FortiGate Cookbook Part2

This document provides instructions for configuring DNS filtering and adding FortiSandbox integration on FortiGate devices. It describes how to add the FortiSandbox to the security fabric, authorize the FortiGate devices on the FortiSandbox, and apply sandbox inspection to security profiles. It also covers creating a DNS web filter profile to block bandwidth consuming categories, enabling DNS filtering in policies, and viewing the results of files scanned by the FortiSandbox and blocked websites.

FortiOS - Cookbook

Version 6.0.0
Security profiles

5. Go to the Dashboard and locate the System Information widget. Verify that VM Internet Access has a green
checkmark beside it.

Adding the FortiSandbox to the Security Fabric

1. Connect to Edge.
2. To add FortiSandbox to the Security Fabric, go to Security Fabric > Settings. Enable Sandbox Inspection.
3. Make sure FortiSandbox Appliance is selected and set Server to the IP address of port 1 on the FortiSandbox.

FortiOS 6.0.0 Cookbook 201


Fortinet Inc.
Security profiles

4. Select Test Connectivity. An error message appears because Edge hasn’t been authorized on the FortiSandbox.

5. Edge, as the root FortiGate, pushes FortiSandbox settings to the other FortiGates in the Security Fabric. To verify
this, connect to Accounting and go to Security Fabric > Settings.

6. On the FortiSandbox, go to Scan Input > Device. The FortiGates in the Security Fabric (Edge, Accounting,
Marketing, and Sales) are listed but the Auth column indicates that the devices are unauthorized.

7. Select and edit Edge. Under Permissions & Policies, select Authorized.

8. Repeat this for the other FortiGates.

9. On Edge, go to Security Fabric > Settings and test the Sandbox Inspection connectivity again. External is now
connected to the FortiSandbox.

Adding sandbox inspection to security profiles

You can apply sandbox inspection with three types of security inspection: antivirus, web filter, and FortiClient compliance
profiles. In this step, you add sandbox to all FortiGate devices in the Security Fabric individually, using the profiles that
each FortiGate applies to network traffic.
In order to pass the Advanced Threat Protection check, you must add sandbox inspection to antivirus profiles for all
FortiGate devices in the Security Fabric.
1. Go to Security Profiles > AntiVirus and edit the default profile.
2. Under Inspection Options, set Send Files to FortiSandbox Appliance for Inspection to All Supported Files.

Enable Use FortiSandbox Database, so that if the FortiSandbox discovers a threat, it adds a signature for that file
to the antivirus signature database on the FortiGate.
3. Go to Security Profiles > Web Filter and edit the default profile.
4. Under Static URL Filter, enable Block malicious URLs discovered by FortiSandbox.

If the FortiSandbox discovers a threat, the URL that threat came from is added to the list of URLs that are blocked by
the FortiGate.
5. Go to Security Profiles > FortiClient Compliance Profiles and edit the default profile. Enable Security Posture
Check.
6. Enable Realtime Protection and Scan with FortiSandbox.

Results

If a FortiGate in the Security Fabric discovers a suspicious file, it sends the file to the FortiSandbox.
You can view information about scanned files on either the FortiGate that sent the file or the FortiSandbox.
1. On one of the FortiGate devices, go to the Dashboard and locate the Advanced Threat Protection Statistics widget.
This widget shows files that both the FortiGate and FortiSandbox scan.

2. On the FortiSandbox, go to System > Status and view the Scanning Statistics widget for a summary of scanned
files.

You can also view a timeline of scanning in the File Scanning Activity widget.
3. On Edge, go to Security Fabric > Security Rating and run a rating. When it is finished, select the All Results view.
In the example, all four FortiGate devices in the Security Fabric pass the Advanced Threat Protection check and the
Security Rating Score increases by 9.7 points for each FortiGate.

DNS Filtering

In this recipe you will set up DNS filtering to block access to bandwidth consuming websites.
Following the results section, you will find instructions for changing the FortiDNS server that your FortiGate will use to
verify domains, as well as troubleshooting information.
If DNS Filter is not listed under Security Profiles, go to System > Feature Visibility, and enable DNS Filter under
Security Features.

Creating a DNS web filter profile

1. Go to Security Profiles > DNS Filter, and edit the default profile.
2. Enable FortiGuard category based filter, right-click Bandwidth Consuming, and set it to Block.

Enabling DNS filtering in a security policy

All traffic that matches this policy will be redirected to the FortiDNS server.
1. Go to Policy & Objects > IPv4 Policy, and edit the outgoing policy that allows Internet access.
2. Under Security Profiles, enable DNS Filter and set it to default.

Proxy Options and SSL Inspection profiles are automatically enabled.

Results

Open a browser using a computer on the internal network and navigate to dailymotion.co.uk. The page will be blocked.

Enter the following CLI command to sniff packets with a destination URL that does not belong to the bandwidth
consuming category:
diagnose sniffer packet any 'port 53 and host 194.153.110.160' 4

The resulting output should indicate that the IP (in this example, paris.fr) was allowed by FortiGuard:
interfaces=[any]
filters=[port 53]
2.851628 172.20.121.56.59046 -> 208.91.112.52.53: udp 43
2.916281 208.91.112.52.53 -> 172.20.121.56.59046: udp 436
3.336945 10.1.2.102.51755 -> 208.91.112.53.53: udp 37
3.338611 208.91.112.53.53 -> 10.1.2.102.51755: udp 37

(Optional) Changing the FortiDNS server and port

You can use the default FortiDNS server located in Sunnyvale, USA (IP address: 208.91.112.220), or you can switch to
the server in London, UK (IP address: 194.69.172.53).
Communication between your FortiGate and the FortiDNS server uses Fortinet’s proprietary DNS communication
protocol.

config system fortiguard
set sdns-server-ip 208.91.112.220
end

The North American server should work in most cases, however you can switch to the European server to see if it
improves latency.
You can also change the port used to communicate with the FortiDNS server using the following command:
config system fortiguard
set sdns-server-port <value>
end

Troubleshooting

The Security Profiles > DNS Filter menu is missing

Go to System > Feature Visibility and enable DNS Filter.

You configured DNS filtering, but it is not working

Verify that DNS Filter is enabled in a policy and SSL Inspection has been applied as needed (SSL inspection is
required in order to block traffic to sites that use HTTPS).
If both settings are enabled, verify that the policy is being used for the correct traffic and that traffic is flowing by going to
the policy list and viewing the Sessions column.
If the above settings are correct, verify that DNS requests are going through the policy, rather than to an internal DNS
server. Also verify that proxy options and SSL/SSH inspection settings have both HTTP and HTTPS enabled and use
the correct ports.

Communication with the FortiDNS server fails

Verify that the correct FortiDNS server is configured using the following diagnose command:
diag test application dnsproxy 3

The resulting output should indicate that communication with the correct FortiDNS server was established. For example:
FWF60D4615016384 # diag test application dnsproxy 3
vdom: root, index=0, is master, vdom dns is enabled, mip-169.254.0.1 dns_log=1
dns64 is disabled
dns-server:208.91.112.53:53 tz=0 req=919160 to=545900 res=117880 rt=1800 secure=0
ready=1
dns-server:208.91.112.52:53 tz=0 req=913029 to=520111 res=134810 rt=6 secure=0 ready=1
dns-server:208.91.112.220:53 tz=-480 req=0 to=0 res=0 rt=0 secure=1 ready=1
dns-server:45.75.200.89:53 tz=0 req=0 to=0 res=0 rt=0 secure=1 ready=1
vfid=0, interface=wan1, ifindex=6, recursive, dns
DNS_CACHE: hash-size=2048, ttl=1800, min-ttl=60, max-num=5000

DNS FD: udp_s=12 udp_c=14:15 ha_c=18 unix_s=19, unix_nb_s=20, unix_nc_s=21, v6_udp_s=11, v6_udp_c=16:17
DNS FD: tcp_s=24, tcp_s6=23
FQDN: hash_size=1024, current_query=1024
DNS_DB: response_buf_sz=131072
LICENSE: expiry=2016-08-15, expired=0, type=2
FDG_SERVER:208.91.112.220:53
SERVER_LDB: gid=6d61, tz=-480
FGD_REDIR:208.91.112.55

This CLI result shows that the DNS server IP is set to the North American server, and is being accessed through port 53
(208.91.112.220:53).
Next, verify that bandwidth consuming sites are blocked, while other URLs are allowed.
Go to the CLI Console and enter the following:
diagnose sniffer packet any 'port 53 and host 195.8.215.138' 4

The resulting output should indicate that the IP (in this example, dailymotion.co.uk) was blocked by the FortiDNS server:
interfaces=[any]
filters=[port 53]
2.026733 172.20.121.56.59046 -> 208.91.112.220.53: udp 117
2.027316 172.20.121.56.59046 -> 45.75.200.89.53: udp 112
2.028480 172.20.121.56.59046 -> 208.91.112.220.53: udp 116
2.029591 172.20.121.56.59046 -> 208.91.112.220.53: udp 117
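The two checks in this troubleshooting section (reading the dnsproxy server list, then confirming in a port-53 capture where queries actually go) can be scripted. The following is an added example, not Fortinet's code; it assumes POSIX sh with awk, sed and grep, and the two samples it embeds are constructed from the output formats shown above.

```shell
#!/bin/sh
# Added example, not from the Fortinet cookbook: automate the two checks from
# the "Communication with the FortiDNS server fails" section. It reads the
# 'diag test application dnsproxy 3' output to find the configured FortiDNS
# (FDG_SERVER) entry and confirm it is flagged secure=1 / ready=1, then reads
# 'diagnose sniffer packet any "port 53"' output and counts which port-53
# destinations received packets. Assumes POSIX sh, awk, sed and grep. Both
# samples below are constructed from the output formats shown on the page.
set -e

DNSPROXY_SAMPLE='vdom: root, index=0, is master, vdom dns is enabled, mip-169.254.0.1 dns_log=1
dns-server:208.91.112.53:53 tz=0 req=919160 to=545900 res=117880 rt=1800 secure=0 ready=1
dns-server:208.91.112.52:53 tz=0 req=913029 to=520111 res=134810 rt=6 secure=0 ready=1
dns-server:208.91.112.220:53 tz=-480 req=0 to=0 res=0 rt=0 secure=1 ready=1
LICENSE: expiry=2016-08-15, expired=0, type=2
FDG_SERVER:208.91.112.220:53'

# Constructed sniffer capture: two FortiGate-to-FortiDNS queries, one query to
# a regular FortiGuard resolver, and one client query that went straight to an
# internal resolver (10.1.2.1), which is the bypass case the text warns about.
SNIFFER_SAMPLE='interfaces=[any]
filters=[port 53]
2.026733 172.20.121.56.59046 -> 208.91.112.220.53: udp 117
2.027316 208.91.112.220.53 -> 172.20.121.56.59046: udp 112
2.028480 172.20.121.56.59046 -> 208.91.112.220.53: udp 116
3.336945 172.20.121.56.51755 -> 208.91.112.53.53: udp 37
4.100000 10.1.2.102.51756 -> 10.1.2.1.53: udp 40'

# IP of the FortiDNS server taken from the FDG_SERVER line (port stripped).
fdg_server() {
    printf '%s\n' "$1" | sed -n 's/^FDG_SERVER:\([0-9.]*\):[0-9]*$/\1/p'
}

# Succeeds only if the FDG_SERVER address also appears as a dns-server entry
# flagged secure=1 and ready=1, i.e. the proprietary secure DNS channel is up.
fdg_server_ready() {
    server=$(fdg_server "$1")
    [ -n "$server" ] || return 1
    printf '%s\n' "$1" | grep -q "^dns-server:$server:53 .*secure=1 ready=1$"
}

# Print "dst_ip count" for every destination that received a port-53 packet.
# Addresses look like 1.2.3.4.PORT, so the port is the fifth dotted field.
dns_destinations() {
    printf '%s\n' "$1" | awk '$3 == "->" {
        dst = $4; sub(/:$/, "", dst)
        if (split(dst, p, ".") == 5 && p[5] == "53")
            count[p[1] "." p[2] "." p[3] "." p[4]]++
    }
    END { for (ip in count) print ip, count[ip] }' | sort
}

# Number of packets sent to the FortiDNS server $2 in sniffer output $1.
sdns_query_count() {
    dns_destinations "$1" | awk -v s="$2" '$1 == s { n = $2 } END { print n + 0 }'
}

# Port-53 destinations other than the FortiDNS server, space separated. Any
# address here means DNS traffic is not being redirected by the DNS Filter
# policy (for example, clients talking to an internal resolver directly).
bypass_destinations() {
    dns_destinations "$1" | awk -v s="$2" '$1 != s { print $1 }' | tr '\n' ' ' | sed 's/ $//'
}

SDNS=$(fdg_server "$DNSPROXY_SAMPLE")
fdg_server_ready "$DNSPROXY_SAMPLE" && echo "FortiDNS $SDNS: secure channel ready"
echo "queries to FortiDNS: $(sdns_query_count "$SNIFFER_SAMPLE" "$SDNS")"
echo "other port-53 destinations: $(bypass_destinations "$SNIFFER_SAMPLE" "$SDNS")"
```

On a real FortiGate, paste the output of the two diagnose commands into the two variables; any address reported by bypass_destinations that is not a FortiGuard resolver points at DNS traffic that is skipping the filtering policy.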

FortiGuard has the wrong categorization for a website

If you believe a website has been placed in the wrong category by FortiGuard, you can submit the URL for
reclassification by going to the FortiGuard website.

Content Disarm and Reconstruction (CDR)

In this recipe you will configure the default AntiVirus security profile to include a new FortiOS 6.0 feature: Content Disarm
and Reconstruction (CDR). You will apply this security profile to the Internet access policy so that exploitable content
leaving the network is stripped from documents and replaced with content that is known to be safe.
In the example, we will use FortiSandbox as the original file destination, where the original file is archived and can be
retrieved if necessary. The CDR feature works without FortiSandbox configured, but only if you wish to discard the
original file.
Content that can be scanned includes PDF and Microsoft Office files leaving the network on CDR-supported protocols
(for more information, refer to the Security Profiles handbook).
Note that the FortiGate must be in Proxy inspection mode for CDR to function.

Setting the system inspection mode

Go to System > Settings and set System Operation Settings > Inspection Mode to Proxy.

Testing FortiSandbox connectivity

1. On the FortiGate, go to Security Fabric > Settings and enable Sandbox Inspection.
2. Select your FortiSandbox type and Server address.
3. Confirm that the service is available by selecting Test connectivity.
The Status should read "Service is online."

Enabling Content Disarm and Reconstruction

1. Go to Security Profiles > AntiVirus.


2. Under APT Protection Options, enable Content Disarm and Reconstruction and select the Original File
Destination.

If you enable FortiSandbox as the file destination, original files caught by the AntiVirus profile are archived on the
FortiSandbox. The FortiSandbox administrator can retrieve the original files, but only for a short time.
If you enable either File Quarantine or Discard as the file destination, original files caught by the AntiVirus profile
are lost. Only the disarmed content is made available.

Configuring the Internet access policy

1. Go to Policy & Objects > IPv4 Policy and Edit the Internet access policy.
2. Under Security Profiles, enable the default AntiVirus profile. Proxy Options and SSL Inspection are
automatically enabled.

Results

As the AntiVirus profile scans files using CDR, it replaces content that is deemed malicious or unsafe with content that
will allow the traffic to continue but not put the recipient at risk.
CDR appends a new cover page to the malicious/unsafe content that includes a replacement message.

If you wish to disable the cover page, enter the following commands in the CLI Console:
config antivirus profile
edit default
config content-disarm
set cover-page disable
end
end

Troubleshooting

The feature is not visible in the GUI

Confirm that the Inspection Mode is set to Proxy under System > Settings.
Also check that the AntiVirus profile inspection mode is set to proxy using the CLI Console:
config antivirus profile
edit default
set inspection-mode proxy
next
end

Error messages and/or conflicts

If you receive an error message when attempting to enable Content Disarm and Reconstruction on the AntiVirus profile,
check the Proxy Options settings in the CLI Console and disable splice and clientcomfort on CDR-supported
protocols:
config firewall profile-protocol-options
edit default
config smtp
unset options splice
next
config http
unset options clientcomfort
next
end
end

You should also confirm the AntiVirus profile’s protocol settings under config antivirus profile:
• ensure that set options scan is enabled on CDR-supported protocols
• if set options av-monitor is configured on a CDR-supported protocol, it overrides the config content-disarm detect-only setting (and CDR will not occur)

The FortiSandbox service is unreachable

If testing the FortiSandbox connectivity returns a “Service is unreachable” error message, then you may need to
authorize the FortiGate on the FortiSandbox.
On the FortiSandbox, go to Scan Input > Device and edit the entry for the FortiGate.
Under Permissions & Policy, enable Authorized.

Preventing certificate warnings (CA-signed certificate)

In this recipe, you prevent users from receiving a security certificate warning when your FortiGate performs full SSL
inspection on incoming traffic. There are several methods for doing this, depending on whether you're using a CA-signed
certificate, as presented here, your FortiGate default certificate (see Preventing certificate warnings (default certificate)
on page 228), or a self-signed certificate (see Preventing certificate warnings (self-signed) on page 235).
When you enable full SSL inspection, your FortiGate impersonates the recipient of the originating SSL session, then
decrypts and inspects the content. The FortiGate then re-encrypts the content, creates a new SSL session between the
FortiGate and the recipient by impersonating the sender, and sends the content to the end user. This is the same
process used in "man-in-the-middle" attacks, which is why a user's device may show a security certificate warning.
For more information about SSL inspection, see Why you should use SSL inspection on page 243.
Often, when users receive security certificate warnings, they simply select Continue without understanding why the
error is occurring. To avoid encouraging this habit, you can prevent the warning from appearing in the first place.

Using a CA-signed certificate

In this method, you obtain a CA-signed certificate and install this certificate on your FortiGate to use with SSL inspection.
In order to implement SSL inspection, you also need to add another security profile to your policy controlling Internet
traffic. You can use either FortiAuthenticator as your CA or a trusted private CA.
If you use FortiAuthenticator as a CA, you generate a certificate signing request (CSR) on your FortiGate, have it signed
on the FortiAuthenticator, import the certificate into your FortiGate, and configure your FortiGate to use the certificate for
SSL deep inspection of HTTPS traffic.
If you use a trusted private CA, you generate a CSR on your FortiGate, apply for an SSL certificate from the trusted
private CA, import the certificate into your FortiGate, and configure your FortiGate so the certificate can be used for SSL
deep inspection of HTTPS traffic.

Generating a CSR on a FortiGate

1. On your FortiGate, create a new CSR by going to System > Certificates and select Generate.
2. Enter a Certificate Name, the external IP of your FortiGate, and a valid email address.
3. To ensure the certificate is securely encrypted, set Key Type to RSA and Key Size to 2048 Bit (the industry
standard).

Once generated, the certificate shows a Status of Pending. To save the .csr file to your local drive, highlight the
certificate and select Download.

Getting the certificate signed by a CA

Trusted private CA:

If you want to use a trusted private CA to sign the certificate, use the CSR to apply for an SSL certificate with your trusted
private CA.

FortiAuthenticator:

1. If you want to use a FortiAuthenticator as a CA to sign the certificate, on the FortiAuthenticator, go to Certificate
Management > Certificate Authorities > Local CAs and select Import.
2. Set Type to CSR to sign, enter a Certificate ID, and import the example-cert.csr file. Make sure to select the
Certificate authority from the drop-down menu and set the Hash algorithm to SHA-256.

3. Once imported, you should see that example_cert has been signed by the FortiAuthenticator, showing a Status of
Active, and with the CA Type of Intermediate (non-signing) CA. Highlight the certificate and select Export.
This will save the example_cert.crt file to your local drive.

Importing the signed certificate to your FortiGate

1. On your FortiGate, go to System > Certificates and select Local Certificate from the Import drop-down menu.

2. Browse to the certificate file and select OK.

You should now see that the certificate has a Status of OK.

Editing the SSL inspection profile

1. To use your certificate in an SSL inspection profile go to Security Profiles > SSL/SSH Inspection. Use the
dropdown menu in the top right corner to select deep-inspection.

2. The deep-inspection profile is read-only. To use the CA-signed certificate for SSL inspection, you must clone the
deep-inspection profile and configure the new profile to use your certificate. To clone an existing profile, select the
Clone icon (one page behind another) and enter a new name when prompted. In this example, the name of the
profile is custom-deep-inspection.

3. Set CA Certificate to use the new certificate.

4. Verify that SSL inspection is applied to your policy that controls traffic to the Internet. You must also apply at least
one other security profile to that policy in order to implement SSL inspection. In this example, we apply antivirus.

Importing the certificate into web browsers

Once your certificate is signed by FortiAuthenticator, you need to import the certificate into users' browsers.

If you have the right environment, such as the Windows Group Policy Management Console,
you can push the certificate to users' browsers using the Windows Group Policy Editor. In this
case, you do not have to import the certificate into users' browsers.

The method you use for importing the certificate varies depending on the type of browser.

Internet Explorer, Chrome, and Safari (on Windows and macOS):

Internet Explorer, Chrome, and Safari use the operating system's certificate store for Internet browsing. If users will be
using these browsers, you must install the certificate into the certificate store for the OS.
1. If you are using Windows 7/8/10, double-click the certificate file and select Open. Select Install Certificate to
launch the Certificate Import Wizard.
2. Use the wizard to install the certificate into the Trusted Root Certificate Authorities store. If a security warning
appears, select Yes to install the certificate.

3. If you are using macOS, double-click the certificate file to launch Keychain Access.
4. Locate the certificate in the Certificates list and select it. Expand Trust and select Always Trust. If necessary,
enter the administrative password for your computer to make this change.

Firefox (on Windows and macOS)

Firefox has its own certificate store. To avoid errors in Firefox, the certificate must be installed in this store, rather than in
the OS.
If users are using Firefox, instead of being pushed to all of their devices, the certificate must be installed on each device.
1. In Firefox, go to Options > Privacy & Security (Windows) or Preferences > Privacy & Security (macOS).
2. Scroll down to the Certificates section. Select View Certificates, select the Authorities list. Import the certificate
and set it to be trusted for website identification.

Results

Before you install the certificate, an error message appears in users' browsers when they access a site that uses HTTPS
(this example shows an error message in Firefox).

After you install the certificate, users shouldn't experience a certificate security issue when they browse to sites that the
FortiGate performs SSL content inspection on.
Users can view information about the connection and the certificate that's used.
When users view information about the connection, they'll see that it's verified by Fortinet.

When users view the certificate in the browser, they will see which certificate is used and information about that
certificate.

Preventing certificate warnings (default certificate)

In this recipe, you prevent users from receiving a security certificate warning when your FortiGate performs full SSL
inspection on incoming traffic. There are several methods for doing this, depending on whether you're using your
FortiGate default certificate, as presented here, a CA-signed certificate (see Preventing certificate warnings (CA-signed
certificate) on page 218), or a self-signed certificate (see Preventing certificate warnings (self-signed) on page 235).
When you enable full SSL inspection, your FortiGate impersonates the recipient of the originating SSL session, then
decrypts and inspects the content. The FortiGate then re-encrypts the content, creates a new SSL session between the
FortiGate and the recipient by impersonating the sender, and sends the content to the end user. This is the same
process used in "man-in-the-middle" attacks, which is why a user's device may show a security certificate warning.
For more information about SSL inspection, see Why you should use SSL inspection on page 243.
Often, when users receive security certificate warnings, they simply select Continue without understanding why the
error is occurring. To avoid encouraging this habit, you can prevent the warning from appearing in the first place.

Using the default certificate

All FortiGate devices have a default certificate that’s used for full SSL inspection. This certificate is also used in the
default deep-inspection profile. To prevent users from seeing certificate warnings, you can install this certificate on
users’ devices.

Generating a unique certificate

Run the following CLI command to generate an SSL certificate that’s unique to your FortiGate:
exec vpn certificate local generate default-ssl-ca

Downloading the certificate

1. Go to Security Profiles > SSL/SSH Inspection. Use the drop-down menu in the top right corner to select deep-
inspection, which is the profile used to apply full SSL inspection.

2. The default FortiGate certificate is listed as the CA Certificate. Select Download Certificate.

Applying SSL inspection to a policy

Before you import the certificate, verify that SSL inspection is applied to your policy that controls traffic to the Internet.
You must also apply at least one other security profile to that policy in order to implement SSL inspection.

Importing the certificate into web browsers

Once you have your FortiGate device’s default certificate, you need to import the certificate into users’ browsers.

If you have the right environment, such as the Windows Group Policy Management Console,
you can push the certificate to users' browsers using the Windows Group Policy Editor. In this
case, you do not have to import the certificate into users' browsers.

The method you use for importing the certificate varies depending on the type of browser.

Internet Explorer, Chrome, and Safari (on Windows and macOS):

Internet Explorer, Chrome, and Safari use the operating system's certificate store for Internet browsing. If users will be
using these browsers, you must install the certificate into the certificate store for the OS.
1. If you are using Windows 7/8/10, double-click the certificate file and select Open. Select Install Certificate to
launch the Certificate Import Wizard.
2. Use the wizard to install the certificate into the Trusted Root Certificate Authorities store. If a security warning
appears, select Yes to install the certificate.

3. If you are using macOS, double-click the certificate file to launch Keychain Access.
4. Locate the certificate in the Certificates list and select it. Expand Trust and select Always Trust. If necessary,
enter the administrative password for your computer to make this change.

Firefox (on Windows and macOS)

Firefox has its own certificate store. To avoid errors in Firefox, the certificate must be installed in this store, rather than in
the OS.
If users are using Firefox, instead of being pushed to all of their devices, the certificate must be installed on each device.
1. In Firefox, go to Options > Privacy & Security (Windows) or Preferences > Privacy & Security (macOS).
2. Scroll down to the Certificates section. Select View Certificates, select the Authorities list. Import the certificate
and set it to be trusted for website identification.

Results

Before you install the certificate, an error message appears in users' browsers when they access a site that uses HTTPS
(this example shows an error message in Firefox).

After you install the certificate, users shouldn't experience a certificate security issue when they browse to sites that the
FortiGate performs SSL content inspection on.
Users can view information about the connection and the certificate that's used.
When users view information about the connection, they'll see that it's verified by Fortinet.

When users view the certificate in the browser, they will see which certificate is used and information about that
certificate.

Preventing certificate warnings (self-signed)

In this recipe, you prevent users from receiving a security certificate warning when your FortiGate performs full SSL
inspection on incoming traffic. There are several methods for doing this, depending on whether you're using a self-
signed certificate, as presented here, your FortiGate default certificate (see Preventing certificate warnings (default
certificate) on page 228), or a CA-signed certificate (see Preventing certificate warnings (CA-signed certificate) on page
218).
When you enable full SSL inspection, your FortiGate impersonates the recipient of the originating SSL session, then
decrypts and inspects the content. The FortiGate then re-encrypts the content, creates a new SSL session between the
FortiGate and the recipient by impersonating the sender, and sends the content to the end user. This is the same
process used in "man-in-the-middle" attacks, which is why a user's device may show a security certificate warning.
For more information about SSL inspection, see Why you should use SSL inspection on page 243.
Often, when users receive security certificate warnings, they simply select Continue without understanding why the
error is occurring. To avoid encouraging this habit, you can prevent the warning from appearing in the first place.

Creating a certificate with OpenSSL

1. If necessary, download and install OpenSSL. Make sure that the openssl.cnf file is located in the BIN folder for
OpenSSL.
2. Using a command prompt (CMD), navigate to the BIN folder.
In this example, the command is:
cd c:\OpenSSL\bin
3. Generate an RSA key with the following command:
openssl genrsa -aes256 -out fgcaprivkey.pem 2048
This RSA key is protected with AES-256 encryption and is 2048 bits long.
4. When prompted, enter a passphrase for encrypting the private key.
Use the following command to launch OpenSSL, submit a new certificate request, and sign the request:
openssl req -new -x509 -days 3650 -extensions v3_ca -key fgcaprivkey.pem -out fgcacert.pem -config openssl.cnf
The result is a standard X.509 certificate that's valid for 3650 days (approximately 10 years).

5. When prompted, re-enter the passphrase for encryption, then enter the details required for the certificate request,
such as location and organization name.
Two new files are created: a public certificate (fgcacert.pem) and a private key (fgcaprivkey.pem).
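The following script is an added example, not part of the cookbook: it runs the OpenSSL steps above non-interactively with an inline openssl.cnf and then checks that the resulting certificate really carries the CA extensions that -extensions v3_ca is meant to add (CA:TRUE and keyCertSign), since a FortiGate can only sign the per-site certificates full SSL inspection needs with a CA certificate. It assumes POSIX sh and openssl on PATH; the passphrase, subject and file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the Fortinet cookbook: reproduce the OpenSSL steps
# above non-interactively and then verify the result is a CA certificate
# (basicConstraints CA:TRUE plus the keyCertSign usage). That is what the
# -extensions v3_ca flag provides; without it the FortiGate would hold a plain
# leaf certificate and could not issue the per-site certificates that full SSL
# inspection presents to browsers. Assumes POSIX sh and openssl on PATH; the
# passphrase, subject and file names are constructed placeholders.
set -e

WORKDIR=$(mktemp -d)
KEY="$WORKDIR/fgcaprivkey.pem"
CERT="$WORKDIR/fgcacert.pem"
LEAF="$WORKDIR/leaf-counterexample.pem"
CONF="$WORKDIR/openssl.cnf"
PASS="pass:constructed-passphrase-change-me"

# A self-contained config file, so the recipe no longer depends on finding the
# openssl.cnf shipped with the OpenSSL install. v3_ca is the section the
# cookbook command selects; v3_leaf is only used for the negative check.
write_config() {
    cat > "$CONF" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
C  = US
O  = Example Org
CN = FortiGate SSL Inspection CA (example)

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
EOF
}

# Same two commands as the recipe: an AES-256-protected RSA-2048 key, then a
# self-signed certificate valid for 3650 days with the v3_ca extensions.
generate_ca() {
    write_config
    openssl genrsa -aes256 -passout "$PASS" -out "$KEY" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -extensions v3_ca -config "$CONF" \
        -key "$KEY" -passin "$PASS" -out "$CERT" 2>/dev/null
}

# Same key, but signed with leaf extensions: what you get if -extensions v3_ca
# is forgotten or the config file lacks that section.
generate_leaf_counterexample() {
    openssl req -new -x509 -days 3650 -extensions v3_leaf -config "$CONF" \
        -key "$KEY" -passin "$PASS" -out "$LEAF" 2>/dev/null
}

# Succeeds only if the certificate is marked CA:TRUE and may sign certificates.
is_ca_cert() {
    text=$(openssl x509 -in "$1" -noout -text)
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
    printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1
}

# RSA modulus size in bits, to confirm the 2048-bit key the recipe asks for.
key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

generate_ca
generate_leaf_counterexample
is_ca_cert "$CERT" && echo "$CERT: CA certificate, $(key_bits "$CERT")-bit RSA"
is_ca_cert "$LEAF" || echo "$LEAF: not a CA certificate, unusable for SSL inspection"
```

Run is_ca_cert against any certificate before importing it under System > Certificates; the same check applies to a certificate returned by a private CA or FortiAuthenticator, which must likewise be a CA (signing) certificate.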

Importing the self-signed certificate

1. Go to System > Certificates and select Import > Local Certificate.


2. Set Type to Certificate, then select your Certificate file and Key file. Enter the Password that you set when you
created the certificate.

The certificate now appears in the Local CA Certificates list.

Editing the SSL inspection profile

1. To use your certificate in an SSL inspection profile go to Security Profiles > SSL/SSH Inspection. Use the
dropdown menu in the top right corner to select deep-inspection.

2. The deep-inspection profile is read-only. To use your self-signed certificate for SSL inspection, you must clone the
deep-inspection profile and configure the new profile to use your certificate. To clone an existing profile, select the
Clone icon (one page behind another) and enter a new name when prompted. In this example, the name of the
profile is custom-deep-inspection.


3. Set CA Certificate to use the new certificate.


4. Select Download Certificate, to download the certificate file.

Applying SSL inspection to a policy

Before you import the certificate into users' browsers, verify that the new SSL inspection profile is applied to the policy that
controls traffic to the Internet. You must also apply at least one other security profile (for example web filtering or antivirus)
to that policy; on its own, an SSL inspection profile does nothing, because there is no inspection for it to decrypt traffic for.

Importing the certificate into web browsers

Once you have your self-signed certificate, you need to import the certificate into users’ browsers.

If you have the right environment, such as the Windows Group Policy Management Console,
you can push the certificate to users' browsers using the Windows Group Policy Editor. In this
case, you do not have to import the certificate into users' browsers.

The method you use for importing the certificate varies depending on the type of browser.


Internet Explorer, Chrome, and Safari (on Windows and macOS):

Internet Explorer, Chrome, and Safari use the operating system's certificate store for Internet browsing. If users will be
using these browsers, you must install the certificate into the certificate store for the OS.
1. If you are using Windows 7/8/10, double-click the certificate file and select Open. Select Install Certificate to
launch the Certificate Import Wizard.
2. Use the wizard to install the certificate into the Trusted Root Certificate Authorities store. If a security warning
appears, select Yes to install the certificate.

3. If you are using macOS, double-click the certificate file to launch Keychain Access.
4. Locate the certificate in the Certificates list and select it. Expand Trust and select Always Trust. If necessary,
enter the administrative password for your computer to make this change.

Firefox (on Windows and macOS)

Firefox has its own certificate store. To avoid errors in Firefox, the certificate must be installed in that store, rather than in
the OS store.
Because the OS mechanism does not reach the Firefox store, the certificate must be installed separately on each device that
uses Firefox, instead of being pushed to all of them. (Recent Firefox versions can be told to trust the OS store as well by
setting the security.enterprise_roots.enabled preference to true, which makes the OS-level push sufficient.)
1. In Firefox, go to Options > Privacy & Security (Windows) or Preferences > Privacy & Security (macOS).
2. Scroll down to the Certificates section. Select View Certificates, select the Authorities list. Import the certificate
and set it to be trusted for website identification.

Results

Before you install the certificate, an error message appears in users' browsers when they access a site that uses HTTPS
(this example shows an error message in Firefox).
After you install the certificate, users shouldn't experience a certificate security issue when they browse to sites that the
FortiGate performs SSL content inspection on.
Users can view information about the connection and the certificate that's used.
When users view information about the connection, they'll see that it's verified by the CA you created, that is, the
organization name you entered when generating the certificate (in this example, Fortinet).


When users view the certificate in the browser, they will see which certificate is used and information about that
certificate.


Why you should use SSL inspection

Most of us are familiar with HTTPS and how it protects a variety of activities on the Internet by applying SSL encryption to
web traffic.
Encryption keeps your private data safe from prying eyes. However, it also carries a risk: encrypted traffic can be used to get
around your normal defenses, because a device that cannot see inside a session cannot scan it.
For example, you might download a file containing a virus during an e-commerce session. Or you could receive a
phishing email containing a seemingly harmless downloader file that, when launched, creates an encrypted session to a
C&C server and downloads malware onto your computer. Because the sessions in these attacks are encrypted, they
might get past your network's security measures.
To protect your network from these threats, SSL inspection is the key your FortiGate uses to unlock encrypted sessions,
see into encrypted packets, find threats, and block them. SSL inspection not only protects you from attacks that use
HTTPS, but also from other commonly used encrypted protocols, such as SMTPS, POP3S, IMAPS, and FTPS.

Full SSL inspection

To make sure that all encrypted content is inspected, you must use full SSL inspection (also known as deep inspection).
When full SSL inspection is used, the FortiGate terminates the client's SSL session itself, impersonating the server the client
asked for, and decrypts and inspects the content. It then opens its own SSL session to the real server, acting as the client,
re-encrypts the content and forwards it. The server's replies take the same path in reverse.


When the FortiGate re-encrypts the content it uses a certificate stored on the FortiGate. The client must trust this
certificate to avoid certificate errors. Whether or not this trust exists depends on the client, which can be the computer’s
OS, a browser, or another application, which will likely maintain its own certificate repository.
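The recipe above (Creating a certificate with OpenSSL) and the impersonation just described, as one added example that is not part of the cookbook: a POSIX shell script that runs the recipe's two OpenSSL commands without interactive prompts, confirms the certificate carries the CA flag the FortiGate needs, then does what the FortiGate does for every inspected site, which is to issue a certificate for the server's name signed by the inspection CA, and finally validates that certificate the way a browser would, once with the CA trusted and once without. The file names fgcaprivkey.pem and fgcacert.pem are the recipe's; the passphrase, the organization name, www.example.com, the minimal openssl.cnf and the temporary working directory are assumptions. It needs the openssl command line tool (1.1.1 or later).

```shell
#!/bin/sh
# Added example, not part of the cookbook. Runs the recipe's two OpenSSL commands
# without prompts, then shows what full SSL inspection does with the resulting CA:
# issue a certificate for the real server's name and present it to the client.
# Assumptions: the passphrase, the organization, www.example.com and $WORK.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="pass:example-passphrase"   # assumed; visible in the process list, so prompt for it in production
LEAF_HOST="www.example.com"      # the site the FortiGate impersonates towards the client

# Minimal openssl.cnf (constructed) so the outcome does not depend on the system copy.
# v3_ca carries CA:TRUE, which the FortiGate needs to sign per-site certificates.
write_config() {
    cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
C  = US
O  = Example Corp
CN = Example Corp SSL Inspection CA

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Recipe steps 3 and 4: AES-256 encrypted 2048-bit RSA key, then a self-signed CA
# certificate valid for 3650 days. Both files are PEM text, not binary DER.
make_ca() {
    write_config
    openssl genrsa -aes256 -passout "$PASS" -out "$WORK/fgcaprivkey.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -extensions v3_ca -key "$WORK/fgcaprivkey.pem" \
        -passin "$PASS" -config "$WORK/ca.cnf" -out "$WORK/fgcacert.pem" 2>/dev/null
}

# What the FortiGate does per inspected site: mint a leaf certificate carrying the
# server's name and have the inspection CA sign it (names constructed here).
make_leaf() {
    openssl genrsa -out "$WORK/leaf.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/leaf.key" -subj "/CN=$LEAF_HOST" \
        -config "$WORK/ca.cnf" -out "$WORK/leaf.csr" 2>/dev/null
    cat > "$WORK/leaf.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$LEAF_HOST
EOF
    openssl x509 -req -days 365 -in "$WORK/leaf.csr" -CA "$WORK/fgcacert.pem" \
        -CAkey "$WORK/fgcaprivkey.pem" -passin "$PASS" -CAcreateserial \
        -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# Does the generated certificate really carry the CA flag? Prints yes or no.
ca_is_ca() {
    if openssl x509 -in "$WORK/fgcacert.pem" -noout -text | grep -q 'CA:TRUE'
    then echo yes; else echo no; fi
}

# Validate the per-site certificate for $LEAF_HOST the way a browser does.
#   with-ca    = fgcacert.pem imported as a trusted root
#   without-ca = no such root (the warning users click through)
# Prints OK or FAIL.
verify_leaf() {
    case "$1" in
        with-ca)    set -- -CAfile "$WORK/fgcacert.pem" ;;
        without-ca) set -- -no-CAfile -no-CApath ;;
        *)          echo "usage: verify_leaf with-ca|without-ca" >&2; return 1 ;;
    esac
    if openssl verify -verify_hostname "$LEAF_HOST" "$@" "$WORK/leaf.pem" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}

make_ca
make_leaf
echo "CA flag set:        $(ca_is_ca)"
echo "trusted with CA:    $(verify_leaf with-ca)"
echo "trusted without CA: $(verify_leaf without-ca)"
echo "output in $WORK"
```

Run it with sh; the files land in a fresh temporary directory (set WORK to choose one). The same leaf certificate that verifies cleanly with -CAfile fails without it, which is exactly the difference between a browser that has fgcacert.pem in its trust store and one that does not. Guard fgcaprivkey.pem as carefully as the copy on the FortiGate: whoever holds it can issue a certificate for any site that every client trusting the CA will accept.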
There are two deployment methods for full SSL inspection:

1. Multiple Clients Connecting to Multiple Servers:
l Uses a CA certificate (which can be uploaded using the Certificates menu)
l Typically applied to outbound policies where destinations are unknown (i.e. normal web traffic)
l Address and web category whitelists can be configured to bypass SSL inspection

2. Protecting SSL Server

l Uses a server certificate (which can be uploaded using the Certificates menu) to protect a single server
l Typically used on inbound policies to protect servers available externally through Virtual IPs
l Since this is typically deployed “outside-in” (clients on the Internet accessing server(s) on the internal side of the
FortiGate), server certificates using the public FQDN of the server are often purchased from a commercial
Certificate Authority and uploaded to the FortiGate. This avoids client applications generating SSL certificate errors
due to certificate mismatch.
More detail is available in the FortiOS Online Help. Also, check the Fortinet Knowledge Base for these technical notes:
l How to Enable SSL inspection from the CLI and Apply it to a Policy
l How to block web-based chat on Gmail webmail using App Sensor + SSL inspection

SSL certificate inspection

The FortiGate also supports a second type of SSL inspection, called SSL certificate inspection. When certificate
inspection is used, the FortiGate does not decrypt the session. It reads only the unencrypted parts of the SSL/TLS
handshake: the server name (SNI) the client requests and the certificate the server presents.
Certificate inspection is used to verify the identity of web servers and can be used to make sure that HTTPS is
not used as a workaround to access sites you have blocked using web filtering.
The only security feature that can be applied using SSL certificate inspection mode is web filtering, because the FortiGate
learns the destination but never sees the page content. Since the session is not decrypted and re-signed, this method does
not introduce certificate errors and can be a useful alternative to full SSL inspection when web filtering is all you need.
When using SSL certificate inspection, you may still get certificate errors for blocked websites, because the FortiGate
serves the replacement (block) page for that site over HTTPS using its own certificate. To prevent these errors, install the
certificate that the FortiGate uses for the block page in your browser. By default, this is the same certificate used for SSL
inspection.
For more information, see:
l Preventing certificate warnings (CA-signed certificate) on page 218.
l Preventing certificate warnings (default certificate) on page 228.
l Preventing certificate warnings (self-signed) on page 235


Troubleshooting

The most common problem with SSL inspection is users receiving SSL errors when the certificate is not trusted. This is
because, by default, the FortiGate uses a certificate that is not trusted by the client. There are several methods to fix this,
depending on whether you are using your FortiGate’s default certificate, a self-signed certificate, or a CA-signed
certificate.

Best practices

Because all traffic needs to be decrypted, inspected, and re-encrypted, using SSL inspection can reduce the overall
performance of your FortiGate. To avoid using too many resources for SSL inspection, do the following:
l Know your traffic – Know how much traffic is expected and what percentage of the traffic is encrypted. You can
also limit the number of policies that allow encrypted traffic.
l Be selective – Use whitelists or trim your policy to apply SSL inspection only where it is needed.
l Use hardware acceleration – FortiGate models with a CP6 or later content processor (CP) have an SSL/TLS protocol
processor for SSL content scanning and SSL acceleration. For more information about this, see the Hardware
Acceleration handbook.
l Test real-world SSL inspection performance yourself – Use the flexibility of FortiGate's security policy to
gradually deploy SSL inspection, rather than enabling it all at once.


VPNs

This section contains information about creating and using a virtual private network (VPN).

SSL VPN quick start

The following topics provide introductory instructions on configuring SSL VPN:
l SSL VPN split tunnel for remote user on page 246
l Connecting from FortiClient VPN client on page 249
l Set up FortiToken two-factor authentication on page 251
l Connecting from FortiClient with FortiToken on page 252

SSL VPN split tunnel for remote user

This is a sample configuration of remote users accessing the corporate network through an SSL VPN in tunnel mode using
FortiClient. Split tunneling is enabled, so only traffic for the corporate network goes through the tunnel; the users' Internet
traffic leaves their local gateway directly and is not inspected by the FortiGate.

Sample topology

Sample configuration

The WAN interface is the interface connected to the ISP. This example uses a static address; DHCP or PPPoE mode also
works. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:

1. Configure the interface and firewall address. The port1 interface connects to the internal network.
a. Go to Network > Interfaces and edit the wan1 interface.
b. Set IP/Network Mask to 172.20.120.123/255.255.255.0.
c. Edit port1 interface and set IP/Network Mask to 192.168.1.99/255.255.255.0.


d. Click OK.
e. Go to Policy & Objects > Address and create an address for internal subnet 192.168.1.0.
2. Configure user and user group.
a. Go to User & Device > User Definition to create a local user sslvpnuser1.
b. Go to User & Device > User Groups to create a group sslvpngroup with the member sslvpnuser1.
3. Configure SSL VPN web portal.
a. Go to VPN > SSL-VPN Portals to create a tunnel mode only portal my-split-tunnel-portal.
b. Enable Split Tunneling.
c. Select Routing Address to define the destination network that will be routed through the tunnel. Leave
undefined to use the destination in the respective firewall policies.
4. Configure SSL VPN settings.
a. Go to VPN > SSL-VPN Settings.
b. For Listen on Interface(s), select wan1.
c. Set Listen on Port to 10443.
d. Optionally, set Restrict Access to Limit access to specific hosts, and specify the addresses of the hosts that are
allowed to connect to this VPN.
e. Choose a certificate for Server Certificate. The default is Fortinet_Factory.
f. In Authentication/Portal Mapping All Other Users/Groups, set the Portal to tunnel-access.
g. Create new Authentication/Portal Mapping for group sslvpngroup mapping portal my-split-tunnel-portal.
5. Configure SSL VPN firewall policy.
a. Go to Policy & Objects > IPv4 Policy.
b. Fill in the firewall policy name. In this example, sslvpn split tunnel access.
c. Set Incoming Interface to the SSL-VPN tunnel interface (ssl.root).
d. Choose an Outgoing Interface. In this example, port1.
e. Set the Source to SSLVPN_TUNNEL_ADDR1 and group to sslvpngroup. The source address references the
tunnel IP addresses that the remote clients are using.
f. In this example, the Destination is 192.168.1.0.
g. Set Schedule to always, Service to ALL, and Action to Accept.
h. Click OK.

To configure SSL VPN using the CLI:

1. Configure the WAN interface.

config system interface
edit "wan1"
set vdom "root"
set ip 172.20.120.123 255.255.255.0
next
end

2. Configure the internal interface (port1), which connects to the internal network, and the protected subnet address.
config system interface
edit "port1"
set vdom "root"
set ip 192.168.1.99 255.255.255.0
next
end

config firewall address
edit "192.168.1.0"
set subnet 192.168.1.0 255.255.255.0
next
end

3. Configure user and user group.

config user local
edit "sslvpnuser1"
set type password
set passwd your-password
next
end
config user group
edit "sslvpngroup"
set member "sslvpnuser1"
next
end

4. Configure SSL VPN web portal.

config vpn ssl web portal
edit "my-split-tunnel-portal"
set tunnel-mode enable
set split-tunneling enable
set split-tunneling-routing-address "192.168.1.0"
set ip-pools "SSLVPN_TUNNEL_ADDR1"
next
end

5. Configure SSL VPN settings. The default portal applies to any authenticated user not matched by an authentication
rule, so it matches the tunnel-access portal chosen for All Other Users/Groups in the GUI steps.

config vpn ssl settings
set servercert "Fortinet_Factory"
set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
set source-interface "wan1"
set source-address "all"
set source-address6 "all"
set default-portal "tunnel-access"
config authentication-rule
edit 1
set groups "sslvpngroup"
set portal "my-split-tunnel-portal"
next
next
end

Optionally, to restrict access to specific hosts:

config vpn ssl settings
set source-address <address> <address> ... <address>
set source-address6 <address> <address> ... <address>
end

6. Configure one SSL VPN firewall policy to allow remote users to access the internal network. No policy allows traffic from
the internal network towards the SSL VPN clients, so that direction is dropped by the implicit deny.

config firewall policy
edit 1
set name "sslvpn split tunnel access"
set srcintf "ssl.root"
set dstintf "port1"
set srcaddr "SSLVPN_TUNNEL_ADDR1"
set dstaddr "192.168.1.0"
set groups "sslvpngroup"
set action accept
set schedule "always"
set service "ALL"
next
end

Connecting from FortiClient VPN client

For FortiGate administrators, a free version of FortiClient VPN is available which supports basic IPsec and SSL VPN and
does not require registration with EMS. This version does not include central management, technical support, or some
advanced features.

Downloading and installing the standalone FortiClient VPN client

You can download the free VPN client from FNDN or FortiClient.com.
When the free VPN client is run for the first time, it displays a disclaimer. You cannot configure or create a VPN
connection until you accept the disclaimer and click I accept:


Configuring an SSL VPN connection

To configure an SSL VPN connection:

1. On the Remote Access tab, click on the settings icon and then Add a New Connection.

2. Select SSL-VPN, then configure the following settings:

Connection Name SSLVPNtoHQ

Description (Optional)

Remote Gateway 172.20.120.123

Customize port 10443

Client Certificate Select Prompt on connect or the certificate from the dropdown list.

Authentication Select Prompt on login for a prompt on the connection screen

3. Click Save to save the VPN connection.

Connecting to SSL VPN

To connect to SSL VPN:

1. On the Remote Access tab, select the VPN connection from the dropdown list.
Optionally, you can right-click the FortiTray icon in the system tray and select a VPN configuration to connect.
2. Enter your username and password.
3. Click the Connect button.
4. After connecting, you can now browse your remote network. Traffic to 192.168.1.0 goes through the tunnel, while
other traffic goes through the local gateway. FortiClient displays the connection status, duration, and other relevant
information.
5. Click the Disconnect button when you are ready to terminate the VPN session.


Checking the SSL VPN connection

To check the SSL VPN connection using the GUI:

1. On the FortiGate, go to VPN > Monitor > SSL-VPN Monitor to verify the list of SSL users.
2. On the FortiGate, go to Log & Report > Forward Traffic to view the details of the SSL entry.

To check the tunnel login using the CLI:

get vpn ssl monitor

SSL VPN Login Users:
Index User Auth Type Timeout From HTTP in/out HTTPS in/out
0 sslvpnuser1 1(1) 291 10.1.100.254 0/0 0/0

SSL VPN sessions:
Index User Source IP Duration I/O Bytes Tunnel/Dest IP
0 sslvpnuser1 10.1.100.254 9 22099/43228 10.212.134.200

Set up FortiToken two-factor authentication

This configuration adds two-factor authentication (2FA) to the split tunnel configuration (SSL VPN split tunnel for remote
user on page 246). It uses one of the two free mobile FortiTokens that are already installed on the FortiGate.

To configure 2FA using the GUI:

1. Configure a user and user group.
a. Go to User & Device > User Definition and edit local user sslvpnuser1.
b. Enter the user's Email Address.
c. Enable Two-factor Authentication and select one mobile Token from the list.
d. Enable Send Activation Code and select Email.
e. Click Next and click Submit.
2. Activate the mobile token.
When a FortiToken is added to user sslvpnuser1, an email is sent to the user's email address. Follow the
instructions to install your FortiToken mobile application on your device and activate your token.

To configure 2FA using the CLI:

1. Configure a user and user group.

config user local
edit "sslvpnuser1"
set type password
set two-factor fortitoken
set fortitoken <select mobile token for the option list>
set email-to <user's email address>
set passwd <user's password>
next
end
config user group
edit "sslvpngroup"
set member "sslvpnuser1"

FortiOS 6.0.0 Cookbook 251


Fortinet Inc.
VPNs

next
end

2. Activate the mobile token.
When a FortiToken is added to user sslvpnuser1, an email is sent to the user's email address. Follow the
instructions to install your FortiToken mobile application on your device and activate your token.

Connecting from FortiClient with FortiToken

To activate your FortiToken:

1. On your device, open FortiToken Mobile. If this is your first time opening the application, it may prompt you to create
a PIN for secure access to the application and tokens.

2. When the activation email arrives, select + in FortiToken Mobile and use the device camera to scan the token QR code
in the email.
3. FortiToken Mobile provisions and activates your token and generates token codes immediately. To view the OTP's
digits, select the eye icon. After you open the application, FortiToken Mobile generates a new six-digit OTP every 30
seconds.

To connect to SSL VPN:

1. On the Remote Access tab, select the VPN connection from the dropdown list.
Optionally, you can right-click the FortiTray icon in the system tray and select a VPN configuration to connect.
2. Enter your username and password.
3. Click the Connect button.
4. A Token field will appear, prompting you for the FortiToken code. Enter the FortiToken code from your Mobile
device.
5. After connecting, you can now browse your remote network. Traffic to 192.168.1.0 goes through the tunnel, while
other traffic goes through the local gateway. FortiClient displays the connection status, duration, and other relevant
information.
6. Click the Disconnect button when you are ready to terminate the VPN session.


SSL VPN using web and tunnel mode

In this example, you will allow remote users to access the corporate network using an SSL VPN, connecting either by
web mode using a web browser or tunnel mode using FortiClient.
Web mode allows users to access network resources, such as the AdminPC used in this example.
For users connecting via tunnel mode, traffic to the Internet will also flow through the FortiGate, to apply security
scanning to this traffic. During the connecting phase, the FortiGate will also verify that the remote user’s antivirus
software is installed and up-to-date.
This recipe is in the Basic FortiGate network collection. You can also use it as a standalone recipe.

Editing the SSL VPN portal

1. To edit the full-access SSL VPN portal, go to VPN > SSL-VPN Portals. The full-access portal allows the use of
tunnel mode and web mode.
2. Under Tunnel Mode, disable Split Tunneling for both IPv4 and IPv6 traffic so that all Internet traffic goes through the
FortiGate and is subject to its security scanning.
3. Set Source IP Pools to use the default IP range SSLVPN_TUNNEL_ADDR1.


4. Under Enable Web Mode, create Predefined Bookmarks for any internal resources that the SSL VPN users need
to access. In the example, the bookmark allows the remote user RDP access to a computer on the internal network.


Configuring the SSL VPN tunnel

1. To configure the SSL VPN tunnel, go to VPN > SSL-VPN Settings.
2. Set Listen on Interface(s) to wan1. To avoid port conflicts, set Listen on Port to 10443.
3. Set Restrict Access to Allow access from any host.
Optionally, set Restrict Access to Limit access to specific hosts and specify the addresses of the hosts that are
allowed to connect to this VPN.
4. In the example, the Fortinet_Factory certificate is used as the Server Certificate. To ensure that traffic is secure,
you should use your own CA-signed certificate. For more information about using certificates, see Preventing
certificate warnings (CA-signed certificates).


5. Under Tunnel Mode Client Settings, set IP Ranges to use the default IP range SSLVPN_TUNNEL_ADDR1.

6. Under Authentication/Portal Mapping, click Create New to add the Employee user group and map it to the full-
access portal.
7. If necessary, map a portal for All Other Users/Groups.


Adding security policies

1. To add an address for the local network, go to Policy & Objects > Addresses.
2. Set Type to Subnet, Subnet/IP Range to the local subnet, and Interface to lan.

3. To create a security policy allowing access to the internal network through the VPN tunnel interface, go to Policy &
Objects > IPv4 Policy.
4. Set Incoming Interface to ssl.root and Outgoing Interface to lan. Select Source and set Address to all and
User to the Employee user group. Set Destination to the local network address and Service to ALL. In this example NAT
is enabled; with NAT on, internal hosts see the FortiGate's lan interface address instead of the client's tunnel IP, so
leave NAT off if you want per-user attribution in internal server logs.


5. Add a second security policy allowing SSL VPN access to the Internet.

If you are allowing split tunneling, this policy is not required.

6. For this policy, set Incoming Interface to ssl.root and Outgoing Interface to wan1. Select Source and set
Address to all and User to the Employee user group.

Verifying remote user OS and software

To verify that remote users are using up-to-date devices to connect to your network, you can configure a host check for
both operating system (supported for Windows and Mac OS) and software.
You can configure an OS host check for specific OS versions. This check includes the following options: allow the device
to connect, block the device, or check that the OS is up-to-date. The default action for all OS versions is allow.
The software host check can verify whether the device has AntiVirus software recognized by Windows Security Center,
firewall software recognized by Windows Security Center, both, or a custom setting.
Configure both checks using the CLI:
config vpn ssl web portal
edit full-access
set os-check enable
config os-check-list {macos-high-sierra-10.13 | macos-sierra-10.12 | os-x-el-capitan-10.11 |
os-x-mavericks-10.9 | os-x-yosemite-10.10 | windows-7 | windows-8 | windows-8.1 | windows-10 |
windows-2000 | windows-vista | windows-xp}
set action {deny | allow | check-up-to-date}
end
set host-check {av | fw | av-fw | custom}
end

Results

The steps for connecting to the SSL VPN differ depending on whether you are using a web browser or FortiClient.

Web browsers

1. Using a supported Internet browser, connect to the SSL VPN web portal using the remote gateway configured in the
SSL VPN settings (in the example, https://172.25.176.62:10443).
2. Log in to the SSL VPN.

3. After authenticating, you can access the SSL-VPN Portal. From this portal, you can launch or download FortiClient,
access Bookmarks, or connect to other resources using the Quick Connection tool.


In this example, selecting the bookmark enables you to connect to the AdminPC.


4. To connect to the Internet, select Quick Connection. Select HTTP/HTTPS, then enter the URL and select Launch.

The website loads.

5. To view the list of users currently connected to the SSL VPN, go to Monitor > SSL-VPN Monitor. The user is
connected to the VPN.

6. If a remote device fails the OS or host check, a warning message appears after authentication instead of the portal.


FortiClient

1. If you have not done so already, download FortiClient from www.forticlient.com.
2. Open the FortiClient Console and go to Remote Access. Add a new connection.
3. Set VPN Type to SSL VPN, set Remote Gateway to the IP of the listening FortiGate interface (in the example,
172.25.176.62). Select Customize Port and set it to 10443.
4. Select Add.

5. Log in to the SSL VPN.

You are able to connect to the VPN tunnel.


6. To view the list of users currently connected to the SSL VPN, go to Monitor > SSL-VPN Monitor. The user is
connected to the VPN.

SSL VPN with RADIUS and FortiToken

In this recipe, you configure a FortiAuthenticator as a RADIUS server to use with a FortiGate SSL VPN. Remote users
connect to the SSL VPN using FortiClient and use FortiToken for two-factor authentication.
If you do not already have an SSL VPN tunnel configured, see SSL VPN using web and tunnel mode.

Creating a user and a user group

1. To create a user account, connect to the FortiAuthenticator, go to Authentication > User Management > Local
Users, and select Create New.


2. Enter a Username and set Password creation to Specify a password. Enter and confirm the password. Enable
Allow RADIUS authentication and set Role to User.
3. After you create the user, more options are available. Edit the account and enable Token-based authentication.

4. Set Deliver token code by to FortiToken. Set FortiToken Mobile to an available FortiToken. Set Delivery
method to Email.
5. Under User Information, set Email to the user’s email address.
6. To create a user group, go to Authentication > User Management > User Groups and select Create New. Add
the new user to the group.


7. After you create the user group, more options are available. Edit the group and create a new RADIUS attribute. Set
Vendor to Fortinet, set Attribute ID to Fortinet-Group-Name, and set Value to the name of the group (in the
example, SSL_VPN_RADIUS).

Creating the RADIUS client

1. To create a RADIUS client, go to Authentication > RADIUS Service > Clients, and select Create New.
2. Enter a Name for the client. Set Client address to IP/Hostname and enter the IP address of the FortiGate (in the
example, 172.25.176.62). Set a Secret for the client.


3. Under User Authentication, set Authentication method to Apply two-factor authentication if available. Select
Enable FortiToken Mobile push notifications authentication.

4. For Realms, set the default realm to local | Local users. Under Groups, enable Filter and set it to the user group.

Connecting the FortiGate to FortiAuthenticator

1. To add the FortiAuthenticator as a RADIUS server for FortiGate, connect to the FortiGate, go to User & Device >
RADIUS Servers and select Create New.


2. Set a Name for the server and set Authentication method to Default.

3. Under Primary Server, set IP/Name to the IP address of the FortiAuthenticator (in this example, 172.25.176.141)
and set Secret to the same secret you configured on the FortiAuthenticator.
4. Select Test Connectivity to make sure you used the proper settings.
5. To import the user group, go to User & Device > User Groups and create a new group.

6. Set a Name for the group. Under Remote Groups, select +Add and select the RADIUS server. Set Groups to the
RADIUS attribute you assigned to the group (in the example, SSL_VPN_RADIUS).


Allowing users to connect to the VPN

1. To configure SSL VPN authentication, go to VPN > SSL-VPN Settings.

2. Under Authentication/Portal Mapping, create a new entry for the RADIUS group. Set Portal to tunnel-access,
which allows users to connect using FortiClient.
3. To allow the new group access to the VPN, go to Policy & Objects > IPv4 Policy and edit the policy for the SSL
VPN. Select Source and set User to include the RADIUS group.


Results

1. Log in to the SSL VPN.
2. Enter the FortiToken code when it is requested.


3. You are connected to the VPN tunnel.


FortiToken Mobile Push for SSL VPN

In this recipe, you set up FortiAuthenticator to function as a RADIUS server to authenticate SSL VPN users using
FortiToken Mobile Push two-factor authentication. With Push notifications enabled, the user can easily accept or deny
the authentication request.
For this configuration, you:
l Create a user on the FortiAuthenticator.
l Assign a FortiToken Mobile license to the user.
l Create the RADIUS client (FortiGate) on the FortiAuthenticator, and enable FortiToken Mobile Push notifications.
l Connect the FortiGate to the RADIUS server (FortiAuthenticator).
l Create an SSL VPN on the FortiGate, allowing internal access for remote users.
The following names and IP addresses are used:
l Username: gthreepwood
l User group: RemoteFTMUsers
l RADIUS server: OfficeRADIUS
l RADIUS client: OfficeServer
l SSL VPN user group: SSLVPNGroup
l FortiAuthenticator: 172.25.176.141
l FortiGate: 172.25.176.92
For the purposes of this recipe, a FortiToken Mobile free trial token is used. This recipe also assumes that the user has
already installed the FortiToken Mobile application on their smartphone. You can install the application for Android and
iOS. For details, see:


l FortiToken Mobile for Android
l FortiToken Mobile for iOS

Adding FortiToken to FortiAuthenticator

1. On the FortiAuthenticator, go to Authentication > User Management > FortiTokens, and select Create New.
2. Set Token type to FortiToken Mobile, and enter the FortiToken Activation codes in the field provided.

Adding user to FortiAuthenticator

1. On the FortiAuthenticator, go to Authentication > User Management > Local Users, and select Create New.
2. Enter a Username (gthreepwood) and enter and confirm the user password.

3. Enable Allow RADIUS authentication, and select OK to access additional settings.

4. Enable Token-based authentication and select to deliver the token code by FortiToken. Select the FortiToken
added earlier from the FortiToken Mobile drop-down menu.
5. Set Delivery method to Email. This will automatically open the User Information section where you can enter the
user email address in the field provided.

6. Next, go to Authentication > User Management > User Groups, and select Create New.
7. Enter a Name (RemoteFTMUsers) and add gthreepwood to the group by moving the user from Available users to
Selected users.

8. The FortiAuthenticator sends the FortiToken Mobile activation to the user’s email address. If the email does not
appear in the inbox, check the spam folder.
9. The user activates their FortiToken Mobile through the FortiToken Mobile application by either entering the
activation code provided or by scanning the QR code attached.

Creating the RADIUS client on FortiAuthenticator

1. On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients, and select Create New to add the
FortiGate as a RADIUS client.
2. Enter a Name (OfficeServer), the IP address of the FortiGate, and set a Secret. The secret is a pre-shared secure
password that the FortiGate will use to authenticate to the FortiAuthenticator.
3. Set Authentication method to Enforce two-factor authentication and check the Enable FortiToken Mobile
push notifications authentication checkbox.

Note the Username input format. This is the format that the user must use to enter their
username in the web portal, made up of their username and realm. In this example, the full
username for gthreepwood is "gthreepwood@local".

4. Set Realms to local | Local users, and add RemoteFTMUsers to the Groups filter.

Connecting the FortiGate to the RADIUS server

1. On the FortiGate, go to User & Device > RADIUS Servers, and select Create New to connect to the RADIUS
server (FortiAuthenticator).
2. Enter a Name (OfficeRADIUS), the IP address of the FortiAuthenticator, and enter the Secret created before.
3. Select Test Connectivity to be sure you can connect to the RADIUS server. Then select Test User Credentials
and enter the credentials for gthreepwood.

4. Because the user has been assigned a FortiToken, the test should come back stating that More validation is required.
5. The FortiGate can now connect to the FortiAuthenticator as the RADIUS client configured earlier.

6. Then go to User & Device > User Groups, and select Create New to map authenticated remote users to a user
group on the FortiGate.
7. Enter a Name (SSLVPNGroup) and select Add under Remote Groups.

8. Select OfficeRADIUS under the Remote Server drop-down menu, and leave the Groups field blank.

Configuring the SSL VPN

1. On the FortiGate, go to VPN > SSL-VPN Portals, and edit the full-access portal.
2. Toggle Enable Split Tunneling so that it is disabled.

3. Then go to VPN > SSL-VPN Settings.


4. Under Connection Settings set Listen on Interface(s) to wan1 and Listen on Port to 10443.
5. Under Tunnel Mode Client Settings, select Specify custom IP ranges. The IP Ranges should be set to
SSLVPN_TUNNEL_ADDR1 and the IPv6 version by default.
6. Under Authentication/Portal Mapping, select Create New.
7. Set the SSLVPNGroup user group to the full-access portal, and assign All Other Users/Groups to web-access.
This will grant all other users access to the web portal only.
8. Go to Policy & Objects > IPv4 Policy and create a new SSL VPN policy.
9. Set Incoming Interface to the SSL-VPN tunnel interface and set Outgoing Interface to the Internet-facing
interface (in this case, wan1).
10. Set Source to the SSLVPNGroup user group and the all address.
11. Set Destination Address to all, Schedule to always, Service to ALL, and enable NAT.

Results

1. From a remote device, open a web browser and navigate to the SSL VPN web portal (https://<fortigate-ip>:10443).
2. Enter gthreepwood's credentials and select Login. Use the correct format (in this case, username@realm), as per
the client configuration on the FortiAuthenticator.

3. The FortiAuthenticator will then push a login request notification through the FortiToken Mobile application. Select
Approve.
4. Upon approving the authentication, gthreepwood is successfully logged into the SSL VPN portal.

5. On the FortiGate, go to Monitor > SSL-VPN Monitor to confirm the user’s connection.

IPsec VPN with FortiClient

In this example, you allow remote users to access the corporate network using an IPsec VPN that they connect to using
FortiClient. The remote user's Internet traffic is also routed through the FortiGate (split tunneling will not be enabled).
Optionally, you can create a user that uses two-factor authentication, and an LDAP user.

Adding a firewall address

1. To create a new firewall address, go to Policy & Objects > Addresses and select Create New > Address.
2. Set Category to Address and enter a Name. Set Type to Subnet, Subnet/IP Range to the local subnet, and
Interface to lan.

Configuring the IPsec VPN

1. To create the VPN, go to VPN > IPsec Wizard and create a new tunnel using a pre-existing template.
2. Name the VPN. The tunnel name cannot include any spaces or exceed 13 characters. Set Template to Remote
Access, and set Remote Device Type to FortiClient VPN for OS X, Windows, and Android.

3. Set the Incoming Interface to wan1 and Authentication Method to Pre-shared Key.
4. Enter a pre-shared key. This pre-shared key is a credential for the VPN and should differ from the user password.
Select the Employees group.

5. Set Local Interface to lan and set Local Address to the local network address.

6. Enter a Client Address Range for VPN users. The IP range you enter here prompts FortiOS to create a new
firewall object for the VPN tunnel using the name of your tunnel followed by the _range suffix (in the example, IPsec-
FCT_range).
7. Make sure Enable IPv4 Split Tunnel is not selected, so that all Internet traffic will go through the FortiGate. If you
do select Enable Split Tunneling, traffic not intended for the corporate network will not flow through the FortiGate
or be subject to the corporate security profiles.

8. Select Client Options as desired.

9. After you create the tunnel, a summary page appears listing the objects which have been added to the FortiGate’s
configuration by the wizard.

10. If multiple dialup IPsec VPNs are defined for the same dialup server interface, each phase1 configuration must
define a unique peer ID to distinguish the tunnel that the remote client is connecting to:
a. Go to VPN > IPsec Tunnels and edit the just created tunnel.
b. Click Convert To Custom Tunnel.
c. In the Authentication section, click Edit.

d. Under Peer Options, set Accept Types to Specific peer ID.


e. In the Peer ID field, enter a unique ID, such as dialup1.
f. Click OK.
11. To view the VPN interface created by the wizard, go to Network > Interfaces.

12. To view the firewall address created by the wizard, go to Policy & Objects > Addresses.

13. To view the security policy created by the wizard, go to Policy & Objects > IPv4 Policy.

Creating a security policy

The IPsec wizard automatically created a security policy allowing IPsec VPN users to access the internal network.
However, since split tunneling is disabled, another policy must be created to allow users to access the Internet through
the FortiGate.
1. To create a new policy, go to Policy & Objects > IPv4 Policies and select Create New. Set a policy name that will
identify what this policy is used for (in the example, IPsec-VPN-Internet).
2. Set Incoming Interface to the tunnel interface and Outgoing Interface to wan1. Set Source to the IPsec client
address range, Destination Address to all, Service to ALL, and enable NAT.

3. Configure any remaining firewall and security options as desired.

Add FortiToken two-factor authentication

This configuration adds two-factor authentication (2FA) to the FortiClient dialup VPN configuration (Configuring the
IPsec VPN on page 286). It uses one of the two free mobile FortiTokens that is already installed on the FortiGate.

To configure 2FA using the GUI:

1. Configure a user:
a. Go to User & Device > User Definition and create or edit local user twoFAuser1.
b. Enter the user's Email Address.
c. Enable Two-factor Authentication and select one mobile Token from the list.
d. Enable Send Activation Code and select Email.
e. Click Next and click Submit.
2. Add the user to the group:
a. Go to User & Device > User Groups and edit the Employees group.
b. Add twoFAuser1 to the Members list.
c. Click OK.
3. Activate the mobile token.
a. When a FortiToken is added to user twoFAuser1, an email is sent to the user's email address. Follow the
instructions to install your FortiToken mobile application on your device and activate your token.

To configure 2FA using the CLI:

1. Configure a user and user group.

config user local
    edit "twoFAuser1"
        set type password
        set two-factor fortitoken
        set fortitoken <select mobile token from the option list>
        set email-to <user's email address>
        set passwd <user's password>
    next
end
config user group
    edit "Employees"
        append member "twoFAuser1"
    next
end

2. Activate the mobile token.
a. When a FortiToken is added to user twoFAuser1, an email is sent to the user's email address. Follow the
instructions to install your FortiToken mobile application on your device and activate your token.

Add LDAP user authentication

This configuration adds LDAP user authentication to the FortiClient dialup VPN configuration (Configuring the IPsec
VPN on page 286). You must have already generated and exported a CA certificate from your AD server.

To configure LDAP user authentication using the GUI:

1. Import the CA certificate into FortiGate:
a. Go to System > Certificates.
If the Certificates option is not visible, enable it in Feature Visibility.
b. Click Import > CA Certificate.
c. Set Type to File.
d. Click Upload then find and select the certificate file.
e. Click OK.
The CA certificate now appears in the list of External CA Certificates. In this example, it is called CA_Cert_1.
f. Optionally, rename the system generated CA_Cert_1 to something more descriptive:

config vpn certificate ca
    rename CA_Cert_1 to LDAPS-CA
end

2. Configure the LDAP user:
a. Go to User & Device > LDAP Servers and click Create New.
b. Set Name to ldaps-server and specify Server IP/Name.
c. Specify Common Name Identifier and Distinguished Name.
d. Set Bind Type to Regular.
e. Specify Username and Password.
f. Enable Secure Connection and set Protocol to LDAPS.

g. For Certificate, select LDAP server CA LDAPS-CA from the list.
h. Click OK.
3. Add the LDAP user to the user group:
a. Go to User & Device > User Groups and edit the Employees group.
b. In Remote Groups, click Add to add the ldaps-server remote server.
c. Click OK.

To configure LDAP user authentication using the CLI:

1. Import the CA certificate using the GUI.

2. Configure the LDAP user:

config user ldap
    edit "ldaps-server"
        set server "172.20.120.161"
        set cnid "cn"
        set dn "cn=Users,dc=qa,dc=fortinet,dc=com"
        set type regular
        set username "CN=Administrator,cn=users,DC=qa,DC=fortinet,DC=com"
        set password **********
        set group-member-check group-object
        set secure ldaps
        set ca-cert "LDAPS-CA"
        set port 636
    next
end

3. Add the LDAP user to the user group:

config user group
    edit "Employees"
        append member "ldaps-server"
    next
end

Configuring FortiClient

1. To add the VPN connection, open FortiClient, go to Remote Access and click Add a new connection.
2. Set the VPN to IPsec VPN and Remote Gateway to the FortiGate IP address.

3. Set Authentication Method to Pre-Shared Key and enter the pre-shared key configured on the FortiGate.

4. Expand Advanced Settings > Phase 1 and in the Local ID field, enter dialup1.
5. Configure remaining settings as needed, then click Save.

Results

1. On FortiClient, select the VPN, enter the username and password, and select Connect.

2. If 2FA is configured, a Token field will appear, prompting you for the FortiToken code. Enter the FortiToken code
from your mobile device.

3. Once the connection is established, the FortiGate assigns the user an IP address and FortiClient displays the status
of the connection, including the IP address, connection duration, and bytes sent and received.

4. On the FortiGate, go to Monitor > IPsec Monitor and verify that the tunnel Status is Up.
5. Under Remote Gateway, the monitor shows the FortiClient user’s assigned gateway IP address.

One-Click VPN (OCVPN)

In this recipe, you use the cloud-assisted OCVPN solution to greatly simplify the provisioning and configuration of IPsec
VPN.
Note the following limitations:
• The FortiGate must be registered with a valid FortiCare Support license. You can verify the status of your FortiCare
Support contract under System > FortiGuard.
• Only full-mesh VPN configurations using PSK cryptography are supported.
• Public IPs must be used (FortiGates behind NAT cannot participate).
• Non-root VDOMs and FortiGate VMs are not supported.
• Up to 16 nodes can be added to the OCVPN cloud, each with a maximum of 16 subnets.
• OCVPN with SD-WAN is not currently supported.
You can repeat the "Enabling OCVPN" section to add up to 16 nodes to the OCVPN cloud (barring the above
limitations), but you will configure only two nodes in this example.

Enabling OCVPN

1. On FGT_1, go to VPN > One-Click VPN Settings.


2. Set Status to Enabled and confirm Cloud Status. This may take a minute or two.
3. As indicated, a green checkmark appears along with the message Connected to the cloud service.

4. Finally, add the required Subnets from FGT_1.

5. On FGT_2, repeat steps 1 to 4.


6. Enable and confirm connection to the cloud service, and then add the required subnets from FGT_2.

Confirming cloud membership

1. In the Cloud Members table on FGT_1, click Refresh and confirm the entries.
The remote gateway and corresponding subnets for each device should populate the list.

2. You can perform step 1 on any FortiGate that is a member of the OCVPN cloud.
FGT_2 should return the same results as in step 1.

Results

As the Cloud Members table populates, the OCVPN cloud updates each member automatically.
You can now verify that the remainder of the configuration has also been created, and proceed to test the tunnel.
1. On either FortiGate, go to VPN > IPsec Tunnels and confirm the entry of a new tunnel with the prefix _OCVPN.

2. Go to Network > Static Routes and confirm the new static routes.

3. Go to Policy & Objects > IPv4 Policy and confirm the new policies.

4. Go to Monitor > IPsec Monitor and verify that the tunnel status is Up.

5. Go to Log & Report > VPN Events and view the tunnel statistics.

6. Using Command Prompt/Terminal, attempt a ping from one internal network to the other. Ping should be
successful:

7. Now, disable OCVPN (VPN > One-Click VPN Settings) and repeat the ping attempt to confirm that OCVPN was
indeed responsible for the successful ping above:

8. Re-enable OCVPN.

Troubleshooting

The following diagnose commands can be useful.


To verify OCVPN status, use the following command:

To view device states, use the following command:

The log report example is truncated.

To print a log report, use the following command:

To view a list of OCVPN cloud members, use the following command:

Site-to-site IPsec VPN with two FortiGate devices

In this recipe, you create a site-to-site IPsec VPN tunnel to allow communication between two networks that are located
behind different FortiGate devices. You use the VPN Wizard’s Site to Site – FortiGate template to create the VPN
tunnel on both FortiGate devices.
In this example, one FortiGate is called HQ and the other is called Branch.

Configuring IPsec VPN on HQ

1. To create a new IPsec VPN tunnel, connect to HQ, go to VPN > IPsec Wizard, and create a new tunnel.
2. In the VPN Setup step, set Template Type to Site to Site, set Remote Device Type to FortiGate, and set NAT
Configuration to No NAT between sites.

3. In the Authentication step, set IP Address to the public IP address of the Branch FortiGate (in the example,
172.25.177.46).
4. After you enter the IP address, the wizard automatically assigns an interface as the Outgoing Interface. If you want
to use a different interface, select it from the drop-down menu.
5. Set a secure Pre-shared Key.

6. In the Policy & Routing step, set Local Interface to lan. The wizard adds the local subnet automatically. Set
Remote Subnets to the Branch network’s subnet (in the example, 192.168.13.0/24).
7. Set Internet Access to None.

8. A summary page shows the configuration created by the wizard, including interfaces, firewall addresses, routes,
and policies.

9. To view the VPN interface created by the wizard, go to Network > Interfaces.

10. To view the firewall addresses created by the wizard, go to Policy & Objects > Addresses.

11. To view the routes created by the wizard, go to Network > Static Routes.

12. To view the policies created by the wizard, go to Policy & Objects > IPv4 Policy.

Configuring IPsec VPN on Branch

1. To create a new IPsec VPN tunnel, connect to Branch, go to VPN > IPsec Wizard, and create a new tunnel.
2. In the VPN Setup step, set Template Type to Site to Site, set Remote Device Type to FortiGate, and set NAT
Configuration to No NAT between sites.

3. In the Authentication step, set IP Address to the public IP address of the HQ FortiGate (in the example,
172.25.176.62).
4. After you enter the IP address, the wizard automatically assigns an interface as the Outgoing Interface. If you want
to use a different interface, select it from the drop-down menu.
5. Set the secure Pre-shared Key that was used for the VPN on HQ.

6. In the Policy & Routing step, set Local Interface to lan. The wizard adds the local subnet automatically. Set
Remote Subnets to the HQ network’s subnet (in the example, 192.168.65.0/24).

7. Set Internet Access to None.

8. A summary page shows the configuration created by the wizard, including interfaces, firewall addresses, routes,
and policies.

9. To bring the VPN tunnel up, go to Monitor > IPsec Monitor. Right-click under Status and select Bring Up.

Results

Users on the HQ internal network can access resources on the Branch internal network and vice versa.

To test the connection, ping HQ’s LAN interface from a device on the Branch internal network.

Fortinet Security Fabric over IPsec VPN

In this recipe, you add FortiTelemetry traffic to an existing IPsec VPN site-to-site tunnel between two FortiGate devices,
in order to add a remote FortiGate to the Security Fabric. You also allow the remote FortiGate to access the
FortiAnalyzer for logging.
If you do not already have a site-to-site VPN created, see Site-to-site IPsec VPN with two FortiGate devices on page 301.

In this example, an HA cluster called Edge is the root FortiGate in the Security Fabric and a FortiGate called Branch is
the remote FortiGate.

Configuring tunnel interfaces

1. To configure Edge to listen for FortiTelemetry traffic over the VPN, connect to Edge, go to Network > Interfaces,
and edit the tunnel interface.
2. Set IP to the local IP address for this interface (10.10.10.1) and Remote IP/Network mask to the IP address for the
Branch tunnel interface (10.10.10.2/32).
3. Under Administrative Access, enable FortiTelemetry.

4. Connect to Branch, go to Network > Interfaces, and edit the tunnel interface.
5. Set IP to the local IP address for this interface (10.10.10.2) and Remote IP/Network mask to the IP address for the
Edge tunnel interface (10.10.10.1/32).

Adding tunnel interfaces to the VPN

1. To create an address for the Edge tunnel interface, connect to Edge, go to Policy & Objects > Addresses, and
create a new address.
2. Set Category to Address and set Subnet/IP Range to the IP address for the Edge tunnel interface
(10.10.10.1/32).

3. Create a second address for the Branch tunnel interface. For this address, enable Static Route Configuration.

4. To allow VPN traffic between the Edge tunnel interface and the Branch tunnel interface, go to VPN > IPsec
Tunnels, and edit the VPN tunnel. Select Convert To Custom Tunnel.
5. Under Phase 2 Selectors, create a new Phase 2. Set Local Address to use a Named Address and select the
address for the Edge tunnel interface. Set Remote Address to use a Named Address, and select the address for
the Branch tunnel interface.

6. To route traffic to the Branch tunnel interface, go to Network > Static Routes, and create a new route.
7. Set Destination to Named Address, and select the address for the Branch tunnel interface. Set Device to the
tunnel interface.

8. To allow traffic between the tunnel interfaces, go to Policy & Objects > IPv4 Policy and edit the policy allowing
local VPN traffic.
9. Set Source to include the Edge tunnel interface and Destination to include the Branch tunnel interface. To
configure this, you must have Multiple Interface Policies enabled. If you have not done this already, go to System >
Feature Visibility.

10. Edit the policy allowing remote VPN traffic to include the tunnel interfaces.

11. On Branch, repeat steps 1 to 10 to include the following:
• Addresses for both tunnel interfaces (enable Static Route Configuration for the Edge tunnel interface
address)
• A Phase 2 that allows traffic between the Branch tunnel interface and the Edge tunnel interface
• A static route to the Edge tunnel interface
• Edited policies that allow traffic to flow between the tunnel interfaces

12. To allow the new phase 2 to take effect, go to Monitor > IPsec Monitor, and restart the VPN tunnel.

Authorizing Branch for the Security Fabric

1. You can authorize a FortiGate, FortiAP, or FortiSwitch to join the Security Fabric by using the device's serial
number, rather than sharing the password for the Security Fabric (the Group password option is not available in
FortiOS 6.0.3 and later). To authorize Branch, connect to Edge, and enter the following CLI command:

2. To add Branch to the Security Fabric, connect to Branch, and go to Security Fabric > Settings.
3. Enable FortiGate Telemetry. Set the Group name. Leave Group password blank (the Group password option
is not available in FortiOS 6.0.3 and later). Enable Connect to upstream FortiGate. Set FortiGate IP to the IP
address of the Edge tunnel interface.

4. To verify that Branch is now part of the Security Fabric, connect to Edge, and go to Security Fabric > Settings.
Branch appears in the Topology.

Allowing Branch to access the FortiAnalyzer

1. To create an address for the FortiAnalyzer, connect to Branch, go to Policy & Objects > Addresses, and create a
new address. Enable Static Route Configuration.

2. To allow VPN traffic between the FortiAnalyzer and the Branch tunnel interface, go to VPN > IPsec Tunnels, and
create a new Phase 2.

3. To route traffic to the FortiAnalyzer, go to Network > Static Routes, and create a new route.

4. On Edge, repeat this step to create an address for FortiAnalyzer and a new Phase 2 that allows traffic between the
FortiAnalyzer and the Branch tunnel interface. Edge doesn’t require a new static route.
5. To allow traffic between Branch and the FortiAnalyzer, go to Policy & Objects > IPv4 Policy, and create a new
policy.
6. Set Incoming Interface to the VPN interface, and set Outgoing Interface to the interface that connects to the
FortiAnalyzer (in the example, port16). Set Source to the Branch tunnel interface, and set Destination to the
FortiAnalyzer.

7. Enable NAT for this policy.

8. To authorize the Branch FortiGate on the FortiAnalyzer, connect to the FortiAnalyzer, and go to Device Manager >
Unregistered.
9. Select Branch, then select +Add to register Branch.

10. Branch now appears as Registered.

Results

To view Branch as part of the Security Fabric topology, connect to Edge and go to Security Fabric > Logical
Topology. Branch is shown as part of the Security Fabric, connecting over the IPsec VPN tunnel.

Desynchronizing settings for Branch (optional)

1. If you don’t want Branch to automatically use the settings that Edge pushes for the FortiAnalyzer, FortiSandbox, and
FortiManager, use the following CLI command to configure these settings locally:

2. Go to Security Fabric > Settings. You can now configure the settings for FortiAnalyzer logging, Central
Management, and Sandbox Inspection. You can also choose to use local logging rather than sending logs to a
FortiAnalyzer.

This option is available for all FortiGate devices in the Security Fabric, except for the root
FortiGate.

Site-to-site IPsec VPN with overlapping subnets

In this recipe, you create a route-based IPsec VPN tunnel, as well as configure both source and destination NAT, to
allow transparent communication between two overlapping networks that are located behind different FortiGates.
In this example, one FortiGate will be referred to as HQ and the other as Branch. They both have 192.168.1.0/24 in use
as their internal network (LAN), but both LANs need to be able to communicate to each other through the IPsec tunnel.

Planning the new addressing scheme

In order for overlapping subnets to be able to communicate over a route-based IPsec tunnel, new virtual subnets of
equal size must be decided upon and used for all communication between the two overlapping subnets.

Devices on both local networks DO NOT need their IP addresses changed. However, the
devices/users will need to be sure to use the new subnet range of the remote network when
communicating across the tunnel.

In this example, you perform a one-to-one mapping of HQ’s 192.168.1.0/24 network to 10.1.1.0/24, and Branch’s
192.168.1.0/24 network to 10.2.2.0/24. This will allow HQ clients to use Branch’s new subnet to communicate to Branch
clients, and vice-versa.

Configuring the IPsec VPN on HQ

1. To create the tunnel on HQ, connect to HQ and go to VPN > IPsec Tunnels.
2. In the VPN Setup step, set Template Type to Custom and enter VPN-to-Branch for the Name.

3. Enter Branch’s public IP address (in the example, 172.25.177.46) for the IP Address, and select HQ’s WAN
interface for Interface (in the example, wan1).

4. Enter a secure key for the Pre-shared Key. Later, you will enter the same key in the "Configuring the IPsec VPN on
Branch" section.

5. Type the new address ranges selected in the "Planning the new addressing scheme" section for HQ and Branch’s
LAN in the Local Address and Remote Address fields (in the example, 10.1.1.0/24 and 10.2.2.0/24, respectively).

6. Optionally, expand Advanced and enable Auto-negotiate.

Configuring static routes on HQ

1. To create the necessary routes on HQ, go to Network > Static Routes and select Create New.
2. Enter the new subnet created in the "Planning the new addressing scheme" section for Branch’s LAN in the
Destination field, and select the VPN tunnel created in the "Configuring the IPsec VPN on HQ" section as the
Interface (in the example, this is 10.2.2.0/24 and VPN-to-Branch).

3. Create an additional route with the same Destination as the previous route, but this time change the
Administrative Distance to 200 and select Blackhole as the Interface. This is the best practice for route-based
IPsec VPN tunnels, as it ensures traffic for the remote FortiGate's subnet is not sent using the default route in the
event that the IPsec tunnel goes down.

Configuring address objects on HQ

1. To create address objects you will utilize in a later step, navigate to Policy & Objects > Addresses and select
Create New > Address.
2. Enter HQ-original for the Name, the original LAN subnet of HQ for Subnet (in the example, 192.168.1.0/24), and
select the LAN-side interface for Interface (in the example, internal).

3. Repeat the process to create an additional new address object.


4. Enter Branch-new for the Name, the new LAN subnet of Branch for Subnet (in the example, 10.2.2.0/24), and
select the VPN interface for Interface (in the example, VPN-to-Branch).

5. To create an IP Pool, navigate to Policy & Objects > IP Pools and select Create New.
6. Enter HQ-new for the Name and select Fixed Port Range for Type. For the External IP Range enter the new
subnet for HQ (in the example, 10.1.1.1 – 10.1.1.254). You do not need to include the network address or the
broadcast address for the subnet in the External IP Range of the IP Pool. For the Internal IP Range, enter the
original subnet for HQ (in the example, 192.168.1.1 – 192.168.1.254).

7. Finally, to create a Virtual IP, navigate to Policy & Objects > Virtual IPs and select Create New > Virtual IP.
8. Enter HQ-new-to-original for the Name and select the VPN interface for Interface (in the example, VPN-to-Branch).
For the External IP Address/Range enter the new subnet for HQ (in the example, 10.1.1.1 – 10.1.1.254). You do
not need to include the network address or the broadcast address for the subnet in the External IP Range of the
Virtual IP. For the Mapped IP Address/Range, enter the original subnet (in the example, 192.168.1.1 –
192.168.1.254).

Configuring firewall policies on HQ

1. To create firewall policies on HQ, go to Policy & Objects > IPv4 Policies and select Create New.
2. Enter From-HQ-to-Branch for the Name, the LAN-side interface on HQ for Incoming Interface (in the example,
internal), and the VPN tunnel interface for Outgoing Interface (in the example, VPN-to-Branch).

3. For the Source, select HQ-original, for the Destination select Branch-new, and for the Service select ALL.
4. Finally, enable NAT, select Use Dynamic IP Pool, and select the HQ-new IP Pool.
5. Repeat the process to create an additional new IPv4 Policy.
6. Enter From-Branch-to-HQ for the Name, the VPN interface for Incoming Interface (in the example, VPN-to-
Branch), and the LAN-side interface for Outgoing Interface (in the example, internal).


7. For the Source, select Branch-new, for the Destination select HQ-new-to-original (the Virtual IP object you created
in the "Configuring static routes on HQ" section), and for the Service select ALL.
8. Note that for this policy you do not need to enable NAT.

Configuring IPsec VPN on Branch

1. To create the tunnel on Branch, connect to Branch, and go to VPN > IPsec Tunnels and create a new tunnel.
2. In the VPN Setup step, set Template Type to Custom and enter VPN-to-HQ for the Name.

3. Enter HQ’s public IP address (in the example, 172.25.176.142) for the IP Address, and select Branch’s WAN
interface for Interface (in the example, wan1).


4. Enter a matching secure key for the Pre-shared Key.

5. Type the new address ranges selected in the "Planning the new addressing scheme" section for Branch and HQ’s
LAN in the Local Address and Remote Address fields (in the example, 10.2.2.0/24 and 10.1.1.0/24, respectively).
The Local and Remote Address fields are the reverse of what you created in the "Configuring the IPsec VPN on
HQ" section.

6. Optionally, expand Advanced and enable Auto-negotiate.

Configuring static routes on Branch

1. To create the necessary routes on Branch, go to Network > Static Routes and select Create New.
2. Enter the new subnet created in the "Planning the new addressing scheme" section for HQ’s LAN in the
Destination field, and select the VPN tunnel created in the "Configuring the IPsec VPN on Branch" section as the
Interface (in the example, this is 10.1.1.0/24 and VPN-to-HQ).

3. Create an additional route with the same Destination as the previous route, but this time change the
Administrative Distance to 200 and select Blackhole as the Interface.

Configuring address objects on Branch

1. To create address objects you will utilize in a later step, navigate to Policy & Objects > Addresses and select
Create New > Address.
2. Enter Branch-original for the Name, the original LAN subnet of Branch for Subnet (in the example, 192.168.1.0/24),
and select the LAN-side interface for Interface (in the example, lan).

3. Repeat the process to create an additional new address object.


4. Enter HQ-new for the Name, the new LAN subnet of HQ for Subnet (in the example, 10.1.1.0/24), and select the
VPN interface for Interface (in the example, VPN-to-HQ).

5. To create an IP Pool, navigate to Policy & Objects > IP Pools and select Create New.
6. Enter Branch-new for the Name and select Fixed Port Range for Type. For the External IP Range enter the new
subnet for Branch (in the example, 10.2.2.1 – 10.2.2.254), and enter the original subnet for Branch in the Internal IP
Range (in the example, 192.168.1.1 – 192.168.1.254).


7. Finally, to create a Virtual IP, navigate to Policy & Objects > Virtual IPs and select Create New > Virtual IP.
8. Enter Branch-new-to-original for the Name and select the VPN interface for Interface (in the example, VPN-to-HQ).
For the External IP Range enter the new subnet for Branch (in the example, 10.2.2.1 – 10.2.2.254), and enter the
original subnet for Branch in the Internal IP Range (in the example, 192.168.1.1 – 192.168.1.254).

Configuring firewall policies on Branch

1. To create firewall policies on Branch, navigate to Policy & Objects > IPv4 Policies and select Create New.
2. Enter From-Branch-to-HQ for the Name, the LAN-side interface on Branch for Incoming Interface (in the example,
lan), and the VPN tunnel interface for Outgoing Interface (in the example, VPN-to-HQ).


3. For the Source, select Branch-original, for the Destination select HQ-new, and for the Service select ALL.
4. Finally, enable NAT, select Use Dynamic IP Pool, and select the Branch-new IP Pool.
5. Repeat the process to create an additional new IPv4 Policy.
6. Enter From-HQ-to-Branch for the Name, the VPN interface for Incoming Interface (in the example, VPN-to-HQ),
and the LAN-side interface for Outgoing Interface (in the example, lan).


7. For the Source, select HQ-new, for the Destination select Branch-new-to-original (the Virtual IP object you created
in the "Configuring address objects, Virtual IPs, and IP Pools on Branch" section), and for the Service select ALL.
8. Note that for this policy you do not need to enable NAT.

Results

1. The IPsec tunnels should now be up on both sides, which you can verify under Monitor > IPsec Monitor. If you did
not enable auto-negotiate in the "Configuring the IPsec VPN on HQ" section or "Configuring the IPsec VPN on
Branch" section earlier, then you may have to highlight the tunnel and select Bring Up.

2. From a PC on the HQ network, try to ping a PC on the Branch network using the new IP for the Branch PC. The ping
should be successful.


3. From a PC on the Branch network, try to ping a PC on the HQ network using the new IP for the HQ PC. The ping
should be successful.

Explanation

The two example PCs below are used to explain the source and destination NAT that is performed so that these two
PCs, which sit in overlapping subnets, can communicate.


Step 1 – Ping Request: HQ Test PC sends a ping destined for Branch Test PC’s new IP address of 10.2.2.98.
Src IP: 192.168.1.12
Dst IP: 10.2.2.98
Step 2 – Source NAT: The HQ FortiGate receives the ping, and after a route lookup, matches the traffic to firewall
policy From-HQ-to-Branch that you created in the "Configuring firewall policies on HQ" section of the recipe.
Since the policy has NAT enabled and the HQ-new IP Pool selected, the HQ FortiGate will perform source NAT on HQ
Test PC’s IP address before sending into the IPsec tunnel.
Src IP: 10.1.1.12
Dst IP: 10.2.2.98

When you created an IP Pool with Type of Fixed Port Range, and then selected an External IP
Range and Internal IP Range of equal size, the last octet of the IP addresses after SNAT will
not change. This means 192.168.1.12 will be changed to 10.1.1.12, which makes using the
new address range as simple as possible.

Step 3 – Destination NAT: Branch FortiGate receives the traffic on the IPsec tunnel, and before a policy is matched,
the Virtual IP (VIP) you created called Branch-new-to-original performs destination NAT (DNAT).

Similar to our Fixed Port Range IP Pool, a VIP will exactly map the External IP Range to the
Mapped IP Range. This means that 10.2.2.98 will DNAT to 192.168.1.98.

After DNAT, a route lookup is performed, and the traffic will match the From-HQ-to-Branch policy that you created in the
"Configuring firewall policies on Branch" section of the recipe.
Src IP: 10.1.1.12
Dst IP: 192.168.1.98
Step 4 – Ping Reply: Branch Test PC receives the ping request from HQ Test PC and sends the ping reply back to
10.1.1.12.
The FortiGate is a stateful firewall, and the same firewall policy that was used when the session was initiated will be used
on the way back (the From-HQ-to-Branch policy on both FortiGates).
The session table on each FortiGate remembers the SNAT or DNAT that was performed in the "Configuring the IPsec
VPN on HQ" section and "Configuring static routes on HQ" section, and will perform the reverse operation on the reply
traffic.
Src IP: 192.168.1.98
Dst IP: 10.1.1.12
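The four steps above carried through as a small model in Python (an added example, not FortiOS code): a Fixed Port Range IP Pool and a Virtual IP are both 1:1 maps between equal-sized ranges, so only the network part of an address changes, and each unit's session table undoes its own translation on the reply. The addresses and object names are the recipe's; RangeMap, FortiGate and trace_ping are constructions of this model, not FortiOS internals.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RangeMap:
    """1:1 map between an external and an internal range of equal size.

    Models both a Fixed Port Range IP Pool (SNAT, internal -> external) and a
    Virtual IP (DNAT, external -> mapped): the host offset never changes."""
    external: Tuple[str, str]  # (first, last) dotted strings: the External IP Range
    internal: Tuple[str, str]  # (first, last): the Internal IP Range / Mapped IP Range

    def __post_init__(self):
        (ef, el), (nf, nl) = self._bounds(self.external), self._bounds(self.internal)
        if int(el) - int(ef) != int(nl) - int(nf):
            raise ValueError("external and internal ranges must be the same size")

    @staticmethod
    def _bounds(rng):
        return tuple(ipaddress.IPv4Address(a) for a in rng)

    def _covers(self, rng, ip):
        first, last = self._bounds(rng)
        return first <= ipaddress.IPv4Address(ip) <= last

    def _shift(self, ip, src_rng, dst_rng):
        if not self._covers(src_rng, ip):
            raise ValueError(f"{ip} is outside {src_rng[0]}-{src_rng[1]}")
        offset = int(ipaddress.IPv4Address(ip)) - int(self._bounds(src_rng)[0])
        return str(self._bounds(dst_rng)[0] + offset)

    def covers_external(self, ip):
        return self._covers(self.external, ip)

    def to_external(self, ip):  # SNAT: real host -> address presented to the peer
        return self._shift(ip, self.internal, self.external)

    def to_internal(self, ip):  # DNAT: presented address -> real host
        return self._shift(ip, self.external, self.internal)


class FortiGate:
    """Just enough of the data path to show where each translation happens."""

    def __init__(self, name: str, vips: List[RangeMap],
                 policies: Dict[str, Optional[RangeMap]]):
        self.name = name
        self.vips = vips          # VIP DNAT runs before the policy lookup
        self.policies = policies  # policy name -> IP Pool when NAT is enabled, else None
        self.sessions = {}        # (reply src, reply dst) -> (original src, original dst)

    def forward(self, policy_name, src, dst):
        """First packet of a session: DNAT via a matching VIP, then SNAT via the pool."""
        pre_nat = (src, dst)
        for vip in self.vips:
            if vip.covers_external(dst):
                dst = vip.to_internal(dst)
        pool = self.policies[policy_name]
        if pool is not None:
            src = pool.to_external(src)
        self.sessions[(dst, src)] = pre_nat  # stateful: remembered by the reply's tuple
        return src, dst

    def reply(self, src, dst):
        """Reply packet: the session entry undoes the translations in reverse."""
        orig_src, orig_dst = self.sessions[(src, dst)]
        return orig_dst, orig_src


ORIGINAL = ("192.168.1.1", "192.168.1.254")  # both LANs before renumbering
HQ_POOL = RangeMap(("10.1.1.1", "10.1.1.254"), ORIGINAL)      # HQ-new IP Pool
HQ_VIP = RangeMap(("10.1.1.1", "10.1.1.254"), ORIGINAL)       # HQ-new-to-original VIP
BRANCH_POOL = RangeMap(("10.2.2.1", "10.2.2.254"), ORIGINAL)  # Branch-new IP Pool
BRANCH_VIP = RangeMap(("10.2.2.1", "10.2.2.254"), ORIGINAL)   # Branch-new-to-original VIP


def build_sites():
    hq = FortiGate("HQ", [HQ_VIP],
                   {"From-HQ-to-Branch": HQ_POOL, "From-Branch-to-HQ": None})
    branch = FortiGate("Branch", [BRANCH_VIP],
                       {"From-Branch-to-HQ": BRANCH_POOL, "From-HQ-to-Branch": None})
    return hq, branch


def trace_ping(hq_pc="192.168.1.12", branch_pc_new="10.2.2.98"):
    """Return (stage, src, dst) for each hop of the ping request and its reply."""
    hq, branch = build_sites()
    hops = []
    src, dst = hq_pc, branch_pc_new
    hops.append(("1 HQ Test PC sends the request", src, dst))
    src, dst = hq.forward("From-HQ-to-Branch", src, dst)
    hops.append(("2 HQ FortiGate SNAT via HQ-new", src, dst))
    src, dst = branch.forward("From-HQ-to-Branch", src, dst)
    hops.append(("3 Branch FortiGate DNAT via Branch-new-to-original", src, dst))
    src, dst = dst, src
    hops.append(("4 Branch Test PC replies", src, dst))
    src, dst = branch.reply(src, dst)
    hops.append(("4 Branch FortiGate reverses the DNAT", src, dst))
    src, dst = hq.reply(src, dst)
    hops.append(("4 HQ FortiGate reverses the SNAT", src, dst))
    return hops
```

Calling trace_ping() reproduces the Src IP/Dst IP pairs listed in steps 1 to 4 and then carries the reply the rest of the way back to 192.168.1.12.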

IPsec VPN to Alibaba Cloud (AliCloud)

The following recipe demonstrates how to configure a site-to-site IPsec VPN tunnel to Alibaba Cloud (AliCloud).


Using FortiOS 6.0.0, the example describes how to configure the tunnel between each site, avoiding overlapping
subnets, so that a secure tunnel can be established.
The following is required for this recipe:
• One FortiGate (physical or virtual) with an Internet-facing IP address
• One valid Alibaba Cloud (AliCloud) account
• One VPC that has already been created

Configuring the Alibaba Cloud (AliCloud) VPN gateway

1. Log into Alibaba Cloud (AliCloud) and go to Products & Services > VPN Gateway.
2. Ensure that the correct region is selected in the top left corner. Otherwise, you cannot see your VPC. Verify that the
VPC has already been configured.
3. Create the VPN gateway:
a. Click Create VPN Gateway.
b. In the Name field, enter the desired name.
c. From the VPC dropdown list, select the desired VPC.
d. For IPsec VPN, select Enable.
e. Click Buy Now.
f. Select VPN Gateway Agreement of Service.
g. Click Activate.
4. Return to the Alibaba Cloud (AliCloud) management console and verify that the VPN gateway has been created
under VPNs > VPN Gateways.


5. An IP address has been assigned to the VPN gateway. Note down this IP address, as you will need it later in the
process.
6. Register the FortiGate on your site as the customer gateway:
a. Go to VPN > Customer Gateways, then click Create Customer Gateway.
b. In the Name field, enter the FortiGate name.
c. In the IP Address field, enter the IP address of the FortiGate's Internet-facing interface.
d. Click OK.
7. Set parameters for the IPsec tunnel:
a. Go to VPN > IPsec Connections, then click Create IPsec Connection.
b. In the Name field, enter the IPsec connection name.
c. For VPN Gateway and Customer Gateway, select those created in steps 3 and 6.
d. In the Local Network field, enter the VPC subnet address.
e. In the Remote Network field, enter the subnet address of the LAN on your site.
f. Set Effective Immediately to Yes. If this option is set to No, the VPN gateway attempts to establish the IPsec
tunnel only when traffic occurs, which may delay the sending of traffic.
g. Configure advanced settings:
i. Click Advanced Configuration.
ii. Enter the Pre-Shared Key for authentication purposes. Your FortiGate will require this keyword in a later
step.
iii. From the Version dropdown list, select ikev2.
iv. Leave the other parameters as-is.
v. Under IPsec Configurations, modify SA Life Cycle (seconds) to 43200 so that it matches the FortiGate
default value. Advanced Configuration contains two SA Life Cycle (seconds) fields: one for IKE
configuration and one for IPsec configuration. Ensure that you are modifying the one under IPsec
configuration.
vi. Click OK.
8. Configure a static route that will route traffic to the IPsec tunnel:
a. Go to VPC > Route Tables. You will see a routing table for your VPC. Click Manage.

b. Click Add Route Entry.


c. In the Destination CIDR Block field, enter the subnet address of the LAN on your site.
d. From the Next Hop Type dropdown list, select VPN Gateway.
e. From the VPN Gateway dropdown list, select the VPN gateway created in step 3.
f. Click OK.

Configuring the FortiGate

1. Log into FortiOS.


2. Create the IPsec tunnel:
a. Go to VPN > IPsec Tunnels, then click Create New.
b. Configure the basic settings:
i. In the Name field, enter the desired name.
ii. For Template Type, select Custom.
iii. Click Next.
c. Configure the network settings:
i. In the IP Address field, enter the VPN gateway's IP address as provided by Alibaba Cloud (AliCloud) in
step 5 of Configuring the Alibaba Cloud (AliCloud) VPN gateway on page 330.
ii. From the Interface dropdown list, select an Internet-facing interface, such as wan1.
iii. To check the availability of the remote VPN gateway automatically, set Dead Peer Detection to
On Idle.
d. Configure authentication:
i. Under Authentication, from the Method dropdown list, select Pre-shared Key.
ii. In the Pre-Shared Key field, enter the pre-shared key entered for the Alibaba Cloud (AliCloud) VPN
gateway in step 7 of Configuring the Alibaba Cloud (AliCloud) VPN gateway on page 330.
iii. For IKE Version, select 2.
e. Under Diffie-Hellman Groups, select 2. The Alibaba Cloud (AliCloud) VPN gateway's default DH group is 2.
Leave the other parameters as-is.
f. For Local Address, select Subnet from the dropdown list, then enter the LAN subnet address.
g. For Remote Address, select Subnet, then enter the VPC subnet address on Alibaba Cloud (AliCloud).
h. Under Advanced, also select 2 under Diffie-Hellman Groups. Leave the other parameters as-is, then click OK.
3. To pass traffic to and from the IPsec tunnel, you must create a policy that allows traffic between the FortiGate
and Alibaba Cloud (AliCloud). First, create an address object that represents the subnet on your VPC:
a. Go to Policy & Objects > Addresses, then click Create New > Address.
b. In the Name field, enter the address object's name.
c. From the Type dropdown list, select Subnet.
d. In the Subnet/IP Range field, enter the VPC subnet address.
e. Enable Static Route Configuration. This allows you to use this address object as a static route destination in a
later step.
4. Create a policy that permits outgoing sessions to the IPsec tunnel.
a. Go to Policy & Objects > IPv4 Policy, then click Create New.
b. In the Name field, enter the desired policy name.
c. In the Incoming Interface field, select your local LAN interface.
d. In the Outgoing Interface field, select the IPsec tunnel created in step 2.
e. For Source, select all, or specify any address objects if you want to allow access only from specific addresses.
f. For Destination, select the address object created for your VPC subnet in step 3.


g. For Service, select all or specify any services you want to allow.
h. Ensure that NAT is not enabled.
i. Click OK.
5. Create a policy for incoming sessions from the VPC. Repeat the steps above, except for the following:
a. In the Incoming Interface field, select the IPsec tunnel created in step 2.
b. In the Outgoing Interface field, select your local LAN interface.
c. For Source, select subnets on your VPC.
6. To avoid packet drops and fragmentation, it is recommended to limit the TCP maximum segment size (MSS) being
sent and received. For both firewall policies, configure the following in the CLI console:
config firewall policy
    edit <policy-id>
        set tcp-mss-sender 1350
        set tcp-mss-receiver 1350
    next
end
7. Go to Monitor > IPsec Monitor. If the configuration is complete, the IPsec tunnel displays as up. Otherwise,
review and correct your settings.

8. Create a static route to forward traffic from the LAN to Alibaba Cloud (AliCloud):
a. Go to Network > Static Routes, then select Create New.
b. For Destination, select Named Address. From the list, select your remote subnet.
c. From the Interface dropdown list, select the IPsec tunnel created in step 2.
d. Click OK.
9. FortiOS is now connected to Alibaba Cloud (AliCloud) via IPsec. You should see the traffic counter in Monitor >
IPsec Monitor.

SSL VPN for remote users with MFA and user sensitivity

By default, remote LDAP and RADIUS user names are case sensitive. When a remote user object is applied to SSL VPN
authentication, the user must type the exact case that is used in the user definition on the FortiGate.
Case sensitivity can be turned off by disabling the username-sensitivity CLI setting, which allows the remote user
object to match any case that the end user types in.
In this example, a remote user is configured with multi-factor authentication (MFA). The user group includes the LDAP
user and server, and is applied to SSL VPN authentication and the policy.


Topology

Example configuration

To configure the LDAP server:

1. Generate and export a CA certificate from the AD server.


2. Import the CA certificate into FortiGate:
a. Go to System > Features Visibility and ensure Certificates is enabled.
b. Go to System > Certificates and select Import > CA Certificate.
c. Select Local PC and then select the certificate file.
The CA certificate now appears in the list of External CA Certificates. In this example, it is called CA_Cert_1.
d. If you want, you can use CLI commands to rename the system-generated CA_Cert_1 to be more descriptive:
config vpn certificate ca
    rename CA_Cert_1 to LDAPS-CA
end

3. Configure the LDAP user:


a. Go to User & Device > LDAP Servers and click Create New.
b. Configure the following options for this example:

Name                     WIN2K16-KLHOME
Server IP/Name           192.168.20.6
Server Port              636
Common Name Identifier   sAMAccountName
Distinguished Name       dc=KLHOME,dc=local
Bind Type                Regular
Username                 KLHOME\\Administrator
Password                 *********
Secure Connection        Enable
Protocol                 LDAPS
Certificate              CA_Cert_1 (the CA certificate that you imported in step 2)

c. Click OK.

To configure an LDAP user with MFA:

1. Go to User & Device > User Definition and click Create New.
2. Select Remote LDAP User, then click Next.
3. Select the just created LDAP server, then click Next.

4. Right click to add the selected user, then click Submit.


5. Edit the user that you just created.
The username will be pulled from the LDAP server with the same case as it has on the server.
6. Set the Email Address to the address that FortiGate will send the FortiToken to.
7. Enable Two-factor Authentication.
8. Set Authentication Type to FortiToken.


9. Set Token to a FortiToken device. See FortiToken Mobile Push for SSL VPN on page 272 for more information.

10. Click OK.

To disable case sensitivity on the remote user:

This can only be configured in the CLI.


config user local
    edit "fgdocs"
        set type ldap
        set two-factor fortitoken
        set fortitoken "FTKMOBxxxxxxxxxx"
        set email-to "[email protected]"
        set username-sensitivity disable
        set ldap-server "WIN2K16-KLHOME"
    next
end

To configure a user group with the remote user and the LDAP server:

1. Go to User & Device > User Groups and click Create New.
2. Set the Name to LDAP-USERGRP.
3. Set Members to the just created remote user.
4. In the Remote Groups table, click Add:
a. Set Remote Server to the LDAP server.
b. Set the group or groups that apply, and right click to add them.
c. Click OK.

5. Click OK.


To apply the user group to the SSL VPN portal:

1. Go to VPN > SSL-VPN Settings.


2. In the Authentication/Portal Mapping table, click Create New.
a. Set Users/Groups to the just created user group.
b. Configure the remaining settings as required.
c. Click OK.

3. Click Apply.

To apply the user group to a firewall policy:

1. Go to Policy & Objects > IPv4 Policy and click Create New.
2. Configure the following:

Name                 SSLVPNtoInternal
Incoming Interface   SSL-VPN tunnel interface (ssl.root)
Outgoing Interface   port3
Source               Address: SSLVPN_TUNNEL_ADDR1
                     User: LDAP-USERGRP
Destination          The address of the internal network. In this case: 192.168.20.0.
Schedule             always
Service              ALL
Action               ACCEPT
NAT                  Enabled


3. Configure the remaining settings as required.


4. Click OK.

To configure this example in the CLI:

1. Configure the LDAP server:


config user ldap
    edit "WIN2K16-KLHOME"
        set server "192.168.20.6"
        set cnid "sAMAccountName"
        set dn "dc=KLHOME,dc=local"
        set type regular
        set username "KLHOME\\Administrator"
        set password *********
        set secure ldaps
        set ca-cert "CA_Cert_1"
        set port 636
    next
end

2. Configure an LDAP user with MFA and disable sensitivity on the remote user:
config user local
    edit "fgdocs"
        set type ldap
        set two-factor fortitoken
        set fortitoken "FTKMOBxxxxxxxxxx"
        set email-to "[email protected]"
        set username-sensitivity disable
        set ldap-server "WIN2K16-KLHOME"
    next
end

3. Configure a user group with the remote user and the LDAP server:
config user group
    edit "LDAP-USERGRP"
        set member "fgdocs" "WIN2K16-KLHOME"
    next
end

4. Apply the user group to the SSL VPN portal:


config vpn ssl settings
    set servercert <server certificate>
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "port1"
    set source-address "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "LDAP-USERGRP"
            set portal "full-access"
        next
    end
end


5. Apply the user group to a firewall policy:


config firewall policy
    edit 5
        set name "SSLVPNtoInternal"
        set srcintf "ssl.root"
        set dstintf "port3"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "192.168.20.0"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "LDAP-USERGRP"
        set nat enable
    next
end

Verification

To set up the VPN connection:

1. Download FortiClient from www.forticlient.com.


2. Open the FortiClient Console and go to Remote Access.
3. Add a new connection:
a. Set the connection name.
b. Set Remote Gateway to the IP of the listening FortiGate interface.
c. If required, set the Customize Port.
4. Save your settings.

To test the connection with case sensitivity disabled:

1. Connect to the VPN:


a. Log in to the tunnel with the username, using the same case as on the FortiGate.
b. When prompted, enter your FortiToken code.
You should now be connected.
2. Check the web portal login using the CLI:
# get vpn ssl monitor
SSL VPN Login Users:
 Index   User     Group          Auth Type   Timeout   From            HTTP in/out   HTTPS in/out
 0       fgdocs   LDAP-USERGRP   16(1)       289       192.168.2.202   0/0           0/0

SSL VPN sessions:
 Index   User     Group          Source IP       Duration   I/O Bytes    Tunnel/Dest IP
 0       fgdocs   LDAP-USERGRP   192.168.2.202   45         99883/5572   10.212.134.200

3. Disconnect from the VPN connection.


4. Reconnect to the VPN:


a. Log in to the tunnel with the username, using a different case than on the FortiGate.
b. When prompted, enter your FortiToken code.
You should now be connected.
5. Check the web portal login using the CLI:
# get vpn ssl monitor
SSL VPN Login Users:
 Index   User     Group          Auth Type   Timeout   From            HTTP in/out   HTTPS in/out
 0       FGDOCS   LDAP-USERGRP   16(1)       289       192.168.2.202   0/0           0/0

SSL VPN sessions:
 Index   User     Group          Source IP       Duration   I/O Bytes    Tunnel/Dest IP
 0       FGDOCS   LDAP-USERGRP   192.168.2.202   45         99883/5572   10.212.134.200

In both cases, the remote user is matched against the remote LDAP user object and prompted for multi-factor
authentication.

To test the connection with case sensitivity enabled:

1. Enable case sensitivity for the user:


config user local
    edit "fgdocs"
        set username-sensitivity enable
    next
end

2. Connect to the VPN:


a. Log in to the tunnel with the username, using the same case as on the FortiGate.
b. When prompted, enter your FortiToken code.
You should now be connected.
3. Check the web portal login using the CLI:
# get vpn ssl monitor
SSL VPN Login Users:
 Index   User     Group          Auth Type   Timeout   From            HTTP in/out   HTTPS in/out
 0       fgdocs   LDAP-USERGRP   16(1)       289       192.168.2.202   0/0           0/0

SSL VPN sessions:
 Index   User     Group          Source IP       Duration   I/O Bytes    Tunnel/Dest IP
 0       fgdocs   LDAP-USERGRP   192.168.2.202   45         99883/5572   10.212.134.200

4. Disconnect from the VPN connection.

5. Reconnect to the VPN:
a. Log in to the tunnel with the username, using a different case than on the FortiGate.
You will not be prompted for your FortiToken code. You should now be connected.


6. Check the web portal login using the CLI:
# get vpn ssl monitor
SSL VPN Login Users:
 Index   User     Group          Auth Type   Timeout   From            HTTP in/out   HTTPS in/out
 0       FGdocs   LDAP-USERGRP   16(1)       289       192.168.2.202   0/0           0/0

SSL VPN sessions:
 Index   User     Group          Source IP       Duration   I/O Bytes    Tunnel/Dest IP
 0       FGdocs   LDAP-USERGRP   192.168.2.202   45         99883/5572   10.212.134.200

In this case, the user is allowed to log in without a FortiToken code because the entered user name did not match the
name defined on the remote LDAP user object. Authentication is still evaluated against the LDAP server, which is not
case sensitive.
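A model of the matching behaviour that the three tests above show, as an added Python example (not FortiOS code): with username-sensitivity enabled, a differently cased name skips the remote user object that carries the FortiToken and is accepted through the LDAP server that is also a member of the group, so audit_group flags that combination for the administrator. The user, server and group names are the recipe's; the password, the token code, LdapDirectory, authenticate and audit_group are constructed assumptions of this model.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-ins: the password and the FortiToken code the model treats as valid.
CONSTRUCTED_PASSWORD = "constructed-password"
CONSTRUCTED_VALID_TOKEN = "123456"


@dataclass
class LocalUser:
    """A config user local entry with type ldap, as in the recipe."""
    name: str                          # case as pulled from the LDAP server
    ldap_server: str
    username_sensitivity: bool = True  # FortiOS default; the recipe disables it
    two_factor: Optional[str] = None   # "fortitoken" when MFA is configured

    def matches(self, typed: str) -> bool:
        if self.username_sensitivity:
            return typed == self.name
        return typed.lower() == self.name.lower()


@dataclass
class UserGroup:
    """config user group: set member lists both the user object and the LDAP server."""
    name: str
    users: List[LocalUser]
    ldap_servers: List[str]


class LdapDirectory:
    """Constructed stand-in for the AD server; the sAMAccountName lookup ignores case."""

    def __init__(self, name: str, accounts: Dict[str, str]):
        self.name = name
        self._accounts = {user.lower(): pw for user, pw in accounts.items()}

    def bind(self, username: str, password: str) -> bool:
        return self._accounts.get(username.lower()) == password


@dataclass
class AuthResult:
    accepted: bool
    matched_object: Optional[str]  # the remote user object that matched, or None
    mfa_required: bool


def authenticate(group, directories, username, password, token=None):
    """Evaluate one SSL VPN login against the group the way the recipe describes it."""
    # 1. Remote user objects in the group match by name, honouring username-sensitivity.
    for user in group.users:
        if user.matches(username):
            if not directories[user.ldap_server].bind(username, password):
                return AuthResult(False, user.name, user.two_factor is not None)
            if user.two_factor is not None and token != CONSTRUCTED_VALID_TOKEN:
                return AuthResult(False, user.name, True)
            return AuthResult(True, user.name, user.two_factor is not None)
    # 2. No object matched: the LDAP servers listed as members still accept the bind,
    #    and no second factor is attached at that level.
    for server in group.ldap_servers:
        if directories[server].bind(username, password):
            return AuthResult(True, None, False)
    return AuthResult(False, None, False)


def audit_group(group):
    """Defender's check: MFA users whose object is skipped by a differently cased name."""
    findings = []
    for user in group.users:
        if (user.two_factor is not None and user.username_sensitivity
                and user.ldap_server in group.ldap_servers):
            findings.append(
                f"{group.name}: '{user.name}' matches only in exact case; other casings "
                f"fall through to {user.ldap_server} without {user.two_factor}")
    return findings


def build_example(sensitivity: bool):
    """The recipe's objects: fgdocs on WIN2K16-KLHOME inside LDAP-USERGRP."""
    directory = LdapDirectory("WIN2K16-KLHOME", {"fgdocs": CONSTRUCTED_PASSWORD})
    user = LocalUser("fgdocs", "WIN2K16-KLHOME", username_sensitivity=sensitivity,
                     two_factor="fortitoken")
    group = UserGroup("LDAP-USERGRP", [user], ["WIN2K16-KLHOME"])
    return group, {directory.name: directory}


def login(sensitivity: bool, typed_name: str, token: Optional[str] = None) -> AuthResult:
    """One login attempt with the correct password and an optional token code."""
    group, directories = build_example(sensitivity)
    return authenticate(group, directories, typed_name, CONSTRUCTED_PASSWORD, token)
```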


WiFi

This section contains information about creating and configuring WiFi networks.

Setting up WiFi with FortiAP

In this recipe, you will set up a WiFi network by adding a FortiAP in Tunnel mode to your network.
You can configure a FortiAP in either Tunnel mode (default) or Bridge mode. When a FortiAP is in Tunnel mode, a
wireless-only subnet is used for wireless traffic. When a FortiAP is in Bridge mode, the Ethernet and WiFi interfaces are
connected (or bridged), allowing wired and wireless networks to be on the same subnet.

Connecting FortiAP

1. To edit the interface that will connect to the FortiAP (in the example, port 22), go to Network > Interfaces.
2. Set Role to LAN and Addressing Mode to Manual. Set IP/Network Mask to a private IP address (in the example
10.10.200.1/255.255.255.0).
3. Under Administrative Access, enable CAPWAP.
4. Enable DHCP Server.
5. Under Networked Devices, enable Device Detection.


6. Connect the FortiAP unit to the interface.


7. To view the list of managed FortiAPs, go to WiFi & Switch Controller > Managed FortiAPs. The new FortiAP
appears in the list but is grayed out because it is not authorized. If the FortiAP does not appear, wait a few
minutes, then refresh the page.
Select the FortiAP, and select Authorize.

8. After a few minutes, select Refresh. The FortiGate shows the FortiAP as authorized.


Creating an SSID

1. To create a new SSID to be broadcast for WiFi users, go to WiFi & Switch Controller > SSID.
2. Set Traffic Mode to Tunnel and set IP/Network Mask to a private IP address (in the example
10.10.201.1/255.255.255.0).
3. Enable DHCP Server and Device Detection.

4. Under WiFi Settings, name the SSID (in the example, Office-WiFi) and set a secure Pre-shared Key.


5. Enable Broadcast SSID.

Creating a custom FortiAP profile

1. To create a new FortiAP profile, go to WiFi & Switch Controller > FortiAP Profiles.
2. Set Platform to the FortiAP model you are using (in the example, FAP221C) and Country/Region to the
appropriate location.
3. Set an AP Login Password to secure the FortiAP.
4. Under Radio 1, set Mode to Access Point and SSIDs to Manual. Add your new SSID.


5. To assign the new profile, go to WiFi & Switch Controller > Managed FortiAPs and right-click the FortiAP. Select
Assign Profile and set the FortiAP to use the new profile.

Creating a security policy

1. To create a new policy for wireless Internet access, go to Policy & Objects > IPv4 Policy and select Create New.
2. Set Incoming Interface to the SSID and Outgoing Interface to your Internet-facing interface.


3. Enable NAT.

Results

1. Connect to the SSID with a wireless device. After a connection is established, browse the Internet to generate
traffic.
2. To view the traffic using the wireless Internet access policy, go to FortiView > All Segments > Policies.

3. To view more information about this traffic, right-click the policy and select Drill Down to Details.


For further reading, check out Configuring a WiFi LAN in the FortiOS 6.0 Online Help.

Replacing the Fortinet_Wifi certificate

These instructions apply to FortiWiFi devices using internal WiFi radios and to FortiGate/FortiWiFi
devices configured as WiFi Controllers that are managing FortiAP devices, where WiFi
clients connect to a WPA2-Enterprise SSID and authenticate with local user groups.

On FortiOS, the built-in Fortinet_Wifi certificate is a publicly signed certificate that is only used in WPA2-Enterprise
SSIDs with local user-group authentication. The default WiFi certificate configuration is:
config system global
    set wifi-ca-certificate "Fortinet_Wifi_CA"
    set wifi-certificate "Fortinet_Wifi"
end

WiFi administrators must consider the following factors:


• The Fortinet_Wifi certificate is issued to Fortinet Inc. with common name (CN) auth-cert.fortinet.com. If a company
or organization requires its own CN in its WiFi deployment, it must replace the certificate with its own.
• The Fortinet_Wifi certificate has an expiry date. When it is about to expire, it must be renewed or replaced with a new
certificate.

To replace the Fortinet_Wifi certificate:

1. Get new certificate files, including a root CA certificate, a certificate signed by the CA, and the corresponding private
key file:
Purchase a publicly signed certificate from a commercial certificate service provider, or generate a self-signed
certificate.
2. Import the new certificate files into FortiOS:
a. On the FortiGate, go to System > Certificates.
If VDOMs are enabled, go to Global > System > Certificates.
b. Click Import > CA Certificate.


c. Set the Type to File and upload the CA certificate file from the management computer.

d. Click OK.
The imported CA certificate is named CA_Cert_N, or G_CA_Cert_N when VDOMs are enabled, where N starts
from 1 and increments for each imported certificate, and G stands for global range.
e. Click Import > Local Certificate.
f. Set the Type to Certificate, upload the certificate file and key file, enter the password, and enter the certificate
name.

g. Click OK.
The imported certificates are listed on the Certificates page.
3. Change the WiFi certificate settings:
config system global
    set wifi-ca-certificate <name of the imported CA certificate>
    set wifi-certificate <name of the imported certificate signed by the CA>
end


Notes

If necessary, the factory default certificates can also be used to replace the certificates:
config system global
    set wifi-ca-certificate "Fortinet_CA"
    set wifi-certificate "Fortinet_Factory"
end

As the factory default certificates are self-signed, WiFi clients will need to accept the certificate at the
connection prompt, or import the Fortinet_CA certificate to validate it.

If the built-in Fortinet_Wifi certificate has expired and not been renewed or replaced, WiFi
clients can still connect to the WPA2-Enterprise SSID with local user-group authentication by
ignoring any prompted warning messages or bypassing Validate server certificate (or similar)
options.

With FortiOS 6.0.1 and later, the Fortinet_Wifi certificate can be updated automatically through
the FortiGuard service certificate bundle update.

Guest WiFi accounts

In this recipe, you create temporary guest accounts that can connect to your WiFi network after authenticating using a
captive portal. To make management easier, you also create a separate administrative account that can only be used to
manage guest accounts.


This example uses a FortiAP in Tunnel mode to provide WiFi access to guests. For information about configuring the
FortiAP, see Setting up WiFi with FortiAP on page 342.

Creating a guest user group

1. To create a guest user group, go to User & Device > User Groups and create a new group.
2. Set Type to Guest and set User ID to Email.
3. Under Guest Details, enable Require Email, enable Password, and set the password to Auto Generated.
4. Under Expiration, set Start Countdown to After First Login and set Time to 5 minutes for testing purposes.

Creating an SSID

1. To create an SSID for guest users, go to WiFi & Switch Controller > SSID and create a new SSID.
2. Set Traffic Mode to Tunnel. Assign an IP/Network Mask to the interface and enable DHCP Server.


3. Under WiFi Settings, set the following:


• Security Mode to Captive Portal
• Portal Type to Authentication
• User Groups to the guest user group

4. To broadcast the new SSID, go to WiFi & Switch Controller > FortiAP Profiles and edit the profile used by the
FortiAP.
5. Under Radio 1 set SSIDs to include the new SSID.


Creating a security policy

1. To allow WiFi guest users to access the Internet, go to Policy & Objects > IPv4 Policy and create a new policy.
2. Set Incoming Interface to the guest SSID and set Outgoing Interface to your Internet-facing interface. Select
Source and set Address to all and User to the guest user group.

3. Enable NAT.

Creating a guest user management account

To simplify guest account creation, you can create an admin account that is only used for guest user management. This
allows new accounts to be made as needed without requiring full administrative access to the FortiGate. In this example,
the account is made for use by a receptionist.
1. To create the guest management account, go to System > Administrators and create a new account.
2. Set a User Name and set Type to Local User. Set and confirm a Password.

3. Enable Restrict admin to guest account provisioning only and set Guest Group to the WiFi guest user group.
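
The four GUI procedures above (guest group, SSID, policy, restricted admin) as one CLI configuration, added here as an example and not taken from the original cookbook. The object names, the 10.10.80.0/24 guest subnet, the wan1 interface and the FortiAP profile name FAP221E-default are assumptions; substitute your own. Two hardening choices that the GUI steps do not mention are included and commented: client isolation on the SSID, and keeping the only guest policy pointed at the Internet-facing interface so the implicit deny keeps guests off internal networks.

```fortios
# Added example (not from the original cookbook): the GUI steps as CLI.
# Names, the guest subnet, "wan1" and "FAP221E-default" are assumptions.

# 1. Guest user group: email as the user ID, auto-generated password,
#    accounts expire 5 minutes (300 s) after the first successful login.
config user group
    edit "guest-wifi"
        set group-type guest
        set user-id email
        set email enable
        set password auto-generate
        set expire-type first-successful-login
        set expire 300
    next
end

# 2. Tunnel-mode SSID with captive portal authentication against that group.
#    "captive-portal" on its own is an open SSID: guest traffic over the air is
#    not encrypted. Choose the WPA2 Personal + Captive Portal mode in the GUI
#    if you also need link-layer encryption.
config wireless-controller vap
    edit "guest-ssid"
        set ssid "Guest-WiFi"
        set local-bridging disable          # tunnel mode (default)
        set security captive-portal
        set portal-type auth
        set selected-usergroups "guest-wifi"
        set schedule "always"
        set intra-vap-privacy enable        # hardening: isolate guests from each other
    next
end
config system interface
    edit "guest-ssid"
        set ip 10.10.80.1 255.255.255.0
    next
end
config system dhcp server
    edit 0
        set interface "guest-ssid"
        set default-gateway 10.10.80.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 10.10.80.2
                set end-ip 10.10.80.254
            next
        end
    next
end

# 3. Broadcast the SSID on radio 1 of the FortiAP profile.
config wireless-controller wtp-profile
    edit "FAP221E-default"
        config radio-1
            set vap-all disable
            set vaps "guest-ssid"
        end
    next
end

# 4. Policy: guest SSID to the Internet only, matched on the guest group, NAT on.
#    Add no policy from guest-ssid to internal interfaces; the implicit deny
#    then keeps authenticated guests off the LAN.
config firewall policy
    edit 0
        set name "guest-wifi-internet"
        set srcintf "guest-ssid"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "guest-wifi"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# 5. Receptionist admin restricted to provisioning accounts in the guest group.
config system admin
    edit "reception"
        set password "<set-a-strong-password>"
        set guest-auth enable
        set guest-usergroups "guest-wifi"
    next
end
```

The policy matches on the guest group as well as the source interface, so an unauthenticated client on the SSID only ever reaches the captive portal; once it authenticates, the 300 second expiry in the group definition is what eventually revokes the account, not anything in the policy.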

Creating a guest user account

1. Using the receptionist account, create a guest account.


2. Set Email to the user’s email address (in the example, [email protected]). To test the account, set Expiration
to 5 Minutes.

3. After you select OK, a User Created Successfully notice appears that shows the new account’s Password. This
password can then be printed or emailed to the guest user. You can also view the password by editing the user
account.

Results

1. On a PC, connect to the guest SSID and attempt to browse the Internet. When the authentication screen appears,
log in using the guest user’s credentials.

2. After the account is authenticated, you can connect to the Internet.


3. Five minutes after the initial login, the guest user account will expire and you will no longer be able to log in using
those credentials.
4. Use the receptionist account to log on to the FortiGate. The guest account is listed as Expired.

Copyright© 2023 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the
U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be
trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and
other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding
commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s
General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such
event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be
limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or
development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and
guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most
current version of the publication shall be applicable.
