The FortiGate Cookbook 5.0.

4
Essential Recipes for Success with your FortiGate

14 August 2013

Revision 1

Copyright© 2013 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are
registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks
of Fortinet. All other product or company names may be trademarks of their respective owners.
Performance metrics contained herein were attained in internal lab tests under ideal conditions,
and performance may vary. Network variables, different network environments and other conditions
may affect performance results. Nothing herein represents any binding commitment by Fortinet, and
Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters
a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly
warrants that the identified product will perform according to the performance metrics herein. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in
Fortinet’s internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to
change, modify, transfer, or otherwise revise this publication without notice, and the most current
version of the publication shall be applicable.

Visit these links for more information and documentation for your Fortinet products:

Fortinet Knowledge Base - http://kb.fortinet.com

Technical Documentation - http://docs.fortinet.com

Training Services - http://campus.training.fortinet.com

Technical Support - https://support.fortinet.com

Video Tutorials - http://video.fortinet.com

Please report errors or omissions in this or any Fortinet technical document to techdoc@fortinet.com.
 Contents
Introduction................................................................................................................... 1

Setup............................................................................................................................. 3

Setting up FortiGuard services............................................................................................ 4

Extra help: FortiGuard......................................................................................................... 6

Logging network traffic to gather information..................................................................... 7

Extra help: Logging........................................................................................................... 11

Using FortiCloud to record log messages......................................................................... 12

Using SNMP to monitor the FortiGate unit....................................................................... 16

Setting up an explicit proxy for users on a private network.............................................. 22

Adding packet capture to help troubleshooting................................................................ 26

Protecting a web server on the DMZ network................................................................... 29

Using port pairing to simplify transparent mode............................................................... 33

Using two ISPs for redundant Internet connections......................................................... 38

Adding a backup FortiGate unit to improve reliability....................................................... 43

Security Policies & Firewall Objects............................................................................ 49

Ordering security policies to allow different access levels................................................ 50

Controlling when BYOD users can access the Internet.................................................... 54

Using port forwarding on a FortiGate unit......................................................................... 57

Using AirPlay with iOS, AppleTV, FortiAP, and a FortiGate unit........................................ 62

Using AirPrint with iOS and OS X and a FortiGate unit..................................................... 70

Security Features........................................................................................................ 79

Monitoring your network using client reputation............................................................... 80

ii The FortiGate Cookbook 5.0.4

 Controlling network access using application control...................................................... 84

Protecting a web server from external attacks.................................................................. 90

Blocking outgoing traffic containing sensitive data.......................................................... 94

Blocking large files from entering the network.................................................................. 99

Blocking access to specific websites............................................................................. 102

Extra help: Web filtering.................................................................................................. 105

Blocking HTTPS traffic with web filtering........................................................................ 106

Using web filter overrides to control website access...................................................... 111

Wireless Networking.................................................................................................. 119

Setting up a temporary guest WiFi user.......................................................................... 120

Setting up a network using a FortiGate unit and a FortiAP unit...................................... 127

Providing remote users access to the corporate network and Internet.......................... 132

Authentication........................................................................................................... 139

Providing single sign-on for a Windows AD network with a FortiGate........................... 140

Providing single sign-on in advanced mode for a Windows AD network....................... 146

Providing single sign-on for Windows AD with LDAP..................................................... 149

Preventing security certificate warnings when using SSL inspection............................. 153

Extra help: Certificates.................................................................................................... 157

SSL and IPsec VPN.................................................................................................... 159

Using IPsec VPN to provide communication between offices........................................ 160

Providing remote users with access using SSL VPN...................................................... 168

Providing secure remote access to a network for an iOS device................................... 176

Using redundant OSPF routing over IPsec VPN............................................................. 183

Contents iii
Introduction
The FortiGate Cookbook provides examples, or recipes, of basic and advanced
FortiGate configurations to administrators who are unfamiliar with the unit. All
examples require access to the graphical user interface (GUI), also known as the
web-based manager.
Each example begins with a description of the desired configuration, followed by
step-by-step instructions. Some topics include extra help sections, containing tips
for dealing with some common challenges of using a FortiGate unit.
Using the FortiGate Cookbook, you can go from idea to execution in simple steps,
configuring a secure network for better productivity with reduced risk.

The Cookbook is divided into the following chapters:

Setup: This chapter explains the configuration of common network functions and
the different network roles a FortiGate unit can have.
Security Policies & Firewall Objects: This chapter describes security policies and
firewall objects, which determine whether to allow or block traffic.
Security Features: This chapter describes the core security features that you can
apply to the traffic accepted by your FortiGate unit.
Wireless Networking: This chapter explains how to configure and maintain a wireless
network.
Authentication: This chapter describes the FortiGate authentication process for
network users and devices.
SSL and IPsec VPN: This chapter explains the configuration and application of SSL
and IPsec virtual private networks (VPNs).

This version of the FortiGate Cookbook was written using FortiOS 5.0.4.
1
Setup
The FortiGate unit provides protection for a variety of different network functions
and configurations. This section contains information about the basic setup for
common network functions as well as different roles that a FortiGate unit can have
within your network.
This section contains the following examples:

• Setting up FortiGuard services

• Extra help: FortiGuard
• Logging network traffic to gather information
• Extra help: Logging
• Using FortiCloud to record log messages
• Using SNMP to monitor the FortiGate unit
• Setting up an explicit proxy for users on a private network
• Adding packet capture to help troubleshooting
• Protecting a web server on the DMZ network
• Using port pairing to simplify transparent mode
• Using two ISPs for redundant Internet connections
• Adding a backup FortiGate unit to improve reliability

3
 Setting up FortiGuard services
If you have purchased FortiGuard services and registered your FortiGate unit, the
FortiGate should automatically connect to a FortiGuard Distribution Network (FDN)
and display license information about your FortiGuard services. In this example, you
will verify whether the FortiGate unit is communicating with the FDN by checking
the License Information dashboard widget.

Internet

FortiGuard

FortiGate

Internal Network

4 The FortiGate Cookbook 5.0.4

Verifying the connection
On the dashboard, go to the License
Information widget.

Any subscribed services should have a green

check mark, indicating that connections are
successful.

A grey X indicates that the FortiGate unit

cannot connect to the FortiGuard network, or
that the FortiGate unit is not registered.

A red X indicates that the FortiGate unit was

able to connect but that a subscription has
expired or has not been activated.

You can also view the FortiGuard connection

status by going to System > Config >
FortiGuard.

Setting up FortiGuard services 5

 Extra help: FortiGuard
This section contains tips to help you with some common challenges of using
FortiGuard.
FortiGuard services appear as expired/unreachable.
Verify that you have registered your FortiGate unit, purchased FortiGuard services and that
the services have not expired at support.fortinet.com.

Services are active but still appear as expired/unreachable.

Verify that the FortiGate unit can communicate with the Internet.

The FortiGate is connected to the Internet but can’t communicate with

FortiGuard.
Go to System > Network > DNS and ensure that the primary and secondary DNS servers
are correct. If the FortiGate interface connected to the Internet gets its IP address using
DHCP, make sure Override internal DNS is selected.

Also, determine if the default port used for FortiGuard traffic, port 53, is being blocked, either
by a device on your network or by your ISP. If you cannot unblock the port, change it by
going to System > Config > FortiGuard and selecting the service(s) where communication
errors are occurring. Under Port Selection, select Use Alternate Port.

Communication errors remain.

FortiGate units contact the FortiGuard Network by sending UDP packets with typical source
ports of 1027 or 1031, and destination ports of 53 or 8888. The FDN reply packets would
then have a destination port of 1027 or 1031. If your ISP blocks UDP packets in this port
range, the FortiGate unit cannot receive the FDN reply packets.

In effort to avoid port blocking, You can configure your FortiGate unit to use higher-
numbered ports, such as 2048-20000, using the following CLI command:
config system global
set ip-src-port-range 2048-20000
end
Trial and error may be required to select the best source port range. You can also contact
your ISP to determine the best range to use.

6 The FortiGate Cookbook 5.0.4

 Logging network traffic to gather information
This example demonstrates how to enable logging to capture the details of the
network traffic processed by your FortiGate unit.

1. Recording log messages and enabling event logging

2. Enabling logging in the security policies
3. Results

Security events
yes only Security no
Logging Log all
Session begins traffic? event in
enabled?
session?

no yes yes

No record Record
session data

Logging network traffic to gather information 7

Recording log messages and
enabling event logging
Go to Log & Report > Log Config > Log
Settings.

Select where log messages will be recorded.

You can save log messages to disk if
your FortiGate unit supports this, to a
FortiAnalyzer or FortiManager unit if you
have one, or to FortiCloud if you have a
subscription. Each of these options allow
you to record and view log messages and to
create reports based on them.

In most cases, it is recommended to

Send Logs to FortiCloud, as shown
in the example. For more information on
FortiCloud, see “Using FortiCloud to record
log messages” on page 12.

Next, enable Event Logging.

You can choose to Enable All types of

logging, or specific types, such as WiFi
activity events, depending on your needs.

8 The FortiGate Cookbook 5.0.4

Enabling logging in the
security policies
Go to Policy > Policy > Policy. Edit the
policies controlling the traffic you wish to log.

Under Logging Options, you can choose

either Log Security Events or Log all
Sessions.

In most cases, you should select Log

Security Events. Log all Sessions can
be useful for more detailed traffic analysis
but also has a greater effect on system
performance and requires more storage.

Results
View traffic logs by going to Log & Report
> Traffic Log > Forward Traffic. The logs
display a variety of information about your
traffic, including date/time, source, device,
and destination.

To change the information shown, right-

click on any column title and select Column
Settings to enable or disable different
columns.

Logging network traffic to gather information 9

You can also select any entry to view more
information about a specific session.

Different types of event logs can be found at

Log & Report > Event Log.

The example shows the System log

that records system events, such as
administrative logins and configuration
changes.

As with the Forward Traffic log, select an

entry for further information.

10 The FortiGate Cookbook 5.0.4

Extra help: Logging
This section contains tips to help you with some common challenges of FortiGate
logging.

No log messages appear.

Ensure that logging is enabled in both the Log Settings and the policy used for the traffic
you wish to log, as logging will not function unless it is enabled in both places.

If logging is enabled in both places, check that the policy in which logging is enabled is the
policy being used for your traffic. Also make sure that the policy is getting traffic by going to
the policy list and adding the Sessions column to the list.

Logs from a FortiAnalyzer, FortiManager, or from FortiCloud do not appear in

the GUI.
Ensure that the correct log source has been selected in the Log Settings, under GUI
Preferences.

The FortiGate unit’s performance level has decreased since enabl ing disk
logging.
If enabling disk logging has impacted overall performance, change the log settings to either
send logs to a FortiAnalyzer unit, a FortiManager unit, or to FortiCloud.

Log All Sessions is enabled on all security policies and cannot be changed.
This can occur if Client Reputation is enabled.

Logging to a FortiAnalyzer unit is not working as expected.

The firmware for the FortiGate and FortiAnalyzer units may not be compatible. Check the
firmware release notes, found at support.fortinet.com, to see if this is the case.

Extra help: Logging 11

 Using FortiCloud to record log messages
This example describes setting up FortiGate logging to FortiCloud, an online log
retention service provided by Fortinet. It also describes how to use FortiCloud to
view and access FortiGate traffic logs.

You must register your FortiGate unit before you can activate FortiCloud.

1. Activating FortiCloud
2. Sending logs to FortiCloud
3. Enabling logging in your security policies
4. Results

FortiCloud

FortiGate

Internal Network
12 The FortiGate Cookbook 5.0.4
Activating FortiCloud
Go to System > Dashboard > Status.

In the FortiCloud section of the License

Information widget, select the green
Activate button.

Fill in the required information to create a

new FortiCloud account.

Using FortiCloud to record log messages 13

Sending logs to FortiCloud
Go to Log & Report > Log Config > Log
Setting.

Enable Send Logs to FortiCloud and

adjust the Event Logging settings as
required.

Select Test Connectivity to verify the

connection between the FortiGate unit and
your FortiCloud account.

Set the GUI Preferences to Display Logs

from FortiCloud, to easily view your logs.

Enabling logging in the

security policies
Go to Policy > Policy > Policy. Edit the
security policies that control the traffic you
wish to log.

Under Logging Options, select either Log

Security Events or Log all Sessions,
depending on your needs.

In most cases, Log Security Events will

provide sufficient information in the traffic
logs. Log all Sessions can be useful for
more detailed traffic analysis but also has a
greater effect on system performance and
requires more memory for storage.

14 The FortiGate Cookbook 5.0.4

Results
Go to System > Dashboard > Status.

In the FortiCloud section of the License

Information widget, select Launch Portal.

From the portal, you can view the log data

and reports.

You can access your FortiCloud account at

any time by going to www.forticloud.com.

Daily Summary reports can also be found

through the FortiGate unit by going to Log &
Report > Report > FortiCloud.

You can also configure your FortiCloud

account to have these reports emailed to
you.

Logs viewed through the GUI will also now

read Log location: FortiCloud in the upper
right corner.

Using FortiCloud to record log messages 15

 Using SNMP to monitor the FortiGate unit
Simple Network Management Protocol (SNMP) enables you to monitor hardware
on your network. You configure the hardware, such as the FortiGate SNMP
agent, to report system information and send traps (alarms or event messages) to
SNMP managers. An SNMP manager, or host, is typically a computer running an
application that reads the traps from the agent and sends out SNMP queries to the
SNMP agents.
In this example, you configure the SNMP agent and FortiGate interface to send
SNMP traps to the SNMP server for review.

1. Configuring the SNMP agent and community

2. Enabling SNMP on a FortiGate interface
3. Downloading the MIB files and configuring the SNMP
manager
4. Results

Internet

Internal Network

FortiGate

SNMP Manager

16 The FortiGate Cookbook 5.0.4

Configuring the SNMP agent
and community
Go to System > Config > SNMP.

Configure the SNMP agent.

Using SNMP to monitor the FortiGate unit 17

Under the SNMP version, create a new
community.

Add a host IP address where the SNMP

manager is installed, (in the example,
192.168.1.114/32), and select the port to
receive SNMP requests and send SNMP
traps.

You can also set the IP address/Netmask

to 0.0.0.0/0.0.0.0 and the Interface to ANY
so that any SNMP manager at any network
connected to the FortiGate unit can use this
SNMP community and receive traps from the
FortiGate unit.

Enabling SNMP on a
FortiGate interface
Go to System > Network > Interfaces.

Enable SNMP on an internal port.

18 The FortiGate Cookbook 5.0.4

Downloading the MIB files
and configuring the SNMP
manager
Go to System > Config > SNMP to
download FortiGate SNMP MIB.

Two types of MIB files are available for

FortiGate units: the Fortinet MIB, and the
FortiGate MIB. The Fortinet MIB contains
traps, fields, and information that is common
to all Fortinet products. The FortiGate MIB
contains traps, fields, and information that is
specific to FortiGate units.

Configure the SNMP manager at

192.168.1.114 to receive traps from the
FortiGate unit.

Results
This example uses the SolarWinds SNMP
trap viewer.

In the SolarWinds Toolset Launch Pad, go to

SNMP > MIB Viewer and select Launch.

Using SNMP to monitor the FortiGate unit 19

Choose Select Device, enter the IP address
of the FortiGate unit, and choose the
appropriate community string credentials.

Open the SNMP Trap Receiver and select

Launch.

20 The FortiGate Cookbook 5.0.4

Perform an action to trigger a trap (for
example, change the IP address of the DMZ
interface in the FortiGate).

Verify that the SNMP manager receives the

trap.

View the log by going to Log & Report >

Event Log > System.

Using SNMP to monitor the FortiGate unit 21

 Setting up an explicit proxy for users on a
private network
In this example, an explicit web proxy is set to accommodate faster web browsing.
This allows internal users to connect using port 8080 rather than port 80.

1. Enabling explicit web proxy on the internal interface

2. Configuring the explicit web proxy for HTTP/HTTPS traffic
3. Adding a security policy for proxy traffic
4. Results

Internet

Port 3

Explicit web proxy

FortiGate
Port 4
Internal Network

22 The FortiGate Cookbook 5.0.4

Enabling explicit web proxy
on the internal interface
Go to System > Network > Interfaces.

Edit an internal port (port 4 in the example).

Enable both DHCP Server and Explicit
Web Proxy.

Go to System > Config > Features. Ensure

that WAN Opt. & Cache is enabled.

Setting up an explicit proxy for users on a private network 23

Configuring the explicit web
proxy for HTTP/HTTPS
traffic
Go to System > Network > Explicit Proxy
and enable the HTTP/HTTPS explicit web
proxy.

Ensure that the Default Firewall Policy

Action is set to Deny.

24 The FortiGate Cookbook 5.0.4

Adding a security policy for
proxy traffic
Go to Policy > Policy > Policy.

Create a new policy and set the Incoming

Interface to web-proxy, the Outgoing
Interface to an internal port (in the example,
port 3), and the Service to webproxy.

Results
Configure web browsers on the private
network to connect using a proxy server.
The IP address of the HTTP proxy server is
10.10.1.99 (the IP address of the FortiGate
internal interface) and the port is 8080
(the default explicit web proxy port). Web
browsers configured to use the proxy server
are able to connect to the Internet.

Go to Policy > Policy > Policy to see the ID

of the policy allowing webproxy traffic.

Web proxy traffic is not counted by security

policy.

Setting up an explicit proxy for users on a private network 25

 Adding packet capture to help troubleshooting
Packet capture is a means of logging traffic and its details to troubleshoot any
issues you might encounter with traffic flow or connectivity. This example shows the
basics of setting up packet capture on the FortiGate unit and analyzing the results.

1. Creating a packet capture filter

2. Starting the packet capture
3. Stopping the packet capture
4. Results

Original Packet

Internet
FortiGate

Internal Network

Duplicate Packet

Packet Capture

26 The FortiGate Cookbook 5.0.4

Creating a packet capture
filter
Go to System > Network > Packet
Capture.

Create a new filter. In this example, the

FortiGate unit will capture 100 HTTP packets
on the internal interface from/to host
192.168.1.200.

• Host(s) can be a single IP or multiple

IPs separated by comma, IP range, or
subnet.

• Port(s) can be single or multiple

separated by comma or range.

• Protocol can be single or multiple

separated by comma or range. Use 6 for
TCP, 17 for UDP, and 1 for ICMP.

Starting the packet capture

Select Start to begin the packet capture.
Using an internal computer, or a device set to
IP address 192.168.1.200, surf the Internet to
generate traffic.

Adding packet capture to help troubleshooting 27

Stopping the packet
capture
Once the FortiGate reaches the maximum
number of packets to save (in this case 100),
the capturing progress stops and you can
download the saved pcap file.

You can also stop the capturing at any time

before reaching the maximum number of
packets.

Results
Open the pcap file with a pcap file viewer,
such as tcpdump or Wireshark.

Adjust the settings in the filter depending on

the kind of traffic you wish to capture.

Go to Log & Report > Event Log >

System to verify that the packet capture file
downloaded successfully.

28 The FortiGate Cookbook 5.0.4

 Protecting a web server on the DMZ network
In the following example, a web server is connected to a DMZ network. An internal-
to-DMZ security policy allows internal users to access the web server using an
internal IP address (10.10.10.22). A WAN-to-DMZ security policy hides the internal
address, allowing external users to access the web server using a public IP address
(172.20.120.22).

1. Configuring the FortiGate unit’s DMZ interface

2. Adding virtual IPs
3. Creating security policies
4. Results

Internet

WAN 1
172.20.120.22 DMZ Network

DMZ
FortiGate

LAN

Web Server
10.10.10.22

Internal Network

Protecting a web server on the DMZ network 29

Configuring the FortiGate
unit’s DMZ interface
Go to System > Network > Interfaces.

Edit the DMZ interface. A DMZ Network

(from the term ‘demilitarized zone’) is a
secure network connected to the FortiGate
that only grants access if it has been
explicitly allowed. Using the DMZ interface is
recommended but not required.

Adding virtual IPs

Go to Firewall Objects > Virtual IPs >
Virtual IPs.

Create two virtual IPs: one for HTTP access

and one for HTTPS access.

Each virtual IP will have the same address,

mapping from the public-facing interface to
the DMZ interface. The difference is the port
for each traffic type: port 80 for HTTP and
port 443 for HTTPS.

30 The FortiGate Cookbook 5.0.4

Creating security policies
Go to Policy > Policy > Policy.

Create a security policy to allow HTTP and

HTTPS traffic from the Internet to the DMZ
interface and the web server.

Create a second security policy to allow

HTTP and HTTPS traffic from the internal
network to the DMZ interface and the web
server.

Adding this policy allows traffic to pass

directly from the internal interface to the DMZ
interface.

Protecting a web server on the DMZ network 31

Results
External users can access the web
server on the DMZ network from the
Internet using http://172.20.120.22 and
https://172.20.120.22.

Internal users can access the web

server using http://10.10.10.22 and
https://10.10.10.22.

Go to Policy > Monitor > Policy Monitor.

Use the policy monitor to verify that traffic

from the Internet and from the internal
network is allowed to access the web server.
This verifies that the policies are configured
correctly.

Go to Log & Report > Traffic Log >

Forward Traffic.

The traffic log shows sessions from the

internal network and from the Internet
accessing the web server on the DMZ
network.

32 The FortiGate Cookbook 5.0.4

 Using port pairing to simplify transparent mode
When you create a port pair, all traffic accepted by one of the paired ports can
only exit out the other port. Restricting traffic in this way simplifies your FortiGate
configuration because security policies between these interfaces are pre-
configured.

1. Switching the FortiGate unit to transparent mode and adding a static

route
2. Creating an internal and wan1 port pair
3. Creating firewall addresses
4. Creating security policies
5. Results

Internet
Protected web server
192.168.1.200

Router

WAN 1

Internal
FortiGate

Management IP Internal Network

192.168.1.100 192.168.1.[110-150]

Using port pairing to simplify transparent mode 33

Switching the FortiGate unit
to transparent mode and
adding a static route
Go to System > Dashboard > Status.

In the System Information widget,

select Change. Set Operation mode to
Transparent.

Log into the FortiGate unit using the

management IP (in the example,
192.168.1.100).

Go to System > Network > Routing Table

and set a static route.

Creating an internal and

wan1 port pair
Go to System > Network > Interfaces.

Create an internal/wan1 pair so that all traffic

accepted by the internal interface can only
exit out of the wan1 interface.

34 The FortiGate Cookbook 5.0.4

Creating firewall addresses
Go to Firewall Objects > Address >
Addresses.

Create an address for the web server using

the web server’s Subnet IP.

Create a second address, with an IP range

for internal users.

Creating security policies

Go to Policy > Policy > Policy.

Create a security policy that allows internal

users to access the web server using HTTP
and HTTPS.

Using port pairing to simplify transparent mode 35

 Create a second security policy that allows
connections from the web server to the
internal users’ network and to the Internet
using any service.

Results
Connect to the web server from the internal
network and surf the Internet from the server
itself.

Go to Log & Report > Traffic Log >

Forward Traffic to verify that there is traffic
from the internal to wan1 interface.

36 The FortiGate Cookbook 5.0.4

Select an entry for details.

Go to Policy > Monitor > Policy Monitor

to view the active sessions.

Using port pairing to simplify transparent mode 37

 Using two ISPs for redundant Internet
connections
This example describes how to improve the reliability of a network connection
using two ISPs. The example includes the configuration of equal cost multi-path
load balancing, which efficiently distributes sessions to both Internet connections
without overloading either connection.

1. Configuring connections to the two ISPs

2. Adding security policies
3. Configuring failover detection and spillover load balancing
4. Results

Internet

WAN 1 WAN 2
ISP 1 ISP 2
FortiGate

LAN

Internal
Network

38 The FortiGate Cookbook 5.0.4

Configuring connections to
the two ISPs
Go to System > Network > Interfaces and
configure the wan1 and wan2 connections.
Make sure that both use DHCP as the
Addressing mode and have Retrieve
default gateway from server and
Override internal DNS enabled.

Using two ISPs for redundant Internet connections 39

Adding security policies
Go to Policy > Policy > Policy.

Create a security policy for the primary

interface connecting to the ISPs and the
internal network.

Create a security policy for each interface

connecting to the ISPs and the internal
network.

Configuring failover
detection and spillover load
balancing
Go to Router > Static > Settings.

Create two new Dead Gateway Detection

entries.

40 The FortiGate Cookbook 5.0.4

Set the Ping Interval and Failover
Threshold to a smaller value for a more
immediate reaction to a connection going
down.

Go to Router > Static > Settings and set

the ECMP Load Balancing Method to
Spillover.

The Spillover Threshold value is calculated

in kbps (kilobits per second). However, the
bandwidth on interfaces is calculated in kBps
(kilo Bytes per second).

For wan1 interface, Spillover Threshold = 100

kbps = 100000 bps. Assume that 1000 bps
is equal to 1024 bps. Thus, 100000 bps =
102400 bps = 102400/8 Bps = 12800 Bps.

Results
Go to Log & Report > Traffic Log >
Forward Traffic to see network traffic from
different source IP addresses flowing through
both wan1 and wan2.

Using two ISPs for redundant Internet connections 41

Disconnect the wan1 port on the FortiGate
unit to see that all traffic automatically goes
through the wan2 port unit, until wan1 is
available again.

42 The FortiGate Cookbook 5.0.4

 Adding a backup FortiGate unit to improve
reliability
Adding a backup FortiGate unit to a currently installed FortiGate unit provides
redundancy if the primary FortiGate unit fails. This system design is known as High
Availability (HA) and is intended to improve network reliability.

1. Adding the backup FortiGate unit and configuring HA

2. Testing the failover functionality
3. Upgrading the firmware for the HA cluster

Internet

Internet
Switch

Dual HA
WAN 1 WAN 1 Links WAN 2

HA 1 HA 1
FortiGate FortiGate FortiGate
(Primary) (Primary) HA 2 (Backup)
HA 2
Internal Internal Internal

Switch

Internal Network

Internal Network

Adding a backup FortiGate unit to improve reliability 43

Adding the backup
FortiGate unit and
configuring HA
Connect the backup FortiGate unit as shown
in the diagram.

Go to System > Dashboard > Status.

Change the host name of the primary

FortiGate unit.

Go to System > Config > HA.

Configure the HA settings for the primary

FortiGate unit.

Go to System > Dashboard > Status.

Change the host name of the backup

FortiGate unit.

44 The FortiGate Cookbook 5.0.4

Go to System > Config > HA.

Configure the HA settings for the backup

FortiGate unit.

Ensure that the Group Name and

Password are the same as on the primary
FortiGate unit.

Go to System > Config > HA to view the

cluster information.

Select View HA Statistics for more

information on the cluster.

Adding a backup FortiGate unit to improve reliability 45

Go to System > Dashboard > Status to
see the cluster information.

Testing the failover

functionality
Unplug the Ethernet cable from the WAN1
interface of the primary FortiGate unit. Traffic
will divert to the backup FortiGate unit.

Use the ping command to view the results.

Shut down the primary FortiGate unit, and

you will see that traffic fails over to the
backup FortiGate unit.

Use the ping command to view the results.

46 The FortiGate Cookbook 5.0.4

Upgrading the firmware for
the HA cluster
When a new version of the FortiOS firmware
becomes available, upgrade the firmware on
the primary FortiGate unit and the backup
FortiGate unit will upgrade automatically.

Go to System > Dashboard > Status

and view the System Information widget.
Select Upgrade beside the Firmware
Version listing.

The firmware will load on the primary

FortiGate unit, and then on the backup unit.

Go to Log & Report > Event Log >

System.

Go to System > Dashboard > Status. View

the System Information widget again. Both
FortiGate units should have the new firmware
installed.

Adding a backup FortiGate unit to improve reliability 47

Security Policies & Firewall Objects
Security policies and firewall objects are used to tell the FortiGate unit which traffic
should be allowed and which should be blocked.
No traffic can pass through a FortiGate unit unless specifically allowed to by
a security policy. With a security policy, you can control the addresses and
services used by the traffic and apply various features, such as security profiles,
authentication and VPNs.
Firewall objects are those elements within the security policy that further dictate how
and when network traffic is routed and controlled. This includes addresses,services,
and schedules.
This section contains the following examples:

• Ordering security policies to allow different access levels

• Controlling when BYOD users can access the Internet
• Using port forwarding on a FortiGate unit
• Using AirPlay with iOS, AppleTV, FortiAP, and a FortiGate unit
• Using AirPrint with iOS and OS X and a FortiGate unit

49
 Ordering security policies to allow different
access levels
This example illustrates how to order multiple security policies in the policy table,
in order for the appropriate policy to be applied to different network traffic. In the
example, three policies will be used: one that allows a specific PC access to all
services, one that allows only Internet access to other network devices, and the
default deny policy.

1. Configuring the Internet access only policy

2. Creating the policy for the PC
3. Ordering the policy table
4. Results

Network PC

All Services

LAN WAN 1
FortiGate

Internet Access Only

Other Network Devices

50 The FortiGate Cookbook 5.0.4

Configuring the Internet
access only policy
Go to Policy > Policy > Policy.

The screen that appears is the policy list.

In the example, Global View has been
selected, with the Seq.#, From, To, Source,
Destination, Action, Service, and
Sessions columns visible. To change the
visible columns, right-click on the menu bar
and select only the columns you wish to see.

Edit the first policy, which allows outgoing

traffic. Set Service to HTTP, HTTPS and
DNS. This policy now only allows Internet
access.

Creating the policy for the

PC
Go to System > Network > Interfaces.

Edit the LAN interface. Under DHCP Server,

expand the Advanced options.

Create a new MAC Address Access

Control List. Set MAC to the MAC address
of the PC and IP to an available IP address.

This will automatically assign the specified

Ordering security policies to allow different access levels 51

IP address to the PC when it connects to the
FortiGate.

Go to Firewall Objects > Address >

Addresses.

Create a new address. Set Type to IP

Subnet, Subnet/IP Range to the IP
address that will be assigned to the PC, and
Interface to LAN.

Using /32 as the Netmask ensures that the

firewall address applies only to the
specificed IP.

Go to Policy > Policy > Policy.

Create a new policy. Set Incoming

Interface to LAN, Source Address to the
PC address, and Outgoing Interface to
WAN1.

Ordering the policy table

Use the PC to browse to any Internet site,
then go to Policy > Policy > Policy.

The policy with Seq.# 1 is the Internet

access only policy, while 2 is the policy for
the PC. The Sessions column shows that
all sessions are currently using the Internet
access policy. Policy 3 is the default deny
policy.

To ensure that traffic from the PC matches

52 The FortiGate Cookbook 5.0.4

the PC policy, not the Internet access only
policy, select the Seq.# column and drag the
policy to the top of the list.

The device identity list will now appear at the

top of the list. After the list is refreshed, this
policy will be assigned Seq.# 1.

With this new order set, the FortiGate unit

will attempt to apply the policy for the PC to
all traffic from the LAN interface. If the traffic
comes from a different source, the FortiGate
will attempt to apply the Internet access only
policy. If this attempt also fails, traffic will be
blocked using the default deny policy.

When ordering multiple security policies, the

most specific policies (in this case, the policy
for the PC) must go to the top of the list, to
ensure that the FortiGate unit checks them
first when determining which policy to apply.

Results
Browse the Internet using the PC and
another network device, then refresh the
policy list. You can now see Sessions
occuring for both policies.

Ordering security policies to allow different access levels 53

 Controlling when BYOD users can access the
Internet
This example uses a FortiOS device definition and security policy scheduling to limit
use of Bring Your Own Device (BYOD) users during company time.

In this example, a FortiWiFi unit is used. A similar method can be used to control BYOD access using a FortiAP and a
FortiGate..

1. Adding BYODs to the FortiWiFi unit

2. Adding schedules for the use of a BYOD
3. Adding a device identity security policy
4. Results

Internet

FortiWiFi

Wireless Mobile
Devices

Internal
network

54 The FortiGate Cookbook 5.0.4

Adding BYODs to the
FortiWiFi unit
Go to User & Device > Device > Device
Definitions.

Add a new device by assigning an Alias

and setting the MAC Address and Device
Type.

The device will now appear on the definitions

list.

Devices not yet added may also appear in

the list. Double-click the entry and enter an
Alias to add it.

Adding schedules for the

use of a BYOD
Go to Firewall Objects > Schedule >
Schedules.

Create a new recurring schedule to suit

your needs. The example schedule, when
included with a security policy, allows users
to access the Internet with their personal
wireless devices over lunch time hours.

Controlling when BYOD users can access the Internet 55

Adding a device identity
security policy
Go to Policy > Policy > Policy.

Create a new policy, setting the Policy

Subtype to Device Identity. Set the
Incoming Interface to the wireless
interface used for BYOD connections and
set the Outgoing Interface as the Internet-
facing interface.

Create a new authentication rule that

includes the wireless devices and the new
schedule.

Results
Go to Log & Report > Traffic Log >
Forward Traffic. When a mobile user
connects during the lunch break, they can
surf the Internet, as shown in the logs.

When the time in the schedule is reached,

further surfing cannot continue. This does
not appear in the logs, as only allowed traffic
is logged.

Evidence that the schedule and policy are

working appears when attempting to connect
to a website, and possibly a few questions
from the BYOD users.

56 The FortiGate Cookbook 5.0.4

 Using port forwarding on a FortiGate unit
This example illustrates how to use virtual IPs to configure port forwarding on a
FortiGate unit, which redirects traffic from one port to another. In this example,
incoming connections from the Internet are allowed access to a server on the
internal network by opening TCP ports in the range 7882 to 7999 and UDP ports
2119 and 2995.

1. Creating three virtual IPs

2. Adding the virtual IPs to a VIP group
3. Creating a security policy
4. Results

Internet

Open TCP ports 7882-7999,

UDP port 2119 and 2995
for traffic from the
FortiGate
Internet to the server

Server

Using port forwarding on a FortiGate unit 57

Creating three virtual IPs
Go to Firewall Objects > Virtual IPs >
Virtual IPs.

Enable Port Forwarding and add a virtual

IP using TCP protocol with the range 7882-
7999.

Create a second virtual IP for the UDP port

2119.

Create a third a virtual IP for the UDP port

2995.

58 The FortiGate Cookbook 5.0.4

Adding virtual IPs to a VIP
group
Go to Firewall Objects > Virtual IPs > VIP
Groups.

Create a VIP group that includes all three

virtual IPs.

Creating a security policy

Go to Policy > Policy > Policy.

Create a security policy allowing inbound

connections to the server from the Internet.
Set the Destination Address as the new
VIP group.

Using port forwarding on a FortiGate unit 59

Results
Go to Policy > Monitor > Policy Monitor
to see the active sessions.

Select the blue bar for more information on a

session.

Go to Log & Report > Traffic Log >

Forward Traffic to see the logged activity.

60 The FortiGate Cookbook 5.0.4

Select an entry for more information about
the session.

Using port forwarding on a FortiGate unit 61

 Using AirPlay with iOS, AppleTV, FortiAP, and a
FortiGate unit
This example sets up AirPlay services for use with an iOS device using Bonjour and
multicast security policies.

1. Configuring the FortiAP and SSIDs

2. Adding addresses for the wireless network
3. Adding service objects for multicasting
4. Adding multicast security policies
5. Adding inter-subnet security policies
6. Results

iPad

Internal Network
(OS x)

FortiAP FortiGate

Apple
TV

62 The FortiGate Cookbook 5.0.4

Configuring the FortiAP and
SSIDs
Go to System > Network > Interfaces.

Edit the internal interface to be used for

the FortiAP and set Addressing Mode to
Dedicate to FortiAP.

Connect the FortiAP unit to the FortiGate

unit.

Go to WiFi Controller > Managed Access

Points > Managed FortiAP and authorize
the FortiAP.

Once authorized, it will appear in the

authorized list.

Using AirPlay with iOS, AppleTV, FortiAP, and a FortiGate unit 63

Go to WiFi Controller > WiFi Network >
SSID.

Create a WiFi SSID for the network for

wireless users and enable DHCP Server.

Adding addresses for the

wireless network
Go to Firewall Objects > Address >
Addresses.

Create an address for SSID 1.

64 The FortiGate Cookbook 5.0.4

Create a second address for the internal
network containing the OS X computers.

Adding two service objects

for AirPlay
Go to Firewall Objects > Service >
Services.

Add service objects for each device

connection.

Using AirPlay with iOS, AppleTV, FortiAP, and a FortiGate unit 65

Adding multicast security
policies
Go to Policy > Policy > Multicast Policy.

Create a policy to allow multicast traffic from

the LAN and WLAN1 for AppleTV to iOS
devices. Set Incoming Interface to LAN,
Source Address to the Internal network,
Outgoing Interface to the SSID, and
Destination Address to Bonjour.

The Bonjour address allows the devices to

find each other when they connect
through the FortiGate unit.

Go to Policy > Policy > Multicast Policy.

Create a policy to allow multicast traffic

from the WLAN1 and LAN for iOS devices
to AppleTV. Set Incoming Interface to
the SSID, Source Address to the SSID
IP, Outgoing Interface to LAN, and
Destination Address to Bonjour.

66 The FortiGate Cookbook 5.0.4

Adding inter-subnet security
policies
Go to Policy > Policy > Policy.

Create a policy allowing traffic from the

Apple TV to the iOS device. Set Incoming
Interface to LAN, Source Address to the
Internal network, and Outgoing Interface to
the SSID.

Create a policy allowing traffic from the

iOS device to the Apple TV. Set Incoming
Interface to the SSID, Source Address to
the SSID IP, and Outgoing Interface to the
LAN.

Results
Use Airplay from the iPad to stream video to
the Apple TV.

Go to Log & Report > Traffic Log >

Multicast Traffic to see the multicast traffic
between the WLAN1 and LAN interfaces.

Using AirPlay with iOS, AppleTV, FortiAP, and a FortiGate unit 67

Select an entry for more information.

Go to Log & Report > Traffic Log > Log

Forward and filter policy IDs 6 and 7, which
allow AirPlay traffic.

68 The FortiGate Cookbook 5.0.4

Select an entry for more information.

Apple TV can also be connected to the

Internet wirelessly. AirPlay will function
from any iOS device connected to the
same SSID as Apple TV. No configuration is
required on the FortiGate unit.

Using AirPlay with iOS, AppleTV, FortiAP, and a FortiGate unit 69

 Using AirPrint with iOS and OS X and a FortiGate
unit
This example sets up AirPrint services for use with an iOS device and OS X
computers using Bonjour and multicast security policies.

1. Configuring the FortiAP and SSIDs

2. Adding addresses for the wireless networks and printer
3. Adding service objects for printing
4. Adding multicast security policies
5. Adding inter-subnet security policies
6. Results

iPad Internal Network

OS x

FortiAP FortiGate

AirPrint

70 The FortiGate Cookbook 5.0.4

Configuring the FortiAP and
SSIDs
Go to System > Network > Interfaces.

Set an internal interface as dedicated to the

FortiAP unit.

Connect the FortiAP unit to the FortiGate

unit.

Go to WiFi Controller > Managed Access

Points > Managed FortiAP and authorize
the FortiAP.

Once authorized, it will appear in the

authorized list.

Using AirPrint with iOS and OS X and a FortiGate unit 71

Go to WiFi Controller > WiFi Network >
SSID.

Create a WiFi SSID for the network for

wireless users and enable DHCP Server.

72 The FortiGate Cookbook 5.0.4

Create an SSID for the network for the
AirPrint printer and enable DHCP Server.

Adding addresses for the

wireless networks and
printer
Go to Firewall Objects > Address >
Addresses.

Create addresses for the SSID1, SSID2, and

AirPrint printer.

Using AirPrint with iOS and OS X and a FortiGate unit 73

Create an address for the internal network
containing the OS X computers.

Adding service objects for

printing
Go to Firewall Objects > Service >
Services.

Create a new service for Internet Printing

Protocol (IPP) for iOS devices.

Create a new service for PDL Data Stream

for OS X computers.

74 The FortiGate Cookbook 5.0.4

Adding multicast security
policies
Go to Policy > Policy > Multicast Policy.

Create two policies to allow multicast traffic

from WLAN1 and WLAN2 for iOS devices.

For the first policy, set Incoming Interface

to WLAN1, Source Address to the SSID1
IP, Outgoing Interface to WLAN2, and
Destination Address to Bonjour.

For the second policy, set Incoming

Interface to WLAN2, Source Address
to the SSID2 IP, Outgoing Interface to
WLAN1, and Destination Address to
Bonjour.

The Bonjour address allows the devices to

find each other when they connect
through the FortiGate unit.

Create two policies to allow multicast

traffic from the LAN and WLAN2 for OS X
computers.

For the first policy, set Incoming Interface

to LAN, Source Address to the Internal
network, Outgoing Interface to WLAN2,
and Destination Address to Bonjour.

Using AirPrint with iOS and OS X and a FortiGate unit 75

For the second policy, set Incoming
Interface to WLAN2, Source Address to
the AirPrint, Outgoing Interface to LAN,
and Destination Address to Bonjour.

Adding inter-subnet security

policies
Go to Policy > Policy > Policy.

Create a policy allowing printing from

wireless devices. Set Incoming Interface to
WLAN1, Source Address to the SSID1 IP,
Outoing Interface to WLAN2, Destination
Address to the AirPrint, and Service to IPP.

Create a policy allowing printing from an

OS X computer to the AirPrint printer. Set
Incoming Interface to LAN, Source
Address to the Internal network, Outoing
Interface to WLAN2, Destination Address
to the AirPrint, and Service to IPP.

76 The FortiGate Cookbook 5.0.4

Results
Print a document from an iOS device.

Go to Log & Report > Traffic Log >

Multicast Traffic to see the printing traffic
passing through the FortiGate unit.

Select an entry to see more information.

Go to Log & Report > Traffic Log >

Forward Traffic and verify the entry with the
IPP service.

Using AirPrint with iOS and OS X and a FortiGate unit 77

Print a document from an OS X computer.

Go to Log & Report > Traffic Log >

Multicast Traffic to see the printing traffic
passing through the FortiGate unit.

Select an entry to see more information.

Go to Log & Report > Traffic Log >

Forward Traffic and filter the destination
interface for WLAN2 traffic.

Select an entry to see more information.

78 The FortiGate Cookbook 5.0.4

Security Features
Security features, including antivirus, web filtering, application control, intrusion
protection (IPS), email filtering, and data leak prevention (DLP), apply core security
functions to the traffic accepted by your FortiGate unit.
Each security feature has a default profile. You can also create custom profiles to
meet the needs of your network. These profiles are then applied to your security
policies and used to monitor and, if necessary, block external and internal traffic that
is considered risky or dangerous.
This section contains the following examples:

• Monitoring your network using client reputation

• Controlling network access using application controll
• Protecting a web server from external attacks
• Blocking outgoing traffic containing sensitive data
• Blocking large files from entering the network
• Blocking access to specific websites
• Extra help: Web filtering
• Blocking HTTPS traffic with web filtering
• Using web filter overrides to control website access

79
 Monitoring your network using client reputation
Client reputation allows you to monitor traffic from internal sources to identify any
users who may be engaging in risky or dangerous behavior. This example enables
client reputation on web filtering, in order to monitor user traffic to the Internet.

1. Enabling client reputation

2. Adding default security profiles to a security policy
3. Results

Internet

Traffic from internal sources

monitored by Client Reputation
FortiGate

Internal Network

80 The FortiGate Cookbook 5.0.4

Enabling client reputation
Go to Security Profiles > Client
Reputation > Threat Level Definition.

Enable Client Reputation Tracking by

selecting the Off button, so it changes to
appear green and reads On.

The client reputation profile is made up of

categories of different behaviors which could
be considered risky, dangerous, or otherwise
unwanted. All behavior types are assigned
Risk Level Values that determine how
closely that behavior is monitored.

Risk levels have a default value that you can

change to meet your needs. To change a
value, select a level indicator dial and drag
it right to increase the risk level, or left to
decrease.

Enabling Client Reputation Tracking also

enables the Log Allowed Traffic setting
for all security policies. For more
information about logging, see “Logging
network traffic to gather information” on
page 7.

Monitoring your network using client reputation 81

Adding default security
profiles to a security policy
Go to Policy > Policy > Policy.

Edit the policy controlling the traffic you

wish to monitor using client reputation.
Under Security Profiles, enable all types of
activity you wish to monitor and set them to
use the default profiles.

In the example, only the web filter profile is

enabled, so only traffic to the Internet will be
monitored.

82 The FortiGate Cookbook

Results
Monitor traffic for a day. To see the
results, go to Security Profiles > Client
Reputation > Reputation Score.

The chart lists users by IP address and

scores the users according to the risk level of
their behavior. Scores are listed from highest
to lowest.

With this information, you can see where

potential problems might occur or where
potential security breaches are imminent.

Select a blue bar to view more information

about a particular user’s activity, including
the application being used and the client
reputation score.

If you wish to continue to monitor user

behavior and are either using FortiCloud for
logging or have an SMTP email server, daily
or weekly client reputation reports can be
sent to you.

Client Reputation only monitors risky

activity, it does not block it. If you discover
activity that you are concerned about,
additional action must be taken to stop it,
such as applying a more restrictive
security policy to the traffic.

Monitoring your network using client reputation 83

 Controlling network access using application
control
This example uses application control to monitor traffic and determine what
applications are contributing to high bandwidth usage or distracting employees.
After this is determined, a different application sensor is used to block those
applications from having network access.

1. Creating an application sensor to monitor network traffic

2. Adding the monitoring sensor to a security policy
3. Reviewing the application control monitor
4. Creating an application sensor to block applications
5. Adding the blocking sensor to a security policy
6. Results

Action applied
yes

Application
yes targeted?

Application Application
Session begins specific control
traffic enabled?

no Traffic not
affected

84 The FortiGate Cookbook 5.0.4

Creating an application
control sensor to monitor
traffic
Go to Security Profiles > Application
Control > Application Sensors. Select
the plus icon in the upper right corner of
the window to create a new sensor list for
monitoring application traffic.

Select Create New to add a new application

filter. Leave all Filter Options selected.

Ensure that you set the Action to Monitor.

At this stage in the process, you are
monitoring the traffic to locate any problems
that may be occurring, rather than blocking
applications.

Controlling network access using application control 85

Adding the monitoring
sensor to a security policy
Go to Policy > Policy > Policy.

Edit the security policy that allows internal

users to access the Internet. Under Security
Profiles, enable Application Control and
set it to use the new filter.

86 The FortiGate Cookbook 5.0.4

Reviewing the application
control monitor
Go to Security Profiles > Monitor >
Application Monitor to see the results
found by the application sensor.

Select a bar to see further details on the

usage statistics.

In the example, you can see an occurrence

of an HTTP segmented download, which
typically occurs during Peer-to-Peer (P2P)
downloads. To avoid this from occurring
in the future, P2P applications must be
blocked.

Creating an application
sensor to block applications
Go to Security Profiles > Application
Control > Application Sensors and create
a new sensor list for blocking application
traffic.

Controlling network access using application control 87

Select Create New to add a new application
filter.

In the Category list, select the application

categories you wish to block. As well as
blocking P2P, other types of applications
can be selected that are known to distract
employees.

Ensure that you set the Action to Block.

Adding the blocking sensor

to a security policy
Go to Policy > Policy > Policy.

Edit the firewall policy allowing internal users

to access the Internet. Under Security
Profiles, enable Application Control and
set it to use the new filter.

88 The FortiGate Cookbook 5.0.4

Results
Go to Log & Report > Traffic Log >
Forward Traffic.

You can see the sensor is working and

blocking the traffic from the selected
application types, including the P2P
application Skype.

Select an entry to view more information,

including the application name and the
device the traffic originated on.

Controlling network access using application control 89

 Protecting a web server from external attacks
This example uses the FortiOS intrusion protection system (IPS) to protect a web
server by configuring an IPS sensor to protect against common attacks and adding
it to the policy which allows external traffic to access the server. A denial of service
(DoS) security policy is also added to further protect the server against that specific
type of attack.

1. Configuring an IPS sensor to protect against common

attacks
2. Adding the IPS sensor to a security policy
3. Adding a DoS security policy
4. Results

Attacks

Internet
FortiGate

Web Server

90 The FortiGate Cookbook 5.0.4

Configuring an IPS sensor
to protect against common
attacks
Go to Security Profiles > Intrusion
Protection > IPS Sensors. Select the plus
icon in the upper right corner of the window
to create a new sensor.

Create a new IPS filter. Set the Target to

server and set the Action to Block All.

Protecting a web server from external attacks 91

Adding the IPS sensor to a
security policy
Go to Policy > Policy > Policy. Edit the
security policy allowing traffic to the web
server from the Internet.

Enable IPS and set it to use the new sensor.

Adding a DoS security policy

Go to Policy > Policy > DoS Policy.

Create a new policy. The Incoming

Interface is your Internet-facing interface.

In the Anomalies list, enable Status and

Logging and set the Action to Block for all
types.

92 The FortiGate Cookbook

Results

WARNING: Causing a DoS attack is illegal,

unless you own the server under attack.
Before performing an attack, make sure
you have the correct server IP.

Perform an DoS tcp_sync_flood attack to the

web server IP address. IPS blocks the TCP
sync session when it reaches the tcp_syn_
flood threshold, in this case 20.

Go to Log & Report > Security Log >

Intrusion Protection to view the results of
the DoS policy.

Select an entry to view more information,

including the severity of the attack and the
attack name.

Protecting a web server from external attacks 93

 Blocking outgoing traffic containing sensitive
data
Data leak prevention (DLP) analyzes outgoing traffic and blocks any sensitive
information from leaving the network. In this example, DLP will be used to block files
using the file’s name and type.

1. Creating a file filter

2. Creating a DLP sensor that uses the file filter
3. Adding the DLP sensor to a security policy
4. Results

Internet

Data Leak

FortiGate
Internal Network

94 The FortiGate Cookbook 5.0.4

Creating a file filter
Go to Security Profiles > Data Leak
Prevention > File Filter. Select Create
New to make a File Filter Table.

Create a new filter in the table. Set the Filter

Type to File Name Pattern and enter the
pattern you wish to match. If needed, you
can use a wildcard character in the pattern.

Create a second filter, this time setting the

Filter Type to File Type. Select a File Type
from the list.

Blocking outgoing traffic containing sensitive data 95

Creating a DLP sensor that
uses the file filter
Go to Security Profiles > Data Leak
Prevention > Sensors. Select the plus icon
in the upper right corner of the window to
create a new sensor.

Select Create New to make a new filter.

Set the type to Files. Enable File Type
included in and set it to your file filter.

Under Examine the following Services,

select the services you wish to monitor with
DLP.

Set the Action to Block.

96 The FortiGate Cookbook 5.0.4

Adding the DLP sensor to a
security policy
Go to Policy > Policy > Policy. Edit the
security policy that controls the traffic you
wish to block.

Enable DLP Sensor and set it to use the

new sensor.

Results
Attempt to upload a file that matches the
file filter criteria using FTP protocol. The file
should be blocked and a message from the
server should appear.

Blocking outgoing traffic containing sensitive data 97

To find more information about the blocked
traffic, go to Log & Report > Traffic Log >
Forward Traffic.

The selected log message shows the name

of the file that was blocked (File_pattern_text.
exe), the type of file filter that blocked it
(file-type), and a variety of other information
which may be useful.

98 The FortiGate Cookbook 5.0.4

 Blocking large files from entering the network
Some files are too large to be properly scanned by a FortiGate unit, which can put
your network at risk. This example configures data leak prevention (DLP) to block
files larger than 10 MB (10,000 kB) from entering the network.

1. Creating a DLP sensor to block large files

2. Adding the DLP sensor to a security policy
3. Results

Large file containing a virus

Internet
FortiGate

Internal Network

Blocking large files from entering the network 99

Creating a DLP sensor to
block large files
Go to Security Profiles > Data Leak
Prevention > Sensors. Select the plus icon
in the upper right corner of the window to
create a new sensor.

Select Create New to make a new filter and

set the filter type to Files.

Enable File Size >= and set the size to

10,000 kB. Select all of the services you wish
to examine and set the Action to Block.

100 The FortiGate Cookbook 5.0.4

Adding the DLP sensor to a
security policy
Go to Policy > Policy > Policy.

Edit the security policy controlling the

traffic you wish to block. Under Security
Features, enable DLP Sensor and set it to
use the new sensor.

Results
Attempt to download a file larger than 10
MB. The download will fail and a replacement
message from the FortiGate unit will appear.

The DLP sensor may not take effect until

all the current sessions have expired. If
the file is not blocked immediately, wait 24
hours and try again.

Blocking large files from entering the network 101

 Blocking access to specific websites
This example sets up the FortiGate unit to block users from viewing a specific
website using web filtering.

1. Creating a web filter profile

2. Adding the web filter profile to a security policy
3. Results

Website

Block

FortiGate

Internal Network

102 The FortiGate Cookbook 5.0.4

Creating a web filter profile
Go to Security Profiles > Web Filter >
Profiles.

Create a new profile and select Enable

Web Site Filter and Create New. Set the
URL to *fortinet.com, using * as a wildcard
character in order to block all subdomains of
the site. Set the Type to Wildcard and the
Action to Block.

Adding the web filter profile

to a security policy
Go to Policy > Policy > Policy.

Edit the policy controlling the traffic you wish

to block from the website. Under Security
Profiles, enable Web Filter and set it to use
the new profile.

Blocking access to specific websites 103

Results
In a web browser, visit www.fortinet.com
and docs.fortinet.com. In both cases, the
FortiGate unit displays a message, stating
that the website is blocked.

This example will only block HTTP web

traffic. In order to block HTTPS traffic as
well, see”Blocking HTTPS traffic with web
filtering” on page 106.

104 The FortiGate Cookbook 5.0.4

 Extra help: Web filtering
This section contains tips to help you with some common challenges of FortiGate
web filtering.

The Web Filter option does not appear in the GUI.

Go to Config > System > Features and enable Web Filter.

New Web Filter profiles cannot be created.

Go to Config > System > Features and select Show More. Enable Multiple Security
Profiles.

Web Filtering has been configured but is not working.

Make sure that web filtering is enabled in a policy. If it is enabled, check that the policy is the
policy being used for the correct traffic. Also check that the policy is getting traffic by going
to the policy list and adding the Sessions column to the list.

An active FortiGuard Web Filtering license displays as expired/unreachable.

First, ensure that web filtering is enabled in one of your security policies. The FortiGuard
service will sometimes show as expired when it is not being used, to save CPU cycles.

If web filtering is enabled in a policy, go to System > Config > FortiGuard and click the
blue arrow beside Web Filtering. Under Port Selection, select Use Alternate Port (8888).
Select Apply to save the changes. Check whether the license is shown as active. If it is still
inactive/expired, switch back to the default port and check again.

Websites blocked using the FortiGuard Categories are not consistently

blocked (for example, traffic is only blocked using certain browsers).
In your web filter profile, make sure that Scan Encrypted Connections is selected. Next,
create an SSL Inspection profile and add it to the security policy. Traffic should now be
blocked consistently.

SSL Inspection is causing certificate errors.

Download the Fortinet_CA_SSLProxy certificate and install it on your web browser. For more
information, see “Preventing security certificate warnings when using SSL inspection” on
page 153.

Extra help: Web filtering 105

 Blocking HTTPS traffic with web filtering
Some websites are accessible using HTTPS protocol, such as Youtube. This
example shows how to use web filtering to block HTTPS access.

This example requires an active license for FortiGuard Web Filtering Services.

1. Verifying FortiGuard services are enabled

2. Creating a web filter profile
3. Creating an SSL inspection profile
4. Adding the profiles to a security policy
5. Results

Website

Block

HTTPS Traffic

FortiGate

Internal Network
106 The FortiGate Cookbook 5.0.4
Verifying FortiGuard
Services are enabled
Go to System > Dashboard > Status.

In the License Information widget, verify

that you have an active subscription to
FortiGuard Web Filtering. If you have a
subscription, the service will have a green
checkmark beside it.

Blocking HTTPS traffic with web filtering 107

Creating a web filter profile
Go to Security Profiles > Web Filter >
Profiles. Select the plus icon in the
upper right corner to create a new profile.

Enable FortiGuard Categories and expand

the category Bandwidth Consuming.
Right-click on Streaming Media and
Download, the category to which Youtube
belongs, and select Block.

Creating an SSL inspection

profile
Go to Policy > Policy > SSL Inspection.
Select the plus icon in the upper right corner
to create a new profile.

Enable the inspection of the HTTPS

Protocol.

108 The FortiGate Cookbook 5.0.4

Adding the profiles to a
security policy
Go to Policy > Policy > Policy.

Edit the security policy controlling the traffic

you wish to block. Under Security Profiles,
enable Web Filter and SSL Inspection and
set both to use the new profiles.

Blocking HTTPS traffic with web filtering 109

Results
Browse to https://www.youtube.com. A
replacement message appears indicating
that the website was blocked.

Blocked traffic can be monitored by going

to Security Profiles > Monitor > Web
Monitor.

110 The FortiGate Cookbook 5.0.4

 Using web filter overrides to control website
access
This example shows two methods of using web filter overrides to control access to
specific websites: one for the entire network and one for specific users.

This example requires an active license for FortiGuard Web Filtering Services.

Method 1 Method 2
1. Creating a rating override 1. Creating a user group and
two users
2. Adding FortiGuard blocking
to the default web filter profile 2. Creating a web filter profile
3. Adding the web filter profile to 3. Adding the web filter profile to
a security policy a security policy
4. Results 4. Results

Internet

FortiGuard
Override

FortiGate

Internal Network

Using web filter overrides to control website access 111

Method 1
Creating a ratings override
Go to Security Profiles > Web Filter >
Rating Overrides.

Create a new override and enter the URL

fortinet.com. Select Lookup Rating to see
its current FortiGuard Rating.

Set Category to Custom Categories (local

categories) and create a new Sub-Category
for blocked sites.

The sub-category has been added to the list

of FortiGuard Categories, under Local
Categories.

112 The FortiGate Cookbook 5.0.4

Adding FortiGuard blocking
to the default web filter
profile
Go to Security Profiles > Web Filter >
Profiles.

Create a new profile and enable FortiGuard

Categories. Right-click on Local
Categories and select Block.

Adding the web filter profile

to a security policy
Go to Policy > Policy > Policy.

Edit the policy that allows outbound traffic.

Under Security Profiles, enable Web Filter
and set it to use the new profile.

Using web filter overrides to control website access 113

Results
In a web browser, go to www.fortinet.com.

The website will be blocked and a

replacement message from FortiGuard Web
Filtering will appear.

Rating overrides can also be used to allow

access to specific sites within a FortiGuard
category, such as General Interest -
Personal, while still blocking the rest of
the sites listed in that category.

Method 2
Creating a user group and
two users
Go to User & Device > User > User
Group. Select Create New and create the
group override_group.

114 The FortiGate Cookbook 5.0.4

Go to User & Device > User > User
Definition.

Using the User Creation Wizard, create

two users (in the example, ckent and
bwayne). Assign ckent to override_group but
not bwayne.

Using web filter overrides to control website access 115

Creating a web filter profile
Go to Security Profiles > Web Filter >
Profiles.

Create a new profile and enable FortiGuard

Categories. Right click on Local
Categories and select Block.

Expand the Advanced Filter and enable

Allow Blocked Override. Set Apply to
Group(s) to override_group.

Set Assign to Profile to default to use it as

the alternate web filter profile for override_
group users.

Because the default web filter does not block

Local Categories, using it will allow ckent to
access fortinet.com for the duration of the
override period (by default, Duration is set
to 15 minutes).

Adding the web filter profile

to a security policy
Go to Policy > Policy > Policy.

Edit the policy that allows outbound traffic

and set the Policy Subtype to User
Identity.

116 The FortiGate Cookbook 5.0.4

Create an Authentication Rule that
includes both override_group and bwayne
and has Web Filter set to override_profile.

Results
In a web browser, go to www.fortinet.com.

After the user authentication screen, the

website is blocked and a replacement
message from FortiGuard Web Filtering
appears.

Select Override. You are prompted to

authenticate to view the page.

User bwayne is not able to override the web

filter and receives an error message.

Using web filter overrides to control website access 117

However, user ckent is able to override the
filter and can access the site for 15 minutes.

You can monitor web filter overrides by going

to Log & Report > Traffic Log > Forward
Traffic.

Select an entry for more information about a

session, including the user and hostname.

118 The FortiGate Cookbook 5.0.4

Wireless Networking
FortiOS WiFi networking provides a wide range of capabilities for integrating
wireless networks into your organization’s network architecture. Each WiFi network,
or SSID, is represented by a virtual network interface to which you can apply firewall
policies, security profiles, and other features in the same way you would for physical
wired networks.
This chapter contains the following examples:

• Setting up a temporary guest WiFi user

• Setting up a network using a FortiGate unit and a FortiAP unit
• Providing remote users access to the corporate network and Internet

119
 Setting up a temporary guest WiFi user
In this example, a temporary user account will be created and distributed to a guest
user, allowing the guest to have wireless access to the Internet.

1. Connecting the FortiAP unit using the DMZ interface

2. Creating a WiFi guest user group
3. Creating an SSID using a captive portal
4. Creating a security policy to allow guest users Internet
access
5. Creating a guest user management account
6. Results

Internet

Internal Network

FortiGate
FortiAP

Guest WiFi User

120 The FortiGate Cookbook 5.0.4

Connecting the FortiAP unit
using the DMZ interface
Go to System > Network > Interfaces.
Select the dmz interface.

Set the dmz interface to be Dedicated to

FortiAP.

Connect the FortiAP to the DMZ interface.

Go to WiFi Controller > Managed Access
Points > Managed FortiAP and right-click
on the FortiAP unit. Select Authorize.

Using the DMZ interface creates a secure

network that will only grant access if it is
explicitly allowed. This allows guest access
to be carefully controlled.

Setting up a temporary guest WiFi user 121

Creating a WiFi guest user
group
Go to User & Device > User > User
Group.

Create a new group, setting Type to Guest,

User ID to Email, and Password to Auto-
Generate.

These guest user accounts are temporary

and will expire four hours after the first login.

Creating an SSID using a

captive portal
Go to WiFi Controller > WiFi Network >
SSID.

Create a new SSID. Set Traffic Mode to

Tunnel to Wireless Controller and enable
DHCP Server, taking note of the IP range
assigned.

Under WiFi Settings, set Security Mode

to Captive Portal and User Groups to the
new guest user group.

A Captive Portal will intercept connections

to the wireless network and display a login
screen on the guest user’s device. The guest
must then authenticate with the portal to gain
access to the wireless network.

122 The FortiGate Cookbook 5.0.4

Creating a security policy
to allow guest users Internet
access
Go to Firewall Objects > Address >
Addresses.
Create a firewall address for the guest WiFi
users. Use the DHCP IP range for Subnet/IP
Range and set the Interface to the wireless
interface.

Go to Policy > Policy > Policy.

Create a security policy allowing guest users

to have wireless access to the Internet.

Set Incoming Interface to the wireless

interface, Outgoing Interface to your
Internet-facing interface, and Source
Address to the guest WiFi users group.

Setting up a temporary guest WiFi user 123

Creating a guest user
management account
Optionally, you can create an administrator
that is used only to create guest accounts.
Access to this account can be given to a
receptionist, to simply the process of making
new accounts.

Go to System > Admin > Administrators.

Create a new account. Set the Type to

Regular and set a Password. Enable
Restrict to Provision Guest Accounts
and set Guest Groups to the WiFi guest
user group.

124 The FortiGate Cookbook 5.0.4

Results
Log in to the FortiGate unit using the guest
user management account. Go to User &
Device > User > Guest Management and
select Create New.

Use a guest’s email account to create a new

user ID.

The FortiGate unit generates a user account

and password. This account is only valid for
four hours (the default time limit for the guest
user group).

The guest can now log in using the FortiGate

Captive Portal. Once authenticated, the
guest is able to connect wirelessly to the
Internet.

Setting up a temporary guest WiFi user 125

To verify that the guest user logged in
successfully, go to WiFi Controller >
Monitor > Client Monitor.

Go to Policy > Monitor > Policy Monitor

and verify the active sessions.

Select one of the bars to view more

information about a session.

126 The FortiGate Cookbook 5.0.4

 Setting up a network using a FortiGate unit and
a FortiAP unit
This example sets up a wired network and a wireless network that are in the same
subnet. This will allow wireless and wired users to share network resources.

1. Configuring the internal wired network to use DHCP

2. Creating the internal wireless network
3. Results

Internet

FortiGate

FortiAP

Wireless Network

Internal Network

Setting up a network using a FortiGate unit and a FortiAP unit 127

Configuring the internal
wired network to use DHCP
Edit the internal interface.

Set Addressing mode to Manual and

enable DHCP server. Take note of the IP
range.

Go to Firewall Objects > Address >

Addresses.

Set Type to IP Range and set Subnet/IP

Range to use the IP range from the DHCP
server.

128 The FortiGate Cookbook 5.0.4

Go to Policy > Policy > Policy.

Create a security policy allowing users on the

wired network to access the Internet.

Creating the internal

wireless network
Connect the FortiAP to the internal interface.
Go to WiFi Controller > Managed Access
Points > Managed FortiAP and right-click
on the FortiAP unit. Select Authorize.

It may take a few minutes for the FortiAP

unit to appear on the Managed FortiAP list.

Setting up a network using a FortiGate unit and a FortiAP unit 129

Go to WiFi Controller > WiFi Network >
SSID and create a new SSID.

Ensure the Traffic Mode is set to Local

bridge with FortiAP’s Interface.

Go to WiFi Controller > WiFi Network >

Custom AP Profile. Select Create New.

Set SSID for both Radio 1 and Radio 2 to

the new SSID.

130 The FortiGate Cookbook 5.0.4

Go to WiFi Controller > Managed Access
Points > Managed FortiAP. Edit the
FortiAP unit.

Under Wireless Settings, set AP Profile to

use the new profile.

Results
Users connected to the new SSID will be
able to access the Internet. The wireless
devices will be in the same subnet as the
internal wired network.

Go to WiFi Controller > Monitor > Client

Monitor to see WiFi users and their IP
addresses.

Go to Log & Report > Traffic Log >

Forward Traffic to verify that the same
policy controls both wired and wireless
traffic.

Setting up a network using a FortiGate unit and a FortiAP unit 131

 Providing remote users access to the corporate
network and Internet
In this example, a user in a remote location, such as a hotel or their home, will use
a FortiAP unit to securely connect to the corporate network and browse the Internet
from behind the corporate firewall.

1. Connecting the FortiAP unit to the corporate FortiGate unit

2. Creating an SSID and a firewall addresses
3. Creating security policies
4. Configuring the FortiAP unit to connect to the corporate
FortiGate unit
5. Connecting to the corporate FortiGate unit remotely
6. Results

FortiAP
Remote User

Internet

Internal Network

FortiGate

132 The FortiGate Cookbook 5.0.4

Connecting the FortiAP unit
to the corporate FortiGate
unit
Insert the Ethernet cable provided into the
FortiAP unit’s WAN port.

Connect the Ethernet cable to an internal

port on your FortiGate. You may use a
different port but, for ease of use, an internal
port is preferred.

Configure the port by going to System >

Network > Interfaces. Set the Addressing
mode to Dedicate to FortiAP.

Go to WiFi Controller > Managed

AccessPoints > Managed FortiAP. The
FortiAP unit should be listed.

There will be an orange question mark icon

listed under State. Right-click on the icon
and select Authorize.

Now that the FortiAP unit is authorized, the

icon will change to a green checkmark.

Providing remote users access to the corporate network and Internet 133
Creating an SSID and a
firewall addresses
Go to WiFi Controller > WiFi Network >
SSID. Select Create New.

Enable the DHCP Server and make note of

the IP range.

Configure the WiFi Settings with a unique

SSID name and Pre-shared Key.

Go to Firewall Objects > Address >

Addresses. Create addresses for both the
remote users and the corporate network.

For the remote users, set Type to IP Range.

The range for the remote users should be
within the range used for the DHCP server.
Set Interface to the new SSID.

134 The FortiGate Cookbook 5.0.4

For the corporate network, set Type to
Subnet and use the corporate network’s
IP address. Set Interface to an internal
interface.

Creating security policies

Go to Policy > Policy > Policy.

Create a policy that allows remote wireless

users to access the Internet. Set the
Incoming Interface to the SSID and the
Outgoing Interface as your Internet-facing
interface.

Providing remote users access to the corporate network and Internet 135
Create a second policy for remote wireless
users to access the corporate network.
Again, set the Incoming Interface to the
SSID but now the Outgoing Interface is an
internal interface.

Configuring the FortiAP unit

to connect to the corporate
FortiGate unit
Go to WiFi Controller > Managed Access
Points > Managed FortiAP and note the IP
Address assigned to your FortiAP.

Enter the address into your browser’s

address bar to access your FortiAP web
manager.

136 The FortiGate Cookbook 5.0.4

In the System Information tab, enter the
AC IP Address of the public facing interface
of the corporate FortiGate unit. The Internet-
facing interface is also the public facing
interface. To locate this IP address, go to
System > Network > Interfaces.

The FortiAP will search for this FortiGate

interface when it tries to connect.

The remote user may now take this device

to the desired remote location to connect
securely to the corporate FortiGate unit.

Connecting to the
corporate FortiGate
remotely
At the remote location, connect the FortiAP
to the Internet using an Ethernet cable. Next,
connect the FortiAP to power.

Once connected, the FortiAP requests an IP

address and locates the FortiGate wireless
controller.

The remote user can now access the

corporate network and browse the Internet
securely from behind the corporate firewall.

Providing remote users access to the corporate network and Internet 137
Results
Go to WiFi Controller > Monitor > Client
Monitor to see remote wireless users
connected to the FortiAP unit.

Go to Log & Report > Traffic Log >

Forward Traffic to see remote wireless
users appear in the logs.

Select an entry to view more information

about remote traffic to the corporate
network and to the Internet.

138 The FortiGate Cookbook 5.0.4

Authentication
Authentication, the act of confirming the identity of a person or device, is a key part
of network security. In the context of a private computer network, the identities of
users or host computers must be established to ensure that only authorized parties
can access the network. The FortiGate unit enables controlled network access and
applies authentication to users of security policies and VPN clients.
This section contains the following examples:

• Providing single sign-on for a Windows AD network with a FortiGate

• Providing single sign-on in advanced mode for a Windows AD network
• Providing single sign-on for Windows AD with LDAP
• Preventing security certificate warnings when using SSL inspection
• Extra help: Certificates

139
 Providing single sign-on for a Windows AD
network with a FortiGate
This example uses the Fortinet Single Sign-On (FSSO) Collector Agent to integrate a
FortiGate unit into the Windows AD domain.

1. Installing the FSSO Collector Agent

2. Configuring the Single Sign-on Agent
3. Configuring the FortiGate unit to connect to the FSSO agent
4. Adding a FSSO user group
5. Adding a firewall address for the internal network
6. Adding a security profile that includes an authentication rule
7. Results

Internet

FortiGate

Windows AD
Internal Network

140 The FortiGate Cookbook 5.0.4

Installing the FSSO Collector
Agent
Run the setup for the Fortinet SSO Collector
Agent. After logging in, configure the agent
settings.

Add the Collector Agent address information.

Providing single sign-on for a Windows AD network with a FortiGate 141

Select the domains to monitor, and any users
whose activity you do not wish to monitor.

Set the working mode and complete the

installation.

142 The FortiGate Cookbook 5.0.4

Configuring the Single
Sign-on Agent
If required, select Require authenticated
connection from FortiGate, and add a
password.

You will also enter this password when

configuring the FSSO on the FortiGate unit.

Configuring the FortiGate

unit to connect to the FSSO
agent
On the FortiGate unit, go to User & Device
> Authentication > Single Sign-On.

Enter this password used configuring the

FSSO on the FortiGate unit in the previous
step.

Adding a FSSO user group

On the FortiGate unit, go to User & Device
> User > User Group.

Providing single sign-on for a Windows AD network with a FortiGate 143

Adding a firewall address
for the internal network
Go to Firewall Objects > Address >
Addresses.

Adding a security
profile that includes an
authentication rule
Go to Policy > Policy > Policy.

Add an accept user identity security policy

and add the new FSSO group.

144 The FortiGate Cookbook 5.0.4

Results
Go to Log & Report > Traffic Log >
Forward Traffic. As users log into the
Windows AD system, the FortiGate collects
their connection information.

Select an entry for more information.

Providing single sign-on for a Windows AD network with a FortiGate 145

 Providing single sign-on in advanced mode for a
Windows AD network
Using Fortinet Single Sign On, the FortiGate unit automatically authenticates any
user that successfully logs into Windows. The Domain Controller agent Advanced
mode has the advantage of supporting nested or inherited user groups. If Standard
mode is used, the FortiGate unit can authenticates only users who are a direct
member of a group.

1. Configuring the DC agent for Advanced mode

2. Configuring the DC agent as an FSSO agent
3. Creating an FSSO user group
4. Creating an identity-based security policy
5. Results

Internet

FortiGate

Windows AD
Internal Network

146 The FortiGate Cookbook 5.0.4

Configuring the DC agent
for Advanced mode
Log on to the Windows server where the DC
agent is installed. Go to All Programs >
FortiNet > Fortinet Single Sign On Agent
> Configure Fortinet Single Sign On
Agent.

Select Directory Access Information and

set AD Access mode to Advanced.

The rest of the configuration is done on the

FortiGate unit.

Configuring the FSSO agent

Go to User & Device > Authentication >
Single Sign-On to enter the information the
FortiGate unit needs to access the DC agent.

After you select Apply & Refresh, the

Windows AD groups are listed. This confirms
that the FortiGate unit can communicate with
the DC agent.

On a Windows AD network with a large

number of groups, the FortiGate unit’s
performance might be affected by the
volume of user logon information it
receives. Use the Set Group Filters
function of the DC agent to send
information only for the groups you intend
to authenticate.

Providing single sign-on in advanced mode for a Windows AD network 147

Creating an FSSO user
group
Select the Windows AD groups to include in
the FortiGate FSSO user group.

Creating an identity-based
security policy
Create an identity-based security policy that
uses the FSSO user group that you created.

Results
The Windows AD user, having authenticated
at logon, does not have to authenticate again
to connect to the Internet.

148 The FortiGate Cookbook 5.0.4

 Providing single sign-on for Windows AD with
LDAP
A logged-on Windows user can be automatically authenticated on a FortiGate unit
through Fortinet Single Sign-On. Some Windows AD systems use an external LDAP
server. FSSO can also accommodate this configuration.

1. Configuring access to the LDAP server.

2. Configuring the DC agent as an FSSO agent.
3. Configuring a group filter on the DC agent.
4. Creating an FSSO user group and add Active Directory user
groups to it.
5. Creating a security policy to allow the FSSO user group
access to the Internet through the FortiGate unit.

Internet
LDAP Server
192.168.1. 117

WAN 1

FortiGate Port 1 Internal Network

Windows AD
Domain Controller
192.168.1.114

Providing single sign-on for Windows AD with LDAP 149

Configuring access to the
LDAP server
Go to User & Device > Authentication
> LDAP Server and enter the information
needed to connect the FortiGate unit to the
external LDAP server.

Configuring the DC agent as

an FSSO agent
Go to User & Device > Authentication >
Single Sign-On to enter the information the
FortiGate unit needs to access the DC agent.

Select the LDAP Server. In Users/Groups

use the Edit Users/Groups tab to select user
groups from the LDAP tree.

150 The FortiGate Cookbook 5.0.4

Configuring a group filter
on the DC agent
Log on to the Windows server where the DC
agent is installed. Go to All Programs >
FortiNet > Fortinet Single Sign On Agent
> Configure Fortinet Single Sign On
Agent.

Select Set Group Filters. Select Add. Enter

the FortiGate unit serial number and specify
which user groups the DC agent should
monitor for the FortiGate unit. Select Add
again.

To avoid adversely affecting the FortiGate

unit’s performance, configure the filter to
send information only for the groups you
intend to authenticate.

Creating an FSSO user

group and add Active
Directory user groups to it
.Go to User & Device > User > User
Group. Create a Fortinet Single Sign-On
group and select which Windows AD groups
to include as members.

Providing single sign-on for Windows AD with LDAP 151

Creating a security policy
Create identity-based security policies that
use the FSSO user group that you created.

Results
The Windows AD user, having authenticated
at logon, does not have to authenticate again
to connect to the Internet.

152 The FortiGate Cookbook 5.0.4

 Preventing security certificate warnings when
using SSL inspection
This example illustrates how to prevent your users from getting a security certificate
error, which happens because an SSL session is established with the SSL Proxy,
not the destination web site. Instead of having users select Continue when they
receive an error, a bad habit to encourage, you will provide them with the FortiGate
SSL CA certificate to install on their browsers.

1. Enabling Certificate configuration in the web-based

manager.
2. Downloading the Fortinet_CA_SSLProxy.
3. Importing the CA certificate into the web browser.

Website Certificate
Certificate

SSL proxy
FortiGate

Internal Network

Preventing security certificate warnings when using SSL inspection 153

Enabling certificate
configuration in the web-
based manager
Go to System > Config > Features and
enable Certificates.

Downloading the Fortinet_

CA_SSLProxy
Go to System > Certificates > Local
Certificates to download the Fortinet_CA_
SSLProxy certificate.

Make the CA certificate file available to your

users.

Importing the CA
certificate into the web
browser
For Internet Explorer:
Go to Tools > Internet Options. On the
Content tab, select Certificates and
find the Trusted Root Certification
Authorities.

Import the certificate using the Import

Wizard. Make sure that the certificate is
imported into Trusted Root Certification
Authorities.

You will see a warning because the FortiGate

unit’s certificate is self-signed. It is safe to
select Yes to install the certificate.

154 The FortiGate Cookbook 5.0.4

For Firefox:
Depending on platform, go to Tools >
Options or Edit > Preferences and find
the Advanced Encryption settings.

View Certificates, specifically the Authorities

certificate list.

Preventing security certificate warnings when using SSL inspection 155

Import the Fortinet_CA_SSLProxy certificate file.

Results
Even if you bypass the error message by
selecting “Continue to this website”, the
browser may still show an error in the toolbar.

After you install the FortiGate SSL CA

certificate, there will be no certificate security
issue when you browse to sites on which
the FortiGate unit performs SSL content
inspection.

156 The FortiGate Cookbook 5.0.4

Extra help: Certificates
This section contains tips to help you with some common challenges of using
certificates.

Certificate options do not appear in the GUI.

Go to System > Features > Config and select Show More. Enable the Certificates
feature.

A new certificate must be used.

Go to System > Certificates > Local Certificates and select Import.

A new certificate must be generated.

First, go to System > Certificates > Local Certificates and select Generate. Fill in the
required fields. The certificate must then be either self-signed or signed by a third party.
Finally, import the new certificate.

Certificate warnings appear when users attempt to authenticate.

Go to User & Device > Authentiction > Settings and set Certificate to use the correct
certificate.

The wrong certificate appears when using an SSL-VPN.

Go to VPN > SSL > Config and set Server Certificate to use the correct certificate.

Extra help: Certificates 157

SSL and IPsec VPN
Virtual private networks (VPNs) extend a private network across a public network,
typically the Internet. Two types of VPN can be configured with FortiGate unit: SSL
VPN and IPsec VPN.
SSL VPN configuration requires an SSL VPN web portal for users to log into, a
user authentication configuration for SSL VPN users, and the creation of SSL VPN
security policies that control the source and destination access of SSL VPN users.
IPsec supports a similar client server architecture as SSL VPN. However, to support
a client server architecture, IPsec users must install and configure an IPsec VPN
client (such as FortiClient) on their PCs or mobile devices.
This section contains the following examples:

• Providing remote users with access using SSL VPN

• Providing secure remote access to a network for an iOS device
• Using IPsec VPN to provide communication between offices
• Using redundant OSPF routing over IPsec VPN

159
 Using IPsec VPN to provide communication
between offices
This example provides secure, transparent communication between two FortiGates
located at different offices using route-based IPsec VPN. In this example, one office
will be referred to as HQ and the other will be referred to as Branch.

1. Configuring the HQ IPsec VPN

2. Adding firewall addresses for the local and remote LAN on HQ
3. Creating an HQ security policy and static route
4. Configure the Branch IPsec VPN Phase 1 and Phase 2
settings
5. Add Branch firewall addresses for the local and remote LAN
6. Create a branch IPsec security policy and static route
7. Results

WAN 1 WAN 1
172.20.120.123 172.20.120.22

IPsec Internet
FortiGate
FortiGate

Port 1 LAN
192.168.1.99/24 10.10.1.99/24

Internal Internal
Network (HQ) Network (Branch)

160 The FortiGate Cookbook 5.0.4

Configuring the HQ’s IPsec
VPN
On the HQ FortiGate, go to VPN > IPsec >
Auto Key (IKE).

Select Create Phase 1. Set IP Address

to the IP of the Branch FortiGate, Local
Interface to the Internet-facing interface,
and enter a Pre-shared Key.

Using IPsec VPN to provide communication between offices 161

Now select Create Phase 2, set it to use
the new Phase 1, and expand the Advanced
options.

Specify Source address as the HQ subnet

and Destination address as the Branch
subnet.

Adding firewall addresses

for the local and remote
LAN on HQ
Go to Firewall Objects > Address >
Addresses.

Create a local address. Set Type to Subnet,

Subnet/IP Range to the HQ subnet, and
Interface to an internal port.

162 The FortiGate Cookbook 5.0.4

Create a remote LAN address. Set Type to
Subnet, Subnet/IP Range to the Branch
subnet, and Interface to the VPN Phase 1.

Creating an HQ security
policy and static route.
Go to Policy > Policy > Policy.

Create a policy for outbound traffic. Set

Incoming Interface to an internal port,
Source Address to the local address,
Outgoing Interface to the VPN Phase 1,
and Destination Address to the remote
LAN address.

Create a second policy for inbound traffic.

Set Incoming Interface to the VPN phase
1, Source Address to the local address,
Outgoing Interface to an internal port, and
Destination Address to the local address.

Using IPsec VPN to provide communication between offices 163

Go to Router > Static > State Routes.

Create a route for IPsec traffic, setting

Device to the VPN Phase 1.

Configuring the Branch’s

IPsec VPN
One the Branch FortiGate, Go to VPN >
IPsec > Auto Key (IKE).

Select Create Phase 1. Set IP Address to

the IP of the HQ FortiGate, Local Interface
to the Internet-facing interface, and enter the
same Pre-shared Key used previously.

164 The FortiGate Cookbook 5.0.4

Now select Create Phase 2, set it to use
the new Phase 1, and expand the Advanced
options.

Specify Source address as the Branch

subnet and Destination address as the HQ
subnet.

Adding firewall addresses

for the local and remote
LAN on HQ
Go to Firewall Objects > Address >
Addresses.

Create a local address. Set Type to Subnet,

Subnet/IP Range to the Branch subnet,
and Interface to an internal port.

Using IPsec VPN to provide communication between offices 165

Create a remote LAN address. Set Type
to Subnet, Subnet/IP Range to the HQ
subnet, and Interface to the VPN Phase 1.

Creating an HQ security
policy and static route.
Go to Policy > Policy > Policy.

Create a policy for outbound traffic. Set

Incoming Interface to an internal port,
Source Address to the local address,
Outgoing Interface to the VPN Phase 1,
and Destination Address to the remote
LAN address.

Create a second policy for inbound traffic.

Set Incoming Interface to the VPN phase
1, Source Address to the local address,
Outgoing Interface to an internal port, and
Destination Address to the local address.

166 The FortiGate Cookbook 5.0.4

Go to Router > Static > State Routes.

Create a route for IPsec traffic, setting

Device to the VPN Phase 1.

Results
Go to VPN > Monitor > IPSec Monitor to
verify the status of the VPN tunnel. It should
be up.

A user on either of the office networks should

be able to connect to any address on the
other office network transparently.

From the HQ FortiGate unit go to Log &

Report > Traffic Log > Forward Traffic to
verify that both inbound and outbound traffic
is occurring.

To verify traffic on the Branch FortiGate unit

as well, go to Log & Report > Traffic Log >
Forward Traffic.

Using IPsec VPN to provide communication between offices 167

 Providing remote users with access using SSL
VPN
This example provides remote users with access to the corporate network using
SSL VPN and connect to the Internet through the corporate FortiGate unit. During
the connecting phase, the FortiGate unit will also verify that the remote user’s
antivirus software is installed and current.
1. Creating an SSL VPN tunnel for remote users
2. Creating a user and a user group
3. Adding an address for the local network
4. Adding security policies for access to the Internet and internal
network
5. Setting the FortiGate unit to verify users have current antivirus
software
6. Results

Internet
Remote SSL VPN user

WAN 1
SSL Root 172.20.120.123
Browsing

FortiGate

Port 1
192.168.1.99/24

Internal Network Windows Server

192.168.1.114

168 The FortiGate Cookbook 5.0.4

Creating an SSL VPN tunnel
for remote users
Go to VPN > SSL > Portal.

Edit the full-access portal.

The full-access portal allows the use of

tunnel mode and/or web mode. In this
scenario we are using both modes.

Enable Split Tunneling is not enabled

so that all Internet traffic will go through
the FortiGate unit and be subject to the
corporate security profiles.

Select Create New in the Include

Bookmarks area to add a bookmark for a
remote desktop link/connection.

Bookmarks are used as links to internal

network resources.

Providing remote users with access using SSL VPN 169

Creating a user and a user
group
Go to User & Device > User > User
Definition.

Add a remote user with the User Creation

Wizard (in the example, ‘twhite’).

Go to User & Device > User > User

Group.

Add the user to a user group for SSL VPN

connections.

170 The FortiGate Cookbook 5.0.4

Adding an address for the
local network
Go to Firewall Objects > Address >
Addresses.

Add the address for the local network. Set

Type to Subnet, Subnet/ IP Range to the
local subnet, and Interface to an internal
port.

Adding security policies for

access to the Internet and
internal network
Go to Policy > Policy > Policy.

Add a security policy allowing access to

the internal network. Set Type to VPN and
Subtype to SSL-VPN.

If your FortiGate unit does not have the

Policy-based IPsec feature turned on, you
will only have to set Policy Type to VPN.

Set Incoming Interface to your Internet-

facing interface, Local Interface to an
internal port and Local Protected Subnet
to the address for the local network. Create
a new Authentication Rule to allow the
remote user group access.

Providing remote users with access using SSL VPN 171

Add a second security policy allowing access
to the Internet.

For this policy, Incoming Interface is sslvpn

tunnel interface and Outgoing Interface is
your Internet-facing interface.

Setting the FortiGate

unit to verify users have
current antivirus software
Go to System > Status > Dashboard.

In the CLI Console widget, enter the

commands on the right to enable the host to
check for compliant antivirus software on the
remote user’s computer.

Results
Log into the portal using the credentials you
created in step two.

172 The FortiGate Cookbook 5.0.4

The FortiGate unit performs the host check.

After the check is complete, the portal

appears.

Select the bookmark Remote Desktop link

to begin an RDP session.

Go to VPN > Monitor > SSL-VPN to verify

the list of SSL users. The Web Application
description indicates that the user is using
web mode.

Providing remote users with access using SSL VPN 173

Go to Log & Report > Traffic Log >
Forward Traffic and view the details for the
SSL entry.

In the Tunnel Mode widget, select Connect

to enable the tunnel.

Select the bookmark Remote Desktop link

to begin an RDP session.

Go to VPN > Monitor > SSL-VPN to verify

the list of SSL users.

The tunnel description indicates that the user

is using tunnel mode.

174 The FortiGate Cookbook 5.0.4

Go to Log & Report > Traffic Log >
Forward Traffic and view the details for the
SSL entry.

Go to Log & Report > Traffic Log >

Forward Traffic.

Internet access occurs simultaneously

through the FortiGate unit.

Select an entry to view more information.

Providing remote users with access using SSL VPN 175

 Providing secure remote access to a network
for an iOS device
This recipe uses the VPN Wizard to provide a group of remote iOS users with
secure, encrypted access to the corporate network. The example enables group
members to access the internal network and forces them through the FortiGate unit
when accessing the Internet. The example uses an iPad 2 running iOS 6.1.2 (menu
options may vary for different iOS versions and devices).

1. Creating a user group for iOS users

2. Adding addresses for the local LAN and remote users
3. Configuring IPsec VPN phases using the VPN Wizard
4. Creating security policies for access to the internal network and
the Internet
5. Configuring VPN on the iOS device
6. Results

WAN 1
172.20.120.123
Internet IPsec
FortiGate
Port 1
192.168.1.99/24
Remote User
(iPad)

Internal Network

176 The FortiGate Cookbook 5.0.4

Creating a user group for
iOS users
Go to User & Device > User > User
Definition.

Create a new user.

Go to User & Device > User > User

Group.

Create a user group for iOS users and add

the user you created.

Adding addresses for the

local LAN and remote users
Go to Firewall Objects > Address >
Addresses.

Add the address for the local network,

including the subnet and local interface.

Providing secure remote access to a network for an iOS device 177

Go to Firewall Objects > Address >
Addresses.

Add the address for the remote user,

including the IP range.

Configuring the IPsec VPN

phases using the VPN Wizard
Go to VPN > IPSec > Auto Key (IKE).

Select Create VPN Wizard. Name the VPN

connection and select Dial Up - iPhone /
iPad Native IPsec Client. Click Next.

Enter your pre-shared key and select the iOS

user group, then click Next. Note that the
pre-shared key is a credential for the VPN
and should differ from the user’s password.

Select your Internet-facing interface for the

Local Outgoing Interface, and enter the IP
range from the address range you created.

178 The FortiGate Cookbook 5.0.4

Creating security policies
for access to the internal
network and the Internet
Go to Policy > Policy > Policy.

Create a security policy allowing remote iOS

users to access the internal network.

Go to Policy > Policy > Policy.

Create a security policy allowing remote iOS

users to access the Internet securely through
the FortiGate unit. Ensure that Enable NAT
is checkmarked.

Providing secure remote access to a network for an iOS device 179

Configuring VPN on the iOS
device
On the iPad, go to Settings > General >
VPN and select Add VPN Configuration.

Enter the VPN address, user account, and

password in their relevant fields. Enter the
pre-shared key in the Secret field.

Results
On the FortiGate unit, go to VPN >
Monitor > IPsec Monitor and view the
status of the tunnel.

Users on the internal network will be

accessible using the iOS device.

Go to Log & Report > Traffic Log >

Forward Traffic to view the traffic.

180 The FortiGate Cookbook 5.0.4

Select an entry to view more information.

Remote iOS users can also access the

Internet securely via the FortiGate unit.

Go to Log & Report > Traffic Log >

Forward Traffic to view the traffic.

Select an entry to view more information.

Providing secure remote access to a network for an iOS device 181

View the status of the tunnel on the iOS
device.

On the iPad, go to Settings > General >

VPN and view the Status of the connection.

Using a Ping tool, send a ping packet

directly to an IP address on the LAN behind
the FortiGate unit to verify the connection
through the VPN tunnel..

182 The FortiGate Cookbook 5.0.4

 Using redundant OSPF routing over IPsec VPN
This example sets up redundant secure communication between two remote
networks using an Open Shortest Path First (OSPF) VPN connection. In this
example, the HQ FortiGate unit will be called FortiGate 1 and the Branch FortiGate
unit will be called FortiGate 2.

1. Creating redundant IPsec tunnels on FortiGate 1

2. Configuring IP addresses and OSPF on FortiGate 1
3. Configuring firewall addresses on FortiGate 1
4. Configuring security policies on FortiGate 1
5. Creating redundant IPsec tunnels for FortiGate 2
6. Configuring IP addresses and OSPF on FortiGate 2
7. Configuring firewall addresses on FortiGate 2
8. Configuring security policies on FortiGate 2
9. Results

OSPF

WAN 1 WAN 1
172.20.120.24 172.20.120.123
IPsec

Internet
FortiGate 1 FortiGate 2
IPsec
Internal WAN 2 WAN 2 Internal
10.20.1.1/24 172.20.120.23 172.20.120.127 10.21.1.1/24

OSPF

Internal Internal
Network Network
(HQ) (Branch)

Using redundant OSPF routing over IPsec VPN 183

Creating redundant IPsec
tunnels on FortiGate 1
Go to VPN > IPsec > Auto Key (IKE).

Select Create Phase 1 and create the

primary tunnel. Set IP Address to FortiGate
2’s wan1 IP, Local Interface to wan1 (the
primary Internet-facing interface) and enter a
Pre-shared Key.

Select Create Phase 2. Set it to use the

new Phase 1.

184 The FortiGate Cookbook 5.0.4

Go to VPN > IPsec > Auto Key (IKE).

Select Create Phase 1 and create the

secondary tunnel. Set IP Address to use
FortiGate 2’s wan2 IP, Local Interface
to wan2 (the secondary Internet-facing
interface) and enter the Pre-shared Key.

Go to VPN > IPsec > Auto Key (IKE).

Select Create Phase 2. Set it to use the

new Phase 1

Using redundant OSPF routing over IPsec VPN 185

Configuring IP addresses
and OSPF on FortiGate 1
Go to System > Network > Interfaces.

Select the arrow for wan1 to expand the list.

Edit the primary tunnel interface and create
IP addresses.

Select the arrow for wan2 to expand the

list. Edit the secondary tunnel interface and
create IP addresses.

Go to Router > Dynamic > OSPF.

Enter the Router ID for FortiGate 1.

Select Create New in the Area section.

Add the backbone area of 0.0.0.0.

Select Create New in the Networks

section.

Create the networks and select Area 0.0.0.0

for each one.

186 The FortiGate Cookbook 5.0.4

Select Create New in the Interfaces
section.

Create primary and secondary tunnel

interfaces. Set a Cost of 10 for the primary
interface and 100 for the secondary interface.

Configuring firewall
addresses on FortiGate 1
Go to Firewall Objects > Address >
Addresses.

Edit the subnets behind FortiGate 1 and

FortiGate 2.

Using redundant OSPF routing over IPsec VPN 187

Edit the primary and secondary interfaces of
FortiGate 2.

Configuring security policies

on FortiGate 1
Go to Policy > Policy > Policy.

Create the four security policies required for

both FortiGate 1’s primary and secondary
interfaces to connect to FortiGate 2’s primary
and secondary interfaces.

188 The FortiGate Cookbook 5.0.4

Using redundant OSPF routing over IPsec VPN 189
Creating redundant IPsec
tunnels on FortiGate 2
Go to VPN > IPsec > Auto Key (IKE).

Select Create Phase 1 and create the

primary tunnel. Set IP Address to FortiGate
1’s wan1 IP, Local Interface to wan1 (the
primary Internet-facing interface) and enter a
Pre-shared Key.

Select Create Phase 2. Set it to use the

new Phase 1.

190 The FortiGate Cookbook 5.0.4

Select Create Phase 1 and create the
secondary tunnel. Set IP Address to use
FortiGate 2’s IP, Local Interface to wan2
(the secondary Internet-facing interface) and
enter the Pre-shared Key.

Select Create Phase 2. Set it to use the

new Phase 1.

Using redundant OSPF routing over IPsec VPN 191

Configuring IP addresses
and OSPF on FortiGate 2
Go to System > Network > Interfaces.

Select the arrow for wan1 to expand the list.

Edit the primary tunnel interface and create
IP addresses.

Select the arrow for wan2 to expand the

list. Edit the secondary tunnel interface and
create IP addresses.

Go to Router > Dynamic > OSPF.

Enter the Router ID for FortiGate 2.

Select Create New in the Area section.

Add the backbone area of 0.0.0.0.

Select Create New in the Networks

section.

Create the networks and select Area 0.0.0.0

for each one.

192 The FortiGate Cookbook 5.0.4

Select Create New in the Interfaces
section.

Create primary and secondary tunnel

interfaces. Set a Cost of 10 for the primary
interface and 100 for the secondary interface.

Configuring firewall
addresses on FortiGate 2
Go to Firewall Objects > Address >
Addresses.

Edit the subnets behind FortiGate 1 and

FortiGate 2.

Using redundant OSPF routing over IPsec VPN 193

Edit the primary and secondary interfaces of
FortiGate 1.

Configuring security policies

on FortiGate 2
Go to Policy > Policy > Policy.

Create the four security policies required for

both FortiGate 2’s primary and secondary
interfaces to connect to FortiGate 1’s primary
and secondary interfaces.

194 The FortiGate Cookbook 5.0.4

Using redundant OSPF routing over IPsec VPN 195
Results
Go to VPN > Monitor > IPsec Monitor to
verify the statuses of both the primary and
secondary IPsec VPN tunnels on FortiGate 1
and FortiGate 2.

Go to Router > Monitor > Routing.

Monitor to verify the routing table on
FortiGate 1 and FortiGate 2. Type OSPF for
the Type and select Apply Filter to verify
the OSPF route.

Verify that traffic flows via the primary tunnel.

From a PC1 set to IP:10.20.1.100 behind

FortiGate 1, run a tracert to a PC2 set to IP
address 10.21.1.00 behind FortiGate 2 and
vise versa.

From PC1, you should see that the traffic

goes through 10.1.1.2 which is the primary
tunnel interface IP set on FortiGate 2.

From PC2, you should see the traffic goes

through 10.1.1.1 which is the primary tunnel
interface IP set on FortiGate 1.

The VPN network between the two OSPF

networks uses the primary VPN connection.
Disconnect the wan1 interface and

196 The FortiGate Cookbook 5.0.4

confirm that the secondary tunnel will be
used automatically to maintain a secure
connection.

Verify the IPsec VPN tunnel statuses on

FortiGate 1 and FortiGate 2. Both FortiGates
should show that primary tunnel is DOWN
and secondary tunnel is UP.

Go to VPN > Monitor > IPsec Monitor to

verify the status.

Verify the routing table on FortiGate 1 and

FortiGate 2.

The secondary OSPF route (with cost = 100)

appears on both FortiGate units.

Go to Router > Monitor > Routing

Monitor. Type OSPF for the Type and
select Apply Filter to verify OSPF route.

Verify that traffic flows via the secondary

tunnel.

From a PC1 set to IP:10.20.1.100 behind

FortiGate 1, run a tracert to a PC2 set to
IP:10.21.1.100 behind FortiGate 2 and
vice versa. From PC1, you should see that
the traffic goes through 10.2.1.2 which is
the secondary tunnel interface IP set on
FortiGate 2.

From PC2, you should see the traffic goes

through 10.2.1.1 which is the secondary
tunnel interface IP set on FortiGate 1.

Using redundant OSPF routing over IPsec VPN 197