non-alphanumeric number]

status {enable | disable} Enable password policy. disable

Select where the policy applies: administrator passwords or IPSec preshared keys.

Enable to require the new password to differ from the old password by at least four characters.

expiry.

characters. Range 8 to 32. Specify character types that must occur

at least once in the password.

admin-password

disable

Null

config system admin

edit <name_str>

set force-password-change {enable | disable} set password-expire YYYY-MM-DD HH:MM:SS

end

Variable Description Default

edit <name_str> Enter the name of the administrator that you

force-password-change {enable | disable}

password-expire YYYY-MM-DD HH:MM:SS

want to configure. Enable to require this administrator to change

password at next login. Disabling this option does not prevent required password change due to password policy violation or expiry.

Enter the date and time that this administrator’s password expires. Enter zero values for no expiry.

Use LDAP groups in firewall and SSL-VPN authentication

Membership in specific user groups on an LDAP server can be part of the authentication requirements for firewall or SSL VPN users. This enables you to use the group memberships on a Windows AD system to control user access to resources on the FortiGate unit.

In the CLI, when you define a FortiGate user group, you can specify the required LDAP server user group memberships using the new ldap-memberof keyword.

config user group

edit <FGTgroupname>

set group-type {sslvpn | firewall } set member <user1> [<user2>] [<usern>...] set ldap-memberof <LDAPgroupstring>

end

No default.

disable

0000-00-00 00:00:00

FortiGate Version 4.0 MR1 Administration Guide

76 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

What’s new in FortiOS Version 4.0 MR1 Traffic shaping enhancements

<LDAPgroupstring> is an LDAP Distinguished Name (DN) specifying the group, for example CN=group1,CN=Users,DC=test,DC=com. You can specify multiple groups by separating the group DNs with a semicolon (;).

When the FortiGate unit authenticates an LDAP user in the FortiGate user group, the user’s group memberships on the LDAP server must match at least one of the groups listed in the ldap-memberof keyword value.

Traffic shaping enhancements

FortiOS Version 4.0 MR1 introduces accounting, traffic quotas, and per-IP traffic shaping. The existing traffic shaper is now called a shared traffic shaper.

Shared traffic shaping

The traffic shaper is renamed to Shared Traffic Shaper. Go to Firewall > Traffic Shaper > Shared. Traffic shaping options are unchanged from the previous version, but accounting

and traffic quota options have been added. See “Accounting and quota enforcement”, below.

Per-IP traffic shaping

In FortiOS 4.0 MR1, you can configure traffic shaping that is applied per IP address, instead of per policy or per shaper. As with the shared traffic shaper, you select the per-IP traffic shaper in firewall policies.

To configure a per-IP traffic shaper - web-based manager 1 Go to Firewall > Traffic Shaper > Per-IP. 2 Enter the following information and then select OK.

Figure 6: Configuring a per-IP traffic shaper

Name Enter a name for the traffic shaper. Maximum Bandwidth Select the check box and enter the maximum allowed bandwidth in

Quotas and Accounting See “Accounting and quota enforcement”, below.

IP List

IP/Range An IP address or range of addresses that this shaper controls.

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 77

http://docs.fortinet.com/ • Feedback

Kbps. This limit applies to each IP address. Range 1 to 2 097 000. Enter 0 to disable bandwidth limit.

Traffic shaping enhancements What’s new in FortiOS Version 4.0 MR1

Delete icon Delete the IP address/range entry. Add Add an entry to the table.

To configure a per-IP traffic shaper - CLI

config firewall shaper per-ip-shaper

edit <shaper_name>

set bps <bandwidth> config iplist

edit <entry_id>

set start <ip4> set end <ip4>

end

Variable Description Default

bps <bandwidth> Enter the maximum allowed bandwidth in Kbps. This limit

start <ip4> end <ip4>

applies to each IP address. Set to 0 to disable bandwidth limit.

Enter the starting and ending IP addresses for an address range that this shaper controls. To enter a single IP address, enter the address as both start and end.

No default.

The accounting and quota options are described in the following section.

Accounting and quota enforcement

Both the shared and per-IP traffic shapers provide traffic accounting with enforceable quotas.

To configure traffic quotas and accounting - web-based manager 1 Go to Firewall > Traffic Shaper > Shared or Firewall > Traffic Shaper > Per-IP. 2 Select Create New or select the Edit icon for an existing traffic shaper. 3 In the Quotas and Accounting section, enter the following information:

Figure 7: Traffic shaper quotas and accounting configuration

None Select to disable accounting and quotas. Enforce Traffic Quota n MB per Select to enforce a traffic quota. Enter the maximum

Generate Accounting Log every Enable to log the volume of traffic through the traffic

amount of data in Mbytes and select the time period: Hour, Day, Week, or Month. Traffic beyond the quota is blocked.

shaper. Select the log period: Hour, Day, Week, or Month.

4 Configure other traffic shaping options as needed. 5 Select OK.

FortiGate Version 4.0 MR1 Administration Guide

78 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

What’s new in FortiOS Version 4.0 MR1 Logging enhancements

To configure traffic quotas and accounting - CLI

In FortiOS 4.0 MR1, the config firewall traffic-shaper command is replaced by config firewall shaper traffic-shaper and config firewall shaper per-ip-shaper. The quota configuration for both is:

edit <shaper_name>

set action {none | log | block} set quota <Mbytes> set type {hour | day | week | month}

end

Variable Description Default

action {none | log | block} Select the traffic shaper action for quotas:

none — do nothing log — generate a traffic accounting log for

each time period selected in type block — block traffic and log the event

quota <Mbytes> Enter the quota in Mbytes. This is available

type {hour | day | week | month}

when action is block. Select the time period for quota and logging. hour

Logging enhancements

Due to the new per-VDOM FortiAnalyzer unit feature, there are some changes to logging configuration in general:

Web-based manager changes

• On the Log Setting page, the logging device radio buttons are now check boxes. You can enable multiple logging devices.

• Automatic FortiAnalyzer discovery is now available only in the CLI.

• For local logs, the new SQL log storage format is the default for all log types except content archiving and traffic logs. This is the only format from which you can generate reports. Content archiving is not available in SQL format. You can enable SQL format logging for traffic logs, but this can cause some loss of logs because SQL format writing is slower than the compressed format.

CLI changes

In the CLI, the global FortiAnalyzer configuration has moved from system fortianalyzer to log fortianalyzer setting. The keywords within the command are unchanged.

Support for per-VDOM FortiAnalyzer units or syslog devices

FortiOS Version 4.0 MR1 supports the use of multiple FortiAnalyzer units or syslog devices that are configurable per-VDOM. By default, VDOMs use the global remote logging and quarantine configuration. Currently, per-VDOM remote logging configuration is available only in the CLI.

If you want to use a different FortiAnalyzer or syslog configuration for your VDOM, you must override the global configuration using the following commands:

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 79

http://docs.fortinet.com/ • Feedback

Logging enhancements What’s new in FortiOS Version 4.0 MR1

log fortianalyzer override-filter

Use this command to override the global configuration created with the config log fortianalyzer filter command. The filter determines which types of log messages

are sent to the FortiAnalyzer unit.

Syntax

config log fortianalyzer override-filter

set override {enable | disable} set ... set ...

end

When you set override to enable, you can configure log filter settings for your VDOM using the same keywords as in the global log fortianalyzer filter command.

log syslogd override-filter

Use this command to override the global configuration created with the config log syslogd filter command. The filter determines which types of log messages are sent

to the syslog device.

Syntax

config log syslogd override-filter

set override {enable | disable} set ... set ...

end

When you set override to enable, you can configure log filter settings for your VDOM using the same keywords as in the global log syslogd filter command.

log fortianalyzer override-setting

Use this command to override the global configuration created with the config log fortianalyzer setting command. These settings configure the connection to the

FortiAnalyzer unit.

Syntax

config log fortianalyzer override-setting

set override {enable | disable}

end

When you set override to enable, you can configure FortiAnalyzer settings for your VDOM using the same keywords as in the global log fortianalyzer setting command. Your override settings can use the same FortiAnalyzer unit as another VDOM, but cannot use the FortiAnalyzer unit that is configured as a the global remote logging device.

log syslogd override-setting

Use this command to override the global configuration created with the config log syslogd setting command. These settings configure the connection to the syslog

device.

Syntax

config log syslogd override-setting

FortiGate Version 4.0 MR1 Administration Guide

80 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

What’s new in FortiOS Version 4.0 MR1 Logging enhancements

set override {enable | disable}

end

When you set override to enable, you can configure syslog settings for your VDOM using the same keywords as in the global log syslogd setting command.

antivirus quarantine quar-override-setting

Use this command to override the quar-to-fortianalyzer setting in the global antivirus quarantine command.

Syntax

config antivirus quar-override-setting

set override {enable | disable} set destination {null | disk | fortianalyzer}

end

Variable Description Default

override {enable | disable}

destination

null | disk |

{

fortianalyzer}

Enable to configure quarantine destination for this VDOM. Disable to use global quarantine destination.

Select where to quarantine files:

null — Do not quarantine files. disk — Quarantine to hard disk. Available on models

that include a hard disk. fortianalyzer — Quarantine to the FortiAnalyzer unit

configured for this VDOM.

disable

null

SQL log format for Executive Summary reports

On FortiGate units that contain a hard drive, you can display Executive Summary reports based on logs stored in an SQL database. The log messages are stored in text format in the database.

You can also customize the appearance of existing reports and create new reports from the FortiGate CLI using the config report CLI commands.

For more information, see “Viewing Executive Summary reports from SQL logs” on

page 730

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 81

http://docs.fortinet.com/ • Feedback

Antivirus changes What’s new in FortiOS Version 4.0 MR1

Antivirus changes

For FortiOS 4.0 MR1, if you enable VDOMs, all UTM > Antivirus options are now configured separately for each VDOM. In FortiOS 4.0 GA, only administrators with global access could configure and manage the file quarantine, view the virus list, and configure the grayware list.

In addition, the following antivirus functionality has been renamed or moved:

•Go to Log & Report > Quarantined Files to view the quarantined files list. The functionality of the quarantined files list is unchanged except that with VDOMs enabled the Quarantined files list is now available for each VDOM and only shows files quarantined from that VDOM.

• UTM > Antivirus > Quarantine was UTM > Antivirus > Config. Functionally is unchanged.

•Go to UTM > Virus Database to view information about the current virus database on the FortiGate unit. For FortiGate units that support the extended virus database you can go to UTM > Virus Database and select the virus database to use for virus scanning. With VDOMs enabled you select the virus database to use for virus scanning for the VDOM.

• For FortiGate units that support the extended virus database you can select the virus database to use for individual protection profiles from the CLI. The Protection Profile Antivirus > Extended AV Database option has been removed from the web-based manager. New CLI options for selecting the antivirus database for a protection profile are available for each protocol. For example, to select the antivirus database in the scan protection profile for http and for FTP, enter:

config firewall profile

edit scan

set http-avdb {default | extended | normal} set ftp-avdb {default | extended | normal}

end

•Go to UTM > Virus Database to enable grayware detection. The previous UTM > Grayware page has been removed and you can no longer enable or disable individual

grayware categories.

Figure 8: Virus Database

FortiGate Version 4.0 MR1 Administration Guide

82 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

What’s new in FortiOS Version 4.0 MR1 Reliable syslog

Reliable syslog

Reliable syslog protects log information through authentication and data encryption and ensures that the log messages are reliably delivered in order. FortiOS 4.0 MR1 implements the RAW profile of RFC 3195. This feature is configurable only in the CLI.

Syntax

These are global settings.

config log syslogd setting

set reliable {enable | disable} end config log syslogd2 setting

set reliable {enable | disable} end config log syslogd3 setting

set reliable {enable | disable} end

In each VDOM, you can enable reliable syslog as part of an override of the global syslog settings. See “Support for per-VDOM FortiAnalyzer units or syslog devices” on page 79.

conf log syslogd override-setting

set reliable {enable | disable} end

By default, reliable syslog is disabled.

Web filtering combined block/exempt list

FortiOS Version 4.0 MR1 combines the Web Content Block and Web Content Exempt lists into one list. Go to Web Filter > Web Content. As before, you first create a list and then add entries. The new entry dialog box looks like this:

Figure 9: New combined web filter content block/exempt list entry

Action Select one of:

Block — If the pattern matches, the Score is added to the total for the web page.

The page is blocked if the total score of the web page exceeds the web content block threshold defined in the protection profile.

Exempt — If the pattern matches, the web page will not be blocked even if there are matching Block entries.

Pattern Enter the content pattern. Web content patterns can be one word or a text string

up to 80 characters long. For a single word, the FortiGate checks all web pages for that word. For a phrase,

the FortiGate checks all web pages for any word in the phrase. For a phrase in quotation marks, the FortiGate unit checks all web pages for the entire phrase.

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 83

http://docs.fortinet.com/ • Feedback

Web filtering combined block/exempt list What’s new in FortiOS Version 4.0 MR1

Pattern Type Select a pattern type from the dropdown list: Wildcard or Regular Expression. Language The character set to which the pattern belongs: Simplified Chinese, Traditional,

Score Enter a score for the pattern.

Enable Select to enable the entry.

Chinese, French, Japanese, Korean, Thai, or Western.

When you add a web content list to a protection profile you configure a web content block threshold for the protection profile. When a web page is matched with an entry in the content block list, the score is recorded. If a web page matches more than one entry the score for the web page increases. When the total score for a web page equals or exceeds the threshold, the page is blocked.

The default score for a content list entry is 10 and the default threshold is 10. This means that by default a web page is blocked by a single match. You can change the scores and threshold so that web pages can only be blocked if there are multiple matches.

CLI Syntax

config webfilter content

edit <entry_number>

set name <list_str> set comment <comment_str> config entries

edit <content_str>

set action {block | exempt} set lang {french | japanese | korean | simch |

spanish |thai | trach | western}

set pattern-type {regexp | wildcard} set score <score_int> set status {enable | disable}

end

Variable Description Default

edit <entry_number> A unique number to identify the banned word list. name <list_str> The name of the banned word list.

comment <comment_str>

config entries Variables

edit <content_str> Enter the content to match.

action {block | exempt}

lang {french | japanese | korean | simch | spanish |thai | trach | western}

pattern-type {regexp | wildcard}

The comment attached to the banned word list.

Select one of: Block — If the pattern matches, the Score is added to the

total for the web page. The page is blocked if the total score of the web page exceeds the web content block threshold defined in the protection profile.

Exempt — If the pattern matches, the web page will not be blocked even if there are matching Block entries.

Enter the language character set used for the content. Choose from French, Japanese, Korean, Simplified Chinese, Spanish, Thai, Traditional Chinese, or Western.

Set the pattern type for the content. Choose from regexp or wildcard.Create patterns for banned words using Perl regular expressions or wildcards.

block

western

wildcard

FortiGate Version 4.0 MR1 Administration Guide

84 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

What’s new in FortiOS Version 4.0 MR1 Web filtering by content header

Variable Description Default

score <score_int> A numerical weighting applied to the content. The score

status {enable | disable}

values of all the matching words appearing on a web page are added, and if the total is greater than the webwordthreshold value set in the protection profile, the page is processed according to whether the bannedword option is set with the http command in the protection profile. The score for banned content is counted once even if it appears multiple times on the web page.

Enable or disable the content entry. disable

Web filtering by content header

FortiOS 4.0 MR1 introduces web filtering by MIME content header. You can use this feature to broadly block content by type. But it is also useful to exempt audio and video streaming files from antivirus scanning. Scanning these file types can be problematic.

The content header list is available in the CLI only.

Syntax

config webfilter content-header

edit <entry_number>

set name <list_name> set comment <comment_str> config entries

edit <regex>

set action {block | exempt} set status {enable | disable}

end

Variable Description Default

edit <entry_number> A unique number to identify the content header list. name <list_name> The name of the content header list.

comment <comment_str>

config entries Variables

edit <regex> Enter a regular expression to match the content header.

action {block | exempt}

status {enable | disable}

The comment attached to the content header list.

For example, .*image.* matches image content types.

Select one of:

Block — If the pattern matches, the content is blocked. Exempt — If the pattern matches, the content is

exempted from antivirus scanning. Enable or disable the content header entry. disable

block

After you have created content header lists, you need to select the content header list in the protection profile as follows:

config firewall profile

edit <profile_name>

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 85

http://docs.fortinet.com/ • Feedback

Safe search What’s new in FortiOS Version 4.0 MR1

... set content-header-list <list_name> ...

end

Safe search

FortiOS Version 4.0 MR1 can prevent users from disabling the safe search feature of the Google, Yahoo!, or Bing search engines. This is important in environments such as education where web filtering is used to block sites with inappropriate content. If users can bypass the search engine safe search feature, the returned search results can contain inappropriate material in either summary text or thumbnail images.

The following procedures assume that the relevant firewall policies apply the protection profile that you are configuring.

To enforce safe searching - web-based manager 1 Go to Firewall > Protection Profile. 2 Select the Edit icon for the protection profile that you use.

3 Expand the Web Filtering category. 4 Select the Safe Search check box for Google and Yahoo! 5 Select OK.

To enforce safe searching - CLI

config firewall profile edit <profile_str> set safesearch [google yahoo] end

Data Leak Prevention supports international character sets

Data Leak Prevention (DLP) in FortiOS Version 4.0 MR1 has improved ability to detect data leaks where international character sets are used. DLP performs text comparisons according to its rules after converting the text to UTF-8.

Because character sets are not always accurately indicated in HTTP posts, you can optionally specify up to five character set encodings that will be checked in addition to the indicated character set. This feature can affect performance and it can be configured only in the CLI.

config firewall profile

edit <profile_name>

set http-post-lang [<charset1> ... <charset5>]

end

To view the list of available character sets, enter set http-post-lang ? from within the edit shell for the profile.

FortiGate Version 4.0 MR1 Administration Guide

86 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

What’s new in FortiOS Version 4.0 MR1 SNMPv3 enhancements

SNMPv3 enhancements

FortiOS 4.0 introduced basic support for SNMPv3, the latest version of the Simple Network Management Protocol. FortiOS Version 4.0 MR1 adds support for

• snmpEngineID

• user authentication and encryption capabilities. You can configure these new features only in the CLI.

Support for snmpEngineID

FortiOS Version 4.0 MR1 adds the SNMPv3 snmpEngineID value defined in RFC3414. Each SNMP engine maintains a value, snmpEngineID, which uniquely identifies the

SNMP engine. This value is included in each message sent to or from the SNMP engine. In FortiOS, the snmpEngineID is composed of two parts:

• Fortinet prefix 0x8000304404

•the engine-id string, 24 characters maximum, defined in the CLI config system snmp sysinfo command

The snmpEngineID is optional, so you are not required to define an engine-id value.

To specify engine-id

config system snmp sysinfo

set engine-id <string>

end

Authentication and privacy

FortiOS Version 4.0 MR1 implements the user security model of RFC 3414. You can require the user to authenticate with a password and you can use encryption to protect the communication with the user.

Syntax

The following syntax description includes only the new keywords related to security.

config system snmp user

edit <username>

set security-level <slevel> set auth-proto {md5 | sha} set auth-pwd <password> set priv-proto {aes | des} set priv-pwd <key>

end

Variable Description Default

security-level <slevel>

auth-proto {md5 | sha}

Set security level to one of:

no-auth-no-priv — no authentication or privacy auth-no-priv — authentication but no privacy auth-priv — authentication and privacy

Select authentication protocol:

md5 — HMAC-MD5-96 authentication protocol sha — HMAC-SHA-96 authentication protocol

This is available if security-level is auth-priv or auth-no-priv.

no-auth-no-priv

sha

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 87

http://docs.fortinet.com/ • Feedback

Schedule groups What’s new in FortiOS Version 4.0 MR1

Variable Description Default

auth-pwd <password>

priv-proto {aes | des}

priv-pwd <key> Enter the privacy encryption key. Maximum 32

Enter the user’s password. Maximum 32 characters. This is available if security-level is auth-priv

or auth-no-priv. Select privacy (encryption) protocol:

aes — CFB128-AES-128 symmetric encryption des — CBC-DES symmetric encryption

This is available if security-level is auth-priv.

characters. This is available if security-level is auth-priv.

No default.

aes

No default.

Schedule groups

You can now create schedule groups, similar to address groups or service groups. In a firewall policy you can select either an individual schedule or a schedule group.

To create a schedule group - web-based manager 1 Go to Firewall > Schedule > Group and select Create New.

Figure 10: Schedule Group

Group Name Enter a name to identify the service group. Available

Schedules Members The list of schedules in the group. Use the arrows to move selected

The list of recurring and one-time schedules available for your group. Use the arrow buttons to move selected schedules between this list and Members.

schedules between this list and Available Services.

2 Select OK

FortiGate Version 4.0 MR1 Administration Guide

88 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

Web-based manager

This section describes the features of the user-friendly web-based manager administrative interface (sometimes referred to as a graphical user interface, or GUI) of your FortiGate unit.

Using HTTP or a secure HTTPS connection from any management computer running a web browser, you can connect to the FortiGate web-based manager to configure and manage the FortiGate unit. The recommended minimum screen resolution for the management computer is 1280 by 1024.

You can configure the FortiGate unit for HTTP and HTTPS web-based administration from any FortiGate interface. To connect to the web-based manager you require a FortiGate administrator account and password. The web-based manager supports multiple languages, but by default appears in English on first use.

You can go to System > Status to view detailed information about the status of your FortiGate unit on the system dashboard. The dashboard displays information such as the current FortiOS firmware version, antivirus and IPS definition versions, operation mode, connected interfaces, and system resources. It also shows whether the FortiGate unit is connected to a FortiAnalyzer unit and a FortiManager unit or other central management services.

You can use the web-based manager menus, lists, and configuration pages to configure most FortiGate settings. Configuration changes made using the web-based manager take effect immediately without resetting the FortiGate unit or interrupting service. You can back up your configuration at any time using the Backup Configuration button on the button bar. The button bar is located in the upper right corner of the web-based manager. The saved configuration can be restored at any time.

The web-based manager also includes detailed context-sensitive online help. Selecting Online Help on the button bar displays help for the current web-based manager page.

You can use the FortiGate command line interface (CLI) to configure the same FortiGate settings that you can configure from the web-based manager, as well as additional CLIonly settings. The system dashboard provides an easy entry point to the CLI console that you can use without exiting the web-based manager.

This section describes:

• Common web-based manager tasks

• Changing your FortiGate administrator password

• Changing the web-based manager language

• Changing administrative access to your FortiGate unit

• Changing the web-based manager idle timeout

• Connecting to the FortiGate CLI from the web-based manager

• Button bar features

• Contacting Customer Support

• Backing up your FortiGate configuration

• Using FortiGate Online Help

• Logging out

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 89

http://docs.fortinet.com/ • Feedback

Common web-based manager tasks Web-based manager

• Web-based manager pages

• Web-based manager icons

Common web-based manager tasks

This section describes the following common web-based manager tasks:

• Connecting to the web-based manager

• Changing your FortiGate administrator password

• Changing the web-based manager language

• Changing administrative access to your FortiGate unit

• Changing the web-based manager idle timeout

• Connecting to the FortiGate CLI from the web-based manager

Connecting to the web-based manager

To connect to the web-based manager, you require:

• a FortiGate unit connected to your network according to the instructions in the

QuickStart Guide and Install Guide for your FortiGate unit

• the IP address of a FortiGate interface that you can connect to

• a computer with an Ethernet connection to a network that can connect to the FortiGate unit

• a supported web browser. See the Knowledge Center articles Supported Windows web browsers and Using a Macintosh and the web-based manager.

To connect to the web-based manager 1 Start your web browser and browse to https:// followed by the IP address of the

FortiGate unit interface that you can connect to. For example, if the IP address is 192.168.1.99, browse to https://192.168.1.99.

(remember to include the “s” in https://). To support a secure HTTPS authentication method, the FortiGate unit ships with a self-

signed security certificate, which is offered to remote clients whenever they initiate a HTTPS connection to the FortiGate unit. When you connect, the FortiGate unit displays two security warnings in a browser.

The first warning prompts you to accept and optionally install the FortiGate unit’s selfsigned security certificate. If you do not accept the certificate, the FortiGate unit refuses the connection. If you accept the certificate, the FortiGate login page appears. The credentials entered are encrypted before they are sent to the FortiGate unit. If you choose to accept the certificate permanently, the warning is not displayed again.

Just before the FortiGate login page is displayed, a second warning informs you that the FortiGate certificate distinguished name differs from the original request. This warning occurs because the FortiGate unit redirects the connection. This is an informational message. Select OK to continue logging in.

2 Type admin or the name of a configured administrator in the Name field. 3 Type the password for the administrator account in the Password field. 4 Select Login.

FortiGate Version 4.0 MR1 Administration Guide

90 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

Web-based manager Common web-based manager tasks

Changing your FortiGate administrator password

By default you can log into the web-based manager by using the admin administrator account and no password. You should add a password to the admin administrator account to prevent anybody from logging into the FortiGate and changing configuration options. For improved security you should regularly change the admin administrator account password and the passwords for any other administrator accounts that you add.

Note: See the Fortinet Knowledge Center article Recovering lost administrator account

passwords if you forget or lose an administrator account password and cannot log into your

FortiGate unit.

To change an administrator account password 1 Go to System > Admin > Administrators.

This web-based manager page lists the administrator accounts that can log into the FortiGate unit. The default configuration includes the admin administrator account.

2 Select the Change Password icon and enter a new password. 3 Select OK.

Note: You can also add new administrator accounts by selecting Create New. For more

information about adding administrators, changing administrator account passwords and related configuration settings, see “System Admin” on page 267.

Changing the web-based manager language

You can change the web-based manager to display language in English, Simplified Chinese, Japanese, Korean, Spanish, Traditional Chinese, or French. For best results, you should select the language that the management computer operating system uses.

To change the web-based manager language 1 Go to System > Admin > Settings. 2 Under display settings, select the web-based manager display language.

3 Select Apply.

The web-based manager displays the dashboard in the selected language. All web-based manager pages are displayed with the selected language.

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 91

http://docs.fortinet.com/ • Feedback

Common web-based manager tasks Web-based manager

Figure 11: System > Admin > Settings displayed in Simplified Chinese

Changing administrative access to your FortiGate unit

Through administrative access an administrator can connect to the FortiGate unit to view and change configuration settings. The default configuration of your FortiGate unit allows administrative access to one or more of the interfaces of the unit as described in your FortiGate unit QuickStart Guide and Install Guide.

You can change administrative access by:

• enabling or disabling administrative access from any FortiGate interface

• enabling or disabling securing HTTPS administrative access to the web-based manager (recommended)

• enabling or disabling HTTP administrative access to the web-based manager (not recommended)

• enabling or disabling secure SSH administrative access to the CLI (recommended)

• enabling or disabling SSH or Telnet administrative access to the CLI (not recommended).

To change administrative access to your FortiGate unit 1 Go to System > Network > Interface. 2 Choose an interface for which to change administrative access and select Edit. 3 Select one or more Administrative Access types for the interface. 4 Select OK.

For more information about changing administrative access see “Configuring

administrative access to an interface” on page 192.

Changing the web-based manager idle timeout

By default, the web-based manager disconnects administrative sessions if no activity takes place for 5 minutes. This idle timeout is recommended to prevent someone from using the web-based manager from a PC that is logged into the web-based manager and then left unattended. However, you can use the following steps to change this idle timeout.

FortiGate Version 4.0 MR1 Administration Guide

92 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

Web-based manager Button bar features

Back up your FortiGate

configuration

Contact Customer

Online Help

Logout

Support

To change the web-based manager idle timeout 1 Go to System > Admin > Settings. 2 Change the Idle Timeout minutes as required. 3 Select Apply.

Connecting to the FortiGate CLI from the web-based manager

You can connect to the FortiGate CLI from the web-based manager dashboard by using the CLI console widget. You can use the CLI to configure all configuration options available from the web-based manager. Some configuration options are available only from the CLI. As well, you can use the CLI to enter diagnose commands and perform other advanced operations that are not available from the web-based manager. For more information about the FortiGate CLI see the FortiGate CLI Reference.

To connect to the FortiGate CLI from the web-based manager 1 Go to System > Status. 2 Locate and select the CLI Console.

Selecting the CLI console logs you into the CLI. For more information, see “CLI

Console” on page 119.

Button bar features

The button bar in the upper right corner of the web-based manager provides access to several important FortiGate features.

Figure 12: Web-based manager button bar

Contacting Customer Support

The Contact Customer Support button opens the Fortinet Support web page in a new browser window. From this page you can:

• visit the Fortinet Knowledge Center

• log into Customer Support (Support Login)

• register your Fortinet product (Product Registration)

• view Fortinet Product End of Life information

• find out about Fortinet Training and Certification

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 93

http://docs.fortinet.com/ • Feedback

Backing up your FortiGate configuration Web-based manager

• visit the FortiGuard Center.

You must register your Fortinet product to receive product updates, technical support, and FortiGuard services. To register a Fortinet product, go to Product Registration and follow the instructions.

Backing up your FortiGate configuration

The Backup Configuration button opens a dialog box for backing up your FortiGate configuration to:

• the local PC that you are using to manage the FortiGate unit.

• a management station. This can be a FortiManager unit or the FortiGuard Management Service. This option changes depending on your central management configuration (see “Central Management” on page 285).

• a USB disk, if your FortiGate unit has a USB port and you have connected a USB disk to it (see “Formatting USB Disks” on page 318).

For more information, see “Backing up and restoring” on page 312.

Figure 13: Backing up your FortiGate configuration

Using FortiGate Online Help

The Online Help button displays context-sensitive online help for the current web-based manager page. The online help page that is displayed is called a content pane and contains information and procedures related to the current web-based manager page. Most help pages also contain hyperlinks to related topics. The online help system also includes a number of links that you can use to find additional information.

FortiGate context-sensitive online help topics also include a VDOM or Global icon to indicate whether the web-based manager page is for VDOM-specific or global configuration settings. VDOM and Global configuration settings apply only to a FortiGate unit operating with virtual domains enabled. If you are not operating your FortiGate unit with virtual domains enabled, you can ignore the VDOM and Global icons. For more information about virtual domains, see “Using virtual domains” on page 159.

FortiGate Version 4.0 MR1 Administration Guide

94 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

Web-based manager Using FortiGate Online Help

Show Navigation

Bookmark

Contents SearchIndex Show in Contents

Figure 14: A context-sensitive online help page (content pane only)

Show Navigation Open the online help navigation pane. From the navigation pane you

Previous Display the previous page in the online help. Next Display the next page in the online help Email Send an email to Fortinet Technical Documentation at

Print Print the current online help page. Bookmark Add an entry for this online help page to your browser bookmarks or

can use the online help table of contents, index, and search to access all of the information in the online help. The online help is organized in the same way as the FortiGate web-based manager and the FortiGate

Administration Guide.

techdoc@fortinet.com if you have comments on or corrections for the

online help or any other Fortinet technical documentation product.

favorites list to make it easier to find useful online help pages. You cannot use the Bookmark icon to add an entry to your favorites list if you are viewing online help from Internet Explorer running on a management PC with Windows XP and service pack 2 installed.

When you select help for a VDOM configuration settings web-based manager page the help display includes the VDOM icon. For information about VDOM configuration settings, see “VDOM

configuration settings” on page 160.

When you select help for a Global configuration settings web-based manager page the help display includes the Global icon. For information about Global configuration settings, see “Global

configuration settings” on page 163.

To view the online help table of contents or index, and to use the search feature, select Online Help in the button bar in the upper right corner of the web-based manager. From the online help, select Show Navigation.

Figure 15: Online help page with navigation pane and content pane

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 95

http://docs.fortinet.com/ • Feedback

Using FortiGate Online Help Web-based manager

Contents Display the online help table of contents. You can navigate through the

Index Display the online help index. You can use the index to find

Search Display the online help search. For more information, see “Searching

Show in Contents If you have used the index, search, or hyperlinks to find information in

Searching the online help

Using the online help search, you can search for one word or multiple words in the full text of the FortiGate online help system. Please note the following:

• If you search for multiple words, the search finds only those help pages that contain all of the words that you entered. The search does not find help pages that only contain one of the words that you entered.

• The help pages found by the search are ranked in order of relevance. The higher the ranking, the more likely the help page includes useful or detailed information about the word or words that you are searching for. Help pages with the search words in the help page title are ranked highest.

• You can use the asterisk (*) as a search wildcard character that is replaced by any number of characters. For example, if you search for auth* the search finds help pages containing auth, authenticate, authentication, authenticates, and so on.

• In some cases the search finds only exact matches. For example, if you search for windows the search may not find pages containing the word window. You can work around this using the * wildcard (for example by searching for window*).

table of contents to find information in the online help. The online help is organized in the same way as the FortiGate web-based manager and the FortiGate Administration Guide.

information in the online help.

the online help” on page 96.

the online help, the table of contents may not be visible or the table of contents may be out of sync with the current help page. You can select Show in Contents to display the location of the current help page within the table of contents.

To search in the online help system 1 From any web-based manager page, select the online help button. 2 Select Show Navigation. 3 Select Search.

4 In the search field, enter one or more words to search for and then press the Enter key

on your keyboard or select Go. The search results pane lists the names of all the online help pages that contain all the

words that you entered. Select a name from the list to display that help page.

FortiGate Version 4.0 MR1 Administration Guide

96 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

Web-based manager Logging out

Search Field

Search Results

Figure 16: Searching the online help system

Using the keyboard to navigate in the online help

You can use the keyboard shortcuts listed in Table 4 to display and find information in the online help.

Table 4: Online help navigation keys

Key Function Alt+1 Display the table of contents. Alt+2 Display the index. Alt+3 Display the Search tab. Alt+4 Go to the previous page. Alt+5 Go to the next page. Alt+7 Send an email to Fortinet Technical Documentation at

Alt+8 Print the current online help page. Alt+9 Add an entry for this online help page to your browser bookmarks or

techdoc@fortinet.com if you have comments on or corrections for the

online help or any other Fortinet technical documentation product.

favorites list, to make it easier to find useful online help pages.

Logging out

The Logout button immediately logs you out of the web-based manager. Log out before you close the browser window. If you simply close the browser or leave the web-based manager, you remain logged in until the idle timeout (default 5 minutes) expires. To change the timeout, see “Changing the web-based manager idle timeout” on page 92.

Web-based manager pages

The web-based manager interface consists of a menu and pages. Many of the pages have multiple tabs. When you select a menu item, such as System, the web-based manager expands to reveal a submenu. When you select one of the submenu items, the associated page opens at its first tab. To view a different tab, select the tab.

The procedures in this manual direct you to a page by specifying the menu item, the submenu item and the tab, for example:

1 Go to System > Network > Interface.

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 97

http://docs.fortinet.com/ • Feedback

Web-based manager pages Web-based manager

Ta bs

Page

Button bar

Figure 17: Parts of the web-based manager

Using the web-based manager menu

The web-based manager menu provides access to configuration options for all major FortiGate features (see Figure 17 on page 98).

System Configure system settings, such as network interfaces, virtual

Router Configure FortiGate static and dynamic routing and view the router

Firewall Configure firewall policies and protection profiles that apply network

UTM Configure antivirus and antispam protection, web filtering, intrusion

VPN Configure IPSec and SSL virtual private networking. PPTP is

User Configure user accounts for use with firewall policies that require user

WAN Opt. & Cache Configure WAN optimization and web caching to improve

Endpoint NAC Configure end points, view FortiClient configuration information, and

Wireless Controller Configure a FortiGate unit to act as a wireless network controller,

Log&Report Configure logging and alert email. View log messages and reports.

domains, DHCP services, administrators, certificates, High Availability (HA), system time and set system options.

monitor.

protection features. Also configure virtual IP addresses and IP pools.

protection, data leak prevention, and application control.

configured in the CLI.

authentication. Also configure external authentication servers such as RADIUS, LDAP, TACACS+, and Windows AD. Configure monitoring of Firewall, IPSec, SSL, IM, and Banned Users.

performance and security of traffic passing between locations on your wide area network (WAN) or from the Internet to your web servers.

configure software detection patterns.

managing the wireless Access Point (AP) functionality of FortiWiFi units.

FortiGate Version 4.0 MR1 Administration Guide

98 01-410-89802-20090903

http://docs.fortinet.com/ • Feedback

Web-based manager Web-based manager pages

Edit

Delete

View

Using web-based manager lists

Many of the web-based manager pages contain lists. There are lists of network interfaces, firewall policies, administrators, users, and others.

If you log in as an administrator with an admin profile that allows Read-Write access to a list, depending on the list you will usually be able to:

• select Create New to add a new item to the list

• select the Edit icon for a list item to view and change the settings of the item

• select the Delete icon for a list item to delete the item. The delete icon will not be available if the item cannot be deleted. Usually items cannot be deleted if they have been added to another configuration; you must first find the configuration settings that the item has been added to and remove the item from them. For example, to delete a user that has been added to a user group you must first remove the user from the user group (see Figure 18).

Figure 18: A web-based manager list (read-write access)

If you log in as an administrator with an admin profile that allows Read Only access to a list, you will only be able to view the items on the list (see Figure 19).

Figure 19: A web-based manager list (read only access)

For more information, see “Admin profiles” on page 280.

Adding filters to web-based manager lists

You can add filters to control the information that is displayed complex lists in the web-based manager. See the following web-based manager pages for examples of lists with filters:

• Session list (see “Viewing the current sessions list” on page 122)

• Firewall policy and IPv6 policy lists (see “Viewing the firewall policy list” on page 390,

“Viewing the DoS policy list” on page 404, and “Viewing the sniffer policy list” on page 407)

• Intrusion protection predefined signatures list (see “Viewing the predefined signature

list” on page 533)

• Firewall user monitor list (see “Firewall user monitor list” on page 676)

• IPSec VPN Monitor (see “Monitoring VPNs” on page 626)

FortiGate Version 4.0 MR1 Administration Guide 01-410-89802-20090903 99

http://docs.fortinet.com/ • Feedback

Web-based manager pages Web-based manager

Filter added to display names that include “apache”

No filter added

• Endpoint NAC list of known endpoints (see “Monitoring endpoints” on page 700)

• Log and report log access list (see “Accessing and viewing log messages” on

page 720).

Filters are useful for reducing the number of entries that are displayed on a list so that you can focus on the information that is important to you.

For example, you can go to System > Status, and, in the Statistics section, select Details on the Sessions line to view the communications sessions that the FortiGate unit is currently processing. A busy FortiGate unit may be processing hundreds or thousands of communications sessions. You can add filters to make it easier to find specific sessions. For example, you might be looking for all communications sessions being accepted by a specific firewall policy. You can add a Policy ID filter to display only the sessions for a particular Policy ID or range of Policy IDs.

You add filters to a web-based manager list by selecting any filter icon to display the Edit Filters window. From the Edit Filters window you can select any column name to filter, and configure the filter for that column. You can also add filters for one or more columns at a time. The filter icon remains gray for unfiltered columns and changes to green for filtered columns.

Figure 20: An intrusion protection predefined signatures list filtered to display all signatures

containing “apache” with logging enabled, action set to drop, and severity set to high

The filter configuration is retained after leaving the web-based manager page and even after logging out of the web-based manager or rebooting the FortiGate unit.

Different filter styles are available depending on the type of information displayed in individual columns. In all cases, you configure filters by specifying what to filter on and whether to display information that matches the filter, or by selecting NOT to display information that does not match the filter.

Note: Filter settings are stored in the FortiGate configuration and will be maintained the next time that you access any list for which you have added filters.

On firewall policy, IPv6 policy, predefined signature and log and report log access lists, you can combine filters with column settings to provide even more control of the information displayed by the list. See “Using filters with column settings” on page 104 for more information.

Filters for columns that contain numbers

If the column includes numbers (for example, IP addresses, firewall policy IDs, or port numbers) you can filter by a single number or a range of numbers. For example, you could configure a source address column to display only entries for a single IP address or for all addresses in a range of addresses. To specify a range, separate the top and bottom

100 01-410-89802-20090903

values of the range with a hyphen, for example 25-50.

FortiGate Version 4.0 MR1 Administration Guide

http://docs.fortinet.com/ • Feedback

Fortinet FortiGate Series, FortiGate-50 Series, FortiGate-5000 Series, FortiGate-5001SX, FortiGate-5001A Administration Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

Contents

Introduction

Fortinet products

About this document

Registering your Fortinet product

Customer service and technical support

Training

Documentation

Fortinet Tools and Documentation CD

Scope

Fortinet Knowledge Base

Comments on Fortinet technical documentation

Conventions

IP addresses

Notes, Tips and Cautions

Typographical conventions

Command syntax conventions

What’s new in FortiOS Version 4.0 MR1

New SIP ALG configuration options

Opening and closing SIP register and non-register pinholes

Support for RFC 2543-compliant branch commands

Easy FortiCare and FortiGuard services registration and renewal

Endpoint control enhancements

Per-VDOM replacement messages

Content archiving is now DLP archive

Topology viewer is now a custom web-based manager page

Usage page shows application, policy, and DLP archive usage

Alert Message Console enhancements

WCCP widget

SSL VPN enhancements

Single Sign-On

IP address ranges are now defined as firewall addresses

OS Check changes

Client check changes

Virtual Desktop enhancements

Virtual Desktop Application Control

Two-factor authentication

Force UTF-8 login

FortiGate wireless controller

Interface status detection for gateway load balancing

Enhanced ECMP route failover and load balancing

SCEP extensions

Dynamic routing for IPv6 traffic

Additions to router bgp command

router access-list6

router ospf6

config area

config ospf6-interface

config redistribute

router prefix-list6

router ripng

config aggregate-address

config distribute-list

config interface

config neighbor

config offset-list

config redistribute

get router info6 {bgp | ospf | protocols | rip}

IPv6 DNS

Example

IPv6 transparent mode

IPv6 administrative access

Network interface changes for IPv6

Administrator settings

Example

UTM features support IPv6 traffic

HTTP basic authentication in firewall policies

VDOM dashboard

IPsec protocol improvements

Support for IKE v2

Support for DH-2048 (Group 14)

Support for SHA256

Auto-configuration of IPsec VPNs

IPsec Phase 1 CLI configuration for IKE Configuration Method

IPsec Phase 2 configuration for IKE Configuration Method

Integral basic DNS server