100% found this document useful (2 votes)

460 views

Fortigate Cookbook Expanded

This edition of the FortiGate Cookbook (Expanded Version) was written using FortiOS 5.0.7.

Uploaded by

Bogdan Ungureanu

Available Formats

Download as PDF, TXT or read online on Scribd

100% found this document useful (2 votes)

460 views

Fortigate Cookbook Expanded

This edition of the FortiGate Cookbook (Expanded Version) was written using FortiOS 5.0.7.

Uploaded by

Bogdan Ungureanu

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 418

The FortiGate Cookbook 5.0.

7 (Expanded Version)
Essential Recipes for Success with your FortiGate
April 23, 2014

Copyright 2014 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiCare and
FortiGuard, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet
names herein may also be registered and/or common law trademarks of Fortinet. All other product
or company names may be trademarks of their respective owners. Performance and other metrics
contained herein were attained in internal lab tests under ideal conditions, and actual performance
and other resultsmay vary. Network variables, different network environments and other conditions
may affect performance results. Nothing herein represents any binding commitment by Fortinet,
and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet
enters a binding written contract, signed by Fortinets General Counsel, with a purchaser that
expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified
in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty
will be limited to performance in the same ideal conditions as in Fortinets internal lab tests. Fortinet
disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express
or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication
without notice, and the most current version of the publication shall be applicable.

Fortinet Knowledge Base - http://kb.fortinet.com

Technical Documentation - http://docs.fortinet.com
Video Tutorials - http://video.fortinet.com
Training Services - http://campus.training.fortinet.com
Technical Support - https://support.fortinet.com
Please report errors or omissions in this or any Fortinet technical document to [email protected].

Contents
Change log.................................................................................................................... 1
Introduction .................................................................................................................. 2
Tips for using the FortiGate Cookbook ......................................................................... 3
Installing & Setup ......................................................................................................... 5
Connecting a private network to the Internet using NAT/Route mode .............................. 7
Extra help: NAT/Route mode ............................................................................................ 11
Quickly connecting a network to the Internet using DHCP.............................................. 14
Extra help: Private networks with DHCP .......................................................................... 16
Adding a FortiGate unit without changing the network configuration.............................. 18
Extra help: Transparent mode .......................................................................................... 22
Using VDOMs to host two FortiOS instances on a single FortiGate unit ......................... 26
Verifying and updating the FortiGate units firmware ....................................................... 33
Setting up FortiGuard services ......................................................................................... 36
Extra help: FortiGuard ...................................................................................................... 38
Logging network traffic to gather information .................................................................. 39
Extra help: Logging .......................................................................................................... 43
Using FortiCloud to record log messages ........................................................................ 44
Setting up a limited access administrator account .......................................................... 48
Using SNMP to monitor the FortiGate unit ...................................................................... 52
Setting up an explicit proxy for users on a private network ............................................. 58
Adding packet capture to help troubleshooting ............................................................... 62

Contents

iii

Protecting a web server on the DMZ network.................................................................. 65

Using port pairing to simplify transparent mode .............................................................. 69
Using two ISPs for redundant Internet connections ........................................................ 74
Adding a backup FortiGate unit to improve reliability ...................................................... 79
Associating a domain name with an interface that has a dynamic IP .............................. 84
Allowing VoIP calls using FortiVoice and FortiCall ........................................................... 86
Allowing access from the Internet to a FortiCamera unit ................................................. 93
Security Policies & Firewall Objects ........................................................................... 99
Ordering security policies to allow different access levels ............................................. 100
Using port forwarding on a FortiGate unit ...................................................................... 104
Using AirPlay with iOS, AppleTV, FortiAP, and a FortiGate unit ..................................... 109
Using AirPrint with iOS and OS X and a FortiGate unit .................................................. 117
Security Features ..................................................................................................... 126
Monitoring your network using client reputation ............................................................ 127
Controlling network access using application control ................................................... 130
Using a custom signature to block web traffic from Windows XP ................................. 136
Protecting a web server from external attacks............................................................... 141
Blocking outgoing traffic containing sensitive data........................................................ 145
Preventing credit card numbers from escaping your network ....................................... 150
Blocking access to specific websites ............................................................................ 160
Extra help: Web filtering ................................................................................................. 163
Blocking HTTP and HTTPS traffic with web filtering ...................................................... 164
Limiting access to personal interest websites using quotas .......................................... 169

The FortiGate Cookbook 5.0.7

Setting up YouTube for Education .................................................................................. 173

Using web filter overrides to control website access ..................................................... 179
Inspecting traffic content using flow-based inspection ................................................. 187
Analyzing your network traffic using a one-armed sniffer .............................................. 192
Excluding specific users from security scanning ........................................................... 203
Wireless Networking ................................................................................................. 207
Setting up a temporary guest WiFi user ......................................................................... 208
Setting up a network using a FortiGate unit and a FortiAP unit ..................................... 215
Providing remote users access to the corporate network and Internet ......................... 220
Assigning wireless users to different networks using dynamic VLANs .......................... 226
Extending the range of a wireless network by using mesh topology ............................. 236
IPv6 ........................................................................................................................... 251
Creating an IPv6 interface using SLAAC ........................................................................ 252
Authentication .......................................................................................................... 256
Identifying network users and applying web filters based on identity ........................... 257
Controlling when specific types of devices can access the Internet ............................. 263
Providing Single Sign-On for a Windows AD network with a FortiGate ......................... 267
Providing Single Sign-On in advanced mode for a Windows AD network..................... 273
Providing Single Sign-On for Windows AD with LDAP .................................................. 276
Allowing Single Sign-On access with a FortiGate and a FortiAuthenticator .................. 280
Fortinet Single Sign-On in Polling Mode for a Windows AD network ............................ 284
Preventing security certificate warnings when using SSL inspection ............................ 290
Extra help: Certificates ................................................................................................... 294

Contents

Adding FortiToken two-factor authentication to a user account .................................... 295

Using two-factor authentication with IPsec VPN ........................................................... 299
Using two-factor authentication with SSL VPN ............................................................. 306
Authenticating SSL VPN users using LDAP ................................................................... 312
SSL and IPsec VPN ................................................................................................... 320
Providing remote users with access using SSL VPN ..................................................... 321
Connecting an Android to a FortiGate with SSL VPN .................................................... 329
Configuring SSL VPN with strong authentication using certificates .............................. 337
Using IPsec VPN to provide communication between offices ....................................... 344
Extra help: IPsec VPN .................................................................................................... 352
Using policy-based IPsec VPN for communication between offices ............................. 354
Providing secure remote access to a network for an iOS device .................................. 361
Connecting an Android to a FortiGate with IPsec VPN .................................................. 369
Configuring a FortiGate unit as an L2TP/IPsec server ................................................... 378
Configuring IPsec VPN with a FortiGate and a Cisco ASA ............................................ 386
Creating a VPN with overlapping subnets...................................................................... 392
Using redundant OSPF routing over IPsec VPN ............................................................ 398

The FortiGate Cookbook 5.0.7

Change log

Date

Change Description

April 23, 2014

Added new section: IPv6

New recipes:
- Analyzing your traffic using a one-armed sniffer
- Creating an IPv6 interface using SLAAC
- Fortinet Single Sign-On in Polling Mode for a Windows AD network
Removed recipe:
- Blocking large files from entering the network
Updated to FortiOS version 5.0.7

March 5, 2014

New recipes:
- Using a custom signature to block web traffic from Windows XP
- Preventing credit card numbers from escaping your network
Updated recipes:
- Connecting a private network to the Internet using NAT/Route
mode
- Using IPsec VPN to provide communications between offices

February 3, 2014

New recipes:
- Extra help: IPsec VPN
Reordered SSL and IPsec VPN section. Added FortiGate ports
section to Tips for the FortiGate Cookbook. Added a note to
Providing secure remote access to a network for an iOS device.
Updated to FortiOS version 5.0.6

Change log

Introduction
The FortiGate Cookbook (Expanded Version) is a web-only version of the FortiGate
Cookbook that will be continuously updated with new examples not contained in
the print version. See the Change log for a list of the most recent additions.
The FortiGate Cookbook provides examples, or recipes, of basic and advanced
FortiGate configurations to administrators who are unfamiliar with the unit. All
examples require access to the graphical user interface (GUI), also known as the
web-based manager.
Each example begins with a description of the desired configuration, followed by
step-by-step instructions. Some topics include extra help sections, containing tips
for dealing with some common challenges of using a FortiGate unit.
Using the FortiGate Cookbook, you can go from idea to execution in simple steps,
configuring a secure network for better productivity with reduced risk.
The Cookbook is divided into the following chapters:
Installing & Setup explains the configuration of common network functions and the
different network roles a FortiGate unit can have.
Security Policies & Firewall Objects describes security policies and firewall objects,
which determine whether to allow or block traffic.
Security Features describes the core security features that you can apply to the
traffic accepted by your FortiGate unit.
Wireless Networking explains how to configure and maintain a wireless network.
IPv6 shows how to use the new IPv6 protocol with your FortiGate.
Authentication describes the FortiGate authentication process for network users and
devices.
SSL and IPsec VPN explains the configuration and application of SSL and IPsec
virtual private networks (VPNs).

This edition of the FortiGate Cookbook (Expanded Version) was written using FortiOS 5.0.7.
2

Tips for using the FortiGate Cookbook

Before you get started, here are a few tips about using the FortiGate Cookbook:
Understanding the basics
While the FortiGate Cookbook was written with new FortiGate users in mind, some basic
steps, such as logging into the FortiGate unit, are not included in most recipes. This
information can be found in the first example, Connecting a private network to the Internet
using NAT/Route mode on page 7, or in the QuickStart guide for your FortiGate unit.

Screenshots vs. text

The FortiGate Cookbook uses both screenshots and text to explain the steps of each
example. The screenshots display the entire configuration, while the text highlights key
details (i.e. the settings that are strictly necessary for the configuration) and provides
additional information. To get the most out of the FortiGate Cookbook, start with the
screenshots and then read the text for more details.

Model and firmware

GUI menus, options, and interface names may vary depending on the FortiGate model you
are using and the firmware build. For example, the menu Router > Static > Static Routes
is not available on some models. Also, on different models, the Ethernet interface that would
normally connect to the Internet could be named port1, wan1, wan2, or external.
Also, some features are only available through the CLI on certain FortiGate models, generally
the desktop models (FortiGate/WiFi-20 to 90 Series).

FortiGate ports
The specific ports being used in the documentation are chosen as examples. When you are
configuring your FortiGate unit, you can substitute your own ports, provided that they have
the same function.
For example, in most recipes, wan1 is the port used to provide the FortiGate unit with
access to the Internet. If your FortiGate uses a different port for this function, you should use
that port in the parts of the configuration that the recipe uses wan1.

Tips for using the FortiGate Cookbook

IP addresses
IP addresses are sometimes shown in diagrams to make it easier to see the source of the
addresses used in the recipe. When you are configuring your FortiGate unit, substitute your
own addresses.

Turning on features
Some FortiOS features can be turned off, which means they will not appear in the GUI. If an
option required for a recipe does not appear, go to System > Config > Features and make
sure that option has not been disabled.

Text elements
Bold text indicates the name of a GUI field or feature. When required, italic text indicates
information that you must enter.

Selecting OK/Apply
Always select OK or Apply when you complete a GUI step. Because this must be done
frequently, it is an assumed step and is not included in most recipes.

The FortiGate Cookbook 5.0.7

Installing & Setup

The FortiGate unit provides protection for a variety of different network functions
and configurations. This section contains information about the basic setup for
common network functions as well as different roles that a FortiGate unit can have
within your network.
This section contains the following examples:
t

Connecting a private network to the Internet using NAT/Route mode

Extra help: NAT/Route mode

Quickly connecting a network to the Internet using DHCP

Extra help: Private networks with DHCP

Adding a FortiGate unit without changing the network configuration

Extra help: Transparent mode

Using VDOMs to host two FortiOS instances on a single FortiGate unit

Verifying and updating the FortiGate units firmware

Setting up FortiGuard services

Extra help: FortiGuard

Logging network traffic to gather information

Extra help: Logging

Using FortiCloud to record log messages

Setting up a limited access administrator account

Using SNMP to monitor the FortiGate unit

Setting up an explicit proxy for users on a private network

Adding packet capture to help troubleshooting

Installing & Setup

Protecting a web server on the DMZ network

Using port pairing to simplify transparent mode

Using two ISPs for redundant Internet connections

Adding a backup FortiGate unit to improve reliability

Associating a domain name with an interface that has a dynamic IP

Allowing VoIP calls using FortiVoice and FortiCall

Allowing access from the Internet to a FortiCamera unit

The FortiGate Cookbook 5.0.7

Connecting a private network to the Internet

using NAT/Route mode
In this example, you will learn how to connect and configure a new FortiGate unit
to securely connect a private network to the Internet. Typically, a FortiGate unit is
installed as a gateway or router between a private network and the Internet, where
the FortiGate operates in NAT/Route mode in order to hide the addresses of the
private network from prying eyes, while still allowing anyone on the private network
to freely connect to the Internet.
1. Connecting the network
2. Configuring the FortiGate units interfaces
3. Creating a policy to enable NAT/Route mode
4. Results

Internet

WAN 1

FortiGate

NAT/Route
mode

port 1

Internal Network
Connecting a private network to the Internet using NAT/Route mode

Connecting the network

Connect the FortiGate WAN1 interface to
your ISP-supplied equipment.
Connect the internal network to the FortiGate
internal interface (typically port 1).

ISP

Power on the ISPs equipment, the FortiGate

unit, and the PCs on the Internal network.

FortiGate

Configuring the FortiGate

units interfaces

Internal Network

From a PC on the Internal network, connect

to the FortiGate web-based manager using
either FortiExplorer or an Internet browser.
You can configure the PC to get its IP
address using DHCP and then browse
to https://192.168.1.99. You could also
give the PC a static IP address on the
192.168.1.0/255.255.255.0 subnet.
Login using admin and no password.

Go to System > Network > Interface and.

Edit the wan1 interface.
Set the Addressing Mode to Manual and
the IP/Netmask to your public IP.

The FortiGate Cookbook 5.0.7

Edit the internal interface.

Set the Addressing Mode to Manual and
set the IP/Netmask the private IP of the
FortiGate unit.

Go to Router > Static > Static Routes and

select Create New to add a default route.
Set the Destination IP/Mask to
0.0.0.0/0.0.0.0, set the Device to wan1,
and set the Gateway to the gateway (or
default route) provided by your ISP or to the
next hop router, depending on your network
requirements.

A default route always has a Destination

IP/Mask of 0.0.0.0/0.0.0.0. Normally, you
would have only one default route. If the
static route list already contains a default
route, you can edit it or delete it and add a
new one.

The FortiGate units DNS Settings are set to

Use FortiGuard Services by default, which
is sufficient for most networks. However, if
you require the DNS servers to be changed,
go to System > Network > DNS and add
Primary and Secondary DNS servers.

Connecting a private network to the Internet using NAT/Route mode

Creating a policy to enable

NAT/Route mode
Go to Policy > Policy > Policy and select
Create New to add a security policy that
allows users on the private network to
access the Internet.
Select Enable NAT and Use Destination
Interface Address and click OK.

Some FortiGate models include this

security policy in the default configuration.
If you have one of these models, this step
has already been done for you and as
soon as your FortiGate unit is connected
and the computers on your internal
network are configured, they should be
able to access the Internet.

Results
On the PC that you used to connect to the
FortiGate internal interface, open a web
browser and browse to any Internet website.
You should also be able to connect to the
Internet using FTP or any other protocol or
connection method.
Go to Policy > Monitor > Policy Monitor
to view information about the sessions being
processed by the FortiGate unit.

The FortiGate Cookbook 5.0.7

Extra help: NAT/Route mode

This section provides instructions for troubleshooting connection issues in situations
when a NAT/Route configuration is used.
1. Use FortiExplorer if you cant connect tot he FortiGate GUI or CLI
If you cant connect to the FortiGate GUI or CLI, you may be able to connect using
FortiExplorer. See your FortiGate units QuickStart Guide for details.
THE FORTIGATE COOKBOOK

2. Check for equipment issues.

Verify that all network equipment is powered on and operating as expected. Refer to the
QuickStart Guide for information about connecting your FortiGate to the network and about
the information provided by the FortiGate unit LED indicators.

3. Check the physical network connections.

Check the cables used for all physical connections to ensure that they are fully connected
and do not appear damaged. Also check the Unit Operation dashboard widget, which shows
the connection status of FortiGate network interfaces (System > Dashboard > Status).

4. Verify that you can connect to the internal IP address of the FortiGate unit.
Use a web browser to connect to the web-based manager from the FortiGate internal
interface by browsing to its IP address. From the PC, try to ping the internal interface IP
address; for example, ping 192.168.1.99 If you cannot connect to the internal interface,
verify the IP configuration of the PC. Go to the next step when you can connect to the
internal interface.

5. Check the FortiGate interface configurations.

Check the configuration of the FortiGate interface connected to the internal network, and
check the configuration of the FortiGate interface that connects to the Internet to make sure
it includes the proper addressing mode.

6. Verify that you can communicate from the FortiGate unit to the Internet.
Access the FortiGate CLI and use the execute ping command to ping an address or
domain name on the Internet. You can also use the execute traceroute command to
troubleshoot connectivity to the Internet.
Extra help: NAT/Route mode

7. Verify the DNS configurations of the FortiGate unit and the PCs.
Check for DNS errors by pinging or using traceroute to connect to a domain name; for
example:
ping www.fortinet.com
ping: cannot resolve www.fre.com: Unknown host
If the name cannot be resolved, the FortiGate unit or PC cannot connect to a DNS server
and you should confirm the DNS server IP addresses are present and correct.

8. Verify the security policy configuration.

Go to Policy > Policy > Policy and verify that an internal -> wan1 security policy has been
added and check the Session column to ensure that traffic has been processed. Check the
configuration of the policy to make sure that Enable NAT and Use Destination Interface
Address is selected.

9. Verify the static routing configuration.

Go to Router > Static > Static Routes and verify that the default route is correct. Go to
Router > Monitor > Router Monitor and verify that the default route appears in the list as
a static route. Along with the default route, you should see at least two connected routes,
one for each connected FortiGate interface.

On some FortiGate models, routing options are configured by going to System > Network >
Routing or through the CLI.

10. Disable web filtering.

A web filtering security policy may block access to the website that you are attempting to
connect to. This could happen because the configuration of the default web filter profile is
blocking access to the site.
It is also possible that FortiGuard Web Filtering has produced a rating error for the website,
causing the web filter profile to block access. A rating error could occur for a number of
reasons, including not being able to access FortiGuard. To fix this problem, go to Security
Profiles > Web Filter > Profile and, in the default profile, enable Allow Websites When
a Rating Error Occurs.
12

The FortiGate Cookbook 5.0.7

11. Verify that you can connect to the wan1 IP address of the FortiGate unit.
Once you have established that the internal network is operating, ping the FortiGate wan1
interface IP address. If you cannot connect to the wan1 interface, the FortiGate unit is not
allowing internal to wan1 sessions.

12. Verify that you can connect to the gateway provided by your ISP.
Try pinging the default gateway IP address from a PC on the internal network.

THE FORTIGATE COOKBOOK

13. Consider changing the MAC address of your external interface

Some ISPs do not want the MAC address of the device connecting to their network cable
to change. If you have added a FortiGate unit to your network, you may have to change
the MAC address of the external interface (typically, WAN1) by using the following CLI
command:

end

edit wan1
set macaddr <xx:xx:xx:xx:xx:xx>
end

14. Reset the FortiGate unit to factory defaults and try again
If all else fails, use the CLI command
to confirm the reset.

Extra help: NAT/Route mode

. When prompted, type

Quickly connecting a network to the Internet

using DHCP
In this example, you will learn how to use a FortiGate unit to securely connect to the
Internet with minimal configuration, using DHCP.

Requirements
t
t

An ISP that provides connectivity with DHCP and accepts DHCP requests without authentication.
A FortiGate default configuration that includes a DHCP server for the internal interface and a
security policy that allows all sessions from the internal network to the internet.

1. Connecting to the ISP and to the internal network

2. Configuring your PCs
3. Results

ISP

ISP provides Internet

connectivity with DHCP

Internet

wan
lan
FortiGate

Internal Network
that uses DHCP

The FortiGate Cookbook 5.0.7

Connecting to the ISP and

to the internal network
Connect the FortiGate wan interface to your
ISP-supplied equipment.

ISP

Connect the internal network to the FortiGate

internal interface (in this example, lan).
Turn on the ISPs equipment, the FortiGate
unit, and the PCs on the internal network.

wan
lan
FortiGate

Configuring your PCs

Internal Network

If required, configure the PCs on the internal

network to automatically get their network
configuration using DHCP.
Each PC gets an address on the
192.168.1.0/255.255.255.0 subnet.

Results
From any PC on the internal network, open a
web browser and browse to any website. You
should successfully connect to the Internet.
Go to Policy > Policy > Policy and select
Global View. View Sessions and Count
columns for information about the sessions
being processed by the FortiGate.
If these columns are not visible, right-click on
the menu bar, select Sessions and Count,
and select Apply.

Quickly connecting a network to the Internet using DHCP

Extra help: Private networks with DHCP

This section provides instructions for troubleshooting connection issues when your
network uses DHCP to connect to your ISP and configure your internal network.

1. Check the wan interface.

Verify that the wan interface is getting network settings from the ISP. Go to System >
Network > Interfaces. Highlight the wan interface and select Edit. Confirm that the
Addressing Mode is set to DHCP and that the Distance is set to 5, and ensure that
Retrieve default gateway from server and Override internal DNS are both enabled.

If the IP address seems incorrect or missing, select Renew to renew the lease and get
a new IP configuration from your ISP. If you cannot get a valid IP address this way, the
FortiGate unit cannot communicate with the ISPs DHCP server.

2. Verify that your ISP automatically provides a DNS server with DHCP.
If your ISP does not supply a DNS server with DHCP, you can go to System > Network >
DNS and manually add one.

3. Verify that your ISP supplies a default gateway with DHCP.

If your ISP does not supply a default gateway with DHCP, you can go to Router > Static>
Static Route > Create New and manually add a default route that points from the wan
interface to the ISPs default gateway.

The FortiGate Cookbook 5.0.7

4. Check the internal network configuration.

If the internal network is configured to get IP addresses from the FortiGate DHCP server, go
to System > Interfaces. In the Address Range highlight your interface and click Edit.
Confirm that the DHCP server configuration uses system DNS settings as shown below.

5. Confirm that your PC successfully receives its address using DHCP.

Go to System > Monitor > DHCP Monitor to view information about the PCs configured
by the FortiGate unit DHCP server. There should be one entry here for each PC on the
network that successfully receives its address using DHCP. The following example can be
used for comparison.

If problems persist, see Connecting a private network to the Internet using NAT/Route
mode on page 7.

Adding a FortiGate unit without changing the

network configuration
This section describes how to connect and configure a new FortiGate unit to protect
a private network without changing the network configuration. This is known as
Transparent mode and it allows you to add network security without replacing the
router. The FortiGate unit blocks access from the Internet to the private network but
allows users on the private network to connect to the Internet. The FortiGate unit
monitors application usage and detects and eliminates viruses.

1. Connecting the FortiGate and configuring Transparent mode

2. Creating a security policy
3. Connecting the network
4. Results

Internet
Router
WAN 1
FortiGate
(Transparent
Mode)

Security policies
allow traffic between
network segments

port 1

Internal Network
18

The FortiGate Cookbook 5.0.7

Connecting the FortiGate

and configuring Transparent
mode

Changing to Transparent mode removes

most configuration changes made in
NAT/Route mode. To keep your current
NAT/Mode configuration, backup
the configuration using the System
Information dashboard widget.

Go to System > Dashboard > Status >

System Information and beside Operation
Mode select Change.

Set the Operation Mode to Transparent.

Set the Management IP/Netmask and
Default Gateway to connect the FortiGate
unit the internal network.
You can now access the web-based
manager by browsing to the Management
IP (in the example, you would browse to
https://10.31.101.40).
The FortiGate units DNS Settings are set to
Use FortiGuard Services by default, which
is sufficient for most networks. However, if
you require the DNS servers to be changed,
go to System > Network > DNS and add
Primary and Secondary DNS servers.

Adding a FortiGate unit without changing the network configuration

Creating a security policy

Go to Policy > Policy > Policy and select
Create New to add a security policy that
allows users on the private network to
access the Internet.

Under Security Profiles, enable Antivirus

and enable Application Control.
Press OK to save the security policy
Power off the FortiGate unit.

Connecting the network

Connect the FortiGate unit between the
internal network and the router.

Router

Connect the wan1 interface to the router

internal interface and connect the internal
network to the FortiGate internal interface
port.
Power on the FortiGate unit.

FortiGate

Internal Network

The FortiGate Cookbook 5.0.7

Results
On the PC that you used to connect to the
FortiGate internal interface, open a web
browser and browse to any Internet website.
You should also be able to connect to the
Internet using FTP or any other protocol or
connection method.
Go to Policy > Monitor > Session Monitor
to view the sessions being processed by the
FortiGate unit.

If a FortiGate unit operating in Transparent

mode is installed between a DHCP server
and PCs that get their address by DHCP,
you must add a security policy to allow the
DHCP servers response to get back
through the FortiGate unit from the DHCP
server to the DHCP client. The internal to
wan1 policy allows the DHCP request to
get from the client to the server, but the
response from the server is a new session,
not a typical response to the originating
request, so the FortiGate unit will not
accept this new session unless you add a
wan1 to the internal policy with the
service set to DHCP.

Adding a FortiGate unit without changing the network configuration

Extra help: Transparent mode

This section provides instructions for troubleshooting connection issues when using
a FortiGate in Transparent mode.

1. Use FortiExplorer if you cant connect to the FortiGate GUI or CLI

If you cant connect to the FortiGate GUI or CLI, you may be able to connect using
FortiExplorer. See your FortiGate units QuickStart Guide for details.

2. Check for equipment issues.

3. Check the physical network connections.

Check the cables used for all physical connections between the PC, the FortiGate unit, and
your ISP-supplied equipment to ensure that they are fully connected and do not appear
damaged. Also check the Unit Operation dashboard widget, which indicates the connection
status of FortiGate network interfaces (System > Dashboard > Status).

4. Verify that you can connect to the management IP address of the

FortiGate unit from the Internal network.
From the internal network, attempt to ping the management IP address. If you cannot
connect to the internal interface, verify the IP configuration of the PC and make sure the
cables are connected and all switches and other devices on the network are powered on
and operating. Go to the next step when you can connect to the internal interface.

5. Verify that you can communicate from the FortiGate unit to the Internet.
Access the FortiGate CLI and use the execute ping command to ping an address or
domain name on the Internet. You can also use the execute traceroute command to
troubleshoot connectivity to the Internet.

The FortiGate Cookbook 5.0.7

6. Verify the DNS configurations of the FortiGate unit and the PCs on the
internal network.
Check for DNS errors by pinging or using traceroute to connect to a domain name; for
example:
ping www.fortinet.com
ping: cannot resolve www.fre.com: Unknown host
If the name cannot be resolved, the FortiGate unit or PC cannot connect to a DNS server
and you should confirm the DNS server IP addresses are present and correct.

7. Verify the security policy configuration.

Go to Policy > Policy > Policy and verify that an internal -> wan1 security policy has been
added and check the Session column to ensure that traffic has been processed.

8. Verify the static routing configuration.

Go to System > Network > Routing Table and verify that the default route is correct.

9. Disable web filtering.

10. Verify that you can connect to the gateway provided by your ISP.
Try pinging the default gateway IP address from a PC on the internal network.

11. Confirm that the FortiGate unit can connect to the FortiGuard network.
Once registered, the FortiGate unit obtains antivirus and application control and other
updates from the FortiGuard network. Once the FortiGate unit is on your network, you
should confirm that it can reach the FortiGuard network. The FortiGate unit must be able
to connect to the network from its management IP address. If the following tests provide

Extra help: Transparent mode

incorrect results, the FortiGate unit cannot connect to the Internet from its management
IP address. Check the FortiGate units default route to make sure it is correct. Check your
Internet firewall to make sure it allows connections from the FortiGate management IP
address to the Internet.
First, check the License Information dashboard widget to make sure the status of all
FortiGuard services matches the services that you have purchased. The FortiGate unit
connects to the FortiGuard network to obtain this information.
Go to System > Config > FortiGuard. Open web filtering and email options and select
Test Availability. After a minute, the GUI should indicate a successful connection.

12. Check the FortiGate bridge table.

The bridge table is a list of MAC addresses of devices on the same network as the FortiGate
unit and the FortiGate interfaces from which each MAC address was found. The FortiGate
unit uses this table to determine where to forward a packet. If a the MAC address of a
specific device is getting added to the bridge table, then packets to that MAC address will
be blocked. This may appear as traffic going to a MAC address but no reply traffic coming
back. In this situation, check the bridge table to ensure the correct MAC addresses have
been added to the bridge table. Use the following CLI command to check the bridge table:.
diagnose netlink brctl name host root.b
show bridge control interface root.b host.
fdb: size=2048, used=25, num=25, depth=1
Bridge root.b host table
port no device devname mac addr ttl attributes
3 4 wan1 00:09:0f:cb:c2:77 88
3 4 wan1 00:26:2d:24:b7:d3 0
3 4 wan1 00:13:72:38:72:21 98
4 3 internal 00:1a:a0:2f:bc:c6 6
1 6 dmz 00:09:0f:dc:90:69 0 Local Static
3 4 wan1 c4:2c:03:0d:3a:38 81
3 4 wan1 00:09:0f:15:05:46 89
3 4 wan1 c4:2c:03:1d:1b:10 0
2 5 wan2 00:09:0f:dc:90:68 0 Local Static
If your devices MAC address is not listed, the FortiGate unit cannot find the device on the
network. This could indicate that the device is not connected or not operating. Check the
devices network connections and make sure it is operating correctly.

The FortiGate Cookbook 5.0.7

13. Reset the FortiGate unit to factory defaults and try again
If all else fails, use the CLI command
to confirm the reset.

. When prompted, type

Resetting the FortiGate unit to factory defaults will put the unit back into NAT/Route mode.

Extra help: Transparent mode

Using VDOMs to host two FortiOS instances on a

single FortiGate unit
Virtual Domains (VDOMs) can be used to divide a single FortiGate unit into two or
more virtual instances of FortiOS that function as independent FortiGate units. This
example simulates an ISP that provides Company A and Company B with distinct
Internet services. Each company has its own VDOM, IP address, and internal
network.
1. Switching to VDOM mode and creating two VDOMS
2. Assigning interfaces to each VDOM
3. Creating administrators for each VDOM
4. Creating a basic configuration for VDOM-A
5. Creating a basic configuration for VDOM-B
6. Connecting the gateway router
7. Results
Internet

Gateway
Router
172.20.120.2
Port 1

VDOM-A
Port 2

Company A
192.168.10.0

Port 3

VDOM-B

FortiGate with
two Virtual
Domains

Port 4

Company B
192.168.20.0

The FortiGate Cookbook 5.0.7

Switching to VDOM mode

and creating two VDOMS
Go to System > Dashboard > Status.
In the System Information widget, find
Virtual Domain and select Enable.

You will be required to re-login after

enabling Virtual Domain due to the GUI
menu options changing.

Go to Global > VDOM > VDOM.

Create two VDOMS: VDOM-A and VDOM-B.
Leave both VDOMs as Enabled, with
Operation Mode set to NAT.

Using VDOMs to host two FortiOS instances on a single FortiGate unit

Assigning interfaces to each

VDOM
Go to Global > Network > Interfaces.
Edit port1 and add it to VDOM-A. Set
Addressing Mode to Manual and assign
an IP/Network Mask to the interface (in the
example, 172.20.120.10/255.255.255.0).

Edit port2 and add it to VDOM-A. Set

Addressing Mode to Manual, assign an
IP/Network Mask to the interface (in the
example, 192.168.10.1/255.255.255.0), and
set Administrative Access to HTTPS,
PING, and SSH. Enable DHCP Server.

Edit port3 and add it to VDOM-B. Set

Addressing Mode to Manual and assign
an IP/Network Mask to the interface (in the
example, 172.20.120.20/255.255.255.0).

The FortiGate Cookbook 5.0.7

Edit port4 and add it to VDOM-B. Set

Addressing Mode to Manual, assign an
IP/Network Mask to the interface (in the
example, 192.168.20.1/255.255.255.0), and
set Administrative Access to HTTPS,
PING, and SSH. Enable DHCP Server.

Creating administrators for

each VDOM
Go to Global > Admin > Administrators.
Create an administrator for VDOM-A,
called a-admin. Set Type to Regular, set a
password, and set Admin Profile to prof_
admin.

Create an administrator for VDOM-B,

called b-admin. Set Type to Regular, set a
password, and set Admin Profile to prof_
admin.

Make sure to remove the root VDOM from

both administrator accounts.

Using VDOMs to host two FortiOS instances on a single FortiGate unit

Creating a basic
configuration for VDOM-A
Go to Virtual Domains and select
VDOM-A.
Go to Router > Static > Static Routes.
Add a default route for the VDOM. Set
Destination IP/Mask to 0.0.0.0/0.0.0.0,
set Device to port1, and set Gateway to
the IP of the gateway router (in the example,
172.20.120.2).

Connect a PC to port2. Using HTTPS

protocol, browse to the IP set for port2 and
log into VDOM-A using the a-admin account
(in the example, https://192.168.10.1).
Go to Policy > Policy > Policy.
Create a policy to allow Internet access.
Set Incoming Interface to port2 and
Outgoing Interface to port1. Select
Enable NAT.

The FortiGate Cookbook 5.0.7

Creating a basic
configuration for VDOM-B
If you have logged out of the FortiGate unit,
log back in.
Go to Virtual Domains and select
VDOM-B. Go to Router > Static > Static
Routes.
Add a default route for the VDOM. Set
Destination IP/Mask to 0.0.0.0/0.0.0.0,
set Device to port3, and set Gateway to
the IP of the gateway router (in the example,
172.20.120.2).

Connect a PC to port4. Using HTTPS

protocol, browse to the IP set for port2 and
log into VDOM-B using the b-admin account
(in the example, https://192.168.20.1).
Go to Policy > Policy > Policy.
Create a policy to allow Internet access.
Set Incoming Interface to port4 and
Outgoing Interface to port3. Select
Enable NAT.

Using VDOMs to host two FortiOS instances on a single FortiGate unit

Connecting the gateway

router
Connect port1 and port3 of the FortiGate unit
to the gateway router to allow Internet traffic
to flow.

Gateway
Router

Port 3

Port 1

VDOM-A

VDOM-B

FortiGate

Results
Connect to the Internet from the company A
and company B networks and then log into
the FortiGate unit.
Go to Virtual Domains and select
VDOM-A. Go to Policy > Policy > Monitor
to view the sessions being processed on
VDOM-A.

Go to Virtual Domains and select

VDOM-B. Go to Policy > Policy > Monitor
to view the sessions being processed on
VDOM-B.

The FortiGate Cookbook 5.0.7

Verifying and updating the FortiGate units

firmware
This example verifies the current version of FortiOS firmware and, if necessary,
updates it to the latest version.

THE FORTIGATE COOKBOOK

Always review the Release Notes before installing a new firmware version. They provide the recommended upgrade
path for the firmware release as well as additional information not available in other documentation. Only perform a
firmware update during a maintenance window.

1. Checking the current FortiOS firmware

2. Downloading the latest FortiOS firmware
3. Updating the FortiGate to the latest firmware
4. Results

Check
firmware
version

Current
version?

yes

Verifying and updating the FortiGate units firmware

Download and
install current
version

No action
required

Checking the current

FortiOS firmware
Log in to the web-based manager and view
the dashboard System Information widget
to see the Firmware Version currently
installed on your FortiGate unit.

Downloading the latest

FortiOS firmware
To download a newer firmware version,
browse to http://support.fortinet.com and log
in using your Fortinet account user name and
password.
Your FortiGate unit must be registered
before you can access firmware images
from the Support site.
Go to Download Firmware Images >
FortiGate. Locate and download the
firmware for your FortiGate unit.
Download and read the Release Notes
for this firmware version. Always review
the Release Notes before installing a new
firmware version in case you cannot update
to the new firmware release from the one
currently running.

The FortiGate Cookbook 5.0.7

Updating the FortiGate to

the latest firmware
Go to System > Dashboard > Status.
Backup your configuration from the System
Information dashboard widget, next to
System Configuration..

THE FORTIGATE COOKBOOK

Always remember to back up your

configuration before doing any firmware
upgrades.

Under System Information > Firmware

Version, select Update.
Find the firmware image file that you
downloaded and select OK to upload and
install the firmware build on the FortiGate
unit.

Results
The FortiGate unit uploads the firmware
image file, updates to the new firmware
version, restarts, and displays the FortiGate
login. This process takes a few minutes.
From the FortiGate web-based manager, go
to System > Dashboard > Status. In the
System Information widget, the Firmware
Version will show the updated version of
FortiOS.

Verifying and updating the FortiGate units firmware

Setting up FortiGuard services

If you have purchased FortiGuard services and registered your FortiGate unit, the
FortiGate should automatically connect to a FortiGuard Distribution Network (FDN)
and display license information about your FortiGuard services. In this example, you
will verify whether the FortiGate unit is communicating with the FDN by checking
the License Information dashboard widget.

Internet

FortiGuard

FortiGate

Internal Network

The FortiGate Cookbook 5.0.7

Verifying the connection

On the dashboard, go to the License
Information widget.
Any subscribed services should have a green
check mark, indicating that connections are
successful.

THE FORTIGATE COOKBOOK

A grey X indicates that the FortiGate unit

cannot connect to the FortiGuard network, or
that the FortiGate unit is not registered.
A red X indicates that the FortiGate unit was
able to connect but that a subscription has
expired or has not been activated.

You can also view the FortiGuard connection

status by going to System > Config >
FortiGuard.

Setting up FortiGuard services

Extra help: FortiGuard

This section contains tips to help you with some common challenges of using
FortiGuard.
FortiGuard services appear as expired/unreachable.
Verify that you have registered your FortiGate unit, purchased FortiGuard services and that
the services have not expired at support.fortinet.com.

Services are active but still appear as expired/unreachable.

Verify that the FortiGate unit can communicate with the Internet.

The FortiGate is connected to the Internet but cant communicate with

FortiGuard.
Go to System > Network > DNS and ensure that the primary and secondary DNS servers
are correct. If the FortiGate interface connected to the Internet gets its IP address using
DHCP, make sure Override internal DNS is selected.
Also, determine if the default port used for FortiGuard traffic, port 53, is being blocked, either
by a device on your network or by your ISP. If you cannot unblock the port, change it by
going to System > Config > FortiGuard and selecting the service(s) where communication
errors are occurring. Under Port Selection, select Use Alternate Port.

Communication errors remain.

FortiGate units contact the FortiGuard Network by sending UDP packets with typical source
ports of 1027 or 1031, and destination ports of 53 or 8888. The FDN reply packets would
then have a destination port of 1027 or 1031. If your ISP blocks UDP packets in this port
range, the FortiGate unit cannot receive the FDN reply packets.
In effort to avoid port blocking, You can configure your FortiGate unit to use highernumbered ports, such as 2048-20000, using the following CLI command:
set ip-src-port-range 2048-20000
end
Trial and error may be required to select the best source port range. You can also contact
your ISP to determine the best range to use.
38

The FortiGate Cookbook 5.0.7

Logging network traffic to gather information

This example demonstrates how to enable logging to capture the details of the
network traffic processed by your FortiGate unit.

1. Recording log messages and enabling event logging

2. Enabling logging in the security policies
3. Results

Session begins

Logging
enabled?

No record

Logging network traffic to gather information

yes

Security events
only
Security
Log all
event in
traffic?
session?

yes

Record
session data

Recording log messages and

enabling event logging
Go to Log & Report > Log Config > Log
Settings.
Select where log messages will be recorded.
You can save log messages to disk if
your FortiGate unit supports this, to a
FortiAnalyzer or FortiManager unit if you
have one, or to FortiCloud if you have a
subscription. Each of these options allow
you to record and view log messages and to
create reports based on them.
In most cases, it is recommended to
Send Logs to FortiCloud, as shown
in the example. For more information on
FortiCloud, see Using FortiCloud to record
log messages on page 44.
Next, enable Event Logging.
You can choose to Enable All types of
logging, or specific types, such as WiFi
activity events, depending on your needs.

The FortiGate Cookbook 5.0.7

Enabling logging in the

security policies
Go to Policy > Policy > Policy. Edit the
policies controlling the traffic you wish to log.
Under Logging Options, you can choose
either Log Security Events or Log all
Sessions.
In most cases, you should select Log
Security Events. Log all Sessions can
be useful for more detailed traffic analysis
but also has a greater effect on system
performance and requires more storage.

Results
View traffic logs by going to Log & Report
> Traffic Log > Forward Traffic. The logs
display a variety of information about your
traffic, including date/time, source, device,
and destination.
To change the information shown, rightclick on any column title and select Column
Settings to enable or disable different
columns.

Logging network traffic to gather information

You can also select any entry to view more

information about a specific session.

Different types of event logs can be found at

Log & Report > Event Log.
The example shows the System log
that records system events, such as
administrative logins and configuration
changes.

As with the Forward Traffic log, select an

entry for further information.

Extra help: Logging

This section contains tips to help you with some common challenges of FortiGate
logging.
No log messages appear.
Ensure that logging is enabled in both the Log Settings and the policy used for the traffic
you wish to log, as logging will not function unless it is enabled in both places.
If logging is enabled in both places, check that the policy in which logging is enabled is the
policy being used for your traffic. Also make sure that the policy is getting traffic by going to
the policy list and adding the Sessions column to the list.

Logs from a FortiAnalyzer, FortiManager, or from FortiCloud do not appear in

the GUI.
Ensure that the correct log source has been selected in the Log Settings, under GUI
Preferences.

The FortiGate units performance level has decreased since enabling disk
logging.
If enabling disk logging has impacted overall performance, change the log settings to either
send logs to a FortiAnalyzer unit, a FortiManager unit, or to FortiCloud.

Log All Sessions is enabled on all security policies and cannot be changed.
This can occur if Client Reputation is enabled.

Logging to a FortiAnalyzer unit is not working as expected.

The firmware for the FortiGate and FortiAnalyzer units may not be compatible. Check the
firmware release notes, found at support.fortinet.com, to see if this is the case.

Extra help: Logging

Using FortiCloud to record log messages

This example describes setting up FortiGate logging to FortiCloud, an online log
retention service provided by Fortinet. It also describes how to use FortiCloud to
view and access FortiGate traffic logs.

You must register your FortiGate unit before you can activate FortiCloud.

1. Activating FortiCloud
2. Sending logs to FortiCloud
3. Enabling logging in your security policies
4. Results

FortiCloud

FortiGate

Internal Network
44

The FortiGate Cookbook 5.0.7

Activating FortiCloud
Go to System > Dashboard > Status.
In the FortiCloud section of the License
Information widget, select the green
Activate button.

Fill in the required information to create a

new FortiCloud account.

Using FortiCloud to record log messages

Sending logs to FortiCloud

Go to Log & Report > Log Config > Log
Setting.
Enable Send Logs to FortiCloud and
adjust the Event Logging settings as
required.
Select Test Connectivity to verify the
connection between the FortiGate unit and
your FortiCloud account.
Set the GUI Preferences to Display Logs
from FortiCloud, to easily view your logs.

Enabling logging in the

security policies
Go to Policy > Policy > Policy. Edit the
security policies that control the traffic you
wish to log.
Under Logging Options, select either Log
Security Events or Log all Sessions,
depending on your needs.
In most cases, Log Security Events will
provide sufficient information in the traffic
logs. Log all Sessions can be useful for
more detailed traffic analysis but also has a
greater effect on system performance and
requires more memory for storage.

The FortiGate Cookbook 5.0.7

Results
Go to System > Dashboard > Status.
In the FortiCloud section of the License
Information widget, select Launch Portal.
From the portal, you can view the log data
and reports.
You can access your FortiCloud account at
any time by going to www.forticloud.com.

Daily Summary reports can also be found

through the FortiGate unit by going to Log &
Report > Report > FortiCloud.
You can also configure your FortiCloud
account to have these reports emailed to
you.

Logs viewed through the GUI will also now

read Log location: FortiCloud in the upper
right corner.

Using FortiCloud to record log messages

Setting up a limited access administrator

account
This example adds a new FortiGate administrator account that uses an
administrative profile with access limited to read and write for authentication and
device information and to reading for logs and reports. Account access to the
firewall will be limited to connections from a specific subnet.

1. Creating a new administrative profile

2. Adding a new administrator and assigning the profile
3. Results

Admin Account

Admin Profile
No Access
Fortigate
Functions

Read-Write
Read Only
Fortigate
Functions

Fortigate
Functions

The FortiGate Cookbook 5.0.7

Creating a new
administrative profile
Go to System > Admin > Admin Profile.
Create a new administer profile that allows
the administrator with this profile to view and
edit components of User and Devices and
to view logs and reports.

Setting up a limited access administrator account

Adding a new administrator

and assigning the profile
Go to System > Admin > Administrators.
Create a new administrator account and
assign it to the profile new that was just
created.
Restrict access to the firewall to logins from
Trusted Hosts Only by adding the IP address
range to one of the Trusted Host fields.

Results

Log in to the FortiGate unit using the user

name of new administrator account.
The admin profile controls what features of
the FortiGate configuration the administrator
can see and configure from web-based
manager and CLI.
This administrator can create and edit
elements regarding users, authentication and

The FortiGate Cookbook 5.0.7

devices etc. Also available for viewing are the

logs and reports. Elements not specified as
Readable do not appear.
Log in with a super admin account.
Go to System > Dashboard > Status, and
view the System Information widget.

Select Details for the Current Administrator

to view all administrators logged in.

Go to Log & Report > Event Log >

System.
The upper pane will show the activity, such
as the successful login of the t.white admin
account.
Select the entry for the new administrator
login to get more detailed information to
show in the lower pane.
The details show that the new administrator
account logged in from an IP address that is
within the ranges specified in the Trusted
Hosts field.

Setting up a limited access administrator account

Using SNMP to monitor the FortiGate unit

The Simple Network Management Protocol (SNMP) enables you to monitor
hardware on your network. You configure the hardware, such as the FortiGate
SNMP agent, to report system information and send traps (alarms or event
messages) to SNMP managers.
In this example, you configure the FortiGate SNMP agent and an example SNMP
manager so that the SNMP manager can get status information from the FortiGate
unit and so that the FortiGate unit can send traps to the SNMP manager.

1. Configuring the FortiGate SNMP agent

2. Enabling SNMP on a FortiGate interface
3. Downloading Fortinet MIB files to and configuring an
example SNMP manager
4. Results

Internet

Internal Network

FortiGate

SNMP Manager
52

The FortiGate Cookbook 5.0.7

Configuring the FortiGate

SNMP agent
Go to System > Config > SNMP.
Configure the SNMP agent.

Using SNMP to monitor the FortiGate unit

Under SNMP v1/v2c create a new

community.
Add the IP address of SNMP manager (in
the example, 192.168.1.114/32). If required,
change the query and trap ports to match
the SNMP manager.
You can add multiple SNMP managers or set
the IP address/Netmask to 0.0.0.0/0.0.0.0
and the Interface to ANY so that any SNMP
manager on any network connected to the
FortiGate unit can use this SNMP community
and receive traps from the FortiGate unit.
Enable the SNMP Events (traps) that you
need. In most cases leave them all enabled.

Enabling SNMP on a
FortiGate interface
Go to System > Network > Interfaces.
Enable SNMP administrative access on the
interface connected to the same network as
the SNMP manager.

The FortiGate Cookbook 5.0.7

Downloading the Fortinet

MIB files to and configuring
an example SNMP manager
Go to System > Config > SNMP to
download FortiGate SNMP MIB file and the
Fortinet Core MIB file.
Two types of MIB files are available for
FortiGate units: the Fortinet MIB, and the
FortiGate MIB. The Fortinet MIB contains
traps, fields, and information that is common
to all Fortinet products. The FortiGate MIB
contains traps, fields, and information that is
specific to FortiGate units.
Configure the SNMP manager at
192.168.1.114 to receive traps from the
FortiGate unit. Install the FortiGate and
Fortinet MIBs.

Results
This example uses the SolarWinds SNMP
trap viewer.
In the SolarWinds Toolset Launch Pad, go to
SNMP > MIB Viewer and select Launch.

Using SNMP to monitor the FortiGate unit

Choose Select Device, enter the IP address

of the FortiGate unit, and choose the
appropriate community string credentials.

Open the SNMP Trap Receiver and select

Launch.

The FortiGate Cookbook 5.0.7

On the FortiGate unit, perform an action to

trigger a trap (for example, change the IP
address of the DMZ interface).
Verify that the SNMP manager receives the
trap.

On the FortiGate unit, view log messages

showing the trap was sent by going to Log &
Report > Event Log > System.

Using SNMP to monitor the FortiGate unit

Setting up an explicit proxy for users on a

private network
In this example, an explicit web proxy is set to accommodate faster web browsing.
This allows internal users to connect using port 8080 rather than port 80.

1. Enabling explicit web proxy on the internal interface

2. Configuring the explicit web proxy for HTTP/HTTPS traffic
3. Adding a security policy for proxy traffic
4. Results

Internet

Port 3

Explicit web proxy

Internal Network

FortiGate

Port 4

The FortiGate Cookbook 5.0.7

Enabling explicit web proxy

on the internal interface
Go to System > Network > Interfaces.
Edit an internal port (port 4 in the example).
Enable both DHCP Server and Explicit
Web Proxy.

Go to System > Config > Features. Ensure

that WAN Opt. & Cache is enabled.

Setting up an explicit proxy for users on a private network

Configuring the explicit web

proxy for HTTP/HTTPS
traffic
Go to System > Network > Explicit Proxy
and enable the HTTP/HTTPS explicit web
proxy.
Ensure that the Default Firewall Policy
Action is set to Deny.

The FortiGate Cookbook 5.0.7

Adding a security policy for

proxy traffic
Go to Policy > Policy > Policy.
Create a new policy and set the Incoming
Interface to web-proxy, the Outgoing
Interface to an internal port (in the example,
port 3), and the Service to webproxy.

Results
Configure web browsers on the private
network to connect using a proxy server.
The IP address of the HTTP proxy server is
10.10.1.99 (the IP address of the FortiGate
internal interface) and the port is 8080
(the default explicit web proxy port). Web
browsers configured to use the proxy server
are able to connect to the Internet.
Go to Policy > Policy > Policy to see the ID
of the policy allowing webproxy traffic.
Web proxy traffic is not counted by security
policy.

Setting up an explicit proxy for users on a private network

Adding packet capture to help troubleshooting

Packet capture is a means of logging traffic and its details to troubleshoot any
issues you might encounter with traffic flow or connectivity. This example shows the
basics of setting up packet capture on the FortiGate unit and analyzing the results.

1. Creating a packet capture filter

2. Starting the packet capture
3. Stopping the packet capture
4. Results

Original Packet
Internet
FortiGate
Internal Network
Duplicate Packet

Packet Capture
62

The FortiGate Cookbook 5.0.7

Creating a packet capture

filter
Go to System > Network > Packet
Capture.
Create a new filter. In this example, the
FortiGate unit will capture 100 HTTP packets
on the internal interface from/to host
192.168.1.200.
t

Host(s) can be a single IP or multiple

IPs separated by comma, IP range, or
subnet.

Port(s) can be single or multiple

separated by comma or range.

Protocol can be single or multiple

separated by comma or range. Use 6 for
TCP, 17 for UDP, and 1 for ICMP.

Starting the packet capture

Select Start to begin the packet capture.
Using an internal computer, or a device set to
IP address 192.168.1.200, surf the Internet to
generate traffic.

Adding packet capture to help troubleshooting

Stopping the packet

capture
Once the FortiGate reaches the maximum
number of packets to save (in this case 100),
the capturing progress stops and you can
download the saved pcap file.
You can also stop the capturing at any time
before reaching the maximum number of
packets.

Results
Open the pcap file with a pcap file viewer,
such as tcpdump or Wireshark.
Adjust the settings in the filter depending on
the kind of traffic you wish to capture.

Go to Log & Report > Event Log >

System to verify that the packet capture file
downloaded successfully.

The FortiGate Cookbook 5.0.7

Protecting a web server on the DMZ network

In the following example, a web server is connected to a DMZ network. An internalto-DMZ security policy allows internal users to access the web server using an
internal IP address (10.10.10.22). A WAN-to-DMZ security policy hides the internal
address, allowing external users to access the web server using a public IP address
(172.20.120.22).

1. Configuring the FortiGate units DMZ interface

2. Adding virtual IPs
3. Creating security policies
4. Results

Internet
WAN 1
172.20.120.22

DMZ Network

FortiGate

DMZ

LAN

Web Server
10.10.10.22
Internal Network

Protecting a web server on the DMZ network

Configuring the FortiGate

units DMZ interface
Go to System > Network > Interfaces.
Edit the DMZ interface. A DMZ Network
(from the term demilitarized zone) is a
secure network connected to the FortiGate
that only grants access if it has been
explicitly allowed. Using the DMZ interface is
recommended but not required.

Adding virtual IPs

Go to Firewall Objects > Virtual IPs >
Virtual IPs.
Create two virtual IPs: one for HTTP access
and one for HTTPS access.
Each virtual IP will have the same address,
mapping from the public-facing interface to
the DMZ interface. The difference is the port
for each traffic type: port 80 for HTTP and
port 443 for HTTPS.

The FortiGate Cookbook 5.0.7

Creating security policies

Go to Policy > Policy > Policy.
Create a security policy to allow HTTP and
HTTPS traffic from the Internet to the DMZ
interface and the web server.

Create a second security policy to allow

HTTP and HTTPS traffic from the internal
network to the DMZ interface and the web
server.
Adding this policy allows traffic to pass
directly from the internal interface to the DMZ
interface.

Protecting a web server on the DMZ network

Results
External users can access the web
server on the DMZ network from the
Internet using http://172.20.120.22 and
https://172.20.120.22.
Internal users can access the web
server using http://10.10.10.22 and
https://10.10.10.22.
Go to Policy > Monitor > Policy Monitor.
Use the policy monitor to verify that traffic
from the Internet and from the internal
network is allowed to access the web server.
This verifies that the policies are configured
correctly.

Go to Log & Report > Traffic Log >

Forward Traffic.

The traffic log shows sessions from the

internal network and from the Internet
accessing the web server on the DMZ
network.

The FortiGate Cookbook 5.0.7

Using port pairing to simplify transparent mode

When you create a port pair, all traffic accepted by one of the paired ports can
only exit out the other port. Restricting traffic in this way simplifies your FortiGate
configuration because security policies between these interfaces are preconfigured.

1. Switching the FortiGate unit to transparent mode and adding a static

route
2. Creating an internal and wan1 port pair
3. Creating firewall addresses
4. Creating security policies
5. Results

Protected web server

192.168.1.200

Internet

Router

WAN 1

FortiGate

Internal

Management IP
192.168.1.100

Using port pairing to simplify transparent mode

Internal Network
192.168.1.[110-150]

Switching the FortiGate unit

to transparent mode and
adding a static route
Go to System > Dashboard > Status.
In the System Information widget,
select Change. Set Operation mode to
Transparent.
Log into the FortiGate unit using the
management IP (in the example,
192.168.1.100).
Go to System > Network > Routing Table
and set a static route.

Creating an internal and

wan1 port pair
Go to System > Network > Interfaces.
Create an internal/wan1 pair so that all traffic
accepted by the internal interface can only
exit out of the wan1 interface.

The FortiGate Cookbook 5.0.7

Creating firewall addresses

Go to Firewall Objects > Address >
Addresses.
Create an address for the web server using
the web servers Subnet IP.

Create a second address, with an IP range

for internal users.

Creating security policies

Go to Policy > Policy > Policy.
Create a security policy that allows internal
users to access the web server using HTTP
and HTTPS.

Using port pairing to simplify transparent mode

Create a second security policy that allows

connections from the web server to the
internal users network and to the Internet
using any service.

Results
Connect to the web server from the internal
network and surf the Internet from the server
itself.
Go to Log & Report > Traffic Log >
Forward Traffic to verify that there is traffic
from the internal to wan1 interface.

The FortiGate Cookbook 5.0.7

Select an entry for details.

Go to Policy > Monitor > Policy Monitor

to view the active sessions.

Using port pairing to simplify transparent mode

Using two ISPs for redundant Internet

connections
This example describes how to improve the reliability of a network connection using
two ISPs. The example includes the configuration of equal cost multi-path load
balancing, which efficiently distributes sessions to both Internet connections without
overloading either connection.

1. Configuring connections to the two ISPs

2. Adding security policies
3. Configuring failover detection and spillover load balancing
4. Results

Internet

ISP 1

WAN 2

WAN 1
FortiGate

ISP 2

LAN

Internal
Network
74

The FortiGate Cookbook 5.0.7

Configuring connections to
the two ISPs
Go to System > Network > Interfaces and
configure the wan1 and wan2 connections.
Make sure that both use DHCP as the
Addressing mode and have Retrieve
default gateway from server and
Override internal DNS enabled.

Using two ISPs for redundant Internet connections

Adding security policies

Go to Policy > Policy > Policy.
Create a security policy for the primary
interface connecting to the ISPs and the
internal network.

Create a security policy for each interface

connecting to the ISPs and the internal
network.

Configuring failover
detection and spillover load
balancing
Go to Router > Static > Settings.
Create two new Dead Gateway Detection
entries.

The FortiGate Cookbook 5.0.7

Set the Ping Interval and Failover

Threshold to a smaller value for a more
immediate reaction to a connection going
down.

Go to Router > Static > Settings and set

the ECMP Load Balancing Method to
Spillover.
The Spillover Threshold value is calculated
in kbps (kilobits per second). However, the
bandwidth on interfaces is calculated in kBps
(kilo Bytes per second).
For wan1 interface, Spillover Threshold = 100
kbps = 100000 bps. Assume that 1000 bps
is equal to 1024 bps. Thus, 100000 bps =
102400 bps = 102400/8 Bps = 12800 Bps.

Results
Go to Log & Report > Traffic Log >
Forward Traffic to see network traffic from
different source IP addresses flowing through
both wan1 and wan2.

Using two ISPs for redundant Internet connections

Disconnect the wan1 port on the FortiGate

unit to see that all traffic automatically goes
through the wan2 port unit, until wan1 is
available again.

The FortiGate Cookbook 5.0.7

Adding a backup FortiGate unit to improve

reliability
Adding a backup FortiGate unit to a currently installed FortiGate unit provides
redundancy if the primary FortiGate unit fails. This system design is known as High
Availability (HA) and is intended to improve network reliability.
1. Adding the backup FortiGate unit and configuring HA
2. Testing the failover functionality
3. Upgrading the firmware for the HA cluster

Internet

WAN 1

Switch

WAN 1

Dual HA Links
HA 1

FortiGate
(Primary)
Internal

HA 2

WAN 1

HA 1
HA 2

FortiGate
(Backup)
Internal

Switch

Internal Network

Adding a backup FortiGate unit to improve reliability

Adding the backup

FortiGate unit and
configuring HA
Connect the backup FortiGate unit as shown
in the diagram.
Go to System > Dashboard > Status.
Change the host name of the primary
FortiGate unit.

Go to System > Config > HA.

Configure the HA settings for the primary
FortiGate unit.

Go to System > Dashboard > Status.

Change the host name of the backup
FortiGate unit.

The FortiGate Cookbook 5.0.7

Go to System > Config > HA.

Configure the HA settings for the backup
FortiGate unit.
Ensure that the Group Name and
Password are the same as on the primary
FortiGate unit.

Go to System > Config > HA to view the

cluster information.

Select View HA Statistics for more

information on the cluster.

Adding a backup FortiGate unit to improve reliability

Go to System > Dashboard > Status to

see the cluster information.

Testing the failover

functionality
Unplug the Ethernet cable from the WAN1
interface of the primary FortiGate unit. Traffic
will divert to the backup FortiGate unit.
Use the ping command to view the results.

Shut down the primary FortiGate unit, and

you will see that traffic fails over to the
backup FortiGate unit.
Use the ping command to view the results.

The FortiGate Cookbook 5.0.7

Upgrading the firmware for

the HA cluster
When a new version of the FortiOS firmware
becomes available, upgrade the firmware on
the primary FortiGate unit and the backup
FortiGate unit will upgrade automatically.
Go to System > Dashboard > Status
and view the System Information widget.
Select Upgrade beside the Firmware
Version listing.
The firmware will load on the primary
FortiGate unit, and then on the backup unit.

Go to Log & Report > Event Log >

System.

Go to System > Dashboard > Status. View

the System Information widget again. Both
FortiGate units should have the new firmware
installed.

Adding a backup FortiGate unit to improve reliability

Associating a domain name with an interface

that has a dynamic IP
Using a Dynamic Domain Name Service (DDNS) means that users can reach your
network by means of a domain name that remains constant even when its IP
address changes. This example shows how to set up a FortiGate units Internetfacing interface to work with the FortiGuard DDNS.
The FortiGuard DDNS service requires an active FortiCare Support Contract.

1. Setting up FortiGuard DDNS from the GUI

2. Setting up FortiGuard DDNS from the CLI
3. Results

Internet
FortiGuard
DDNS

Remote
User
branchoffice.fortiddns.com

FortiGate

Internal Network

The FortiGate Cookbook 5.0.7

Setting up FortiGuard DDNS

from the GUI
Go to System > Network > DNS and
enable FortiGuard DDNS.
Select the FortiGate Interface connected
to the Internet, select a Server, and add a
name for the network.
The FortiGuard DDNS service verifies that
the resulting Domain name is unique and
valid. The Domain name is then displayed
with the current IP address of the interface.
You can click the domain name to browse to
the address with a web server.

Setting up FortiGuard DDNS

from the CLI
Go to System > Dashboard > Status and
use the CLI Console to setup FortiGuard
DDNS.

edit 0
set ddns-server FortiGuardDDNS
set monitor-interface wan1
end

Results
You can verify that the DDNS is working with
a utility like dig or nslookup to check that
the domain name resolves to the correct IP
address.

Server:
Address:

208.91.112.53
208.91.112.53#53

Non-authoritative answer:
Address: 172.20.120.126

Associating a domain name with an interface that has a dynamic IP

Allowing VoIP calls using FortiVoice and FortiCall

This example sets up inbound and outbound Voice over IP (VoIP) calls using
Session Initiation Protocol (SIP) through the FortiGate unit, using a FortiVoice unit
and FortiCall services.

1. Setting up a FortiCall account

2. Configuring the FortiVoice unit
3. Configuring the FortiGate unit for outbound SIP calls
4. Configuring the FortiGate unit for inbound SIP calls
5. Results

Internet
FortiCall

wan 1
172.20.120.22

FortiGate

lan
192168.1.99/24

FortiVoice

192.168.1.111

Internal
Network

IP Phone

The FortiGate Cookbook 5.0.7

Setting up a FortiCall
account
Go to www.forticall.com and follow the set
up instructions. When the account is set
up, you will be provided with information to
activate your account. You will also need to
choose a phone number for inbound calls.

Configuring the FortiVoice

unit
Insert the CD into the CD-ROM drive, the
FortiVoice Install main window will appear
within 20 seconds. Click Install FortiVoice
and follow the instructions.

Open the FortiVoice Management software

Go to Global Settings > VoIP
Configuration and set up a service provider
profile for inbound calls.

Allowing VoIP calls using FortiVoice and FortiCall

Set a service provider for outbound calls.

Go to Lines and Greetings > VoIP

Numbers and set your phone number for
inbound calls.

Set a phone number for outbound calls.

The FortiGate Cookbook 5.0.7

Configuring the FortiGate

unit for outbound SIP calls
Go to Security Profiles > VoIP > Profiles.
Create a new profile and set the Limit
REGISTER request and Limit INVITE
request.

Go to Firewall Objects > Address >

Address
Create an IP range for SIP phones.

Allowing VoIP calls using FortiVoice and FortiCall

Go to Policy > Policy > Policy.

Create a policy allowing outbound SIP traffic.
Set Incoming Interface to LAN, Source
Address to the new firewall address, and
Outgoing Interface to your Internet-facing
interface.
Under Security Profiles, enable VoIP and
set it to use the new profile.

Make sure you place this security policy on

the top of the policy list.

The FortiGate Cookbook 5.0.7

Configuring the FortiGate

unit for inbound SIP calls
Go to Firewall Objects > Virtual IPs >
Virtual IPs
Create a new virtual IP mapping the external
IP on the wan1 interface of the FortiGate to
the internal IP of the FortiVoice on UDP port
5060.

Go to Policy > Policy > Policy.

Create a policy allowing inbound SIP traffic.
Set Incoming Interface to your Internetfacing interface, Outgoing Interface to
LAN, and Destination Address to the new
virtual IP.
Enable VoIP and set it to use the new profile.

Allowing VoIP calls using FortiVoice and FortiCall

Results
Go to System > Dashboard > Status and
add the VoIP Usage widget.
When the widget appears, verify Voice
Calls.

Go to Log & Report > Traffic Log >

Forward Traffic to verify that both inbound
and outbound SIP traffic is occurring.

Select an entry for details.

The FortiGate Cookbook 5.0.7

Allowing access from the Internet to a

FortiCamera unit
This example sets up a FortiRecorder unit and FortiCamera unit for use with a
FortiGate unit. It also allows the FortiCamera unit, which is located on the internal
network, to be accessed from the Internet
1. Configuring the FortiRecorder and FortiCamera units
2. Configuring the FortiGate units interfaces
3. Adding virtual IPs
4. Adding a security policy to allow access to the FortiCamera
5. Results

Internet
wan 1
Primary IP: 172.20.120.22
Secondary IP: 172.20.120.25

FortiGate

port 1
192.168.1.200

lan
192.168.1.99/24

FortiRecorder

port 4

PoE Switch

Allowing access from the Internet to a FortiCamera unit

FortiCam

Configuring the
FortiRecorder and
FortiCamera units
Connect locally to the FortiRecorder.
Go to System > Network > Interface.
Set an IP address for port1.

Set an IP address for port4.

The FortiGate Cookbook 5.0.7

Go to System > Network > DHCP.

Create a DHCP server on port4 to lease IPs
to FortiCamera.

Go to System > Network > Routing.

Add a default route.

Go to Camera > Configuration > Camera.

Click on Force Discover to have connected
cameras displayed.

Allowing access from the Internet to a FortiCamera unit

Configuring the FortiGate

units interfaces
Go to System > Network > Interfaces.
Configure your Internet-facing interface.
Select Secondary IP Address and create a
new IP/Network Mask for the interface.
Adding a secondary IP address adds multiple
IP addresses to the interface. The FortiGate
unit, static and dynamic routing, and the
network see the secondary IP addresses as
additional IP addresses that terminate at the
interface.

Configure the lan interface. Enable DHCP

Server and create a new IP range.

The FortiGate Cookbook 5.0.7

Adding virtual IPs

Go to Firewall Objects >Virtual IPs >
Virtual IPs.
Create the two virtual IPs: one for HTTPS
traffic and one for RTSP traffic. For both
virtual IPs, set External IP Address/
Range to the secondary IP of the Internetfacing interface and the Mapped IP
Address/Range to the IP of port1 on the
FortiRecorder unit.

Adding a security policy

Go to Policy > Policy > Policy.
Create a policy allowing access to the
FortiRecorder from the Internet. Set
Incoming Interface to your Internet-facing
interface, Outgoing Interface to lan, and
Destination Address to the new virtual IPs.

Allowing access from the Internet to a FortiCamera unit

Results
From the Internet, go to the IP address of the
FortiGate units secondary IP (in the example,
https://172.20.120.25) and you should be
able to see securely live video feed using
HTTPS and RTSP (Real Time Streaming
Protocol)

Go to Log & Report > Traffic > Forward

Traffic.
Verify https and RTSP traffic trough the
FortiGate

Select an entry for details.

The FortiGate Cookbook 5.0.7

Security Policies & Firewall Objects

Security policies and firewall objects are used to tell the FortiGate unit which traffic
should be allowed and which should be blocked.
No traffic can pass through a FortiGate unit unless specifically allowed to by
a security policy. With a security policy, you can control the addresses and
services used by the traffic and apply various features, such as security profiles,
authentication and VPNs.
Firewall objects are those elements within the security policy that further dictate how
and when network traffic is routed and controlled. This includes addresses,services,
and schedules.
This section contains the following examples:
t

Ordering security policies to allow different access levels

Using port forwarding on a FortiGate unit

Using AirPlay with iOS, AppleTV, FortiAP, and a FortiGate unit

Using AirPrint with iOS and OS X and a FortiGate unit

Security Policies & Firewall Objects

Ordering security policies to allow different

access levels
This example illustrates how to order multiple security policies in the policy table,
in order for the appropriate policy to be applied to different network traffic. In the
example, three policies will be used: one that allows a specific PC access to all
services, one that allows only Internet access to other network devices, and the
default deny policy.
1. Configuring the Internet access only policy
2. Creating the policy for the PC
3. Ordering the policy table
4. Results

Network PC
All Services
LAN

FortiGate

WAN 1

Internet Access Only

Other Network Devices

100

The FortiGate Cookbook 5.0.7

Configuring the Internet

access only policy
Go to Policy > Policy > Policy.

THE FORTIGATE COOKBOOK

The screen that appears is the policy list.

In the example, Global View has been
selected, with the Seq.#, From, To, Source,
Destination, Action, Service, and
Sessions columns visible. To change the
visible columns, right-click on the menu bar
and select only the columns you wish to see.
Edit the first policy, which allows outgoing
traffic. Set Service to HTTP, HTTPS and
DNS. This policy now only allows Internet
access.

Creating the policy for the

PC
Go to System > Network > Interfaces.
Edit the LAN interface. Under DHCP Server,
expand the Advanced options.
Create a new MAC Address Access
Control List. Set MAC to the MAC address
of the PC and IP to an available IP address.
This will automatically assign the specified

Ordering security policies to allow different access levels

101

IP address to the PC when it connects to the

FortiGate.
Go to Firewall Objects > Address >
Addresses.
Create a new address. Set Type to IP
Subnet, Subnet/IP Range to the IP
address that will be assigned to the PC, and
Interface to LAN.

Using /32 as the Netmask ensures that the

firewall address applies only to the
specified IP.
Go to Policy > Policy > Policy.
Create a new policy. Set Incoming
Interface to LAN, Source Address to the
PC address, and Outgoing Interface to
WAN1.

Ordering the policy table

Use the PC to browse to any Internet site,
then go to Policy > Policy > Policy.
The policy with Seq.# 1 is the Internet
access only policy, while 2 is the policy for
the PC. The Sessions column shows that
all sessions are currently using the Internet
access policy. Policy 3 is the default deny
policy.
To ensure that traffic from the PC matches

102

The FortiGate Cookbook 5.0.7

the PC policy, not the Internet access only

policy, select the Seq.# column and drag the
policy to the top of the list.
The device identity list will now appear at the
top of the list. After the list is refreshed, this
policy will be assigned Seq.# 1.

THE FORTIGATE COOKBOOK

With this new order set, the FortiGate unit

will attempt to apply the policy for the PC to
all traffic from the LAN interface. If the traffic
comes from a different source, the FortiGate
will attempt to apply the Internet access only
policy. If this attempt also fails, traffic will be
blocked using the default deny policy.
When ordering multiple security policies, the
most specific policies (in this case, the policy
for the PC) must go to the top of the list, to
ensure that the FortiGate unit checks them
first when determining which policy to apply.

Results
Browse the Internet using the PC and
another network device, then refresh the
policy list. You can now see Sessions
occuring for both policies.

Ordering security policies to allow different access levels

103

Using port forwarding on a FortiGate unit

This example illustrates how to use virtual IPs to configure port forwarding on a
FortiGate unit, which redirects traffic from one port to another. In this example,
incoming connections from the Internet are allowed access to a server on the
internal network by opening TCP ports in the range 7882 to 7999 and UDP ports
2119 and 2995.

1. Creating three virtual IPs

2. Adding the virtual IPs to a VIP group
3. Creating a security policy
4. Results

Internet

Open TCP ports 7882-7999,

UDP port 2119 and 2995
for traffic from the
Internet to the server

FortiGate

Server
104

The FortiGate Cookbook 5.0.7

Creating three virtual IPs

Go to Firewall Objects > Virtual IPs >
Virtual IPs.
Enable Port Forwarding and add a virtual
IP using TCP protocol with the range 78827999.

Create a second virtual IP for the UDP port

2119.

Create a third a virtual IP for the UDP port

2995.

Using port forwarding on a FortiGate unit

105

Adding virtual IPs to a VIP

group
Go to Firewall Objects > Virtual IPs > VIP
Groups.
Create a VIP group that includes all three
virtual IPs.

Creating a security policy

Go to Policy > Policy > Policy.
Create a security policy allowing inbound
connections to the server from the Internet.
Set the Destination Address as the new
VIP group.

106

The FortiGate Cookbook 5.0.7

Results
Go to Policy > Monitor > Policy Monitor
to see the active sessions.

Select the blue bar for more information on a

session.

Go to Log & Report > Traffic Log >

Forward Traffic to see the logged activity.

Using port forwarding on a FortiGate unit

107

Select an entry for more information about

the session.

108

The FortiGate Cookbook 5.0.7

Using AirPlay with iOS, AppleTV, FortiAP, and a

FortiGate unit
This example sets up AirPlay services for use with an iOS device using Bonjour and
multicast security policies.

1. Configuring the FortiAP and SSIDs

2. Adding addresses for the wireless network
3. Adding service objects for multicasting
4. Adding multicast security policies
5. Adding inter-subnet security policies
6. Results

iPad

Internal Network
(OS x)

FortiAP

FortiGate

Apple
TV

Configuring the FortiAP and

SSIDs
Go to System > Network > Interfaces.
Edit the internal interface to be used for
the FortiAP and set Addressing Mode to
Dedicate to FortiAP.

Connect the FortiAP unit to the FortiGate

unit.
Go to WiFi Controller > Managed Access
Points > Managed FortiAP and authorize
the FortiAP.

Once authorized, it will appear in the

authorized list.

110

The FortiGate Cookbook 5.0.7

Go to WiFi Controller > WiFi Network >

SSID.
Create a WiFi SSID for the network for
wireless users and enable DHCP Server.

Adding addresses for the

wireless network
Go to Firewall Objects > Address >
Addresses.
Create an address for SSID 1.

Using AirPlay with iOS, AppleTV, FortiAP, and a FortiGate unit

111

Create a second address for the internal

network containing the OS X computers.

Adding two service objects

for AirPlay
Go to Firewall Objects > Service >
Services.
Add service objects for each device
connection.

112

The FortiGate Cookbook 5.0.7

Adding multicast security

policies
Go to Policy > Policy > Multicast Policy.
Create a policy to allow multicast traffic from
the LAN and WLAN1 for AppleTV to iOS
devices. Set Incoming Interface to LAN,
Source Address to the Internal network,
Outgoing Interface to the SSID, and
Destination Address to Bonjour.

The Bonjour address allows the devices to

find each other when they connect
through the FortiGate unit.

Go to Policy > Policy > Multicast Policy.

Create a policy to allow multicast traffic
from the WLAN1 and LAN for iOS devices
to AppleTV. Set Incoming Interface to
the SSID, Source Address to the SSID
IP, Outgoing Interface to LAN, and
Destination Address to Bonjour.

Using AirPlay with iOS, AppleTV, FortiAP, and a FortiGate unit

113

Adding inter-subnet security

policies
Go to Policy > Policy > Policy.
Create a policy allowing traffic from the
Apple TV to the iOS device. Set Incoming
Interface to LAN, Source Address to the
Internal network, and Outgoing Interface to
the SSID.

Create a policy allowing traffic from the

iOS device to the Apple TV. Set Incoming
Interface to the SSID, Source Address to
the SSID IP, and Outgoing Interface to the
LAN.

Results
Use Airplay from the iPad to stream video to
the Apple TV.
Go to Log & Report > Traffic Log >
Multicast Traffic to see the multicast traffic
between the WLAN1 and LAN interfaces.

114

The FortiGate Cookbook 5.0.7

Select an entry for more information.

Go to Log & Report > Traffic Log > Log

Forward and filter policy IDs 6 and 7, which
allow AirPlay traffic.

Using AirPlay with iOS, AppleTV, FortiAP, and a FortiGate unit

115

Select an entry for more information.

Apple TV can also be connected to the

Internet wirelessly. AirPlay will function
from any iOS device connected to the
same SSID as Apple TV. No configuration is
required on the FortiGate unit.

116

The FortiGate Cookbook 5.0.7

Using AirPrint with iOS and OS X and a FortiGate

unit
This example sets up AirPrint services for use with an iOS device and OS X
computers using Bonjour and multicast security policies.

1. Configuring the FortiAP and SSIDs

2. Adding addresses for the wireless networks and printer
3. Adding service objects for printing
4. Adding multicast security policies
5. Adding inter-subnet security policies
6. Results

iPad

Internal Network
OS x

FortiAP

FortiGate

AirPrint

Configuring the FortiAP and

SSIDs
Go to System > Network > Interfaces.
Set an internal interface as dedicated to the
FortiAP unit.

Connect the FortiAP unit to the FortiGate

unit.
Go to WiFi Controller > Managed Access
Points > Managed FortiAP and authorize
the FortiAP.

Once authorized, it will appear in the

authorized list.

118

The FortiGate Cookbook 5.0.7

Go to WiFi Controller > WiFi Network >

SSID.
Create a WiFi SSID for the network for
wireless users and enable DHCP Server.

Using AirPrint with iOS and OS X and a FortiGate unit

119

Create an SSID for the network for the

AirPrint printer and enable DHCP Server.

Adding addresses for the

wireless networks and
printer
Go to Firewall Objects > Address >
Addresses.
Create addresses for the SSID1, SSID2, and
AirPrint printer.

120

The FortiGate Cookbook 5.0.7

Create an address for the internal network

containing the OS X computers.

Adding service objects for

printing
Go to Firewall Objects > Service >
Services.
Create a new service for Internet Printing
Protocol (IPP) for iOS devices.

Create a new service for PDL Data Stream

for OS X computers.

Using AirPrint with iOS and OS X and a FortiGate unit

121

Adding multicast security

policies
Go to Policy > Policy > Multicast Policy.
Create two policies to allow multicast traffic
from WLAN1 and WLAN2 for iOS devices.
For the first policy, set Incoming Interface
to WLAN1, Source Address to the SSID1
IP, Outgoing Interface to WLAN2, and
Destination Address to Bonjour.
For the second policy, set Incoming
Interface to WLAN2, Source Address
to the SSID2 IP, Outgoing Interface to
WLAN1, and Destination Address to
Bonjour.

The Bonjour address allows the devices to

find each other when they connect
through the FortiGate unit.

Create two policies to allow multicast

traffic from the LAN and WLAN2 for OS X
computers.
For the first policy, set Incoming Interface
to LAN, Source Address to the Internal
network, Outgoing Interface to WLAN2,
and Destination Address to Bonjour.

122

The FortiGate Cookbook 5.0.7

For the second policy, set Incoming

Interface to WLAN2, Source Address to
the AirPrint, Outgoing Interface to LAN,
and Destination Address to Bonjour.

Adding inter-subnet security

policies
Go to Policy > Policy > Policy.
Create a policy allowing printing from
wireless devices. Set Incoming Interface to
WLAN1, Source Address to the SSID1 IP,
Outoing Interface to WLAN2, Destination
Address to the AirPrint, and Service to IPP.

Create a policy allowing printing from an

OS X computer to the AirPrint printer. Set
Incoming Interface to LAN, Source
Address to the Internal network, Outoing
Interface to WLAN2, Destination Address
to the AirPrint, and Service to IPP.

Using AirPrint with iOS and OS X and a FortiGate unit

123

Results
Print a document from an iOS device.
Go to Log & Report > Traffic Log >
Multicast Traffic to see the printing traffic
passing through the FortiGate unit.

Select an entry to see more information.

Go to Log & Report > Traffic Log >

Forward Traffic and verify the entry with the
IPP service.

124

The FortiGate Cookbook 5.0.7

Print a document from an OS X computer.

Go to Log & Report > Traffic Log >
Multicast Traffic to see the printing traffic
passing through the FortiGate unit.
Select an entry to see more information.

Go to Log & Report > Traffic Log >

Forward Traffic and filter the destination
interface for WLAN2 traffic.

Select an entry to see more information.

Using AirPrint with iOS and OS X and a FortiGate unit

125

Security Features
Security features, including antivirus, web filtering, application control, intrusion
protection (IPS), email filtering, and data leak prevention (DLP), apply core security
functions to the traffic accepted by your FortiGate unit.
Each security feature has a default profile. You can also create custom profiles to
meet the needs of your network. These profiles are then applied to your security
policies and used to monitor and, if necessary, block external and internal traffic that
is considered risky or dangerous.
This section contains the following examples:

126

Monitoring your network using client reputation

Controlling network access using application control

Using a custom signature to block web traffic from Windows XP

Protecting a web server from external attacks

Blocking outgoing traffic containing sensitive data

Preventing credit card numbers from escaping your network

Blocking access to specific websites

Extra help: Web filtering

Blocking HTTP and HTTPS traffic with web filtering

Using web filter overrides to control website access

Limiting access to personal interest websites using quotas

Setting up YouTube for Education

Inspecting traffic content using flow-based inspection

Analyzing your network traffic using a one-armed sniffer

Excluding specific users from security scanning

The FortiGate Cookbook 5.0.7

Monitoring your network using client reputation

Client reputation allows you to monitor traffic as it flows through your FortiGate unit
to identify users who may be engaging in risky or dangerous behavior. A variety
of different areas can be monitored, depending on what concerns you have about
activity on your network. In this example, particular attention will be given to any
traffic containing peer-to-peer (P2P) downloading.
Client reputation only monitors risky activity, it does not block it. If you discover activity that you are concerned about,
additional action must be taken to stop it, such as applying a more restrictive security policy to the traffic.

1. Enabling logging to disk

2. Enabling client reputation
3. Results

Internet

FortiGate

Traffic monitored by
client reputation

Internal Network
Monitoring your network using client reputation

127

Enabling logging to disk

In order to see your Client Reputation
Tracking results, logging to disk must be
enabled.
Go to Log & Report > Log Config > Log
Settings. Under Logging and Archiving,
enable Disk.

Enabling client reputation

Go to Security Profiles > Client
Reputation > Threat Level Definition.
Enable Client Reputation Tracking.
Assign a Risk Level Value for each
category, based on your traffic concerns and
needs. In the example, the value for P2P
Applications has been raised to Critical.
All other categories have been left at their
default level.

Enabling client reputation also enables the

Log Allowed Traffic setting for all
security policies. For more information,
see Logging network traffic to gather
information on page 39.

Results
After traffic has been monitoed for a day, go
to System > Dashboard > Threat History
to view the Threat History widget, which
shows a graph of monitored threats.
Any sections in red should be examined,
as they contain threats that are considered
Critical. To select this section, click on its
left side and then click on the right side.
Select a Drill-Down option to view more
information about the traffic and the client
reputation scores (the higher the score, the
riskier the behaviour).

Top Sources shows the sources of the risky

behaviour on your network.

Top Destinations shows the destinations

which have caused the risks.

Top Threat Types shows the threat

category and the risk level of the behaviour.

Monitoring your network using client reputation

129

Controlling network access using application

control
This example uses application control to monitor traffic and determine what
applications are contributing to high bandwidth usage or distracting employees.
After this is determined, a different application sensor is used to block those
applications from having network access.
1. Creating an application sensor to monitor network traffic
2. Adding the monitoring sensor to a security policy
3. Reviewing the application control monitor
4. Creating an application sensor to block applications
5. Adding the blocking sensor to a security policy
6. Results

Action applied

Application
targeted?

yes

Session begins

Application
specific
traffic

Application
control
enabled?

130

yes

Traffic not
affected

The FortiGate Cookbook 5.0.7

Creating an application
control sensor to monitor
traffic
Go to Security Profiles > Application
Control > Application Sensors. Select
the plus icon in the upper right corner of
the window to create a new sensor list for
monitoring application traffic.
Select Create New to add a new application
filter. Leave all Filter Options selected.
Ensure that you set the Action to Monitor.
At this stage in the process, you are
monitoring the traffic to locate any problems
that may be occurring, rather than blocking
applications.

Controlling network access using application control

131

Adding the monitoring

sensor to a security policy
Go to Policy > Policy > Policy.
Edit the security policy that allows internal
users to access the Internet. Under Security
Profiles, enable Application Control and
set it to use the new filter.

132

The FortiGate Cookbook 5.0.7

Reviewing the application

control monitor
Go to Security Profiles > Monitor >
Application Monitor to see the results
found by the application sensor.

Select a bar to see further details on the

usage statistics.
In the example, you can see an occurrence
of an HTTP segmented download, which
typically occurs during Peer-to-Peer (P2P)
downloads. To avoid this from occurring
in the future, P2P applications must be
blocked.

Creating an application
sensor to block applications
Go to Security Profiles > Application
Control > Application Sensors and create
a new sensor list for blocking application
traffic.

Controlling network access using application control

133

Select Create New to add a new application

filter.
In the Category list, select the application
categories you wish to block. As well as
blocking P2P, other types of applications
can be selected that are known to distract
employees.
Ensure that you set the Action to Block.

Adding the blocking sensor

to a security policy
Go to Policy > Policy > Policy.
Edit the firewall policy allowing internal users
to access the Internet. Under Security
Profiles, enable Application Control and
set it to use the new filter.

134

The FortiGate Cookbook 5.0.7

Results
Go to Log & Report > Traffic Log >
Forward Traffic.
You can see the sensor is working and
blocking the traffic from the selected
application types, including the P2P
application Skype.

Select an entry to view more information,

including the application name and the
device the traffic originated on.

Controlling network access using application control

135

Using a custom signature to block web traffic

from Windows XP
When a computers operating system lacks vendor support, it becomes a threat
to the network because newly discovered exploits will not be patched. Using the
FortiGate application control feature, you can choose to restrict these computers
from accessing external resources.
This recipe shows how to use application control to block web traffic from PCs
running on Windows operating systems using NT 5, including Windows XP and
Windows Server 2003.
1. Creating a custom application control signature
2. Creating an application control sensor
3. Adding the sensor to the outbound traffic security policy
4. Results

yes

Session begins

Web browsing
begins

NT 5
detected in
header?

136

Traffic
blocked

Traffic not
affected

The FortiGate Cookbook 5.0.7

Creating a custom
application control signature
Go to Security Profiles > Application
Control > Application List and select
Create New.
Use the following text to create the signature:
Make sure to remove all hard line breaks
from the signature. To ensure all breaks
have been removed, click and drag the
bottom right corner of the signature box
until the text appears in a single line.
F-SBID( --attack_id 8151;
--vuln_id 8151; --name "Windows.
action drop_session; --service
HTTP; --protocol tcp; --app_
--pattern "Windows NT 5."; --no_
case; --context header; )
The signature will appear at the top of the
application list and be listed in the
Web.Others category.

Creating an application
sensor
Go to Security Profiles > Application
Control > Application Sensors. Select
the plus icon in the upper right corner of the
window to create a new sensor.

Using a custom signature to block web traffic from Windows XP

137

After selecting OK, select Create New to

add the new signature.
In order to locate the correct signature, select
Show more... under Category, then select
only Web.Others.

Set Sensor Type to Specify Applications.

The new signature will appear at the top of
the list. Select the signature, then set Action
to Block.

The signature will now appear as part of the

sensor.

138

The FortiGate Cookbook 5.0.7

Adding the sensor to the

outbound traffic security
policy
Go to Policy > Policy > Policy and edit the
policy controlling your outbound traffic.
Under Security Policies, enable
Application Control and set it to use the
new sensor. In order to also block HTTPS
traffic, enable SSL/SSH Inspection and set
it to use the default sensor.

Enabling SSL/SSH Inspection will cause

web browers to experience a certificate
error. To avoid this, see Preventing
security certificate warnings when using
SSL inspection on page 290.

Results
When a PC running one of the affected
operating systems attempts to connect to
the Internet using a browser, the connection
will fail. This includes Windows virtual
machines.
PCs running on other operating systems,
including later versions of Windows, will not
be affected.

Using a custom signature to block web traffic from Windows XP

139

Go to Log & Report > Traffic Log >

Forward Traffic to see logs of the blocked
traffic.
In the example, the blocked computer (IP
address 192.168.100.112) was running
Windows XP.

This recipe will only block web traffic from

computers running the affected operating
systems. If you wish to block these
computers from being on the network
entirely, further action will be necessary.
However, the logs generated by this recipe
can be used to identify the computers you
wish to block.

140

The FortiGate Cookbook 5.0.7

Protecting a web server from external attacks

THE FORTIGATE COOKBOOK

This example uses the FortiOS intrusion protection system (IPS) to protect a web
server by configuring an IPS sensor to protect against common attacks and adding
it to the policy which allows external traffic to access the server. A denial of service
(DoS) security policy is also added to further protect the server against that specific
type of attack.

1. Configuring an IPS sensor to protect against common

attacks
2. Adding the IPS sensor to a security policy
3. Adding a DoS security policy
4. Results

Attacks

FortiGate

Internet

Web Server

Protecting a web server from external attacks

141

Configuring an IPS sensor

to protect against common
attacks
Go to Security Profiles > Intrusion
Protection > IPS Sensors. Select the plus
icon in the upper right corner of the window
to create a new sensor.

Create a new IPS filter. Set the Target to

server and set the Action to Block All.

142

The FortiGate Cookbook 5.0.7

Adding the IPS sensor to a

security policy
Go to Policy > Policy > Policy. Edit the
security policy allowing traffic to the web
server from the Internet.

THE FORTIGATE COOKBOOK

Enable IPS and set it to use the new sensor.

Adding a DoS security policy

Go to Policy > Policy > DoS Policy.
Create a new policy. The Incoming
Interface is your Internet-facing interface.
In the Anomalies list, enable Status and
Logging and set the Action to Block for all
types.

Protecting a web server from external attacks

143

Results

WARNING: Causing a DoS attack is illegal,

unless you own the server under attack.
Before performing an attack, make sure
you have the correct server IP.

Perform an DoS tcp_sync_flood attack to the

web server IP address. IPS blocks the TCP
sync session when it reaches the tcp_syn_
flood threshold, in this case 20.
Go to Log & Report > Security Log >
Intrusion Protection to view the results of
the DoS policy.

Select an entry to view more information,

including the severity of the attack and the
attack name.

144

The FortiGate Cookbook 5.0.7

Blocking outgoing traffic containing sensitive

data

THE FORTIGATE COOKBOOK

Data leak prevention (DLP) analyzes outgoing traffic and blocks any sensitive
information from leaving the network. In this example, DLP will be used to block files
using the files name and type.

1. Creating a file filter

2. Creating a DLP sensor that uses the file filter
3. Adding the DLP sensor to a security policy
4. Results

Internet

Data Leak
FortiGate
Internal Network

Blocking outgoing traffic containing sensitive data

145

Creating a file filter

Go to Security Profiles > Data Leak
Prevention > File Filter. Select Create
New to make a File Filter Table.

Create a new filter in the table. Set the Filter

Type to File Name Pattern and enter the
pattern you wish to match. If needed, you
can use a wildcard character in the pattern.

Create a second filter, this time setting the

Filter Type to File Type. Select a File Type
from the list.

146

The FortiGate Cookbook 5.0.7

Creating a DLP sensor that

uses the file filter

THE FORTIGATE COOKBOOK

Go to Security Profiles > Data Leak

Prevention > Sensors. Select the plus icon
in the upper right corner of the window to
create a new sensor.

Select Create New to make a new filter.

Set the type to Files. Enable File Type
included in and set it to your file filter.
Under Examine the following Services,
select the services you wish to monitor with
DLP.
Set the Action to Block.

Blocking outgoing traffic containing sensitive data

147

Adding the DLP sensor to a

security policy
Go to Policy > Policy > Policy. Edit the
security policy that controls the traffic you
wish to block.
Enable DLP Sensor and set it to use the
new sensor.

Results
Attempt to upload a file that matches the
file filter criteria using FTP protocol. The file
should be blocked and a message from the
server should appear.

148

The FortiGate Cookbook 5.0.7

To find more information about the blocked

traffic, go to Log & Report > Traffic Log >
Forward Traffic.

THE FORTIGATE COOKBOOK

The selected log message shows the name

of the file that was blocked (File_pattern_text.
exe), the type of file filter that blocked it
(file-type), and a variety of other information
which may be useful.

Blocking outgoing traffic containing sensitive data

149

Preventing credit card numbers from escaping

your network
The following recipe describes how to configure your FortiGate to use DLP (Data
Loss Prevention) so that credit card numbers cannot be sent out of your network
using FTP, SMTP email, or by posting to a webpage.
Consumer transactions over the Internet is based upon the idea that the consumer
trusts the vendor not to allow their credit card number into the possession of any
unintended persons. If you deal with anyones credit cards you may be legally
responsible for their security. Having the firewall prevent their loss through digital
channels may give both you and your customers some added piece of mind.
1. Obtaining credit card numbers for testing
2. Creating the DLP profile
3. Configuring the Proxy Options
4. Configuring the firewall policy
5. Results
Credit
Card
Numbers
Protocols

SMTP

FTP

HTTP

Fortinet

D
L
P

Internet

Other
Data

150

The FortiGate Cookbook 5.0.7

Obtaining credit card

numbers for testing
In order to test the validity of the profile you
will need to use a credit card number in
the traffic. A test number (will not work for
purchasing) can be obtained from one of
these pages:
http://www.paypalobjects.com/en_US/vhelp/
paypalmanager_help/credit_card_numbers.
htm
http://www.crazysquirrel.com/finance/testcc.jspx
http://www.getcreditcardnumbers.com/

Create a text file that contains some of these

sample credit card numbers.

Creating the DLP Profile

Creating the Sensor
Go to Security Profiles > Data Leak
Prevention > Sensors.

Preventing credit card numbers from escaping your network

151

Create a new profile by either selecting the

Create New icon or the View List Icon.
If using the View List option you will then
need to select the Create New option from
the menu bar in the next window.

Once the New Sensor Window is open,

type into the Name field whatever name you
want for the the name of the profile.

Creating Filters
Use the Create New option to create new
individual filters.
For the first sensor, choose the Messages
filter type, set it to messages Containing
Credit Card #, select the services you wish
to examine, and set Action to Block.

152

The FortiGate Cookbook 5.0.7

For the second filter choose the Files filter

type set it to messages Containing Credit
Card #, select the services you wish to
examine, and set Action to Block.

In this case we are going to choose both

HTTP-POST and HTTP-GET. This will
prevent not only the posting of credit
card information to a web page, but the
downloading of them as well.

Check the listing of the filters in the sensor

to make sure that the correct protocols are
selected and the action in each is set to
Block.

Configuring the Proxy

Options
Protocols dont always use the standard
ports, so proxy options will be configured to
scan any port that is carrying traffic from the
targeted protocol.

Preventing credit card numbers from escaping your network

153

Go to Policy > Policy > Proxy Options.

Create a new Proxy Option profile.
In the Protocol Port Mapping section
change the inspection ports from Specify
to Any for the protocols HTTP, SMTP, and
FTP.
In the other option areas, select options that
match up with the normal settings used by
your organization.

154

The FortiGate Cookbook 5.0.7

Configuring the Firewall

Policy
Go to Policy > Policy > Policy.
As this policy is designed to prevent specific
information from leaving the network the
direction of the policy is from the internal
interface, in this case LAN, to the external
interface, wan1.
In the Security Profiles section, enable the
DLP Sensor and choose the sensor created
for blocking the credit card numbers as well
as the appropriate Proxy Option profile.

You can also include the use of SSL/SSH

Inspection if you have that configured
to your satisfaction. This will help prevent
loss of data through SSL connections.

Preventing credit card numbers from escaping your network

155

Results
Testing SMTP
Using your favorite email client, send a
control email to an email server on the other
side of the FortiGate unit to verify everything
is working. Then try sending two emails; one
with the credit card numbers in the body
of the email message and one with the text
document as an attachment.
The control email makes it through, but the
emails with the credit card information are
not received at their destination.
Go to Log & Report > Traffic Log >
Forward Traffic. You should be able to find
a log entries showing that the traffic was
blocked. The logs even states that the reason
they were considered threats had to do with
credit-card information.

Because secure SMTP may not use

port 25, dont filter too narrowly when
searching the logs.
Also depending on your logging
configuration, the logs may not show up in
real-time.

156

The FortiGate Cookbook 5.0.7

Testing FTP
Using your preferred FTP client, upload a
control file that shouldnt be stopped to an
FTP server on the other side of the FortiGate
unit.
To be as generic as possible, this example
uses the command line.

ftp ftp.example.com 1121

Connected to ftp.example.com.
220 (vsFTPd 2.3.5)
Name (ftp.example.com:): talesian
Password:
230 Login successful.

ftp> ls
229 Entering Extended Passive Mode
(|||61875|).

229 Entering Extended Passive Mode

(|||61874|).
100% |***********************************
*********************************| 27136
226 Transfer complete.
ftp>

Preventing credit card numbers from escaping your network

157

Once you have verified that your FTP session

is working properly, try to upload the text
file with the credit card numbers to the FTP
server.
Using the command line, everything
progresses the same as the previous
example until after the put command has
been entered. At this point there is a delay
while the client tries to upload the file. After a
number of attempts the client gives up.

229 Entering Extended Passive Mode

(|||61879|).
Abort trap: 6

GUI FTP clients will show that it cannot

proceed past the queueing process.
Depending on the client, the connection to
the FTP server will time out waiting for the
upload to occur.

Testing HTTP
HTTP can be tested in two directions;
posting a credit card number and getting a
credit card number.
Try visiting one of the sites that you received
the test credit card number from. You will
receive a replacement message about the
transfer.

158

The FortiGate Cookbook 5.0.7

To test posting a credit card number, go to a

site on the far side of the firewall that you can
edit. In this example, a wiki test page was
started on a remote site and the test credit
card numbers were entered in to the page.
They were allowed onto the editing screen
because that was on the local computers
browser.

The content is not actually sent over the

network until the Save page button is
selected. At this point a warning message
is displayed to indicate that the transfer
appeared to contain a data leak.

Preventing credit card numbers from escaping your network

159

Blocking access to specific websites

This example sets up the FortiGate unit to block users from viewing a specific
website using web filtering.

1. Creating a web filter profile

2. Adding the web filter profile to a security policy
3. Results

Website
Block

FortiGate

Internal Network
160

The FortiGate Cookbook 5.0.7

Creating a web filter profile

Go to Security Profiles > Web Filter >
Profiles.
Create a new profile and select Enable
Web Site Filter and Create New. Set the
URL to *fortinet.com, using * as a wildcard
character in order to block all subdomains of
the site. Set the Type to Wildcard and the
Action to Block.

Adding the web filter profile

to a security policy
Go to Policy > Policy > Policy.
Edit the policy controlling the traffic you wish
to block from the website. Under Security
Profiles, enable Web Filter and set it to use
the new profile.

Results
In a web browser, visit www.fortinet.com
and docs.fortinet.com. In both cases, the
FortiGate unit displays a message, stating
that the website is blocked.

This example will only block HTTP web

traffic. In order to block HTTPS traffic as
well, see Blocking HTTP and HTTPS
traffic with web filtering on page 164.

162

The FortiGate Cookbook 5.0.7

Extra help: Web filtering

This section contains tips to help you with some common challenges of FortiGate
web filtering.
The Web Filter option does not appear in the GUI.
Go to Config > System > Features and enable Web Filter.

New Web Filter profiles cannot be created.

Go to Config > System > Features and select Show More. Enable Multiple Security
Profiles.

Web Filtering has been configured but is not working.

Make sure that web filtering is enabled in a policy. If it is enabled, check that the policy is the
policy being used for the correct traffic. Also check that the policy is getting traffic by going
to the policy list and adding the Sessions column to the list.

An active FortiGuard Web Filtering license displays as expired/unreachable.

First, ensure that web filtering is enabled in one of your security policies. The FortiGuard
service will sometimes show as expired when it is not being used, to save CPU cycles.
If web filtering is enabled in a policy, go to System > Config > FortiGuard and click the
blue arrow beside Web Filtering. Under Port Selection, select Use Alternate Port (8888).
Select Apply to save the changes. Check whether the license is shown as active. If it is still
inactive/expired, switch back to the default port and check again.

Websites blocked using the FortiGuard Categories are not consistently

blocked (for example, traffic is only blocked using certain browsers).
In your web filter profile, make sure that Scan Encrypted Connections is selected. Next,
create an SSL Inspection profile and add it to the security policy. Traffic should now be
blocked consistently.

SSL Inspection is causing certificate errors.

Download the Fortinet_CA_SSLProxy certificate and install it on your web browser. For more
information, see Preventing security certificate warnings when using SSL inspection on
page 290.
Extra help: Web filtering

163

Blocking HTTP and HTTPS traffic with web

filtering
In this example, sites for streaming media will be blocked using web filtering. In
order to prevent access to these sites at all times, both HTTP and HTTPS protocols
must be blocked.
This example requires an active license for FortiGuard Web Filtering Services.

1. Verifying FortiGuard services are enabled

2. Creating a web filter profile
3. Creating an SSL inspection profile
4. Adding the profiles to a security policy
5. Results

Website
Block
HTTPS Traffic

FortiGate

Internal Network
164

The FortiGate Cookbook 5.0.7

Verifying FortiGuard
Services are enabled
Go to System > Dashboard > Status.
In the License Information widget, verify
that you have an active subscription to
FortiGuard Web Filtering. If you have a
subscription, the service will have a green
checkmark beside it.

Blocking HTTP and HTTPS traffic with web filtering

165

Creating a web filter profile

Go to Security Profiles > Web Filter >
Profiles. Select the plus icon in the
upper right corner to create a new profile.
Enable FortiGuard Categories and expand
the category Bandwidth Consuming.
Right-click on Streaming Media and
Download, the category to which Youtube
belongs, and select Block.

Creating an SSL inspection

profile
Go to Policy > Policy > SSL Inspection.
Select the plus icon in the upper right corner
to create a new profile.
Enable the inspection of the HTTPS
Protocol.

166

The FortiGate Cookbook 5.0.7

Adding the profiles to a

security policy
Go to Policy > Policy > Policy.
Edit the security policy controlling the traffic
you wish to block. Under Security Profiles,
enable Web Filter and SSL Inspection and
set both to use the new profiles.

Blocking HTTP and HTTPS traffic with web filtering

167

Results
Browse to https://www.youtube.com. A
replacement message appears indicating
that the website was blocked.

Blocked traffic can be monitored by going

to Security Profiles > Monitor > Web
Monitor.

168

The FortiGate Cookbook 5.0.7

Limiting access to personal interest websites

using quotas
Many workplaces allow employees to access personal interest websites during their
breaks. The most efficient method to do this is by using quotas, since they do not
require set schedules. This example uses quotas to allow access at any point during
the day but only for a total of 15 minutes for each user.
This example requires an active license for FortiGuard Web Filtering Services.

1. Creating a web filter profile that uses quotas

2. Adding the web filter profile to a security policy
3. Adding HTTPS scanning (optional)
4. Results

Website

Quota applied
to traffic

FortiGate

Internal Network

Limiting access to personal interest websites using quotas

169

Creating a web filter profile

that uses quotas
Go to Security Profiles > Web Filter >
Profiles.
Create a new profile and enable FortiGuard
Categories. Right-click on the category
General Interest - Personal and select
Monitor. Do the same for the category
General Interest - Business
These categories include a variety of sites
that are commonly blocked in the workplace,
such as games, instant messaging, and
social media.

Expand Quota on Categories with

Monitor, Warning and Authenticate
Actions and select Create New. Select
both General Interest - Personal and
General Interest - Business and set the
Quota amount to 15 Minutes.

You can also apply quotas to specific subcategories within a FortiGuard Category,
such as Shopping and Auction and Social
Networking, both of which are found in
the General Interest - Personal category).
By doing this, you can target specific sites
you wish to limit without affecting every
site within the larger category.

170

The FortiGate Cookbook 5.0.7

Adding the web filter profile

to a security policy
Go to Policy > Policy > Policy.
Edit the policy controlling the traffic you
wish to apply the quotas to. Under Security
Profiles, enable Web Filter and set it to use
the new profile.

Adding HTTPS scanning

(optional)
If you wish to apply the quotas to HTTPS
traffic as well as HTTP, you must create an
SSL inspection profile and add it to your
security policy. For more information about
blocking HTTPS traffic, see Blocking HTTP
and HTTPS traffic with web filtering on page
164.

Limiting access to personal interest websites using quotas

171

Results
Browse to www.ebay.com, a website that is
found within the General Interest - Personal
category.
Access to the website is allowed for 15
minutes, after which a block message
appears. The message will persist for all
General Interest - Personal sites until the
quota is reset, which occurs every day at
midnight.

Go to Log & Report > Traffic Log >

Forward Traffic Log to monitor allowed
and blocked traffic to these categories that
have quotas.

Select an entry for more information about a

session.

172

The FortiGate Cookbook 5.0.7

Setting up YouTube for Education

This recipe describes how to apply the YouTube For Education filter, preventing
access to all videos that are not part of YouTubes Education portal. It also
describes how to implement security policies to prevent two common workarounds
that allow users to avoid the filter: using HTTPS access, and visiting a specific
YouTube URL.
1. Adding an Application Control Sensor
2. Creating URL and Category web filters
3. Configuring SSL/SSH Inspection
4. Creating blocking and redirecting security policies
5. Results
YouTube

YouTube EDU

Internet

FortiGate

LAN

Setting up YouTube for Education

173

Adding an Application
Control Sensor
Go to Security Profiles > Application
Control > Application Sensors.
Select the Plus icon in the upper right corner
to create a new application sensor.
Select Create New to create the application
filter, and set the Sensor Type to Specify
Applications. Filter the results by searching
for youtube, and highlight all the entries that
contain it.

Set the Action to Block.

Creating URL and Category

web filters
Go to Security Profiles > Web Filter >
Profiles. Youll need to create two filters;
one to block access to the YouTube URL and
one to enforce the YouTube Education Filter.
Create a new web filter profile, that will block
HTTP and HTTPS access to YouTube.
Enable Web Site Filter, and create a new
URL filter, entering *.youtube.com as the
URL. Set the Type to WildCard, and the
Action to Block.

Create a second web filter profile, that will

enforce the YouTube for Education filter.
You can also enable FortiGuard Categories
to block other unwanted content, but
Bandwidth Consuming > Streaming
Media and Download must be allowed
or your users will not be able to access the
Education portal.
Enable Safe Search, and enable the
Youtube Education Filter. Enter the
Education Filter registration code, provided
to you by YouTube. To get a code, visit
http://www.youtube.com/t/education.

Configuring SSL/SSH
Inspection
Go to Policy > Policy > SSL/SSH
Inspection.
Create a new Deep Inspection Options
profile. Ensure that SSH Deep Scan is
enabled.

Setting up YouTube for Education

175

Creating blocking and

redirecting security policies
Now, go to Policy > Policy > Policy. You
will need to create two policies, to prevent
the two filter workarounds.
Create the first policy, which will block
HTTPS traffic to YouTube.
Set the internal-network-facing interface as
Incoming Interface, your Internet-facing
interface as Outgoing Interface, and select
HTTPS for Service.
Enable NAT.
Under Security Profiles, enable Web
Filter, using your HTTPS filter. Enable
Application Control, using your App filter.

Lastly, enable SSL/SSH Inspection, using

your Deep Inspection filter.

176

The FortiGate Cookbook 5.0.7

Create the second policy, which will force all

remaining YouTube traffic to the Education
portal.
Set the internal interface as Incoming, the
internet-facing interface as Outgoing, and
enable NAT.

Under Security Profiles, enable Web

Filter, using your Education filter.

Enable SSL/SSH Inspection, using your

Deep Inspection filter.

Return to the policy list and move your

HTTPS blocking policy as close to the top as
possible without affecting existing policies.
Move the education filter policy immediately
below the HTTPS policy.

Setting up YouTube for Education

177

Results
Browse to www.youtube.com. You will arrive
at the YouTube for Education homepage and
only be able to access videos that have been
approved as educational content.

If you attempt to avoid the filter by visiting

https://www.youtube.com, the browser will
attempt to reach the page but will eventually
time out or present a message such as
The connection to the server was reset or
Server not found.

If you attempt to avoid the filter by visiting

a specific YouTube URL, such as
www.youtube.com/watch?v=H9UtpYOwlgk,
the video will be replaced with an error
message like the one shown.

178

The FortiGate Cookbook 5.0.7

Using web filter overrides to control website

access
This example shows two methods of using web filter overrides to control access to
specific websites: one for the entire network and one for specific users.
This example requires an active license for FortiGuard Web Filtering Services.

Method 1

Method 2

2. Adding FortiGuard blocking

to the default web filter profile

2. Creating a web filter profile

1. Creating a rating override

1. Creating a user group and

two users

3. Adding the web filter profile to

a security policy

3. Adding the web filter profile to

a security policy

4. Results

Internet

FortiGuard
Override

FortiGate

Internal Network

Using web filter overrides to control website access

179

Method 1
Creating a ratings override
Go to Security Profiles > Web Filter >
Rating Overrides.
Create a new override and enter the URL
fortinet.com. Select Lookup Rating to see
its current FortiGuard Rating.
Set Category to Custom Categories (local
categories) and create a new Sub-Category
for blocked sites.

The sub-category has been added to the list

of FortiGuard Categories, under Local
Categories.

180

The FortiGate Cookbook 5.0.7

Adding FortiGuard blocking

to the default web filter
profile
Go to Security Profiles > Web Filter >
Profiles.
Create a new profile and enable FortiGuard
Categories. Right-click on Local
Categories and select Block.

Adding the web filter profile

to a security policy
Go to Policy > Policy > Policy.
Edit the policy that allows outbound traffic.
Under Security Profiles, enable Web Filter
and set it to use the new profile.

Using web filter overrides to control website access

181

Results
In a web browser, go to www.fortinet.com.
The website will be blocked and a
replacement message from FortiGuard Web
Filtering will appear.

Rating overrides can also be used to allow

access to specific sites within a FortiGuard
category, such as General Interest Personal, while still blocking the rest of
the sites listed in that category.

Method 2
Creating a user group and
two users
Go to User & Device > User > User
Groups. Select Create New and create the
group override_group.

182

The FortiGate Cookbook 5.0.7

Go to User & Device > User > User

Definition.
Using the User Creation Wizard, create
two users (in the example, ckent and
bwayne). Assign ckent to override_group but
not bwayne.

Using web filter overrides to control website access

183

Creating a web filter profile

Go to Security Profiles > Web Filter >
Profiles.
Create a new profile and enable FortiGuard
Categories. Right click on Local
Categories and select Block.
Expand the Advanced Filter and enable
Allow Blocked Override. Set Apply to
Group(s) to override_group.
Set Assign to Profile to default to use it as
the alternate web filter profile for override_
group users.
Because the default web filter does not block
Local Categories, using it will allow ckent to
access fortinet.com for the duration of the
override period (by default, Duration is set
to 15 minutes).

Adding the web filter profile

to a security policy
Go to Policy > Policy > Policy.
Edit the policy that allows outbound traffic
and set the Policy Subtype to User
Identity.

184

The FortiGate Cookbook 5.0.7

Create an Authentication Rule that

includes both override_group and bwayne
and has Web Filter set to override_profile.

Results
In a web browser, go to www.fortinet.com.
After the user authentication screen, the
website is blocked and a replacement
message from FortiGuard Web Filtering
appears.
Select Override. You are prompted to
authenticate to view the page.

User bwayne is not able to override the web

filter and receives an error message.

Using web filter overrides to control website access

185

However, user ckent is able to override the

filter and can access the site for 15 minutes.

You can monitor web filter overrides by going

to Log & Report > Traffic Log > Forward
Traffic.

Select an entry for more information about a

session, including the user and hostname.

186

The FortiGate Cookbook 5.0.7

Inspecting traffic content using flow-based

inspection
Flow-based inspection offers an alternative to proxy-based inspection, which
imposes some limitations on performance and also changes some aspects of
packets as they pass through your FortiGate unit. This example enables flow-based
inspection for antivirus and web filtering.
1. Enabling flow-based inspection in an antivirus profile
2. Enabling flow-based inspection in a web filtering profile
3. Adding the new profiles to a security policy
4. Results

Internal Network
Web Filter

FortiGate

Virus

Internet

Virus
Virus

Inspecting traffic content using flow-based inspection

187

Enabling flow-based
inspection in an antivirus
profile
Go to Security Profiles > Antivirus >
Profile. Select the plus icon in the upper
right corner of the window to create a new
profile.
Select Flow-based as the Inspection
Mode.
Configure the profile to inspect traffic based
on your network needs.

188

The FortiGate Cookbook 5.0.7

Enabling flow-based
inspection in a web filtering
profile
Go to Security Profiles > Web Filter >
Profile. Select the plus icon in the upper
right corner of the window to create a new
profile.
Select Flow-based as the Inspection
Mode.
Configure the profile to block traffic based on
your network needs.

Inspecting traffic content using flow-based inspection

189

Adding the new profiles to a

security policy
Go to Policy > Policy > Policy.
Edit the policy controlling the traffic you
wish to inspect. Under Security Features,
enable Antivirus and Web Filter and set
them to use the new profiles.

Results
To test the AV scanning, go to www.eicar.org
and try to download a test file. The browser
will time out and display a message similar to
what is shown here from Google Chrome.

190

The FortiGate Cookbook 5.0.7

Go to Log & Report > Traffic Log >

Forward Traffic to see the blocked traffic.

To test the web filtering, browse to

www.google.com. The FortiGate unit will
display a block message.

Go to Security Profiles > Monitor > Web

Monitor to see information about blocked
Internet traffic.

Inspecting traffic content using flow-based inspection

191

Analyzing your network traffic using a onearmed sniffer

You can use a one-armed sniffer in coordination with a FortiAnalyzer to analyze
traffic going through a main FortiGate to minimize the impact on network
performance impact.
Topology Setup
Sniffing can be done by way of port mirroring or by placing a hub between the
FortiGate and the router/switch. Using a hub removes potential configuration issues
with the switch.
1. Configuring the interfaces
2. Configuring the security profiles
3. Registering the sniffer device
4. Configuring logging to the FortiAnalyzer
5. Results

192

The FortiGate Cookbook 5.0.7

Configuring the interfaces

These settings are for the FortiGate
designated as the sniffer; in this case a
FortiGate model 60D.
It is possible to use the same interface for
both the mirror traffic and access to the
FortiAnalyzer, but it is recommended to
use one for each purpose separately.
If there is not already administratively
accessible interface, consider using
FortiExplorer and a USB cable.

Configuring the Management Interface

(WAN 1) on the Sniffer

Log in to the FortiGate 60D.

Go to System > Network > Interfaces.
Select the interface that you wish to connect
to your internal network so that you can
access the device remotely and allow it to
connect to the FortiAnalyzer.
Verify that the configuration for the interface
is completed with the information shown
here. Make sure that it is on the correct
subnet range.
The purpose of this interface is to manage
the FortiGate and provide access to the
FortiAnalyzer so it is important to make sure
that the correct Administrative Access
is chosen and that the interface is on the
internal subnet.

Analyzing your network traffic using a one-armed sniffer

193

Configuring the sniffer interface

Select the interface that you wish to use to
collect the mirrored data traffic.
Verify that the configuration for the interface
is completed with the shown information:
If the One-Arm Sniffer addressing mode
is unavailable you may have to choose a
different interface.

Configuring the security

profiles
Some administrators match the content of
the profiles on the sniffer with those on the
Main FortiGate, but this is not a requirement
for the sniffer to work. The sniffer profiles
will not impact your network performance
so they can be as comprehensive as you
want. Create profiles that will capture the
information you want.
If you cannot set more than one type
of Security Profile go to System >
Config > Features and ensure that
the Multiple Security Profiles
feature is enabled.

194

The FortiGate Cookbook 5.0.7

AntiVirus Profile (Flow-based)

Go to Security Profiles > AntiVirus >
Profiles.
Apply the same settings to the profile on the
sniffer device as on the primary FortiGate.

The one-armed sniffer mode will only

allow flow-based profiles to be used.

Configure the following in the CLI, in addition

to the web-based configuration:

set default-db normal

end

set extended-utm-log enable

set options scan
end
set av-virus-log enable
set av-block-log enable
end

Analyzing your network traffic using a one-armed sniffer

195

Application Control Sensor

Go to Security Profiles > Application
Control > Application Sensors.
Apply the same settings to the profile on the
sniffer device as on the primary FortiGate.

Add the these CLI settings in addition to the

web-based configuration:
set
set
set
set

extended-utm-log enable
other-application-log enable
log enable
unknown-application-log enable

end

196

The FortiGate Cookbook 5.0.7

Webfilter Profile (Flow-based)

Go to Security Profiles > Webfilter >
Profiles.
Apply the same settings to the profile on the
sniffer device as on the primary FortiGate.

Configure the following settings in the CLI, in

addition to the web based configuration:
set extended-utm-log enable
set options https-url-scan
end

Analyzing your network traffic using a one-armed sniffer

197

IPS sensor
Go to Security Profiles > Webfilter >
Profiles.
Apply the same settings to the sensor on the
sniffer device as on the primary FortiGate.

Registering the Sniffer

device
Log in to the FortiAnalyzer.
Go to the Device Manager tab.
Select Add Device from the drop down
menu.

In the Login screen of the Add Device

wizard fill in the fields with the information
shown here.
Select Next.

198

The FortiGate Cookbook 5.0.7

In the Add Device screen of the Add

Device wizard fill in the fields with the
information shown here.
If there is no more information to enter, select
Next.

Select the sideways triangle next to Other

Device Information to expand the window
for more field options.
Select Next.

Analyzing your network traffic using a one-armed sniffer

199

A window showing successful registration

should appear.
Select Next to proceed.

The final window of the wizard provides a

summary of the configuration.

200

The FortiGate Cookbook 5.0.7

Configure logging to the

FortiAnalyzer
Go to Log & Filter > Log Config > Log
Settings.
Configure the settings as shown here.
Be sure to test the connectivity before
proceeding.

Results
Creating some logs
On a computer behind the primary FortiGate,
download some test files from the Eicar
website at:
http://www.eicar.org/85-0-Download.html
Visit some websites that should be blocked
by the policy, for example:
www.gambling.com

Analyzing your network traffic using a one-armed sniffer

201

Seeing the results on the FortiAnalyzer

Log in to the FortiAnalyzer
Go to the Log View tab.
In the left-hand column, expand the tree for
the sniffer device.
Go to Security > Intrusion Prevention.
You will see a listing of the items that are
considered relevant.
In this case the one for the test file shows the
Attack Name as Eicar.Virus.Test.File

Select the Log View Tab.

In the left-hand column, expand the tree for
the sniffer device.
Select Traffic.
Use the column filters to focus in on the
target traffic. In this case we are looking for
traffic with:
t
t
t

Source IP address = 192.168.10.100

Destination IP address = 190.93.240.30
Service = HTTP
The destination address was determined
by pinging gambling.com and looking at
the resolved address.

202

The FortiGate Cookbook 5.0.7

Excluding specific users from security scanning

In this example, two company executives will be excluded from the security
scanning that is applied to all other Internet traffic. Since the executives connect to
the Internet using the PCs that have static IP addresses, these addresses can be
used to identify their traffic.

1. Applying security profiles to the staff policy

2. Creating firewall addresses and a group for the executives
3. Creating a security policy for the executives
4. Results

Internet

FortiGate
Exec1
192.168.13.10
Exec2
192.168.13.11
Internal Network

Excluding specific users from security scanning

203

Applying security profiles to

the staff policy
Go to Policy > Policy > Policy and edit the
policy allowing Internet access. This policy
will be used by the majority of the companys
staff.
In order to view results, select Log all
Sessions.
Under Security Profiles, enable Web Filter
and Application Control. Set them to use
the default profiles.

Creating firewall addresses

and a group for the
executives
Go to Firewall Objects > Address >
Addresses. Create an address for each
executive.
Set Type to Subnet and Interface to lan.
Set Subnet/IP Range to the static IP of the
executives PC. Use /32 as the Netmask to
ensure that the firewall address applies only
to the specified IP.

204

The FortiGate Cookbook 5.0.7

Go to Firewall Objects > Address >

Groups.
Create a new group and add the new
addresses as members.

Creating a security policy

for the executives
Go to Policy > Policy > Policy.
Create a policy allowing the executives to
access the Internet. Set Incoming Interface
to lan, Source Address to the firewall
address group, and Outgoing Interface to
your Internet-facing interface. Enable NAT
and, in order to view results, select Log all
Sessions.
Leave all Security Profiles disabled.

Excluding specific users from security scanning

205

In the policy list, reorder the security policies

by clicking and dragging the Seq.# column.
Place the policy for the executives at the top
of the list.

Results
Connect to the Internet from two computers
on the internal network: one that has an IP
address assigned to one of the executives
and one that doesnt.
Go to Log & Report > Traffic Log >
Forward Traffic Log. Right-click on one of
the column headings and make sure that the
Policy ID column is selected, then select
Apply.
Policy IDs are assigned by the order in which
policies were created and so in the example
the staff policys ID is 2, while the executive
policys ID is 3.
In the log, you can see that traffic from the
computer with the executive IP is flowing
through policy 3, while traffic from the other
computer uses policy 2.
Since policy 3 does not have any security
profiles enabled, traffic from the executives is
not being scanned for security events.

206

The FortiGate Cookbook 5.0.7

Wireless Networking
FortiOS WiFi networking provides a wide range of capabilities for integrating
wireless networks into your organizations network architecture. Each WiFi network,
or SSID, is represented by a virtual network interface to which you can apply firewall
policies, security profiles, and other features in the same way you would for physical
wired networks.
This chapter contains the following examples:
t

Setting up a temporary guest WiFi user

Setting up a network using a FortiGate unit and a FortiAP unit

Providing remote users access to the corporate network and Internet

Assigning wireless users to different networks using dynamic VLANs

Extending the range of a wireless network by using mesh topology

Wireless Networking

207

Setting up a temporary guest WiFi user

In this example, a temporary user account will be created and distributed to a guest
user, allowing the guest to have wireless access to the Internet.

1. Connecting the FortiAP unit using the DMZ interface

2. Creating a WiFi guest user group
3. Creating an SSID using a captive portal
4. Creating a security policy to allow guest users Internet
access
5. Creating a guest user management account
6. Results

Internet

Internal Network

FortiGate

FortiAP

Guest WiFi User

208

The FortiGate Cookbook 5.0.7

Connecting the FortiAP unit

using the DMZ interface
Go to System > Network > Interfaces.
Select the dmz interface.
Set the dmz interface to be Dedicated to
FortiAP.

Connect the FortiAP to the DMZ interface.

Go to WiFi Controller > Managed Access
Points > Managed FortiAPs and right-click
on the FortiAP unit. Select Authorize.

Using the DMZ interface creates a secure

network that will only grant access if it is
explicitly allowed. This allows guest access
to be carefully controlled.

Setting up a temporary guest WiFi user

209

Creating a WiFi guest user

group
Go to User & Device > User > User
Groups.
Create a new group, setting Type to Guest,
User ID to Email, and Password to AutoGenerate.
These guest user accounts are temporary
and will expire four hours after the first login.

Creating an SSID using a

captive portal
Go to WiFi Controller > WiFi Network >
SSID.
Create a new SSID. Set Traffic Mode to
Tunnel to Wireless Controller and enable
DHCP Server, taking note of the IP range
assigned.
Under WiFi Settings, set Security Mode
to Captive Portal and User Groups to the
new guest user group.
A Captive Portal will intercept connections
to the wireless network and display a login
screen on the guest users device. The guest
must then authenticate with the portal to gain
access to the wireless network.

210

The FortiGate Cookbook 5.0.7

Creating a security policy

to allow guest users Internet
access
Go to Firewall Objects > Address >
Addresses.
Create a firewall address for the guest WiFi
users. Use the DHCP IP range for Subnet/IP
Range and set the Interface to the wireless
interface.

Go to Policy > Policy > Policy.

Create a security policy allowing guest users
to have wireless access to the Internet.
Set Incoming Interface to the wireless
interface, Outgoing Interface to your
Internet-facing interface, and Source
Address to the guest WiFi users group.

Setting up a temporary guest WiFi user

211

Creating a guest user

management account
Optionally, you can create an administrator
that is used only to create guest accounts.
Access to this account can be given to a
receptionist, to simply the process of making
new accounts.
Go to System > Admin > Administrators.
Create a new account. Set the Type to
Regular and set a Password. Enable
Restrict to Provision Guest Accounts
and set Guest Groups to the WiFi guest
user group.

212

The FortiGate Cookbook 5.0.7

Results
Log in to the FortiGate unit using the guest
user management account. Go to User &
Device > User > Guest Management and
select Create New.
Use a guests email account to create a new
user ID.

The FortiGate unit generates a user account

and password. This account is only valid for
four hours (the default time limit for the guest
user group).

The guest can now log in using the FortiGate

Captive Portal. Once authenticated, the
guest is able to connect wirelessly to the
Internet.

Setting up a temporary guest WiFi user

213

To verify that the guest user logged in

successfully, go to WiFi Controller >
Monitor > Client Monitor.

Go to Policy > Monitor > Policy Monitor

and verify the active sessions.

Select one of the bars to view more

information about a session.

214

The FortiGate Cookbook 5.0.7

Setting up a network using a FortiGate unit and

a FortiAP unit
This example sets up a wired network and a wireless network that are in the same
subnet. This will allow wireless and wired users to share network resources.

1. Configuring the internal wired network to use DHCP

2. Creating the internal wireless network
3. Results

Internet

FortiGate

FortiAP
Wireless Network
Internal Network

Setting up a network using a FortiGate unit and a FortiAP unit

215

Configuring the internal

wired network to use DHCP
Edit the internal interface.
Set Addressing mode to Manual and
enable DHCP server. Take note of the IP
range.

Go to Firewall Objects > Address >

Addresses.
Set Type to IP Range and set Subnet/IP
Range to use the IP range from the DHCP
server.

216

The FortiGate Cookbook 5.0.7

Go to Policy > Policy > Policy.

Create a security policy allowing users on the
wired network to access the Internet.

Creating the internal

wireless network
Connect the FortiAP to the internal interface.
Go to WiFi Controller > Managed Access
Points > Managed FortiAPs and right-click
on the FortiAP unit. Select Authorize.

It may take a few minutes for the FortiAP

unit to appear on the Managed FortiAPs
list.

Setting up a network using a FortiGate unit and a FortiAP unit

217

Go to WiFi Controller > WiFi Network >

SSID and create a new SSID.
Ensure the Traffic Mode is set to Local
bridge with FortiAPs Interface.

Bridge mode is more efficient than Tunnel

mode, as it uses the CAPWAP tunnel for
authentication only. Bridge mode is also
required in order to have a wired and
wireless network be on the same subnet.

Go to WiFi Controller > WiFi Network >

Custom AP Profiles. Select Create New.
Set SSID for both Radio 1 and Radio 2 to
the new SSID.

218

The FortiGate Cookbook 5.0.7

Go to WiFi Controller > Managed Access

Points > Managed FortiAPs. Edit the
FortiAP unit.
Under Wireless Settings, set AP Profile to
use the new profile.

Results
Users connected to the new SSID will be
able to access the Internet. The wireless
devices will be in the same subnet as the
internal wired network.
Go to WiFi Controller > Monitor > Client
Monitor to see WiFi users and their IP
addresses.
Go to Log & Report > Traffic Log >
Forward Traffic to verify that the same
policy controls both wired and wireless
traffic.

Setting up a network using a FortiGate unit and a FortiAP unit

219

Providing remote users access to the corporate

network and Internet
In this example, a user in a remote location, such as a hotel or their home, will use
a FortiAP unit to securely connect to the corporate network and browse the Internet
from behind the corporate firewall.
1. Preauthorizing the FortiAP unit on the FortiGate unit
2. Creating an SSID and firewall addresses
3. Creating security policies
4. Configuring the FortiAP unit to connect to the FortiGate unit
5. Connecting to the FortiGate unit remotely
6. Results

FortiAP

Remote User

Internet
Internal Network

FortiGate
220

The FortiGate Cookbook 5.0.7

Pre-authorizing the FortiAP

unit on the FortiGate unit
Go to WiFi Controller > Managed Access
Points > Managed FortiAPs.
Add a new FortiAP unit and enter the
units Serial Number (in the example,
FAP11C3X13000412).

The FortiAP unit will appear on the list of

Managed FortiAPs as authorized and offline.

Creating an SSID and a

firewall addresses
Go to WiFi Controller > WiFi Network >
SSID. Select Create New.
Enable the DHCP Server and make note of
the IP range.
Configure the WiFi Settings with a unique
SSID name and Pre-shared Key.

Providing remote users access to the corporate network and Internet

221

Go to Firewall Objects > Address >

Addresses. Create addresses for both the
remote users and the corporate network.
For the remote users, set Type to IP Range.
The range for the remote users should be
within the range used for the DHCP server.
Set Interface to the new SSID.

For the corporate network, set Type to

Subnet and use the corporate networks
IP address. Set Interface to an internal
interface.

Creating security policies

Go to Policy > Policy > Policy.
Create a policy that allows remote wireless
users to access the Internet. Set the
Incoming Interface to the SSID and the
Outgoing Interface as your Internet-facing
interface.

222

The FortiGate Cookbook 5.0.7

Create a second policy for remote wireless

users to access the corporate network.
Again, set the Incoming Interface to the
SSID but now the Outgoing Interface is an
internal interface.

Configuring the FortiAP unit

to connect to the corporate
FortiGate unit
Go to WiFi Controller > Managed Access
Points > Managed FortiAPs and note the
IP Address assigned to your FortiAP.
Enter the address into your browsers
address bar to access your FortiAP web
manager.

Providing remote users access to the corporate network and Internet

223

In the System Information tab, enter the

AC IP Address of the public facing interface
of the corporate FortiGate unit. The Internetfacing interface is also the public facing
interface. To locate this IP address, go to
System > Network > Interfaces.
The FortiAP will search for this FortiGate
interface when it tries to connect.
The remote user may now take this device
to the desired remote location to connect
securely to the corporate FortiGate unit.

Connecting to the
corporate FortiGate
remotely
At the remote location, connect the FortiAP
to the Internet using an Ethernet cable. Next,
connect the FortiAP to power.
Once connected, the FortiAP requests an IP
address and locates the FortiGate wireless
controller.
The remote user can now access the
corporate network and browse the Internet
securely from behind the corporate firewall.

224

The FortiGate Cookbook 5.0.7

Results
Go to WiFi Controller > Monitor > Client
Monitor to see remote wireless users
connected to the FortiAP unit.
Go to Log & Report > Traffic Log >
Forward Traffic to see remote wireless
users appear in the logs.

Select an entry to view more information

about remote traffic to the corporate
network and to the Internet.

Providing remote users access to the corporate network and Internet

225

Assigning wireless users to different networks

using dynamic VLANs
Dynamic virtual LANs (VLANs) are used to assign wireless users to different
networks without requiring the use of multiple SSIDs. This example creates dynamic
VLANs for the Techdoc and Marketing departments, with a RADIUS server used for
authentication.
1. Connecting the FortiAP unit
2. Creating an SSID with dynamic VLANs enabled
3. Creating and assigning a custom AP profile
4. Creating the VLAN interfaces
5. Creating security policies for both networks
6. Configuring a connection to the RADIUS server
7. Creating the RADIUS client
8. Creating network policies on the RADIUS client
9. Results
Internet

wan 1

FortiGate

Marketing network
User jsmith

226

RADIUS server
192.168.1.114

Techdoc network
FortiAP

User twhite

The FortiGate Cookbook 5.0.7

Connecting the FortiAP unit

Connect the FortiAP to the internal interface.
Go to WiFi Controller > Managed Access
Points > Managed FortiAPs and right-click
on the FortiAP unit. Select Authorize.

It may take a few minutes for the FortiAP

unit to appear on the Managed FortiAP list.

Creating an SSID with

dynamic VLANs enabled
Go to WiFi Controller > WiFi Network >
SSID.
Create a new SSID. Set Traffic Mode to
Local bridge with FortiAPs Interface.

Dynamic VLANs can also be used with a

FortiAP in Tunnel Mode. The only
difference in the configuration occurs
when creating VLAN interfaces, as the
initial creation must occur using the CLI.

Assigning wireless users to different networks using dynamic VLANs

227

Go to System > Dashboard > Status.

Enable dynamic VLANs on the FortiAP and
set the default VLAN ID (10 in the example)
by entering the following in the CLI Console:

set vlanid 10
end
end

Creating and assigning a

custom AP profile
Go to WiFi Controller > WiFi Network >
Custom AP profiles.
Create a new profile and select the new SSID
for both Radio 1 and Radio 2.

Go to WiFi Controller > Managed Access

Points > Managed FortiAPs.
Right-click on the FortiAP unit. Select
Assign Profile and set it to the new AP
profile.

228

The FortiGate Cookbook 5.0.7

Creating the VLAN

interfaces
Go to System > Network > Interface.
Create the VLAN interface for marketing-100.
Enable DHCP Server.

Create the VLAN interface for techdoc-200.

Enable DHCP Server.

Assigning wireless users to different networks using dynamic VLANs

229

Creating security policies

for both networks
Go to Policy > Policy > Policy.
Create a policy that allows outbound
traffic from marketing-100. Set Incoming
Interface to marketing-100 and Outgoing
Interface to the Internet-facing interface.

Create another new policy that allows

outbound traffic from techdoc-200. Set
Incoming Interface to techdoc-200 and
Outgoing Interface to the Internet-facing
interface.

230

The FortiGate Cookbook 5.0.7

Configuring a connection to
the RADIUS server
This example uses NPS on Windows
Server 2008. The RADIUS server has
already been configured with the user
group Techdoc, with member twhite, and
the user group Marketing, with member
jsmith.

Go to User & Device > Authentication >

RADIUS Servers. Select Create New.
Configure the connection to your RADIUS
server, setting both the Primary Sever
Name/IP and the Primary Server Secret.
Select Use Default Authentication
Scheme.

Assigning wireless users to different networks using dynamic VLANs

231

Creating the RADIUS client

Connect to the RADIUS server.
Open the Server Manager and create a
new RADIUS client.

232

The FortiGate Cookbook 5.0.7

Creating network policies on

the RADIUS client
Create a network policy for the TechDoc
department that uses the techdoc-200 VLAN.

Assigning wireless users to different networks using dynamic VLANs

233

Set Tunnel-Pvt-Group to 200, the VLAN ID

of techdoc-200, and Tunnel-Type to Virtual
LANs (VLAN)

Repeat this procedure to create a network

policy for the Marketing depart that uses the
marketing-100 VLAN.

234

The FortiGate Cookbook 5.0.7

Results
The SSID will appear in a list of available
wireless networks on the users devices.
Both twhite and jsmith can connect to the
SSID with their credentials.
If a certificate warning message appears,
accept the certificate.

Go to WiFi Controller > Monitor > Client

Monitor. Both users are shown using the
same SSID.

Go to Log & Report > Traffic Log >

Forward Traffic Log. Traffic flows through
both policies, using the provided credentials.

Assigning wireless users to different networks using dynamic VLANs

235

Extending the range of a wireless network by

using mesh topology
This example demonstrates how to configure a FortiGate and two FortiAP wireless
access point units to extend the reach and availability of a wireless network. This
example simulates a company that has expanded into a second, nearby building
that requires wireless access.
The FortiAP units used to create a wireless mesh must be models that have two radios.

1. Configuring an interface on the FortiGate for the APs

2. Creating two SSIDs
3. Creating a custom AP profile
4. Creating firewall addresses and an address group
5. Setting up and configuring the FortiAPs
6. Creating security policies on the FortiGate
7. Results

Internet

Backhaul Channel

FortiGate

FortiAP-1

FortiAP-2

Leaf Channel

Main Building Wireless Users

236

2nd Building Wireless Users

The FortiGate Cookbook 5.0.7

Before you begin

The following models were used in this
example: FortiGate-100D, FortiAP-220B, and
FortiAP-221B.
The FortiGate unit is in Interface Mode
(each physical port can be the interface to a
distinct subnet), so that a single port, in this
case 11, will be used for the sole purpose of
interface for the wireless network.
The computers managing the network and
FortiAPs are located on the internal network.

Configuring an interface on
the FortiGate for the APs
A dedicated network interface needs to be
configured on the Fortigate that will be used
only by the FortiAP units.
Go to System > Network > Interfaces and
edit an available internal port (in the example,
port11). Set Addressing mode to Dedicate
to FortiAP/FortiSwitch.

Extending the range of a wireless network by using mesh topology

237

Creating two SSIDs

A wireless mesh requires two SSIDs:
back-haul and leaf. The backhaul channel
is the wireless connection between the
two FortiAP units, while the leaf channel is
used by individual clients to connect to the
wireless network.
Go to System > Network > Interfaces and
create the backhaul SSID.
Set Type to WiFi SSID and configure the
WiFi Settings as needed.

Create the leaf SSID.

Set Type to WiFi SSID, enable DHCP
Server, and configure the WiFi Settings as
needed.

238

The FortiGate Cookbook 5.0.7

Creating a custom AP
profile
Go to WiFi & Switch Controller > WiFi
Network > Custom AP Profile.
Create a new profile for the FortiAP model
you are using.
Configure Radio 1 for the backhaul channel
and Radio 2 for the leaf channel.
For the backhaul channel, set Band to
802.11an_5G. For the leaf channel, set
Band to 802.11bgn_2.4G.

You may have to configure two custom AP

profiles if your FortiAP units are different
models that cannot use the same profile.

Extending the range of a wireless network by using mesh topology

239

Creating firewall addresses

and an address group
Go to Firewall Objects > Address >
Addresses.
Create a new address for the internal
network.

Create an address for FortiAP-1.

Create an address for FortiAP-2.

Create an address for leaf channel users,

using the DHCP range used by the leaf
channel SSID.

240

The FortiGate Cookbook 5.0.7

Go to Firewall > Address > Groups and

create a new group.
Add the FortiAP addresses to the group.

Setting up and configuring

the FortiAPs
In this example, the FortiAP-221B unit
is FortiAP-1, while the FortiAP-220B is
FortiAP-2.

Preauthorize FortiAP-1
Go to WiFi & Switch Controller >
Managed Devices > Managed FortiAP.
Select Create New.
Enter the serial number of the FortiAP unit
and give the Managed Access Point a name.

Extending the range of a wireless network by using mesh topology

241

Preauthorize FortiAP-2
Go to WiFi & Switch Controller >
Managed Devices > Managed FortiAP.
Select Create New.
Enter the serial number of the FortiAP and
give the Managed Access Point a name.

The FortiAP list will now show both FortiAP

units. Since they are not currently connected,
they will appear greyed out.

Apply the Custom AP profile

Go to WiFi & Switch Controller >
Managed Devices > Managed FortiAP.
The same custom AP profile needs to be
added to both the FortiAP units. Edit each
one in turn.
Use the [Change] link to assign the custom
AP profile.

242

The FortiGate Cookbook 5.0.7

The FortiAP list now shows that the SSIDs

have been added to the appropriate radios
on the APs.

Configure FortiAP-1 through its web

interface
Certain parameters of the FortiAP units can
only be configured by connecting to the unit
directly, rather than through the FortiGate
interface.
Reset the IP information of your computer
to an address on the same subnet as the
FortiAP. If the AP is in its factory default
configuration, use the following address:
IP address:
Subnet mask:

192.168.1.100
255.255.255.0

Gateway:

192.168.1.1

Connect your computer to the FortiAP

with an Ethernet cable. One end of the
Ethernet cable connected to the network
interface port of you computer and the other
connected to the POE interface on the AP.

Extending the range of a wireless network by using mesh topology

243

Open a browser window and use the IP

address of the FortiAP unit as the URL. The
factory default IP address is 192.168.1.2.
Login with the name: admin. Password is
null, so just press Login.

If this does not work, use the reset button

to return the FortiAP to default settings.

Set Address Mode to Static and set

Local IP Address to the same address as
previously set on the FortiGate unit.
Set Uplink to Ethernet and AC Discovery
Type to Auto.
Once the changes have been made, you will
not be able to connect to the FortiAP unit
through the web interface, because it is no
longer on the same subnet as your computer.
Do not reset the IP configuration on the
computer yet as you still need to configure
FortiAP #2 and the same addresses will
be used on both sides of the Ethernet
connection.

Configure AP-2 through its web

interface
As with the AP-1, connect to the web
interface. Make sure to use the correct
Ethernet porte.

244

The FortiGate Cookbook 5.0.7

Set Address Mode to Static and set

Local IP Address to the same address as
previously set on the FortiGate unit.
Set Uplink is set to Mesh, the AC Discover
Type to Static, and AC IP Address 1 to
the IP interface of the FortiGate port that is
dedicated to the FortiAPs.

Reset the computer to its normal IP address

configuration and login to the FortiGate unit.
Connect FortiAP-1 to the FortiGate interface
dedicated to the FortiAPs (in the example,
port 11).
Once the FortiAPs are configured and
powered up, they should no longer be shown
as online. The Mesh column will also show
that FortiAP-2 is connected through a mesh
to FortiAP-1.

Extending the range of a wireless network by using mesh topology

245

(Alternative) Configure AP-2 through

its console port
FortiAP-2 in the example is a FAP-220B. This
model includes a console port. This allows
for the option of using the CLI to configure
the unit.
Instead of an Ethernet cable, use a console
cable to connect from your computer to
the console port of FortiAP #2. The exact
details of connecting will defer slightly based
on whether the console cable is connected
directly from a serial port or through a USB
adapter and what operating system is on
your computer, but once the connection has
been made it proceeds as follows:
Using a utility like Putty or Terminal, connect
to the CLI. For more details on connecting
read the Quick Start Guide for the model.
Login with the credentials:
Username: admin
Password: <null>
Use the following commands to change the
network configuration.
Change Address Mode to Static:
cfg c

Set the IP address:

cfg a IPADDR=192.168.11.3
cfg a IPGW=192.168.11.1
cfg c

246

The FortiGate Cookbook 5.0.7

Change Connectivity, remebering to choose

a more secure password:

cfg
cfg
cfg
cfg

a MESH_AP_TYPE:=1
a MESH_AP_SSID:=backhaul-ssid
a MESH_AP_PASSWD:=12345678
c

Assign the discovery type to Static:

cfg -c

Statically assign the IP address for the

Access Controller (AC):

cfg a AC_IPADDR=192.168.11.1
cfg c

Creating security policies on

the FortiGate
Go to Policy > Policy > Policy and create a
policy to allow wireless users out to Internet
Set Incoming Interface to the leaf SSID,
Source Address to the address for leaf
channel users, Outgoing Interface to your
Internet-facing interface, and Enable NAT.

Extending the range of a wireless network by using mesh topology

247

Create another policy to allow traffic to reach

APs. This is primarily to allow access to the
web interfaces of the FortiAPs, so if you wish
you can limit the policy to only allow access
to those IP addresses.
Set Incoming Interface to the internal
networks interface (in the example, LAN),
Source Address to the address for the
internal network, Outgoing Interface to
the port dedicated to the FortiAPs, and
(optionally) Destination Address to the
group containing both FortiAP addresses.

After policies are created, remember to

place them at a proper point in the
sequence so that they can be reached by
the desired traffic but will not interfere
with other traffic.

Results
Wireless devices are now able to connect to
the leaf SSID, even if they are only within the
range of FortiAP-2.
There are several ways to verify that the
wireless network has been extended over
both FortiAP units.
Go to WiFi & Switch Controller >
Managed Devices > Managed FortiAPs.
You can see that Radio 2 (leaf-ssid) on
FortiAP-2 has one client connected to it,
while the same SSID on FortiAP-1 does not.

248

The FortiGate Cookbook 5.0.7

Go to WiFi & Switch Controller >

Monitor > Client Monitor.
The client monitor which SSID and FortiAP
that a client is connected to. In the example,
a client has successfully connected to the
leaf SSID on FortiAP-2.

Go to WiFi & Switch Controller > Monitor

> Wireless Health.
For information on the leaf channel, which
uses the 2.4 GHz frequency, view the Top
Client Count Per-AP (2.4 GHz Band)
widget. In the example, the only SSID on that
frequency is for the leaf channel, so the client
using radio 1 on FortiAP-2 must be using
that SSID.
For information on the backhaul channel,
which uses the 2.4 GHz frequency, view the
Top Client Count Per-AP (5 GHz Band).
Again, in the example configuration, the only
SSID on this frequency is for the backhaul
channel.

Extending the range of a wireless network by using mesh topology

249

Open a browser and verify that you can

connect to the web interface of FortiAP-1,
using the IP set in the configuration (in the
example, http://192.168.11.2).

Connect to the web interface of FortiAP-2

using its assigned IP (in the example,
http://192.168.11.3).

250

The FortiGate Cookbook 5.0.7

IPv6
Internet Protocol version 6 (IPv6) is the most significant advance in traditional
Internet communications protocol. The IPv6 address scheme is based on a 128bit address, rather than the 32-bit addresses used by IPv4, allowing IPv6 to have a
much higher address limit of over 340 undecillion possible addresses (that is 340
followed by 36 zeros). FortiGate units support IPv6 in a wide variety of network
configurations.
This section contains the following examples:
t

IPv6

Creating an IPv6 interface using SLAAC

251

Creating an IPv6 interface using SLAAC

In this recipe you will learn how to configure an interface on your FortiGate to
assign IPv6 addresses. Using Stateless Address Autoconfiguration (SLAAC), the
IPv6 interface will automatically assign IPv6 addresses to any device that connects
to that port.
This recipe assumes that your Internet connection is enabled for IPv6.
The IPv6 address block used in this recipe is reserved for documentation purposes and will not work in your
environment. If youre not sure how to determine the correct IPv6 address for your environment, refer to the FortiOS
IPv6 Handbook Chapter.

1. Configuring the IPv6 network interface

2. Configuring the IPv6 firewall address
3. Bouncing the IPv6 interface
4. Results

Port 16
2001:db8::1/32
FortiGate
IPv6 Endpoint
(SLAAC IP)

252

The FortiGate Cookbook 5.0.7

Configuring the IPv6

network interface
Navigate to System > Network >
Interfaces and choose (or create) an
interface appropriate for your network.
In the example, we are using port16 as the
IPv6 interface.
Set the Addressing mode to Manual
and enter the IP/Network Mask and IPv6
Address for the interface.
Select the desired Administrative Access
options.

Enabling router advertisements and

configuring the IPv6 prefix list

This step must be performed in the CLI

console.

In order for the IPv6 interface to

autoconfigure IPv6 addresses, the interface
must have router advertisements and specific
IPv6 prefixes enabled.

edit port16
set ip6-address 2001:db8::1/32
set ip6-send-adv enable
edit 2001:db8::/32

Navigate to System > Dashboard > Status

and scroll down to the CLI Console.
Enter the console and input the commands
shown on the right.

next
end
end
end

Creating an IPv6 interface using SLAAC

253

Configuring the IPv6

firewall address
Navigate to Firewall Objects > Address >
Addresses and select Create New > IPv6
Address.

Under Category, ensure that IPv6 Address

is selected.
Enter a Name for the firewall object and set
the IPv6 Address to the address of the IPv6
interface.

Bouncing the IPv6

interface
You can now bounce the IPv6 interface
(bring the interface down and then back up).
This causes a router advertisement using
Neighbor Discovery Protocol, which performs
address autoconfiguration and determines
the reachability of neighboring nodes.
Navigate to System > Network >
Interfaces and select the IPv6 interface you
created earlier.
Set the Administrative Access to Down.
Return to the IPv6 interface and set the
Administrative Access back to Up.

254

The FortiGate Cookbook 5.0.7

Alternatively, you can reboot the FortiGate

device, or wait for the next router
advertisement.

Results
If you havent done so already, connect a
computer to the IPv6 interface you created.
On that computer, use the Command Prompt
or Terminal, whichever is available, to view
the IP configuration.
Windows: Enter
Command Prompt.
Mac: Enter

into the

into Terminal.

You should see that an IPv6 address has

been assigned using the prefix advertised on
the connected IPv6 interface.

Creating an IPv6 interface using SLAAC

255

Authentication
Authentication, the act of confirming the identity of a person or device, is a key part
of network security. In the context of a private computer network, the identities of
users or host computers must be established to ensure that only authorized parties
can access the network. The FortiGate unit enables controlled network access and
applies authentication to users of security policies and VPN clients.
This section contains the following examples:

256

Identifying network users and applying web filters based on

identity

Controlling when specific types of devices can access the Internet

Providing Single Sign-On for a Windows AD network with a

FortiGate

Providing Single Sign-On in advanced mode for a Windows AD

network

Providing Single Sign-On for Windows AD with LDAP

Allowing Single Sign-On access with a FortiGate and a

FortiAuthenticator

Fortinet Single Sign-On in Polling Mode for a Windows AD network

Preventing security certificate warnings when using SSL inspection

Extra help: Certificates

Adding FortiToken two-factor authentication to a user account

Using two-factor authentication with IPsec VPN

Using two-factor authentication with SSL VPN

Authenticating SSL VPN users using LDAP

The FortiGate Cookbook 5.0.7

Identifying network users and applying web

filters based on identity
This example uses an identity-based security policy to identify and monitor all users
accessing the Internet through your FortiGate unit by requiring them to authenticate
in order to connect. Different web filtering profiles will also be applied to traffic
based on the users credentials.
1. Creating users
2. Creating a user group
3. Creating a web filter profile
4. Configuring an identity-based security policy
5. Results

Internal Network

Users

FortiGate

Internet

cforbes
bbennet

egilbert

Identifying network users and applying web filters based on identity

257

Creating users
Go to User & Device > User > User
Definition.
Using the User Creation Wizard, create
three local users: bbennet, cforbes, and
egilbert.

All three users now appear in the user list.

258

The FortiGate Cookbook 5.0.7

Creating a user group

Go to User & Device > User > User
Groups.
Create a new user group and add users
bbennet and cforbes.

The user group now appears in the user

group list.

Creating a web filter profile

Go to Security Profiles > Web Filter >
Profiles. The default web filter profile is
shown, which will be later applied to traffic
for members of the user group.
Create a new profile. Enable FortiGuard
Categories and set the category General
Interest - Personal to Block.

Identifying network users and applying web filters based on identity

259

Configuring an identitybased security policy

Go to Policy > Policy > Policy.
Edit the policy controlling your outgoing
traffic and set Policy Subtype to User
Identity.

Create two Authentication Rules that

allow Internet access. For the first rule, set
Group(s) to the user group. Enable Web
Filter and set it to use the default profile.

For the second rule, set User(s) to egilbert.

Enable Web Filter and set it to use the new
profile.

260

The FortiGate Cookbook 5.0.7

Results
When a user attempts to connect to the
Internet, the authentication screen will
appear. In order to get full Internet access,
log in as user cforbes.
Browse to www.ebay.com, a site that is in
the General Interest - Personal category.
Using this account, you can access the
website.

Go to User & Device > Monitor >

Firewall. The cforbes account appears on
the firewall monitor list.
Select the account on the list and select
De-authenticate. This will require you
to enter the credentials again in order to
continue browsing the Internet.
Log in again, this time using the egilbert
account.
Browse to www.ebay.com. Now that you are
using the egilbert account, the website will
be blocked.

Identifying network users and applying web filters based on identity

261

Go to Log & Report > Traffic Log >

Forward Traffic. Right-click on the header
row, enable the User column, and select
Apply to view session information for each
user.

You may be required to scroll down the

menu in order to select Apply.

Select an entry for more information.

262

The FortiGate Cookbook 5.0.7

Controlling when specific types of devices can

access the Internet
In this example, a school does not allow Internet access to mobile devices between
9am - 12pm and 1pm - 3pm. To implement this, you create a device identity policy
that permits Internet access for these devices before classes, at lunch time, and
after classes. The school is open from 7am to 6pm.
In this example, a FortiWiFi unit is used. A similar method can be used to control access using a FortiAP and a
FortiGate..

1. Creating the schedule

2. Creating the device policy
3. Configuring the authentication rule
4. Results

Internet

FortiWiFi

Wireless Mobile
Devices

Controlling when specific types of devices can access the Internet

263

Creating the schedules and

schedule group
The schedule covers several periods. It is
created by combining several schedules into
a schedule group.
Go to Firewall Objects > Schedule >
Schedules. Create recurring schedules for
the before class (7-9am), lunch (12-1pm), and
after class (3-6pm) periods.

Go to Firewall Objects > Schedule >

Groups.
Create a group and add the schedules that
you created before.

264

The FortiGate Cookbook 5.0.7

Creating the device policy

Go to Policy > Policy > Policy and create
a Device Identity policy to control Internet
access.

Create a new Authentication Rule. Set

Device to include all mobile device types
and set Schedule to the new schedule
group.

Results
When a mobile user connects during a time
set matching the schedule group, they can
surf the Internet
Go to Log & Report > Traffic Log >
Forward Traffic to view the traffic from
these devices.

Controlling when specific types of devices can access the Internet

265

When the time in the schedule is reached,

further surfing cannot continue. This does
not appear in the logs, as only allowed traffic
is logged.

266

The FortiGate Cookbook 5.0.7

Providing Single Sign-On for a Windows AD

network with a FortiGate
This example uses the Fortinet Single Sign-On (FSSO) Collector Agent to integrate a
FortiGate unit into the Windows AD domain.
1. Installing the FSSO Collector Agent
2. Configuring the Single Sign-on Agent
3. Configuring the FortiGate unit to connect to the FSSO agent
4. Adding a FSSO user group
5. Adding a firewall address for the internal network
6. Adding a security profile that includes an authentication rule
7. Results

Internet

FSSO Agent

FortiGate

FSSO Collector Agent

Windows AD

Internal Network

Providing Single Sign-On for a Windows AD network with a FortiGate

267

Installing the FSSO Collector

Agent
Run the setup for the Fortinet SSO Collector
Agent. After logging in, configure the agent
settings.

Add the Collector Agent address information.

268

The FortiGate Cookbook 5.0.7

Select the domains to monitor, and any users

whose activity you do not wish to monitor.

Set the working mode and complete the

installation.

Providing Single Sign-On for a Windows AD network with a FortiGate

269

Configuring the Single

Sign-on Agent
If required, select Require authenticated
connection from FortiGate, and add a
password.
You will also enter this password when
configuring the FSSO on the FortiGate unit.

Configuring the FortiGate

unit to connect to the FSSO
agent
On the FortiGate unit, go to User & Device
> Authentication > Single Sign-On.
Enter this password used configuring the
FSSO on the FortiGate unit in the previous
step.

Adding a FSSO user group

On the FortiGate unit, go to User & Device
> User > User Groups.

270

The FortiGate Cookbook 5.0.7

Adding a firewall address

for the internal network
Go to Firewall Objects > Address >
Addresses.

Adding a security
profile that includes an
authentication rule
Go to Policy > Policy > Policy.
Add an accept user identity security policy
and add the new FSSO group.

Providing Single Sign-On for a Windows AD network with a FortiGate

271

Results
Go to Log & Report > Traffic Log >
Forward Traffic. As users log into the
Windows AD system, the FortiGate collects
their connection information.
Select an entry for more information.

272

The FortiGate Cookbook 5.0.7

Providing Single Sign-On in advanced mode for a

Windows AD network
Using Fortinet Single Sign-On, the FortiGate unit automatically authenticates any
user that successfully logs into Windows. The Domain Controller agent Advanced
mode has the advantage of supporting nested or inherited user groups. If Standard
mode is used, the FortiGate unit can authenticates only users who are a direct
member of a group.
1. Configuring the DC agent for Advanced mode
2. Configuring the DC agent as an FSSO agent
3. Creating an FSSO user group
4. Creating an identity-based security policy
5. Results

Internet

FSSO Agent

FortiGate

DC Agent

Windows AD

Internal Network

Providing Single Sign-On in advanced mode for a Windows AD network

273

Configuring the DC agent

for Advanced mode
Log on to the Windows server where the DC
agent is installed. Go to All Programs >
FortiNet > Fortinet Single Sign On Agent
> Configure Fortinet Single Sign On
Agent.
Select Directory Access Information and
set AD Access mode to Advanced.
The rest of the configuration is done on the
FortiGate unit.

Configuring the FSSO agent

Go to User & Device > Authentication >
Single Sign-On to enter the information the
FortiGate unit needs to access the DC agent.
After you select Apply & Refresh, the
Windows AD groups are listed. This confirms
that the FortiGate unit can communicate with
the DC agent.

On a Windows AD network with a large

number of groups, the FortiGate units
performance might be affected by the
volume of user logon information it
receives. Use the Set Group Filters
function of the DC agent to send
information only for the groups you intend
to authenticate.

274

The FortiGate Cookbook 5.0.7

Creating an FSSO user

group
Select the Windows AD groups to include in
the FortiGate FSSO user group.

Creating an identity-based
security policy
Create an identity-based security policy that
uses the FSSO user group that you created.

Results

The Windows AD user, having authenticated

at logon, does not have to authenticate again
to connect to the Internet.

Providing Single Sign-On in advanced mode for a Windows AD network

275

Providing Single Sign-On for Windows AD with

LDAP
A logged-on Windows user can be automatically authenticated on a FortiGate unit
through Fortinet Single Sign-On. Some Windows AD systems use an external LDAP
server. FSSO can also accommodate this configuration.
1. Configuring access to the LDAP server
2. Configuring the DC agent as an FSSO agent
3. Configuring a group filter on the FSSO agent
4. Creating an FSSO user group and adding AD user groups
5. Creating a security policy to allow the FSSO user group access
6. Results

Internet
LDAP Server
192.168.1. 117
WAN 1

FortiGate

Internal Network

Port 1
FSSO Agent

Windows AD
Domain Controller
192.168.1.114
276

The FortiGate Cookbook 5.0.7

Configuring access to the

LDAP server
Go to User & Device > Authentication
> LDAP Servers and enter the information
needed to connect the FortiGate unit to the
external LDAP server.

Configuring the DC agent as

an FSSO agent
Go to User & Device > Authentication >
Single Sign-On to enter the information the
FortiGate unit needs to access the DC agent.
Select the LDAP Server. In Users/Groups
use the Edit Users/Groups tab to select user
groups from the LDAP tree.

Providing Single Sign-On for Windows AD with LDAP

277

Configuring a group filter

on the FSSO agent
Log on to the Windows server where the DC
agent is installed. Go to All Programs >
FortiNet > Fortinet Single Sign On Agent
> Configure Fortinet Single Sign On
Agent.
Select Set Group Filters. Select Add. Enter
the FortiGate unit serial number and specify
which user groups the DC agent should
monitor for the FortiGate unit. Select Add
again.

To avoid adversely affecting the FortiGate

units performance, configure the filter to
send information only for the groups you
intend to authenticate.

Creating an FSSO user

group and adding AD user
groups
.Go to User & Device > User > User
Groups. Create a Fortinet Single Sign-On
group and select which Windows AD groups
to include as members.

278

The FortiGate Cookbook 5.0.7

Creating a security policy to

allow the FSSO user group
access
Create identity-based security policies that
use the FSSO user group that you created.

Results

The Windows AD user, having authenticated

at logon, does not have to authenticate again
to connect to the Internet.

Providing Single Sign-On for Windows AD with LDAP

279

Allowing Single Sign-On access with a FortiGate

and a FortiAuthenticator
This example illustrates how to configure Single Sign-On (SSO) using a FortiGate
and FortiAuthenticator, with the FortiAuthenticator unit acting as the SSO Agent,
verifying and maintaining user login information. Users can then log in once when
connecting to the internal network behind the FortiGate, and be automatically
logged into servers and services that support SSO.
1. Configuring polling on the FortiAuthenticator
2. Adding a FortiAuthenticator to the FortiGate unit
3. Creating the FSSO user group
4. Creating a security policy
5. Results

(FSSO Agent)

FortiGate

SSO User Group

280

FortiAuthenticator

SSO Users

The FortiGate Cookbook 5.0.7

Configuring polling on the

FortiAuthenticator
In the FortiAuthenticator interface, go to SSO
& Dynamic Policies > SSO > Options.
In the FortiGate section, the Listening
Port should be 8000, unless the FortiGates
default port mapping has been changed.
Select Enable Authentication. and enter
the Secret Key, which you will use when
configuring the FSSO Agent on the FortiGate.
If you are using an external SSO service,
such as Windows AD or a remote LDAP
server, enable it in the the Fortinet Single
Sign-On (FSSO) section.
Go to SSO & Dynamic Policies > SSO
> Login Portal and Enable SSO Portal.
Ensure Local users is enabled, and disable
Remote users from an LDAP server.

Then go to SSO & Dynamic Policies >

SSO > FortiGate Group Filtering.
Create a new FortiGate Group Filter,
entering the FortiGates IP/hostname.
Enable Forward FSSO information for
users from the following subset of
groups only and move the groups youd like
to send to the FortiGate from Available to
Selected. Select OK to save the filter.

Allowing Single Sign-On access with a FortiGate and a FortiAuthenticator

281

Adding a FortiAuthenticator
to the FortiGate unit
In the FortiGate interface, go to User &
Device > Authentication > Single SignOn, and select Create New.
For the Type, select Fortinet Single
Sign-On Agent. Enter a Name for the
FortiAuthenticator unit.
Enter the IP address of the FortiAuthenticator
as the Primary Agent IP/Name, and enter
the secret key as the Password.
Select Apply & Refresh, and wait a minute
for the FortiAuthenticator to connect to
the FortiGate and download user group
information.

Creating the FSSO user

group
You cannot directly use the user groups
imported from FortiAuthenticator in
firewall policies, so you will need to create
FortiGate user groups to represent the
FortiAuthenticator groups. Go to User &
Device > User > User Groups, and create
a new FSSO user group.
The Members list will be populated with
the FortiAuthenticators user groups. Select
the imported groups to add them to the
FortiGate groups Members list.

282

The FortiGate Cookbook 5.0.7

Creating a security policy

Now, create a security policy to handle SSO
user traffic, so it can be easily identified in
logs and reports. Go to Policy > Policy >
Policy, and create a new policy, setting the
Policy Subtype to User Identity.

Multiple Authentication Rules can be

created for different groups of SSO users
that require different access and supervision.

Results
With the identity-based policy being the only
policy connecting the internal network to the
internet, users on the internal network will
not be able to access the internet without
authenticating.
To connect to the internet, users
must navigate in a browser to the
FortiAuthenticators IP. Users will then log
into the FortiAuthenticator as an admin
would, but will only have access to their user
account settings in the FAC interface.
Once the user has logged in, the
FortiAuthenticator retains their user
information for a time specified in the SSO
Portal settings. They will have access to the
internet, and to any other services or servers
on the internal network configured to use
SSO with the FortiAuthenticator.

Allowing Single Sign-On access with a FortiGate and a FortiAuthenticator

283

Fortinet Single Sign-On in Polling Mode for a

Windows AD network
This example uses Active Directory Polling to establish Fortinet Single Sign-On
(FSSO) for a Windows AD Domain Controller, without requiring a FortiAuthenticator
or a Collector Agent running on the Windows AD Domain to act as an intermediary
between the FortiGate and the domain.
1. Adding the LDAP Server to the FortiGate
2. Configuring the FortiGate unit to poll the Active Directory
3. Adding an FSSO user group
4. Adding a firewall address for the internal network
5. Adding a security policy that includes an authentication rule
6. Results

Internet

Polling Mode

Windows AD

284

FortiGate

Internal Network
The FortiGate Cookbook 5.0.7

Adding the LDAP Server to

the FortiGate
In the FortiGate web interface, go to
User& Device > Authentication > LDAP
Servers. Add your LDAP server details.

Configuring the FortiGate

unit to poll the Active
Directory
Next, go to User & Device >
Authentication > Single Sign-On.
For the Type, select Poll Active Directory
Server. Enter the IP, username and
password, and select the LDAP server you
added previously. Ensure Enable Polling is
checked.

Adding an FSSO user group

Go to User & Device > User > User
Groups, and add the desired AD member
groups to the group.

Fortinet Single Sign-On in Polling Mode for a Windows AD network

285

Adding a firewall address

for the internal network
Go to Firewall Objects > Address >
Addresses, and create an internal network
address to be used by the policy.

Adding a security policy that

includes an authentication
rule
Go to Policy > Policy > Policy.
Create a User Identity policy and add an
authentication rule to allow your FSSO group
to access the internet.

286

The FortiGate Cookbook 5.0.7

Results
Go to Log & Report > Traffic Log >
Forward Traffic. When users log into
the Windows AD network, the FortiGate
will automatically poll the domain for their
account information, and record their traffic.
Select an entry for more information.

Fortinet Single Sign-On in Polling Mode for a Windows AD network

287

288

The FortiGate Cookbook 5.0.7

Fortinet Single Sign-On in Polling Mode for a Windows AD network

289

Preventing security certificate warnings when

using SSL inspection
This example illustrates how to prevent your users from getting a security certificate
error, which happens because an SSL session is established with the SSL Proxy,
not the destination website. Instead of having users select Continue when they
receive an error, a bad habit to encourage, you will provide them with the FortiGate
SSL CA certificate to install on their browsers.

1. Enabling Certificate configuration in the web-based

manager.
2. Downloading the Fortinet_CA_SSLProxy.
3. Importing the CA certificate into the web browser.

Certificate

Website

SSL proxy

Certificate

FortiGate

Internal Network

290

The FortiGate Cookbook 5.0.7

Enabling certificate
configuration in the webbased manager
Go to System > Config > Features and
enable Certificates.

Downloading the Fortinet_

CA_SSLProxy
Go to System > Certificates > Local
Certificates to download the Fortinet_CA_
SSLProxy certificate.
Make the CA certificate file available to your
users.

Importing the CA
certificate into the web
browser
For Internet Explorer:

Go to Tools > Internet Options. On the

Content tab, select Certificates and
find the Trusted Root Certification
Authorities.
Import the certificate using the Import
Wizard. Make sure that the certificate is
imported into Trusted Root Certification
Authorities.
You will see a warning because the FortiGate
units certificate is self-signed. It is safe to
select Yes to install the certificate.

Preventing security certificate warnings when using SSL inspection

291

For Firefox:
Depending on platform, go to Tools >
Options or Edit > Preferences and find
the Advanced Encryption settings.

View Certificates, specifically the Authorities

certificate list.

292

The FortiGate Cookbook 5.0.7

Import the Fortinet_CA_SSLProxy certificate file.

Results
Even if you bypass the error message by
selecting Continue to this website, the
browser may still show an error in the toolbar.
After you install the FortiGate SSL CA
certificate, there will be no certificate security
issue when you browse to sites on which
the FortiGate unit performs SSL content
inspection.

Preventing security certificate warnings when using SSL inspection

293

Extra help: Certificates

This section contains tips to help you with some common challenges of using
certificates.
Certificate options do not appear in the GUI.
Go to System > Features > Config and select Show More. Enable the Certificates
feature.

A new certificate must be used.

Go to System > Certificates > Local Certificates and select Import.

A new certificate must be generated.

First, go to System > Certificates > Local Certificates and select Generate. Fill in the
required fields. The certificate must then be either self-signed or signed by a third party.
Finally, import the new certificate.

Certificate warnings appear when users attempt to authenticate.

Go to User & Device > Authentiction > Settings and set Certificate to use the correct
certificate.

The wrong certificate appears when using an SSL-VPN.

Go to VPN > SSL > Config and set Server Certificate to use the correct certificate.

294

The FortiGate Cookbook 5.0.7

Adding FortiToken two-factor authentication to

a user account
Two-factor authentication enhances security because it requires both the user
password - something that the user knows - and a dynamic token code provided by
a FortiToken - something that the user has.

1. Registering FortiToken with a FortiGate unit and FortiGuard.

2. Adding two-factor authentication to the users account.
3. Creating a policy that requires user authentication.

Internet
FortiGuard

FortiGate

Internal user
with FortiToken
or FortiToken Mobile

External user
with FortiToken
or FortiToken Mobile

Internal Network

Adding FortiToken two-factor authentication to a user account

295

Registering FortiToken
with a FortiGate unit and
FortiGuard
Go to User & Device > Two-factor
Authentication > FortiTokens and select
Create New. .Select the Serial Number
field and enter the FortiToken serial number.
If you have several FortiTokens to add, you
can list their serial numbers one per line in
a text file and use the Import function.
Select OK.

FortiOS reports the serial number as

invalid if you mistype it or if it is a
duplicate of one you have already entered.

Wait for the FortiGuard to validate your

FortiTokens serial number. When you first
enter the serial number its status is listed
as Pending. When FortiGuard validates
the serial number, the status changes to
Available.

296

If this FortiToken has already been

registered to another FortiGate unit, the
Status column shows Error.

The FortiGate Cookbook 5.0.7

Adding two-factor
authentication to the users
account
Go to User & Device > User > User
Definition and open the users account for
editing.
Enable Two-factor Authentication and select
the FortiToken from the list. Select OK.

The following steps are only for confirmation.

The list of users (User & Device > User >
User Definition) shows which users have
two-factor authentication enabled.

The FortiTokens list (User & Device > Twofactor Authentication > FortiTokens)
shows that the FortiToken is assigned to a
user.

Adding FortiToken two-factor authentication to a user account

297

Creating a policy that

requires user authentication
Go to Policy > Policy > Policy and create a
User Identity policy with an authentication
rule. This example allows the user tbrown to
access the Internet (WAN1) from the Internal
network (port1).
In this example we just add the user with
the FortiToken to the policy. We could have
added that user to a group and selected
the user group.

Results
When the user tries to access an Internet
web site, the FortiGate unit requests user
name and password authentication:

After successful ID/password authentication,

the FortiGate requests the FortiToken code.
To obtain the token code:
t

hard token: press the button on the

FortiToken device

soft token: use the FortiToken Mobile

smartphone app to obtain the code

298

The FortiGate Cookbook 5.0.7

Using two-factor authentication with IPsec VPN

An IPsec VPN can use two-factor user authentication for enhanced security. In this
example, a remote user uses FortiClient to connect to a private network behind a
FortiGate unit. The FortiGate unit and FortiClient authenticate each other using a
pre-shared key. The user is then authenticated by XAUTH (ID/password), plus a
FortiToken token code.

1. Registering FortiToken with a FortiGate unit and FortiGuard

2. Adding two-factor authentication to the users account
3. Defining an address for the internal network
4. Configuring the VPN on the FortiGate unit.
5. Configuring the VPN in FortiClient
6. Creating a security policy for VPN users
Internet

IPsec

FortiGuard

FortiGate

FortiClient user
with FortiToken
or FortiToken Mobile

Internal Network

Using two-factor authentication with IPsec VPN

299

FortiOS reports the serial number as

invalid if you mistype it or if it is a
duplicate.

Wait for the FortiGuard to validate your

FortiTokens serial number. When you first
enter the serial number, its status is listed
as Pending. When FortiGuard validates
the serial number, the status changes to
Available.

!
300

If this FortiToken has already been

registered to another FortiGate unit, the
Status column shows Error.

The FortiGate Cookbook 5.0.7

Adding two-factor
authentication to the users
account
Go to User & Device > User >
User Definition and open the users
account for editing.
Enable Two-factor Authentication and select
the FortiToken from the list. Select OK.

Defining an address for the

internal network
The VPN configuration and the firewall policy
require a defined address for the Internal
network.
Go to Firewall Objects > Address >
Addresses and select Create New.

Using two-factor authentication with IPsec VPN

301

Configuring the VPN on the

FortiGate unit
Go to VPN > IPsec > Auto Key (IKE) and
select Create VPN Wizard.
Follow the wizard, entering the information
that it requests.

The user group that you select determines

who is allowed to connect to this VPN.

Clients will connect to the FortiGate unit

through the WAN1 interface, which is
connected to the Internet.
Address Range defines the IP address range
to assign to clients.
Select the Accessible Networks for your
clients, by selected the defined firewall
address(es), or select All.

The options on the final wizard page can

make the VPN more convenient to use. They
are disabled by default.

302

The FortiGate Cookbook 5.0.7

Creating a security policy

for VPN users
Go to Policy > Policy > Policy and select
Create New. Enter a policy to enable VPN
users to authenticate and communicate with
the local network.

Using two-factor authentication with IPsec VPN

303

Configuring the VPN in

FortiClient
In the FortiClient Console, select Remote
Access, then select Configure VPN.

If FortiClient has other VPNs configured,

select Add a new connection from the
menu.

Enter the VPN configuration and select OK.

304

The FortiGate Cookbook 5.0.7

Results
In FortiClient console, select Remote Access.
Select the VPN and enter the user name and
password.

After connecting and authenticating by user

name and password, FortiClient requests the
FortiToken code.
Get the code from the FortiToken (hard
token), or FortiToken Mobile app (soft token)
and enter it.
If the token code is correct, the VPN
connects and FortiClient minimizes its
window.

On the FortiGate unit, the VPN > Monitor >

IPsec Monitor page shows the connected
client.

Using two-factor authentication with IPsec VPN

305

Using two-factor authentication with SSL VPN

An SSL VPN can use two-factor user authentication for enhanced security. In this
example, a remote user uses FortiClient to connect to a private network behind a
FortiGate unit. The FortiGate unit and FortiClient authenticate each other using a
pre-shared key. The user is authenticated by User ID/password) plus a FortiToken
token code.

1. Registering FortiToken with a FortiGate unit and FortiGuard

2. Adding two-factor authentication to the users account
3. Defining an address for the internal network
4. Configuring the SSL VPN on the FortiGate unit.
5. Creating a security policy for SSL VPN users

Internet

SSL

FortiGuard

FortiGate

Remote user
with FortiToken
or FortiToken Mobile

Internal Network

306

The FortiGate Cookbook 5.0.7

Registering FortiToken
with a FortiGate unit and
FortiGuard
Go to User & Device > Two-factor
Authentication > FortiTokens and select
Create New. Select the Serial Number
field and enter the FortiToken serial number.
If you have several FortiTokens to add, you
can list their serial numbers one per line in a
text file and use the Import function.

FortiOS reports the serial number as

invalid if you mistype it or if it is a
duplicate.

Wait for the FortiGuard to validate your

FortiTokens serial number. When you first
enter the serial number its status is listed
as Pending. When FortiGuard validates
the serial number, the status changes to
Available.

If this FortiToken has already been

registered to another FortiGate unit, the
Status column shows Error.

Using two-factor authentication with SSL VPN

307

Adding two-factor
authentication to the users
account
Go to User & Device > User >
User Definition and open the users
account for editing.
Select Enable Two-factor Authentication
and then select the FortiToken from the list.
Select OK.

Defining an address for the

internal network
Go to Firewall Objects > Address >
Addresses and select Create New.
The VPN configuration and the firewall policy
require a defined address for the Internal
network.

308

The FortiGate Cookbook 5.0.7

Creating a user group for

SSL VPN users
Go to User & Device > User > User
Groups and create a Firewall type user
group, adding the users who will be
permitted to use the SSL VPN.

Configuring an SSL VPN

web portal
Go to VPN > SSL > Config.
The default encryption will work with typical
browsers.

Using two-factor authentication with SSL VPN

309

Go to VPN > SSL > Portal.

Creating a security policy

for SSL VPN users
Go to Policy > Policy > Policy and select
Create New. Enter a policy to enable VPN
users to authenticate and communicate with
the local network.

310

The FortiGate Cookbook 5.0.7

Results
In a browser, enter the FortiGate IP
address and port 10443. For example
https://172.20.120.123:10443.
If you receive a warning about the certificate
being unrecognized, allow the browser to
continue access.
Enter the user name and password and
then select Login. If the user account has
two-factor authentication enabled, the
FortiToken Code field is added. Obtain
the code from the FortiToken device or
FortiToken Mobile app and enter it. Select
Login again.

You are connected to the SSL VPN portal.

The VPN > Monitor > SSL-VPN Monitor

page shows the connected SSL VPN client.

Using two-factor authentication with SSL VPN

311

Authenticating SSL VPN users using LDAP

This example illustrates how to configure a FortiGate to use LDAP authentication
to authenticate remote SSL VPN users. With a properly configured LDAP server,
user and authentication data can be maintained independently of the FortiGate,
accessed only when a remote user attempts to connect through the SSL VPN
tunnel.
This recipe assumes that the LDAP server is already configured.

1. Registering the LDAP server on the FortiGate

2. Importing LDAP users
3. Creating the SSL VPN user group
4. Creating the SSL address range
5. Configuring the SSL VPN tunnel
6. Creating security policies
7. Results

LDAP

id: twhite
pw: ********

Web Mode
SSL
Tunnel Mode
Remote User

312

FortiGate

Internal Network

The FortiGate Cookbook 5.0.7

Registering the LDAP server

on the FortiGate
Go to User & Device > Authentication >
LDAP Servers and select Create New.
Enter the LDAP Servers FQDN or IP in
Server Name/IP. If necessary, change the
Server Port Number (the default is 389.)
Enter the Common Name Identifier. Most
LDAP servers use cn by default.
In the Distinguished Name field, enter the
base distinguished name for the server, using
the correct X.500 or LDAP format.
Set the Bind Type to Regular, and enter
the LDAP administrators distinguished name
and password for User DN and Password.

Importing LDAP users

Go to User & Device > User > User
Definition, and create a new user, selecting
Remote LDAP User.
Choose your LDAP Server from the
dropdown list.
You will be presented with a list of user
accounts, filtered by the LDAP Filter to
include only common user classes.
If you are using a different objectClass to
identify users on your LDAP server, edit
the filter to show them in the list.

Authenticating SSL VPN users using LDAP

313

Select the users you want to register as

users on the FortiGate, and select Next.
Confirm that the user information has been
imported properly, and select Done.

Creating the SSL VPN user

group
Go to User & Device > User > User
Groups, and create an LDAP user group.
Add all of the user accounts imported from
LDAP to the Members list.
If you have already configured user groups
on the LDAP server, you can use the
Remote Groups menu to import them.

Creating the SSL address

ranges
Go to Firewall Objects > Addresses >
Addresses, and create a new address.
Set the Type to IP Range, and in the
Subnet/IP Range field, enter the range of
addresses you want to assign to SSL VPN
clients. Select Any as the Interface.
Then create another Address for each Subnet
or IP Range within your internal network to
which remote users will connect.

314

The FortiGate Cookbook 5.0.7

Configuring the SSL VPN

tunnel
Go to VPN > SSL > Portal, and select the
plus icon in the upper right to create a new
SSL Portal configuration.
Enable Tunnel Mode, and enable Split
Tunneling. For the IP Pool, select the
address range you created. Enable Web
Mode, and set the options as desired.
Enable Include Bookmarks, and create a
bookmark to access a internal network PC.
In this example, the bookmark is an RDP
connection, for remote desktop access.
By default, SSL authentication expires
after 28800 seconds (8 hours). This limit
can be changed in the CLI:
set auth-timeout

Creating security policies

You will need to create two policies to handle
web mode and tunnel mode SSL traffic.
Go to Policy > Policy > Policy, and create
a new VPN policy to allow the SSL traffic
through to the internal network.
Set the Incoming Interface to your
Internet-facing interface, your Remote
Address to all, your Local Interface to your
internal network interface, and for the Local
Protected Subnet, select the network
access addresses you created.

Authenticating SSL VPN users using LDAP

315

Under Configure SSL-VPN Authentication

Rules, select Create New to create a new
rule to govern SSL traffic.
Set the Group to your SSL VPN group,
select your LDAP user as User, and select
your SSL-VPN Portal from the list.
Configure the logging and security profiles as
needed.

Return to the policy list, and select Create

New again, to create the tunnel mode firewall
policy. Leave the Type as Firewall, and the
Subtype as Address.
Set the Incoming Interface to the SSL VPN
tunnel interface. Set the Source Address
to the VPN users address range. Set the
Outgoing Interface to the internal network
interface, and set the Destination Address
to the internal network addresses that SSL
users will need to reach.
Enable NAT, and configure logging and
security policies as needed.

316

The FortiGate Cookbook 5.0.7

Results
Log into the SSL portal using the LDAP user
credentials. The FortiGate will automatically
contact the LDAP server for verification.

The FortiGate unit performs the host check.

After the check is complete, the SSL portal

appears.

Authenticating SSL VPN users using LDAP

317

Select a bookmark, such as the RDP link, to

begin an RDP session, and connect to a PC
on the internal network.

Go to VPN > Monitor > SSL-VPN to verify

the list of SSL users. The Web Application
description indicates that the user is using
web mode.

Go to Log & Report > Traffic Log >

Forward Traffic to see details about SSL
traffic.

318

The FortiGate Cookbook 5.0.7

In the Tunnel Mode widget, select Connect

to enable the tunnel.

Select the RDP bookmark to begin an RDP

session.

Go to VPN > Monitor > SSL-VPN to verify

the list of SSL users. The Tunnel description
indicates that the user is using tunnel mode.

Authenticating SSL VPN users using LDAP

319

SSL and IPsec VPN

Virtual private networks (VPNs) extend a private network across a public network,
typically the Internet. Two types of VPN can be configured with FortiGate unit: SSL
VPN and IPsec VPN.
SSL VPN configuration requires an SSL VPN web portal for users to log into, a
user authentication configuration for SSL VPN users, and the creation of SSL VPN
security policies that control the source and destination access of SSL VPN users.
IPsec supports a similar client server architecture as SSL VPN. However, to support
a client server architecture, IPsec users must install and configure an IPsec VPN
client (such as FortiClient) on their PCs or mobile devices.
This section contains the following examples:

320

Providing remote users with access using SSL VPN

Connecting an Android to a FortiGate with SSL VPN

Configuring SSL VPN with strong authentication using certificates

Using IPsec VPN to provide communication between offices

Extra help: IPsec VPN

Using policy-based IPsec VPN for communication between offices

Providing secure remote access to a network for an iOS device

Connecting an Android to a FortiGate with IPsec VPN

Configuring a FortiGate unit as an L2TP/IPsec server

Configuring IPsec VPN with a FortiGate and a Cisco ASA

Creating a VPN with overlapping subnets

Using redundant OSPF routing over IPsec VPN

The FortiGate Cookbook 5.0.7

Providing remote users with access using SSL

VPN
This example provides remote users with access to the corporate network using
SSL VPN and connection to the Internet through the corporate FortiGate unit.
During the connecting phase, the FortiGate unit will also verify that the remote
users antivirus software is installed and current.
THE FORTIGATE COOKBOOK

1. Creating an SSL VPN tunnel for remote users

2. Creating a user and a user group
3. Adding an address for the local network
4. Adding security policies for access to the Internet and internal
network
5. Setting the FortiGate unit to verify users have current antivirus
software
6. Results

Internet

SSL Root
Browsing

Remote SSL VPN user

WAN 1
172.20.120.123

FortiGate
Port 1
192.168.1.99/24

Internal Network

Providing remote users with access using SSL VPN

Windows Server
192.168.1.114

321

Creating an SSL VPN tunnel

for remote users
Go to VPN > SSL > Portal.
Edit the full-access portal.
The full-access portal allows the use of
tunnel mode and/or web mode. In this
scenario we are using both modes.

Enable Split Tunneling is not enabled

so that all Internet traffic will go through
the FortiGate unit and be subject to the
corporate security profiles.

Select Create New in the Include

Bookmarks area to add a bookmark for a
remote desktop link/connection.
Bookmarks are used as links to internal
network resources.

322

The FortiGate Cookbook 5.0.7

Creating a user and a user

group
Go to User & Device > User > User
Definition.

THE FORTIGATE COOKBOOK

Add a remote user with the User Creation

Wizard (in the example, twhite).

Go to User & Device > User > User

Groups.
Add the user to a user group for SSL VPN
connections.

Providing remote users with access using SSL VPN

323

Adding an address for the

local network
Go to Firewall Objects > Address >
Addresses.
Add the address for the local network. Set
Type to Subnet, Subnet/ IP Range to the
local subnet, and Interface to an internal
port.

Adding security policies for

access to the Internet and
internal network
Go to Policy > Policy > Policy.
Add a security policy allowing access to
the internal network. Set Type to VPN and
Subtype to SSL-VPN.

If your FortiGate unit does not have the

Policy-based IPsec feature turned on, you
will only have to set Policy Type to VPN.
Set Incoming Interface to your Internetfacing interface, Local Interface to an
internal port and Local Protected Subnet
to the address for the local network. Create
a new Authentication Rule to allow the
remote user group access.

324

The FortiGate Cookbook 5.0.7

Add a second security policy allowing access

to the Internet.

THE FORTIGATE COOKBOOK

For this policy, Incoming Interface is sslvpn

tunnel interface and Outgoing Interface is
your Internet-facing interface.

Setting the FortiGate

unit to verify users have
current antivirus software
Go to System > Status > Dashboard.
In the CLI Console widget, enter the
commands on the right to enable the host to
check for compliant antivirus software on the
remote users computer.

Results
Log into the portal using the credentials you
created in step two.

Providing remote users with access using SSL VPN

325

The FortiGate unit performs the host check.

After the check is complete, the portal

appears.

Select the bookmark Remote Desktop link

to begin an RDP session.

Go to VPN > Monitor > SSL-VPN to verify

the list of SSL users. The Web Application
description indicates that the user is using
web mode.

326

The FortiGate Cookbook 5.0.7

THE FORTIGATE COOKBOOK

Go to Log & Report > Traffic Log >

Forward Traffic and view the details for the
SSL entry.

In the Tunnel Mode widget, select Connect

to enable the tunnel.

Select the bookmark Remote Desktop link

to begin an RDP session.

Go to VPN > Monitor > SSL-VPN to verify

the list of SSL users.
The tunnel description indicates that the user
is using tunnel mode.

Providing remote users with access using SSL VPN

327

Go to Log & Report > Traffic Log >

Forward Traffic and view the details for the
SSL entry.

Go to Log & Report > Traffic Log >

Forward Traffic.
Internet access occurs simultaneously
through the FortiGate unit.

Select an entry to view more information.

328

The FortiGate Cookbook 5.0.7

Connecting an Android to a FortiGate with SSL

VPN
This recipe describes how to provide a group of remote Android users with secure,
encrypted access to the network using FortiClient and SSL VPN.
You must download the FortiClient application from the Play Store and install it on your Android device. Refer to the
FortiClient for Android QuickStart Guide. This recipe was tested using Android version 4.3.

1. Creating an SSL VPN tunnel for remote users

2. Creating a user and a user group
3. Adding an address for the network
4. Adding security policies for access to the Internet and
internal network
5. Configuring the tunnel on FortiClient for Android
6. Results

WAN 1
172.20.120.123
FortiGate

Internet

Port 1
192.168.1.99/24

SSL VPN

Remote User

(Android + FortiClient)

Internal Network
Connecting an Android to a FortiGate with SSL VPN

329

Creating an SSL VPN tunnel

for remote users
Go to VPN > SSL > Portal.
Edit the full-access portal.
The full-access portal allows the use of
tunnel mode and/or web mode. In this
scenario we are using both modes.

Enable Split Tunneling is not enabled

so that all Internet traffic will go through
the FortiGate unit and be subject to the
corporate security profiles.

Select Create New in the Include

Bookmarks area to add a bookmark for a
remote desktop link/connection.
Bookmarks are used as links to internal
network resources.

330

The FortiGate Cookbook 5.0.7

Creating a user and a user

group
Go to User & Device > User > User
Definition.
Add a remote user with the User Creation
Wizard (in the example, twhite).

Go to User & Device > User > User

Groups.
Add the user to a user group for SSL VPN
connections.

Connecting an Android to a FortiGate with SSL VPN

331

Adding an address for the

network
Go to Firewall Objects > Address >
Addresses.
Add the address for the local network. Set
Type to Subnet, Subnet/ IP Range to the
local subnet, and Interface to an internal
port.

Adding security policies for

access to the Internet and
internal network
Go to Policy > Policy > Policy.
Add a security policy allowing access to
the internal network. Set Type to VPN and
Subtype to SSL-VPN.

If your FortiGate unit does not have the

332

The FortiGate Cookbook 5.0.7

Add a second security policy allowing access

to the Internet.
For this policy, Incoming Interface is sslvpn
tunnel interface and Outgoing Interface is
your Internet-facing interface.

Configuring the tunnel on

FortiClient for Android
Open FortiClient on your Android device and
press Settings.

Connecting an Android to a FortiGate with SSL VPN

333

Select Server to configure the server

address.
If you changed the default SSL VPN port in
the FortiGate, you must also change the
Port setting on the Android device.
Otherwise, leave the port as default.

Next, enter the Username and Password

that you configured on the FortiGate.

Return to the main screen and press the

Connect button.
Confirm the server connection and press the
Login button.

334

The FortiGate Cookbook 5.0.7

FortiClient attempts to establish an SSL VPN

tunnel with the FortiGate.

Once the SSL VPN tunnel is active,

FortiClient shows the remote and local
endpoints, and the duration of the current
session.
With the tunnel active, the Android user can
start their phones mail client or web browser
and see content on the protected network.
To close the tunnel, press the Disconnect
button.

On the FortiGate, verify the connection by

navigating to VPN > Monitor > SSL-VPN
and verify the list of SSL users.
The tunnel description indicates that the user
is using tunnel mode.

Connecting an Android to a FortiGate with SSL VPN

335

Go to Log & Report > Traffic Log >

Forward Traffic and view the details for the
SSL entry.

Go to Log & Report > Traffic Log >

Forward Traffic.
Internet access occurs simultaneously
through the FortiGate unit.

Select an entry to view more information.

336

The FortiGate Cookbook 5.0.7

Configuring SSL VPN with strong authentication

using certificates
The FortiGate unit can require SSL VPN users to authenticate using a certificate.
Similarly, the client can require the FortiGate unit to authenticate using a certificate.
The client browser must have a local certificate installed, and the FortiGate unit
must have the corresponding CA certificate installed.
This example includes requiring client authentication as well as enabling FortiGate
unit authentication.
This example assumes that the correct CA certificate is installed on the FortiGate, and that the client browser has a
corresponding local certificate.

1. Creating an SSL VPN tunnel for remote users

2. Creating a user and a user group
3. Adding an address for the local network
4. Adding security policies for access to the Internet and
internal network
5. Configuring the SSL VPN server certificate
6. Results
Remote SSL VPN user
Internet

Internal Network

WAN 1
172.20.120.123

Client certificate
stored in browser
Certificates
must correspond

Port 1 FortiGate Certificate Authority

stored in FortiGate
192.168.1.99/24
Configuring SSL VPN with strong authentication using certificates

337

Creating an SSL VPN tunnel

for remote users
Go to VPN > SSL > Portal.
Edit the full-access portal.
The full-access portal allows the use of
tunnel mode and/or web mode. In this
example you will use both modes.

Enable Split Tunneling is not enabled

so that all Internet traffic will go through
the FortiGate unit and be subject to the
corporate security profiles.

Creating a user and a user

group
Go to User & Device > User > User
Definition.
Add a remote user with the User Creation
Wizard (in the example, twhite).

338

The FortiGate Cookbook 5.0.7

Go to User & Device > User > User

Groups.
Add the user to a user group for SSL VPN
connections.

Adding an address for the

local network
Go to Firewall Objects > Address >
Addresses.
Add the address for the local network. Set
Type to Subnet, Subnet/ IP Range to the
local subnet, and Interface to an internal
port.

Adding security policies for

access to the Internet and
internal network
Go to Policy > Policy > Policy.
Add a security policy allowing access to
the internal network. Set Type to VPN and
Subtype to SSL-VPN.
Set Incoming Interface to your Internetfacing interface, Local Interface to an
internal port and Local Protected Subnet
to the address for the local network.
Create a new Authentication Rule to allow
the remote user group access.
Enable SSL Client Certificate Restrictive.

Configuring SSL VPN with strong authentication using certificates

339

You must enable the SSL Client

Certificate Restrictive checkbox
or certificates will not be required for the
tunnel.

Add a second security policy allowing access

to the Internet.
For this policy, Incoming Interface is sslvpn
tunnel interface and Outgoing Interface is
your Internet-facing interface.

Configuring the SSL VPN

server certificate
Go to VPN > SSL > Config.
Select the desired server certificate and
enable Require Client Certificate.

You must enable the Require Client

Certificate checkbox or certificates
will not be required for the tunnel.

Optionally, set the Encryption Key

Algorithm, Idle Timeout, and Login Port
as desired.

Results
On the remote client, attempt to connect to
the SSL VPN tunnel using a web browser or
FortiClient.

340

The FortiGate Cookbook 5.0.7

Using a web browser

Enter the tunnel IP into your web browsers
address bar.
If the client certificate has not yet been
installed in the browser, you will be prompted
by a warning message.
If you are absolutely certain that this is the
IP you wish to connect to, click Proceed
anyway to accept the certificate. Otherwise,
click Back to safety (these options may
vary from browser to browser).
Once the browser acknowledges the
FortiGate certificate, you will be presented
with a web portal login screen.
Enter the username and password
associated with the VPN and click Login.
The web portal opens and displays the
session information and any bookmarks that
may have been assigned.

Use this portal to connect to the SSL VPN

tunnel. Under Tunnel Mode, click Connect.
The connection is successful when the Link
status is Up and traffic flows.

Configuring SSL VPN with strong authentication using certificates

341

Using FortiClient
Open the FortiClient application and create a
new SSL VPN connection.
When connecting to this tunnel the first time,
you are presented with a security alert asking
whether or not to trust the certificate.

To install the certificate permanently, click

View Certificate > Install Certificate.
Follow the Certificate Import Wizard. Click
Next.

342

The FortiGate Cookbook 5.0.7

When the wizard asks you which store

to place the certificate in, browse to and
select the Trusted Root Certification
Authorities store.

Click Next, confirm the import options, and

click Finish. The wizard will inform you that
the certificate imported successfully.

Click OK until you are back at the security

alert and click Yes.
The tunnel should now activate.
The next time you connect to this tunnel you
wont need to reimport the certificate, unless
of course you imported it incorrectly the first
time.

Configuring SSL VPN with strong authentication using certificates

343

Using IPsec VPN to provide communication

between offices
This example provides secure, transparent communication between two FortiGates
located at different offices using route-based IPsec VPN. In this example, one office
will be referred to as HQ and the other will be referred to as Branch.

1. Configuring the HQ IPsec VPN

2. Adding firewall addresses for the local and remote LAN on HQ
3. Creating an HQ security policy and static route
4. Configure the Branch IPsec VPN Phase 1 and Phase 2
settings
5. Add Branch firewall addresses for the local and remote LAN
6. Create a branch IPsec security policy and static route
7. Results
WAN 1
172.20.120.123
FortiGate
(HQ)

IPsec

Port 1
192.168.1.99/24

Internal
Network (HQ)

344

WAN 1
172.20.120.22
Internet

FortiGate
(Branch)
LAN
10.10.1.99/24

Internal
Network (Branch)

The FortiGate Cookbook 5.0.7

Configuring the HQs IPsec

VPN
On the HQ FortiGate, go to VPN > IPsec >
Auto Key (IKE).
Select Create Phase 1. Set IP Address
to the IP of the Branch FortiGate, Local
Interface to the Internet-facing interface,
and enter a Pre-shared Key.

Using IPsec VPN to provide communication between offices

345

Now select Create Phase 2, set it to use

the new Phase 1, and expand the Advanced
options.
Specify Source address as the HQ subnet
and Destination address as the Branch
subnet.

Adding firewall addresses

for the local and remote
LAN on HQ
Go to Firewall Objects > Address >
Addresses.
Create a local address. Set Type to Subnet,
Subnet/IP Range to the HQ subnet, and
Interface to an internal port.

346

The FortiGate Cookbook 5.0.7

Create a remote LAN address. Set Type to

Subnet, Subnet/IP Range to the Branch
subnet, and Interface to the VPN Phase 1.

Creating an HQ security
policy and static route.
Go to Policy > Policy > Policy.
Create a policy for outbound traffic. Set
Incoming Interface to an internal port,
Source Address to the local address,
Outgoing Interface to the VPN Phase 1,
and Destination Address to the remote
LAN address.

Create a second policy for inbound traffic.

Set Incoming Interface to the VPN phase
1, Source Address to the local address,
Outgoing Interface to an internal port, and
Destination Address to the local address.

Using IPsec VPN to provide communication between offices

347

Go to Router > Static > Static Routes.

Create a route for IPsec traffic, setting
Device to the VPN Phase 1.

If the Router menu is not visible, go to

System > Config > Features to ensure
that Advanced Routing is turned on.

Configuring the Branchs

IPsec VPN
One the Branch FortiGate, Go to VPN >
IPsec > Auto Key (IKE).
Select Create Phase 1. Set IP Address to
the IP of the HQ FortiGate, Local Interface
to the Internet-facing interface, and enter the
same Pre-shared Key used previously.

348

The FortiGate Cookbook 5.0.7

Now select Create Phase 2, set it to use

the new Phase 1, and expand the Advanced
options.
Specify Source address as the Branch
subnet and Destination address as the HQ
subnet.

Adding firewall addresses

for the local and remote
LAN on HQ
Go to Firewall Objects > Address >
Addresses.
Create a local address. Set Type to Subnet,
Subnet/IP Range to the Branch subnet,
and Interface to an internal port.

Using IPsec VPN to provide communication between offices

349

Create a remote LAN address. Set Type

to Subnet, Subnet/IP Range to the HQ
subnet, and Interface to the VPN Phase 1.

Create a second policy for inbound traffic.

Set Incoming Interface to the VPN
phase 1, Source Address to the local
address, Outgoing Interface to an internal
port, and Destination Address to the local
address.

350

The FortiGate Cookbook 5.0.7

Go to Router > Static > Static Routes.

Create a route for IPsec traffic, setting
Device to the VPN Phase 1.

Results
Go to VPN > Monitor > IPSec Monitor to
verify the status of the VPN tunnel. It should
be up.
A user on either of the office networks should
be able to connect to any address on the
other office network transparently.
From the HQ FortiGate unit go to Log &
Report > Traffic Log > Forward Traffic to
verify that both inbound and outbound traffic
is occurring.

To verify traffic on the Branch FortiGate unit

as well, go to Log & Report > Traffic Log >
Forward Traffic.

Using IPsec VPN to provide communication between offices

351

Extra help: IPsec VPN

This section contains tips to help you with some common challenges of IPsec VPNs.

The options to configure policy-based IPsec VPN are unavailable.

Go to System > Config > Features. Select Show More and turn on Policy-based IPsec
VPN.

The VPN connection attempt fails.

If your VPN fails to connect, check the following:
t Ensure that the pre-shared keys match exactly.
t Ensure that both ends use the same P1 and P2 proposal settings.
t Ensure that you have allowed inbound and outbound traffic for all necessary network
services, especially if services such as DNS or DHCP are having problems.
t Check that a static route has been configured properly to allow routing of VPN traffic.
t Ensure that your FortiGate unit is in NAT/Route mode, rather than Transparent.
t Check your NAT settings, enabling NAT traversal in the Phase 1 configuration while
disabling NAT in the security policy.
t Ensure that both ends of the VPN tunnel are using Main mode, unless multiple dial-up
tunnels are being used.
t If you have multiple dial-up IPsec VPNs, ensure that the Peer ID is configured properly
on the FortiGate and that clients have specified the correct Local ID.
t If you are using FortiClient, ensure that your version is compatible with the FortiGate
firmware by reading the FortiOS Release Notes.
t Ensure that the Quick Mode selectors are correctly configured. If part of the setup
currently uses firewall addresses or address groups, try changing it to either specify the
IP addresses or use an expanded address range.

352

The FortiGate Cookbook 5.0.7

t If XAUTH is enabled, ensure that the settings are the same for both ends, and that the
FortiGate unit is set to Enable as Server.
t If your FortiGate unit is behind a NAT device, such as a router, configure port forwarding
for UDP ports 500 and 4500.
t Remove any Phase 1 or Phase 2 configurations that are not in use. If a duplicate
instance of the VPN tunnel appears on the IPsec Monitor, reboot your FortiGate unit to
try and clear the entry.
If you are still unable to connect to the VPN tunnel, run the diagnostic command in the CLI:
diag debug application ike -1
diag debug enable
The resulting output may indicate where the problem is occurring. When you are finished,
disable the diagnostics by using the following command:
diag debug reset
diag debug disable

The VPN tunnel goes down frequently.

If your VPN tunnel goes down often, check the Phase 2 settings and either increase the
Keylife value or enable Autokey Keep Alive.

353

Using policy-based IPsec VPN for communication

between offices
This example uses policy-based IPsec VPN, and assumes that both offices have
connections to the Internet with static IP addresses. In this example, one FortiGate
unit will be called HQ and the other will be called Branch.

1. Enabling policy-based VPN on the HQ FortiGate unit

2. Configuring the HQ IPsec VPN Phase 1 and Phase 2 settings
3. Adding the HQ firewall addresses for the local and remote LAN
4. Creating an HQ IPsec security policy
5. Configuring the Branch IPsec VPN Phase 1 and Phase 2 settings
6. Adding Branch firewall addresses for the local and remote LAN
7. Creating a branch IPsec security policy
8. Results

wan1
172.20.120.123
FortiGate
port1
192.168.1.99/24

Internal
Network (HQ)

354

IPsec

port3
172.20.120.141
Internet

FortiGate
port4
10.10.1.99/24

Internal
Network (Branch)

The FortiGate Cookbook 5.0.7

Enabling policy-based VPN on

the HQ FortiGate unit
Go to System > Config > Features. Select
Show More and turn on Policy-based
IPsec VPN.

Configuring the HQ IPsec

VPN Phase 1 and Phase 2
settings
Go to VPN > IPsec > Auto Key (IKE).
Select Create Phase 1. Set IP Address
to the IP of the Branch FortiGate, Local
Interace to the Internet-facing interface, and
enter a Pre-shared Key.

Using policy-based IPsec VPN for communication between offices

355

Now select Create Phase 2, set it to use

the new Phase 1, and expand the Advanced
options.
Specify Source address as the HQ subnet
and Destination address as the Branch
subnet.

Adding HQ addresses for the

local and remote LAN on the
HQ FortiGate unit
Go to Firewall Objects > Address >
Address.
Create a local address. Set Type to Subnet,
Subnet/IP Range to the HQ subnet, and
Interface to an internal port.

356

The FortiGate Cookbook 5.0.7

Create a remote LAN address. Set Type to

Subnet, Subnet/IP Range to the Branch
subnet, and Interface to the Internet-facing
interface.

Creating an HQ IPsec
security policy
Go to Policy > Policy > Policy.
Create a new policy. Set Type to VPN and
Subtype to IPsec. Configure the policy to
allow traffic from the local interface to pass
through the outgoing VPN interface (in the
example, wan1) using the VPN tunnel created
in Phase 1.
When the policy is created, ensure that it is
placed at the top of the policy list by clicking
on the policy sequence number and dragging
the row to the top of the policy table.

Using policy-based IPsec VPN for communication between offices

357

Configuring the Branch

IPsec VPN Phase 1 and Phase
2 settings
Go to VPN > IPsec > Auto Key (IKE).
Select Create Phase 1. Set IP Address to
the IP of the HQ FortiGate, Local Interace
to the Internet-facing interface, and enter
the same Pre-shared Key used in the HQ
Phase 1.

Select Create Phase 2, set it to use the

new Phase 1, and expand the Advanced
options.
Specify Source address as the Branch
subnet and Destination address as the HQ
subnet.

358

The FortiGate Cookbook 5.0.7

Adding Branch addresses

for the local and remote
LAN on the HQ FortiGate
unit
Go to Firewall Objects > Address >
Address.
Create a local address. Set Type to Subnet,
Subnet/IP Range to the Branch subnet,
and Interface to an internal port.

Create a remote LAN address. Set Type

to Subnet, Subnet/IP Range to the HQ
subnet, and Interface to the Internet-facing
interface.

Using policy-based IPsec VPN for communication between offices

359

Creating a Branch IPsec

security policy
Go to Policy > Policy > Policy.
Create a new policy. Set Type to VPN and
Subtype to IPsec. Configure the policy to
allow traffic from the local interface to pass
through the outgoing VPN interface (in the
example, wan1) using the VPN tunnel created
in Phase 1.
When the policy is created, ensure that it is
placed at the top of the policy list by clicking
on the policy sequence number and dragging
the row to the top of the policy table.

From the Branch FortiGate unit go to Log &

Report > Traffic Log > Forward Traffic.

360

The FortiGate Cookbook 5.0.7

Providing secure remote access to a network

for an iOS device
This recipe uses the VPN Wizard to provide a group of remote iOS users with
secure, encrypted access to the corporate network. The example enables group
members to access the internal network and forces them through the FortiGate unit
when accessing the Internet. The example uses an iPad 2 running iOS 6.1.2 (menu
options may vary for different iOS versions and devices).
1. Creating a user group for iOS users
2. Adding addresses for the local LAN and remote users
3. Configuring IPsec VPN phases using the VPN Wizard
4. Creating security policies for access to the internal network and
the Internet
5. Configuring VPN on the iOS device
6. Results

WAN 1
172.20.120.123
FortiGate
Port 1
192.168.1.99/24

Internal Network

Internet

IPsec

Remote User
(iPad)

Creating a user group for

iOS users
Go to User & Device > User > User
Definition.
Create a new user.

Go to User & Device > User > User

Groups.
Create a user group for iOS users and add
the user you created.

Adding addresses for the

local LAN and remote users
Go to Firewall Objects > Address >
Addresses.
Add the address for the local network,
including the subnet and local interface.

362

The FortiGate Cookbook 5.0.7

Go to Firewall Objects > Address >

Addresses.
Add the address for the remote user,
including the IP range.

Configuring the IPsec VPN

phases using the VPN Wizard
Go to VPN > IPSec > Auto Key (IKE).
Select Create VPN Wizard. Name the VPN
connection and select Dial Up - iPhone /
iPad Native IPsec Client. Click Next.

Enter your pre-shared key and select the iOS

user group, then click Next. Note that the
pre-shared key is a credential for the VPN
and should differ from the users password.

Select your Internet-facing interface for the

Local Outgoing Interface, and enter the IP
range from the address range you created.

Providing secure remote access to a network for an iOS device

363

Assigning an IP to the VPN

interface (optional)
If you wish to control the IP address that will
be assigned to any traffic egressing over the
IPsec interface, you can assign an IP to the
interface.
Go to System > Network > Interfaces.
Expand your Internet-facing interface and
edit the VPN interface.
Assign the IP and Remote IP addresses.
These addresses should not be related to
the IPs used for the internal network or the
Internet-facing interface.

Creating security policies

for access to the internal
network and the Internet
Go to Policy > Policy > Policy.
Create a security policy allowing remote iOS
users to access the internal network.

364

The FortiGate Cookbook 5.0.7

Go to Policy > Policy > Policy.

Create a security policy allowing remote iOS
users to access the Internet securely through
the FortiGate unit. Ensure that Enable NAT
is checkmarked.

Configuring VPN on the iOS

device
On the iPad, go to Settings > General >
VPN and select Add VPN Configuration.

Enter the VPN address, user account, and

password in their relevant fields. Enter the
pre-shared key in the Secret field.

In order to connect to the VPN tunnel, a

Group Name may be required. If you are
unable to connect, add this field to the
VPN client to determine if the blank field is
the cause.

Providing secure remote access to a network for an iOS device

365

Results
On the FortiGate unit, go to VPN >
Monitor > IPsec Monitor and view the
status of the tunnel.

Users on the internal network will be

accessible using the iOS device.
Go to Log & Report > Traffic Log >
Forward Traffic to view the traffic.

Select an entry to view more information.

Remote iOS users can also access the

Internet securely via the FortiGate unit.
Go to Log & Report > Traffic Log >

366

The FortiGate Cookbook 5.0.7

Forward Traffic to view the traffic.

Select an entry to view more information.

View the status of the tunnel on the iOS

device.
On the iPad, go to Settings > General >
VPN and view the Status of the connection.

Providing secure remote access to a network for an iOS device

367

Using a Ping tool, send a ping packet

directly to an IP address on the LAN behind
the FortiGate unit to verify the connection
through the VPN tunnel..

368

The FortiGate Cookbook 5.0.7

Connecting an Android to a FortiGate with IPsec

VPN
This recipe describes how to provide a group of remote Android users with secure,
encrypted access to the network using FortiClient.
You must download the FortiClient application from the Play Store and install it on your Android device. Refer to the
FortiClient for Android QuickStart Guide. This recipe was tested using Android version 4.3.

1. Creating a user group for Android users

2. Adding firewall addresses for the user group and DMZ
network
3. Configuring the FortiGate as an L2TP server
4. Configuring IPsec VPN using the VPN Wizard
5. Assigning an IP to the VPN interface (optional)
6. Creating a security policy for access to the internal network
and the Internet
7. Configuring VPN on the Android device using FortiClient
8. Results
WAN 1
172.20.120.123
FortiGate

Internet

Port 1
192.168.1.99/24

IPsec

Remote User

(Android + FortiClient)

Internal Network
Connecting an Android to a FortiGate with IPsec VPN

369

Creating a user group for

Android users
Go to User & Device > User > User
Definition and select Create new to start
the user creation wizard.
Add a user for each remote client, specifying
the user type and login credentials.
Provide extra information as required and
press OK.

Go to User & Device > User > User

Groups.
Create a user group for Android users and
add the users you created.

Adding firewall addresses

for the Android user group
and the DMZ network
Go to Firewall Objects > Address >
Addresses.
Select Create New and add a firewall
address for the Android users.

370

The FortiGate Cookbook 5.0.7

Go to Firewall Objects > Address >

Addresses.
Select Create New and add a firewall
address for the DMZ network.

Configuring the FortiGate

as an L2TP server
Go to System > Dashboard > Status and
enter the following in the CLI Console:

set
set
set
set

sip 192.168.1.90
eip 192.168.1.99
status enable
usrgrp Android_Users

end

Configuring IPsec VPN using

the VPN Wizard
Go to VPN > IPSec > Auto Key (IKE) and
select Create VPN Wizard.
Select Dial Up - FortiClient Windows,
Mac and Android and follow the wizard,
entering the information that it requests.

Connecting an Android to a FortiGate with IPsec VPN

371

The user group that you select determines

who is allowed to connect to this VPN.
Enter the pre-shared key that will also be
used on the Android device.

Clients will connect to the FortiGate unit

through the WAN1 interface, which is
connected to the Internet.
Address Range defines the IP address
range to assign to clients.

The options on the final wizard page can

make the VPN more convenient to use. They
are disabled by default.

Go to VPN > IPsec > Auto Key (IKE) and

edit the AndroidVPN Phase 1.
Set 1 - Encryption to AES128 with SHA1
authentication.
Set 2 - Encryption to 3DES with SHA1
authentication.

372

The FortiGate Cookbook 5.0.7

Go to VPN > IPsec > Auto Key (IKE) and

edit the Android VPN Phase 2.
Set 1 - Encryption to AES128 with SHA1
authentication.
Set 2 - Encryption to 3DES with SHA1
authentication.
Enable Perfect Forward Secrecy (PFS)
and set Keylife to 3600 seconds.

Assigning an IP to the VPN

Connecting an Android to a FortiGate with IPsec VPN

373

Creating a security policy

for access to the internal
network and the Internet
Go to Policy > Policy > Policy.
Create a security policy allowing remote
Android users to access the internal network.
The source interface is the AndroidVPN
interface.

Configuring VPN using

FortiClient on the Android
device
On your Android device, open FortiClient and
select Add IPsec VPN.
Enter an account name for the IPsec account
and press OK.

374

The FortiGate Cookbook 5.0.7

The IPsec settings menu appears.

Begin by configuring the Phase 1 and Phase

2 encryption and authentication settings to
match those of the FortiGate

Under Server Settings > Network

Settings, enter the address of the FortiGate
interface that is connected to the Internet.
Under Server Settings > Authentication
Settings, enter the pre-shared key that you
created during Phase 1 configuration on the
FortiGate.

Connecting an Android to a FortiGate with IPsec VPN

375

Results
In FortiClient, access the newly created
VPN and enter the assigned username and
password, then press Connect.

As the FortiClient attempts to connect to the

VPN, a warning message prompts you to
trust the application.

376

The FortiGate Cookbook 5.0.7

Once the FortiClient connects to the VPN,

a connection status window indicates the
traffic flow and duration of the connection.
If there are problems connecting, check the
event log on the FortiGate unit by going to
Log & Report > Log Access > Event Log.
The logs will show if the connection was
successful. You can also use the following
command to get more details about where
the connection attempt failed:

The output can indicate something as simple

as a pre-shared key mismatch, caused by
the Android user entering the password
incorrectly.

To verify that the tunnel has come up, go to

VPN > Monitor > IPsec Monitor.
The AndroidVPN tunnel should appear in the
list.

Connecting an Android to a FortiGate with IPsec VPN

377

Configuring a FortiGate unit as an L2TP/IPsec

server
The FortiGate implementation of L2TP enables a remote dialup client to establish
an L2TP/IPsec tunnel with the FortiGate unit directly. Creating an L2TP/IPsec tunnel
allows remote users to connect to a private computer network in order to securely
access their resources. For the tunnel to work you must configure a remote client to
connect using an L2TP/IPsec VPN connection. This recipe is designed to work with
a remote Windows 7 L2TP client.
The FortiGate unit must be operating in NAT/Route mode and have a static public IP address.

1. Creating an L2TP user and user group

2. Enabling L2TP on the FortiGate
3. Configuring the L2TP/IPsec phases
4. Creating a security policy for access to the internal network
and the Internet
5. Configuring a remote Windows 7 L2TP client
6. Results
WAN 1
FortiGate

L2TP/IPsec

Port 1

Internet

L2TP/IPsec

Remote Windows 7
L2TP Client

Internal Network
378

The FortiGate Cookbook 5.0.7

Creating an L2TP user and

user group
Go to User & Device > User > User
Definition.
Create a new L2TP user for each remote
client.

Go to User & Device > User > User

Groups.
Create a user group for L2TP users and add
the users you created.

Enabling L2TP on the

FortiGate
Enable L2TP on the FortiGate and assign an
IP range for L2TP users.
Go to System > Dashboard > Status >
CLI Console and enter the CLI commands
shown here.
The sip indicates the starting IP in the IP
range. The eip indicates the ending IP in the
IP range.

Configuring a FortiGate unit as an L2TP/IPsec server

set
set
set
set

sip 192.168.10.1
eip 192.168.10.101
status enable
usrgrp L2TP_users

end

379

Configuring the L2TP/IPsec

phases
On the FortiGate, go to VPN > IPsec > Auto
Key (IKE).
Select Create Phase 1. Set IP Address
to the IP of the FortiGate, Local Interface
to the Internet-facing interface, and enter a
Pre-shared Key.

Enable all of the DH Groups and disable

Dead Peer Detection.

When you are finished with Phase 1, select

Create Phase 2. Name it appropriately and
set it to use the new L2TP Phase 1.
Expand the Advanced options and specify
a suitable Keylife. For example, 3600
seconds and 250000 KBytes.

380

The FortiGate Cookbook 5.0.7

Go to System > Dashboard > Status >

CLI Console. In the CLI Console widget,
edit the Phase 2 encapsulation mode using
the CLI commands shown here.

edit L2TP_P2
set encapsulation transport-mode
end

Creating a security policy

for access to the internal
network and the Internet
To ensure that policy-based IPsec VPN
is enabled, go to System > Config >
Features, set Policy-based IPsec VPN to
be turned on, and click Apply.

Go to Policy > Policy > Policy.

Create an IPsec VPN security policy
allowing remote L2TP users to access the
internal network.
Since L2TP is encapsulated on the data
link layer, only one policy is required for
incoming requests to WAN1.
Set both the Local Interface and the
Outgoing VPN Interface to wan1.
Set both the Local Protected Subnet and
the Remote Protected Subnet to all.
Next to VPN Tunnel, select L2TP and Allow
traffic to be initiated from the remote
site.

Configuring a FortiGate unit as an L2TP/IPsec server

381

Configuring a remote
Windows 7 L2TP client
To connect to the FortiGate using L2TP, the
remote client must be configured for L2TP/
IPsec. The following configuration was tested
on a PC running Windows 7.
On the Windows PC, create a new VPN
connection.
Right-click on the new connection and select
Properties, then modify the connection with
the settings shown.
The Host name is the wan1 interface of the
FortiGate unit that is acting as the L2TP/
IPsec server.

Under the Options tab, enable LCP

extensions.

382

The FortiGate Cookbook 5.0.7

Under the Security tab, set the Type of

VPN to Layer 2 Tunneling Protocol with
IPsec (L2TP/IPsec).
Ensure that you allow only Unencrypted
password (PAP) protocol. Disable other
protocols.

Click Advanced Settings and enter the

pre-shared key you created in the Phase 1
configuration on the FortiGate.

Configuring a FortiGate unit as an L2TP/IPsec server

383

Results
On the remote users PC, connect to the
Internet using the L2TP/IPsec connection
you created.
Enter the L2TP users credentials and click
Connect.

Verify the connection in the GUI by

navigating to VPN > Monitor > IPsec
Monitor.
You can view more detailed information
in the event log. Go to Log & Report >
Event Log > VPN.

384

The FortiGate Cookbook 5.0.7

Select an entry to view the connection

details, including IPSec Local IP, IPSec
Remote IP, VPN Tunnel type, User, and
more.
The IPSec Remote IP shown here should
match the Remote Gateway shown under
VPN > Monitor > IPsec Monitor.

Configuring a FortiGate unit as an L2TP/IPsec server

385

Configuring IPsec VPN with a FortiGate and a

Cisco ASA
The following recipe describes how to configure a site-to-site IPsec VPN tunnel.
In this example, one site is behind a FortiGate and another site is behind a Cisco
ASA. Using FortiOS 5.0 and Cisco ASDM 6.4, the example demonstrates how to
configure the tunnel between each site, avoiding overlapping subnets, so that a
secure tunnel can be established with the desired security profiles applied. The
procedure assumes that both devices are configured with appropriate internal and
external interfaces.
1. Configuring the Cisco device using the IPsec VPN Wizard
2. Configuring the FortiGate tunnel phases
3. Configuring the FortiGate policies
4. Configuring the static route in the FortiGate
5. Results

Site 1
FortiGate
LAN

386

Site 2
IPsec VPN

Internet

IPsec VPN

CISCO ASA
LAN

The FortiGate Cookbook 5.0.7

Configuring the Cisco

device using the IPsec VPN
Wizard
In the Cisco ASDM, under the Wizard menu,
select IPsec VPN Wizard.

From the options that appear, select Site-tosite, with the VPN Tunnel Interface set to
outside, then click Next.

In the Peer IP Address field, enter the IP

address of the FortiGate unit through which
the SSL VPN traffic will flow.
Under Authentication Method, enter a
secure Pre-Shared Key. You will use the
same key when configuring the FortiGate
tunnel phases. Choose something more
secure than Password.
When you are satisfied, click Next.

Configuring IPsec VPN with a FortiGate and a Cisco ASA

387

The next steps in the IPsec VPN Wizard is to

establish the tunnel phases 1 and 2.
The encryption settings established here
must match the encryption settings
configured later in the FortiGate.
Configure Phase 1 with AES-256
Encryption and SHA Authentication.
Set the Diffie-Hellman Group to 5.

Configure Phase 1 with AES-256

Encryption and SHA Authentication.
Enable PFS and set the Diffie-Hellman
Group to 2.
Click Next.

Set the Local Network and Remote

Network.

Click Next and review the configuration

before you click Finish.
The tunnel configuration on the Cisco ASA
is complete. Now you must configure the
FortiGate with similar settings, except for the
remote gateway.

388

The FortiGate Cookbook 5.0.7

Configuring the FortiGate

tunnel phases
In the FortiOS GUI, navigate to VPN >
IPsec > Auto Key (IKE) and select Create
Phase 1.
Name the tunnel, statically assign the IP
Address of the remote gateway, and set the
Local Interface to wan1.
Select Preshared Key for Authentication
Method and enter the same preshared key
you chose when configuring the Cisco IPsec
VPN Wizard.
Configure this phase to match the encryption
settings configured on the Cisco device and
click OK.

Select Create Phase 2.

Identify Phase 1, which you just configured,
and ensure that the encryption settings
match the Phase 2 encryption settings
configured on the Cisco device.
Optionally, under Quick Mode Selector,
specify the Source address and
Destination address at the endpoints of
the tunnel.

Configuring IPsec VPN with a FortiGate and a Cisco ASA

389

Configuring the FortiGate

policies
Navigate to Policy > Policy > Policy and
create firewall policies that allow inbound
and outbound traffic over the tunnel.
In the first (outbound) policy, set the
Incoming Interface to lan and set the
Source Address to all.
Set the Outgoing Interface to the tunnel
interface and set the Destination Address
to all. Configure the Schedule and Service
as desired.
Create the second (inbound) policy to allow
traffic to flow in the opposite direction, and
configure the Schedule and Service as
desired.

Configuring the static route

in the FortiGate
Navigate to Router > Static > Static
Routes and select Create New.
Create a static route with the Destination
IP/Mask matching the address of the Cisco
local network (by default, 192.168.1.0).
Under Device, select the site-to-site tunnel,
and click OK.

390

The FortiGate Cookbook 5.0.7

Results
The tunnel should now be active. On the
FortiGate, verify that the tunnel is up by
navigating to VPN > Monitor > IPsec
Monitor.
The IPsec Monitor table will indicate the
source and destination addresses, and the
status of the tunnel (up or down) and its
uptime.
For more detailed tunnel information, go to
Log & Report > Event Log > VPN and
view the table.

Select the tunnel entry in the table to view

the information in greater detail.

Configuring IPsec VPN with a FortiGate and a Cisco ASA

391

Creating a VPN with overlapping subnets

This recipe describes how to construct a VPN connection between two networks
with overlapping IP addresses in such a way that traffic will be directed to the
correct address on the correct network, using Virtual IP addresses and static routes.

1. Creating VPN tunnels between the two FortiGate units

2. Adding the virtual IP range and address
3. Creating inbound and outbound security policies
4. Configuring static routes
5. Repeat the steps on FGT2
6. Results

Internet
Port 2
172.16.20.1

FGT_1
Port 1

Network_1
10.11.101.0/24
(VIP 10.21.101.0/24)
392

Port 2
172.16.30.1
IPsec
FGT1_to_FGT2
VPN Tunnel

FGT_2
Port 1

Network_2
10.11.101.0/24
(VIP 10.31.101.0/24)
The FortiGate Cookbook 5.0.7

Creating VPN tunnels

between the two FortiGates
Go to VPN > IPsec > Auto Key (IKE).
Select Create Phase 1, and set the
IP Address to the address used by the
Internet-facing interface of FGT_2. Set the
Local Interface to your Internet-facing
interface, and enter a Pre-shared Key.

Then create the Phase 2, selecting your

Phase 1 from the list.

Adding the virtual IP range

and address
Go to Firewall Objects > Virtual IPs >
Virtual IPs.
You will need to create a Virtual IP range
that will be used to redirect the traffic to the
correct subnet. Give the VIP an appropriate
name, and set the IPsec tunnel interface as
the External Interface.
Set the External IP Address to a range
in the subnet youll be redirecting from
(10.21.101.1-10.21.101.254) and the
Mapped IP address to the internal network
range (10.11.101.1-10.11.101.254).

Creating a VPN with overlapping subnets

393

Now go to Firewall Objects > Address >

Addresses.
Create a new address, setting the Type to IP
Range, and entering the VIP range of FGT2
(10.31.101.1-10.31.101.254).

Creating inbound and

outbound security policies
Go to Policy > Policy > Policy.
Create a firewall policy to handle outbound
VPN traffic, with the network-facing interface
as the Incoming Interface, and the IPsec
interface as Outgoing. Set the Destination
Address to the VIP Address Range. Enable
NAT.

Create a second security policy to handle

inbound VPN traffic, with the IPsec interface
as the Incoming Interface, network-facing
interface as Outgoing, and your VIP range
as the Destination Address. Disable NAT.

394

The FortiGate Cookbook 5.0.7

Configuring static routes

Go to Router > Static > Static Routes.
Create a new Static Route, with the
Destination IP as 10.31.101.0/24. For your
Device, select your FGT1_to_FGT2 VPN
interface. Set Distance to lower than the
default of 10 to prioritize this route.

Repeat these steps on FGT2

First, create the Phase 1 on FGT_2, using
FGT_1s Internet-facing interface IP for
the Phase 1 IP Address, and the FGT_2s
Internet-facing interface as Local Interface.

Create the Phase 2 for FGT_2.

Creating a VPN with overlapping subnets

395

Create the VIP Range, setting the IPsec

tunnel interface as the External Interface,
the External IP Address to the intended
local VIP range (10.31.101.1-10.31.101.254)
and the Mapped IP Address to the internal
network range (10.11.101.1-10.11.101.254).

Create the address range, setting the Type

to IP Range, and entering the VIP range of
FGT1 (10.21.101.1-10.21.101.254).

Create the two firewall policies to handle

outbound and inbound VPN traffic.
For the outbound policy, select your internalnetwork-facing port as the Incoming
Interface, and the IPsec interface as
Outgoing. Set the Destination Address to
the VIP Address Range. Enable NAT.

For the inbound, set the IPsec interface

as the Incoming Interface, internal port
as Outgoing, and your VIP range as the
Destination Address. Disable NAT.

396

The FortiGate Cookbook 5.0.7

Then create the Static Route, with the

Destination IP as 10.21.101.0/24. For your
Device, select your VPN interface.
Set the Distance lower than 10.

Results
On a FortiGate unit, you can go to VPN >
Monitor > IPsec Monitor to see the status
of the VPN tunnel.

Connect to the VPN, using a network

device in Network_1. Access the address
10.31.101.50, and your session will be
redirected to Network_2s 10.11.101.50.
Then, from a VPN-connected device in
Network_2, visit 10.21.101.50, and you will
access Network_1s 10.11.101.50.

Go to Log & Report > Traffic Log >

Forward Traffic and filter the Src Interface
column with the VPN Interface name to see
incoming VPN traffic and the Dst Interface
column to see outgoing.

Creating a VPN with overlapping subnets

397

Using redundant OSPF routing over IPsec VPN

This example sets up redundant secure communication between two remote
networks using an Open Shortest Path First (OSPF) VPN connection. In this example,
the HQ FortiGate unit will be called FortiGate 1 and the Branch FortiGate unit will be
called FortiGate 2.
1. Creating redundant IPsec tunnels on FortiGate 1
2. Configuring IP addresses and OSPF on FortiGate 1
3. Configuring firewall addresses on FortiGate 1
4. Configuring security policies on FortiGate 1
5. Creating redundant IPsec tunnels for FortiGate 2
6. Configuring IP addresses and OSPF on FortiGate 2
7. Configuring firewall addresses on FortiGate 2
8. Configuring security policies on FortiGate 2
9. Results
OSPF
WAN 1
172.20.120.24
IPsec
FortiGate 1

Internal
10.20.1.1/24

IPsec

WAN 1
172.20.120.123

Internet

WAN 2
172.20.120.23

FortiGate 2

WAN 2
172.20.120.127

Internal
10.21.1.1/24

OSPF

Internal
Network
(HQ)
398

Internal
Network
(Branch)
The FortiGate Cookbook 5.0.7

Creating redundant IPsec

tunnels on FortiGate 1
Go to VPN > IPsec > Auto Key (IKE).
Select Create Phase 1 and create the
primary tunnel. Set IP Address to FortiGate
2s wan1 IP, Local Interface to wan1 (the
primary Internet-facing interface) and enter a
Pre-shared Key.

Select Create Phase 2. Set it to use the

new Phase 1.

Using redundant OSPF routing over IPsec VPN

399

Go to VPN > IPsec > Auto Key (IKE).

Select Create Phase 1 and create the
secondary tunnel. Set IP Address to use
FortiGate 2s wan2 IP, Local Interface
to wan2 (the secondary Internet-facing
interface) and enter the Pre-shared Key.

Go to VPN > IPsec > Auto Key (IKE).

Select Create Phase 2. Set it to use the
new Phase 1

400

The FortiGate Cookbook 5.0.7

Configuring IP addresses
and OSPF on FortiGate 1
Go to System > Network > Interfaces.
Select the arrow for wan1 to expand the list.
Edit the primary tunnel interface and create
IP addresses.

Select the arrow for wan2 to expand the

list. Edit the secondary tunnel interface and
create IP addresses.

Go to Router > Dynamic > OSPF.

Enter the Router ID for FortiGate 1.

Select Create New in the Area section.

Add the backbone area of 0.0.0.0.

Select Create New in the Networks

section.
Create the networks and select Area 0.0.0.0
for each one.

Using redundant OSPF routing over IPsec VPN

401

Select Create New in the Interfaces

section.
Create primary and secondary tunnel
interfaces. Set a Cost of 10 for the primary
interface and 100 for the secondary interface.

Configuring firewall
addresses on FortiGate 1
Go to Firewall Objects > Address >
Addresses.
Edit the subnets behind FortiGate 1 and
FortiGate 2.

402

The FortiGate Cookbook 5.0.7

Edit the primary and secondary interfaces of

FortiGate 2.

Configuring security policies

on FortiGate 1
Go to Policy > Policy > Policy.
Create the four security policies required for
both FortiGate 1s primary and secondary
interfaces to connect to FortiGate 2s primary
and secondary interfaces.

Using redundant OSPF routing over IPsec VPN

403

404

The FortiGate Cookbook 5.0.7

Creating redundant IPsec

tunnels on FortiGate 2
Go to VPN > IPsec > Auto Key (IKE).
Select Create Phase 1 and create the
primary tunnel. Set IP Address to FortiGate
1s wan1 IP, Local Interface to wan1 (the
primary Internet-facing interface) and enter a
Pre-shared Key.

Select Create Phase 2. Set it to use the

new Phase 1.

Using redundant OSPF routing over IPsec VPN

405

Select Create Phase 1 and create the

secondary tunnel. Set IP Address to use
FortiGate 2s IP, Local Interface to wan2
(the secondary Internet-facing interface) and
enter the Pre-shared Key.

Select Create Phase 2. Set it to use the

new Phase 1.

406

The FortiGate Cookbook 5.0.7

Configuring IP addresses
and OSPF on FortiGate 2
Go to System > Network > Interfaces.
Select the arrow for wan1 to expand the list.
Edit the primary tunnel interface and create
IP addresses.

Select the arrow for wan2 to expand the

list. Edit the secondary tunnel interface and
create IP addresses.

Go to Router > Dynamic > OSPF.

Enter the Router ID for FortiGate 2.

Select Create New in the Area section.

Add the backbone area of 0.0.0.0.

Select Create New in the Networks

section.
Create the networks and select Area 0.0.0.0
for each one.

Using redundant OSPF routing over IPsec VPN

407

Select Create New in the Interfaces

section.
Create primary and secondary tunnel
interfaces. Set a Cost of 10 for the primary
interface and 100 for the secondary interface.

Configuring firewall
addresses on FortiGate 2
Go to Firewall Objects > Address >
Addresses.
Edit the subnets behind FortiGate 1 and
FortiGate 2.

408

The FortiGate Cookbook 5.0.7

Edit the primary and secondary interfaces of

FortiGate 1.

Configuring security policies

on FortiGate 2
Go to Policy > Policy > Policy.
Create the four security policies required for
both FortiGate 2s primary and secondary
interfaces to connect to FortiGate 1s primary
and secondary interfaces.

Using redundant OSPF routing over IPsec VPN

409

410

The FortiGate Cookbook 5.0.7

Results
Go to VPN > Monitor > IPsec Monitor to
verify the statuses of both the primary and
secondary IPsec VPN tunnels on FortiGate 1
and FortiGate 2.

Go to Router > Monitor > Routing.

Monitor to verify the routing table on
FortiGate 1 and FortiGate 2. Type OSPF for
the Type and select Apply Filter to verify
the OSPF route.

Verify that traffic flows via the primary tunnel.

From a PC1 set to IP:10.20.1.100 behind
FortiGate 1, run a tracert to a PC2 set to IP
address 10.21.1.00 behind FortiGate 2 and
vise versa.
From PC1, you should see that the traffic
goes through 10.1.1.2 which is the primary
tunnel interface IP set on FortiGate 2.
From PC2, you should see the traffic goes
through 10.1.1.1 which is the primary tunnel
interface IP set on FortiGate 1.

The VPN network between the two OSPF

networks uses the primary VPN connection.
Disconnect the wan1 interface and

Using redundant OSPF routing over IPsec VPN

411

confirm that the secondary tunnel will be

used automatically to maintain a secure
connection.
Verify the IPsec VPN tunnel statuses on
FortiGate 1 and FortiGate 2. Both FortiGates
should show that primary tunnel is DOWN
and secondary tunnel is UP.
Go to VPN > Monitor > IPsec Monitor to
verify the status.

Verify the routing table on FortiGate 1 and

FortiGate 2.
The secondary OSPF route (with cost = 100)
appears on both FortiGate units.
Go to Router > Monitor > Routing
Monitor. Type OSPF for the Type and
select Apply Filter to verify OSPF route.
Verify that traffic flows via the secondary
tunnel.
From a PC1 set to IP:10.20.1.100 behind
FortiGate 1, run a tracert to a PC2 set to
IP:10.21.1.100 behind FortiGate 2 and
vice versa. From PC1, you should see that
the traffic goes through 10.2.1.2 which is
the secondary tunnel interface IP set on
FortiGate 2.
From PC2, you should see the traffic goes
through 10.2.1.1 which is the secondary
tunnel interface IP set on FortiGate 1.

412

The FortiGate Cookbook 5.0.7

FortiGate Infrastructure 7.0 Study Guide-Online Unlocked
100% (9)
FortiGate Infrastructure 7.0 Study Guide-Online Unlocked
402 pages
Fortinet Zero Trust Access Lab Guide For FortiOS 7.2 (Fortinet Training Institute)
100% (1)
Fortinet Zero Trust Access Lab Guide For FortiOS 7.2 (Fortinet Training Institute)
247 pages
Fortinet Fortigate Infrastructure Lab Guide For Fortios 72
100% (1)
Fortinet Fortigate Infrastructure Lab Guide For Fortios 72
126 pages
FortiGate Security 6.2 Lab Guide-Online
100% (3)
FortiGate Security 6.2 Lab Guide-Online
232 pages
SD-WAN 6.2 Lab Guide-Online PDF
100% (3)
SD-WAN 6.2 Lab Guide-Online PDF
85 pages
Fortinet FCP - FortiGate 7.4 Administrator Exam Preparation
From Everand
Fortinet FCP - FortiGate 7.4 Administrator Exam Preparation
Georgio Daccache
No ratings yet
Fortinet Fortimanager Study Guide For Fortimanager 72
100% (1)
Fortinet Fortimanager Study Guide For Fortimanager 72
372 pages
FortiGate Security 6.2 Study Guide
82% (17)
FortiGate Security 6.2 Study Guide
667 pages
Fortinet NSE4 FGT 7.2 - 2023.06.22 194Q v2.0
100% (1)
Fortinet NSE4 FGT 7.2 - 2023.06.22 194Q v2.0
106 pages
FortiOS 7.4.3 Administration Guide
No ratings yet
FortiOS 7.4.3 Administration Guide
3,620 pages
Fortigate Firewall
100% (1)
Fortigate Firewall
15 pages
FortiGate - Student Guide
92% (13)
FortiGate - Student Guide
271 pages
NSE5 - FMG-7.0 whatsAPP 0021655255099
No ratings yet
NSE5 - FMG-7.0 whatsAPP 0021655255099
37 pages
Getting Started with FortiGate
From Everand
Getting Started with FortiGate
Fabrizio Volpe
No ratings yet
FortiGate CLI Reference
100% (2)
FortiGate CLI Reference
726 pages
LAB 4 - Transparent Mode
100% (1)
LAB 4 - Transparent Mode
13 pages
Configuring A FortiGate Unit As An L2TP IPsec Server
No ratings yet
Configuring A FortiGate Unit As An L2TP IPsec Server
8 pages
VDOM Configuration
No ratings yet
VDOM Configuration
7 pages
Lab 11 - SSL-VPN
No ratings yet
Lab 11 - SSL-VPN
15 pages
FortiGate VPN Guide
No ratings yet
FortiGate VPN Guide
112 pages
Allen-Bradley Stratix 5700™ Network Address Translation (NAT)
100% (1)
Allen-Bradley Stratix 5700™ Network Address Translation (NAT)
20 pages
IPSEC Config - Fortigate
No ratings yet
IPSEC Config - Fortigate
220 pages
Introduction To FortiGate Part-1
100% (3)
Introduction To FortiGate Part-1
330 pages
Fortigate OS Command Line Interface
100% (7)
Fortigate OS Command Line Interface
702 pages
Fortigate VM
No ratings yet
Fortigate VM
22 pages
Virtual Lab Setup Guide FGT 6.2 PDF
100% (1)
Virtual Lab Setup Guide FGT 6.2 PDF
50 pages
Shriram's Fortigate Best Practices
100% (1)
Shriram's Fortigate Best Practices
42 pages
Fortigate Antivirus Firewall Ips User Guide
100% (1)
Fortigate Antivirus Firewall Ips User Guide
58 pages
Troubleshooting PDF
No ratings yet
Troubleshooting PDF
96 pages
Fortigate Troubleshooting 56
100% (1)
Fortigate Troubleshooting 56
64 pages
FortiGate 7.4 Operator Lesson Scripts
100% (1)
FortiGate 7.4 Operator Lesson Scripts
33 pages
CLI Commands For Troubleshooting FortiGate Firewalls
No ratings yet
CLI Commands For Troubleshooting FortiGate Firewalls
6 pages
LAB 7 - High Availability (HA)
100% (1)
LAB 7 - High Availability (HA)
17 pages
FortiGate Infrastructure 6.2 Study Guide-Online
78% (9)
FortiGate Infrastructure 6.2 Study Guide-Online
412 pages
Basic Fortigate Firewall Configuration: Content at A Glance
No ratings yet
Basic Fortigate Firewall Configuration: Content at A Glance
17 pages
Do Not Reprint © Fortinet: Fortigate Infrastructure Lab Guide
100% (1)
Do Not Reprint © Fortinet: Fortigate Infrastructure Lab Guide
147 pages
FortiOS 7.0.1 Administration Guide
No ratings yet
FortiOS 7.0.1 Administration Guide
2,150 pages
FortiOS 7.4 Best Practices
No ratings yet
FortiOS 7.4 Best Practices
47 pages
LAB 5 - Configuring A Site-to-Site IPsec VPN
No ratings yet
LAB 5 - Configuring A Site-to-Site IPsec VPN
23 pages
FortiGate Security
100% (1)
FortiGate Security
97 pages
Nse4 - FGT-6.4 V12.02
100% (1)
Nse4 - FGT-6.4 V12.02
63 pages
FortiGate Security 7.2 Study Guide-Online-10
No ratings yet
FortiGate Security 7.2 Study Guide-Online-10
40 pages
FortiGate Infrastructure 6.2 Study Guide-Online
No ratings yet
FortiGate Infrastructure 6.2 Study Guide-Online
414 pages
Fortinet NSE4 - FGT-6 0 v2019-05-02 PDF
No ratings yet
Fortinet NSE4 - FGT-6 0 v2019-05-02 PDF
47 pages
Fortigate Ipsecvpn 56 PDF
No ratings yet
Fortigate Ipsecvpn 56 PDF
242 pages
Fortigate Advanced Routing 50
No ratings yet
Fortigate Advanced Routing 50
161 pages
FortiGate Best Practices
67% (9)
FortiGate Best Practices
16 pages
Lab 3 - Nat PDF
100% (2)
Lab 3 - Nat PDF
24 pages
SD-Access Deployment Guide
No ratings yet
SD-Access Deployment Guide
95 pages
Next-Generation switching OS configuration and management: Troubleshooting NX-OS in Enterprise Environments
From Everand
Next-Generation switching OS configuration and management: Troubleshooting NX-OS in Enterprise Environments
Mamta Devi
No ratings yet
Fortigate Cookbook 505 Expanded
No ratings yet
Fortigate Cookbook 505 Expanded
364 pages
Fortigate Cookbook 506 Expanded
No ratings yet
Fortigate Cookbook 506 Expanded
399 pages
Fortigate Cookbook 504 Expanded
No ratings yet
Fortigate Cookbook 504 Expanded
311 pages
Fortigate Cookbook 504 PDF
No ratings yet
Fortigate Cookbook 504 PDF
201 pages
Fortigate Cookbook 504
No ratings yet
Fortigate Cookbook 504
220 pages
Fortigate Cookbook 52
No ratings yet
Fortigate Cookbook 52
777 pages
Fortigate Cookbook 52
No ratings yet
Fortigate Cookbook 52
777 pages
Fortigate Cookbook v5
No ratings yet
Fortigate Cookbook v5
384 pages
Fortigate Cookbook 54 PDF
No ratings yet
Fortigate Cookbook 54 PDF
209 pages
Fortinet - FortiGate Cookbook v4.0 MR3 PDF
No ratings yet
Fortinet - FortiGate Cookbook v4.0 MR3 PDF
394 pages
MCSE 05 Implementing of A Network Infrastructure 10 Theory
No ratings yet
MCSE 05 Implementing of A Network Infrastructure 10 Theory
45 pages
7324RU - System Guide
No ratings yet
7324RU - System Guide
50 pages
History of The Internet
No ratings yet
History of The Internet
8 pages
Asynchronous Transfer Mode (ATM)
No ratings yet
Asynchronous Transfer Mode (ATM)
24 pages
RAN17 1 Troubleshooting Guide 01 PDF en
No ratings yet
RAN17 1 Troubleshooting Guide 01 PDF en
249 pages
ISO OSI Model
No ratings yet
ISO OSI Model
13 pages
Wireless-G Broadband Router: User Guide
No ratings yet
Wireless-G Broadband Router: User Guide
44 pages
Emr - Na c03026850 1 PDF
No ratings yet
Emr - Na c03026850 1 PDF
839 pages
SmartPort Commissioning Acceptance Form
No ratings yet
SmartPort Commissioning Acceptance Form
3 pages
E-Link 1000EXR Datasheet v16 PDF
No ratings yet
E-Link 1000EXR Datasheet v16 PDF
2 pages
Huawei Digital Pipeline Solution Brochure-SD
No ratings yet
Huawei Digital Pipeline Solution Brochure-SD
6 pages
Single Channel LoRa IoT Kit v2 User Manual - v1.0.1 - 2
No ratings yet
Single Channel LoRa IoT Kit v2 User Manual - v1.0.1 - 2
50 pages
Credit Control Configuration: Operation Directions
No ratings yet
Credit Control Configuration: Operation Directions
27 pages
01 - MINI LINK LH Product Presentation
No ratings yet
01 - MINI LINK LH Product Presentation
35 pages
Elenos Group Webinar:: FM Single Frequency Networks Theory and Practice
No ratings yet
Elenos Group Webinar:: FM Single Frequency Networks Theory and Practice
21 pages
TETRA1
No ratings yet
TETRA1
62 pages
Call Blocking Rate
No ratings yet
Call Blocking Rate
6 pages
A Survey and Review of GSM Base Transceiver System Installation, Architecture and Uplink/Downlink
No ratings yet
A Survey and Review of GSM Base Transceiver System Installation, Architecture and Uplink/Downlink
6 pages
User Guide FTB-8510
No ratings yet
User Guide FTB-8510
206 pages
AOS 8.5.1 ReleaseNotes-v7RevB
No ratings yet
AOS 8.5.1 ReleaseNotes-v7RevB
5 pages
E.e-Sm-J530f-J5 2017
No ratings yet
E.e-Sm-J530f-J5 2017
32 pages
FG IPTV-C-0423: Telecommunication Standardization Sector
No ratings yet
FG IPTV-C-0423: Telecommunication Standardization Sector
6 pages
Radio Link Failure
No ratings yet
Radio Link Failure
19 pages
ISIS
No ratings yet
ISIS
948 pages
Eutelsat TV Line-Up Channels Transmitted by Eutelsat Satellites
No ratings yet
Eutelsat TV Line-Up Channels Transmitted by Eutelsat Satellites
135 pages
Railway Wagon Monitoring
No ratings yet
Railway Wagon Monitoring
11 pages
Chapter 2 - Network Models 2
No ratings yet
Chapter 2 - Network Models 2
20 pages
ASA Failover Troubleshooting On 7.x and 8
No ratings yet
ASA Failover Troubleshooting On 7.x and 8
5 pages
Proteus Sensor Quick Start Guide
No ratings yet
Proteus Sensor Quick Start Guide
1 page